[RESOLVED] String Match Issue with iptables

Support for security such as Firewalls and securing linux
PatP
Posts: 4
Joined: 2013/03/11 16:21:44

[RESOLVED] String Match Issue with iptables

Post by PatP » 2016/08/11 17:41:38

Hi all,

I am fairly familiar with Linux and iptables, but I am having an issue
with the "-m string" pattern matching functionality. I am trying to
use iptables with this extension/option to log DNS requests containing
a specified URL string, but iptables does not seem to match if the search
string contains a '.' (i.e. a period).

As an example of this issue, I first set up a rule to log the traversal
of DNS request packets leaving a single ported computer, that contain
a matching string of "google". The iptables command is:

```sh
iptables -t filter -I OUTPUT 1 -o eth0 -p udp -m udp --dport 53 \
         -m string --algo bm --icase --string "google"          \
         -j LOG --log-level info --log-prefix "iptables-string-match: "
```
After running this command, I use iptables to check what is configured,
and the following is the (expected) results for the output chain:

```
Chain OUTPUT (policy ACCEPT ...)
target     prot opt in     out     source               destination
LOG        udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp dpt:53 STRING match "google" ALGO name bm TO 65535 ICASE LOG flags 0 level 6 prefix `iptables-string-match: '
```
I then perform a "dig google.com" command (which works), followed by a
dmesg command, which prints the following:

```
iptables-string-match: IN= OUT=eth0 SRC=192.168.0.106 DST=192.168.0.1 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=21838 PROTO=UDP SPT=52372 DPT=53 LEN=36
```
Thus iptables and this rule obviously work.

However, when I change the rule slightly by adding a ".com" to the end
of the search string, the iptables logging does not work.

Here is the corresponding iptables command:

```sh
iptables -t filter -I OUTPUT 1 -o eth0 -p udp -m udp --dport 53 \
         -m string --algo bm --icase --string "google.com"      \
         -j LOG --log-level info --log-prefix "iptables-string-match: "
```
After I remove the previous rule, run this new (slightly altered) command,
and then use iptables to check what is configured, I get the following
as the (expected) results for the output chain:

```
Chain OUTPUT (policy ACCEPT ...)
target     prot opt in     out     source               destination
LOG        udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp dpt:53 STRING match "google.com" ALGO name bm TO 65535 ICASE LOG flags 0 level 6 prefix `iptables-string-match: '
```
I then perform the "dig google.com" command (which again works), followed
by a dmesg command, which prints nothing for this last DNS request.

I have tried various search strings, and all appear to work, except
when they contain a '.'. I have used wireshark to examine the request
packets going out to the DNS server, and see exactly what I expect.
But for some reason that I don't understand, iptables does not seem to
match with a search string containing a '.'.

I have tried this on CentOS 6.8 (with iptables 1.4.7) and CentOS 7.2.1511
(with iptables 1.4.21).

Can someone explain or help me with this issue?
Last edited by PatP on 2016/08/11 23:13:42, edited 1 time in total.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: String Match Issue with iptables

Post by TrevorH » 2016/08/11 22:35:36

The dig packets going out don't have dots in them, they've been replaced by 0x03.

```
0x0020:  0001 0000 0000 0000 0377 7777 0667 6f6f  .........www.goo
0x0030:  676c 6503 636f 6d00 0001 0001            gle.com.....
```
I got it to work using

```sh
iptables -R OUTPUT 1 -p udp -m udp --dport 53 -m string --algo bm --icase --hex-string \|676f6f676c6503636f6d\|   -j LOG
```
but that's hex based so --icase is not applicable, so you'd need buckets of entries to cater for all the possibilities!
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
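To make the wire encoding concrete, here is an added Python example (not from this thread or from iptables) that builds a query like the one `dig google.com` sends, shows why a plain `--string "google.com"` can never match the packet bytes while `--string "google"` does, and derives the `--hex-string` pattern used above. The header layout is the standard DNS one; the helper names and the `string_matches` model of a byte search are my own assumptions.

```python
import struct

def encode_qname(name: str) -> bytes:
    """DNS wire format for a name: each label is preceded by a one-byte
    length, and the name is terminated by a zero byte. There is no '.' on
    the wire: 'www.google.com' -> b'\\x03www\\x06google\\x03com\\x00'."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        if len(label) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out.append(len(label))
        out += label
    out.append(0)
    return bytes(out)

def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample packet: a minimal A-record query (12-byte header
    with RD set and one question, then QNAME, QTYPE=A, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)

def string_matches(payload: bytes, pattern: str, icase: bool = False) -> bool:
    """Model of the xt_string match: a plain substring search over the
    packet bytes (case-folded for ASCII when icase is set)."""
    if icase:
        return pattern.lower().encode() in payload.lower()
    return pattern.encode() in payload

def hex_string_for(name: str) -> str:
    """--hex-string pattern for the encoded labels, with the leading length
    byte and trailing zero dropped so it also matches subdomains of name."""
    return "|" + encode_qname(name)[1:-1].hex() + "|"

def icase_variant_count(name: str) -> int:
    """Rules needed to emulate --icase with --hex-string: one per
    upper/lower-case combination of the letters in the name."""
    return 2 ** sum(c.isalpha() for c in name.replace(".", ""))

if __name__ == "__main__":
    q = build_a_query("google.com")
    print("packet:", q.hex())
    print("--string google      matches:", string_matches(q, "google", icase=True))
    print("--string google.com  matches:", string_matches(q, "google.com", icase=True))
    print("--hex-string to use:", hex_string_for("google.com"))
    print("rules needed for case-insensitive hex match:", icase_variant_count("google.com"))
```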

PatP
Posts: 4
Joined: 2013/03/11 16:21:44

Re: String Match Issue with iptables

Post by PatP » 2016/08/11 23:12:26

Thanks. This explains a lot.

I did not realize that the domain names in DNS requests are encoded (i.e. the separating
period characters are replaced by the field length of the next field).

Regards.

Pat
