I am fairly familiar with Linux and iptables, but I am having an issue
with the "-m string" pattern matching functionality. I am trying to
use iptables with this extension/option to log DNS requests containing
a specified URL string, but iptables does not seem to match if the search
string contains a '.' (i.e. a period).
As an example of this issue, I first set up a rule to log the traversal
of DNS request packets leaving a single-ported computer that contain
a matching string of "google". The iptables command is:
iptables -t filter -I OUTPUT 1 -o eth0 -p udp -m udp --dport 53 \
-m string --algo bm --icase --string "google" \
-j LOG --log-level info --log-prefix "iptables-string-match: "
and the following is the (expected) results for the output chain:
Chain OUTPUT (policy ACCEPT ...)
target prot opt in out source destination
LOG udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "google" ALGO name bm TO 65535 ICASE LOG flags 0 level 6 prefix `iptables-string-match: '
dmesg command, which prints the following:
iptables-string-match: IN= OUT=eth0 SRC=192.168.0.106 DST=192.168.0.1 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=21838 PROTO=UDP SPT=52372 DPT=53 LEN=36
However, when I change the rule slightly by adding a ".com" to the end
of the search string, the iptables logging does not work.
Here is the corresponding iptables command:
iptables -t filter -I OUTPUT 1 -o eth0 -p udp -m udp --dport 53 \
-m string --algo bm --icase --string "google.com" \
-j LOG --log-level info --log-prefix "iptables-string-match: "
and then use iptables to check what is configured, I get the following
as the (expected) results for the output chain:
Chain OUTPUT (policy ACCEPT ...)
target prot opt in out source destination
LOG udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "google.com" ALGO name bm TO 65535 ICASE LOG flags 0 level 6 prefix `iptables-string-match: '
by a dmesg command, which prints nothing for this last DNS request.
I have tried various search strings, and all appear to work, except
when they contain a '.'. I have used Wireshark to examine the request
packets going out to the DNS server, and see exactly what I expect.
But for some reason that I don't understand, iptables does not seem to
match with a search string containing a '.'.
I have tried this on CentOS 6.8 (with iptables 1.4.7) and CentOS 7.2.1511
(with iptables 1.4.21).
Can someone explain or help me with this issue?
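The following is an added illustration, not code from the poster: the `-m string` match is a plain byte-substring search over the packet, and a DNS question name is not sent as "google.com" but as length-prefixed labels (RFC 1035 section 3.1), so the byte sequence `06 g o o g l e 03 c o m` is on the wire and a literal '.' never is. The script builds a small A-record query the way a resolver would, shows that `google` is found while `google.com` is not, and prints the pattern in the `|06|google|03|com` form accepted by the string match's `--hex-string` option (that option is part of the iptables string extension but is not mentioned in the post; the query builder and the search helpers are this example's own constructions).

```python
import struct

# Constructed example (not from the original post): a minimal DNS query
# builder plus a byte-substring search that mimics what `-m string` does.


def encode_dns_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format: each label is prefixed by its
    length byte and the name ends with a 0x00 byte. The '.' separators
    from the human-readable form never appear in the packet."""
    out = bytearray()
    for label in name.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes long")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)  # root label terminates the name
    return bytes(out)


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A-record query (QTYPE=1, QCLASS=IN), i.e. the UDP
    payload of a request to port 53: 12-byte header + question section."""
    # id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_dns_name(name) + struct.pack("!HH", 1, 1)
    return header + question


def payload_contains(payload: bytes, pattern: bytes, icase: bool = True) -> bool:
    """Substring search equivalent to `-m string --string ... [--icase]`."""
    if icase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def hex_string_for_name(name: str) -> str:
    """Render a name in the `--hex-string` syntax of the iptables string
    match, e.g. google.com -> |06|google|03|com. The terminating zero is
    left out so the pattern also matches inside longer names such as
    www.google.com (constructed helper, not an iptables API)."""
    return "".join(
        "|%02x|%s" % (len(label), label) for label in name.strip(".").split(".")
    )


if __name__ == "__main__":
    query = build_dns_query("www.google.com")
    print("payload    :", query.hex())
    print("'google'    ->", payload_contains(query, b"google"))
    print("'google.com'->", payload_contains(query, b"google.com"))
    wire = encode_dns_name("google.com")[:-1]
    print("wire form   ->", payload_contains(query, wire))
    print("--hex-string", hex_string_for_name("google.com"))
```

Running the script shows the name as `06676f6f676c6503636f6d00` inside the payload, `True` for `google`, `False` for `google.com`, and `True` for the wire-format pattern. The 28-byte payload this produces for a bare `google.com` query (12-byte header, 12-byte name, 4 bytes of type and class) is the kind of length one would expect to see as the inner `LEN=` value in a LOG line for such a request.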