string filtering in iptables, needs new kernel?

Well, I'm trying to filter based on certain strings in packets and I can't get it to work, which led me to sites suggesting I need to recompile my kernel with a few options (netfilter etc.).

My main question then is more along the lines of how you do this on a linode.

I have compiled countless kernels from scratch, but I do not know what would be needed on the Linode. I have not messed with my kernel, and I think you guys use some special kernels; I wouldn't want to disable anything important.

The distro is Gentoo, so how would I go about building a kernel for this box with netfilter?

Or maybe someone knows how I can do this without recompiling the kernel? Thanks!


7 Replies

On Linode you cannot run your own kernel.

Adam

Most, if not ALL of the netfilter options are enabled inside the kernel config, except for those labelled experimental.

http://www.linode.com/forums/viewtopic.php?t=1006

Can you tell me which .config options you need specifically?

-Chris

Hmm, I did a bit of research and it looks like netfilter has patches for the kernel source that you need to patch in for some of these options.

Specifically it is:

CONFIG_IP_NF_MATCH_STRING, which allows you to match a string in a whole packet.

Referenced at:

http://www.knowplace.org/netfilter/ipt_compile.html#ip2

Not sure if this is doable with the Linode kernels, but I would really like to find a way to drop packets based on strings in their payload.

@Crisis:

…I would really like to find a way to drop packets based on strings in their payload.

No, you wouldn't. It's unreliable, because it only looks at a packet at a time, and there's no guarantee that the dangerous string "foobar" won't be split across two packets. It can happen accidentally, and the cracker can force it.

What you want is a proxy firewall, where you can look at the actual data stream, and parse it properly.
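To make the point in the reply above concrete, here is a small added example (my own code, not anything from this thread or from netfilter) that models the difference between inspecting each packet on its own and inspecting the reassembled stream. The pattern `foobar`, the `(seq, payload)` segments and the HTTP-looking request are all constructed sample data; the "windowed" variant shows how a stream inspector can stay memory-bounded by carrying only the last `len(pattern) - 1` bytes across segment boundaries.

```python
# Added example: why a per-packet string match misses a pattern that straddles
# a packet boundary, and how stream reassembly closes that detection gap.
from typing import Iterable, List, Tuple

# The "dangerous string" from the reply, used here purely as a constructed example.
PATTERN = b"foobar"


def per_packet_match(payloads: Iterable[bytes], pattern: bytes = PATTERN) -> List[int]:
    """Model of an iptables-style per-packet rule.

    Each payload is inspected in isolation; returns the indices of the
    packets in which the pattern was found on its own.
    """
    return [i for i, p in enumerate(payloads) if pattern in p]


def stream_match(segments: Iterable[Tuple[int, bytes]], pattern: bytes = PATTERN) -> bool:
    """Model of a proxy / stream-aware inspector.

    Segments are (sequence_offset, payload) pairs. They are put back in
    sequence order, joined into one byte stream, and searched as a whole,
    so a pattern split across two segments (or delivered out of order) is
    still found.
    """
    stream = b"".join(payload for _, payload in sorted(segments))
    return pattern in stream


def windowed_stream_match(segments: Iterable[Tuple[int, bytes]], pattern: bytes = PATTERN) -> bool:
    """Memory-bounded variant of stream_match.

    Instead of buffering the whole stream, keep only the trailing
    len(pattern) - 1 bytes between segments: that is exactly enough context
    to detect a pattern that starts at the end of one segment and finishes
    in the next.
    """
    keep = max(len(pattern) - 1, 0)
    tail = b""
    for _, payload in sorted(segments):
        buf = tail + payload
        if pattern in buf:
            return True
        tail = buf[-keep:] if keep else b""
    return False


# Constructed sample flows (not real captures).
INTACT = [(0, b"GET /?q=foobar HTTP/1.0\r\n")]              # pattern inside one segment
SPLIT = [(0, b"GET /?q=foo"), (11, b"bar HTTP/1.0\r\n")]     # pattern straddles a boundary
OUT_OF_ORDER = [(11, b"bar HTTP/1.0\r\n"), (0, b"GET /?q=foo")]  # same bytes, arrival reversed


def demo() -> dict:
    """Run each detector over each sample flow and return the verdicts."""
    flows = {"intact": INTACT, "split": SPLIT, "out_of_order": OUT_OF_ORDER}
    results = {}
    for name, segs in flows.items():
        payloads = [p for _, p in segs]
        results[name] = {
            "per_packet_hits": per_packet_match(payloads),
            "stream": stream_match(segs),
            "windowed": windowed_stream_match(segs),
        }
    return results


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:>13}: {verdict}")
```

Running it shows the per-packet detector firing only on the intact flow and staying silent on the split and reordered ones, while both stream detectors flag all three. That gap, and the fact that segment boundaries are not under the defender's control, is the reason the reply points at a proxy that sees the whole data stream rather than a per-packet rule.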

Well for now I achieved what I was trying to do on the application layer, but what would you recommend for a proxy firewall?

Hmmm, I'm not sure there are any free proxy firewalls that can reject based on the contents of the data stream. Probably you can write add-ins for SOCKS to do it. But if you've solved your problem at the application layer, then you're done: proxy firewalls are at the application layer.

OK thanks for the response ;)

I figured the application layer would be the easiest to do it on, but I thought it might be interesting to learn how to do it a bit lower, with a firewall.
