Jorge Gabriel Siqueira

Reputation: 309

How can I drop packets matching the source URL

I want to block all incoming TCP packets that contain some string in the source URL. For example, I want to block all packets where the source URL contains "facebook.com".

Using the commands below, I can block any packet (INPUT, OUTPUT, FORWARD) that contains the string "facebook.com". The problem is that if the string "facebook.com" is inside the HTML body of the packet, it will be blocked as well.

# iptables -A INPUT -i eth0 -m string --algo bm --string "facebook.com" -j DROP
# iptables -A OUTPUT -m string --algo bm --string "facebook.com" -j DROP
# iptables -A FORWARD -i eth0 -m string --algo bm --string "facebook.com" -j DROP

Is there an easy way to match the string only in the source URL of the packet?

Upvotes: 1

Views: 8027

Answers (2)

Malt

Reputation: 30285

First of all, according to the man page, the string filter accepts "from" and "to" parameters, limiting the range of bytes searched. Assuming there's nothing special about the packets passing through this machine (i.e. tunneling or any special headers), you can specify "from" to be 40 bytes (20 bytes IP header, 20 bytes TCP header), and "to" to be around 80 (I suggest looking at some sample packets to verify these numbers).

Second, to minimize false positives, try blocking request packets that contain facebook as the HTTP host (i.e. "Host: facebook.com" or "Host: www.facebook.com"). I'd also limit it to TCP ("-p tcp") and port 80. The result is something like this:

iptables -A OUTPUT -p tcp --dport 80 -m string --algo bm --from 40 --to 80 --string "Host: facebook.com" -j DROP

Note that I'm currently on a windows machine and can't verify the syntax.

In any case, this won't help against HTTPS sessions. If you need to block HTTPS sessions with facebook using iptables, you'll have to use -j DROP -d facebook.com like John suggested. Naturally, that still won't work against someone accessing facebook over HTTPS through a proxy or a tunnel, but it should be enough to block most users.

Upvotes: 1
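As an added illustration (not code from the question or from either answer), the following Python script models the three approaches discussed in this thread on constructed packets: the question's whole-packet search, the "--from 40 --to 80" window from this answer, and a check of the HTTP Host header alone. The packet builder, the addresses (RFC 5737 documentation ranges) and the sample requests are all constructed for the example; the --from/--to semantics are modelled as searching the byte range counted from the first byte of the IP header, which is what the 40-byte figure (20 IP + 20 TCP) assumes.

```python
import struct

# Constructed sample traffic (not captured packets): minimal IPv4 + TCP
# framing around an HTTP request. Addresses are RFC 5737 documentation
# ranges and checksums are left at zero because nothing here validates them;
# only the header length fields matter for locating the payload.


def build_ipv4_tcp_packet(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Wrap `payload` in a 20-byte IPv4 header and a TCP header carrying
    `tcp_options` (length must be a multiple of 4, as on the wire)."""
    if len(tcp_options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    tcp_hdr_len = 20 + len(tcp_options)
    total_len = 20 + tcp_hdr_len + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,              # version 4, IHL 5 (20 bytes, no options)
                         0, total_len, 0, 0,
                         64, 6,             # TTL, protocol 6 = TCP
                         0, bytes([192, 0, 2, 10]), bytes([203, 0, 113, 10]))
    data_offset = (tcp_hdr_len // 4) << 4  # TCP header length sits in the top nibble
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 80,        # source port, destination port
                          1, 1,             # seq, ack (arbitrary)
                          data_offset, 0x18,  # flags PSH|ACK
                          65535, 0, 0)      # window, checksum, urgent pointer
    return ip_hdr + tcp_hdr + tcp_options + payload


def naive_match(packet: bytes, needle: bytes) -> bool:
    """What the question's rules do: search the entire packet, body included."""
    return needle in packet


def ranged_match(packet: bytes, needle: bytes, start: int, end: int) -> bool:
    """Model of `-m string --from START --to END`: offsets are counted from the
    first byte of the IP header and the needle has to fit inside the window."""
    return needle in packet[start:end]


def payload_offset(packet: bytes) -> int:
    """Locate the TCP payload from the IHL and TCP data-offset fields rather
    than assuming fixed 20 + 20 byte headers."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    tcp_hdr_len = (packet[ihl + 12] >> 4) * 4
    return ihl + tcp_hdr_len


def http_host(packet: bytes):
    """Return the lower-cased Host header of an HTTP request, reading only the
    request line and header block (everything before the first blank line).
    Returns None when the payload is not a complete HTTP request header."""
    payload = packet[payload_offset(packet):]
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None                       # header block incomplete, or not HTTP
    lines = head.split(b"\r\n")
    if b" HTTP/" not in lines[0]:
        return None                       # no request line, so not a request
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            return value.strip().lower()
    return None


def host_matches(packet: bytes, domain: bytes) -> bool:
    """True when the request is addressed to `domain` or one of its subdomains."""
    host = http_host(packet)
    if host is None:
        return False
    host = host.split(b":")[0]            # strip an explicit ":port"
    return host == domain or host.endswith(b"." + domain)


# Sample 1: a request to another site whose body merely mentions facebook.com.
_body = b"see https://www.facebook.com/example"
BODY_MENTION = build_ipv4_tcp_packet(
    b"POST /comment HTTP/1.1\r\nHost: www.example.net\r\n"
    b"Content-Length: %d\r\n\r\n" % len(_body) + _body)

# Sample 2: a request to facebook.com with an option-less 20-byte TCP header.
REAL_REQUEST = build_ipv4_tcp_packet(
    b"GET / HTTP/1.1\r\nHost: facebook.com\r\n\r\n")

# Sample 3: the same kind of request, but the TCP header carries a 12-byte
# NOP, NOP, timestamp option block (32-byte header), as many stacks send.
WITH_OPTIONS = build_ipv4_tcp_packet(
    b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\nUser-Agent: x\r\n\r\n",
    tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in [("body mention", BODY_MENTION),
                      ("real request", REAL_REQUEST),
                      ("with TCP options", WITH_OPTIONS)]:
        print(f"{name:17s} naive={naive_match(pkt, b'facebook.com')!s:5} "
              f"from40to80={ranged_match(pkt, b'Host: facebook.com', 40, 80)!s:5} "
              f"host={host_matches(pkt, b'facebook.com')}")
```

Running it shows the body-only mention caught by the whole-packet search but by neither of the other two checks, and it shows why the advice above to look at sample packets matters: with a 12-byte TCP timestamp option the payload starts at byte 52 and the Host line ends past byte 80, so a window sized for option-less headers misses it while the header parse still finds it. iptables has no parser for the HTTP header block, so the --from/--to window is as close as the string match gets; size it against real traffic on the box rather than the 40/80 figures alone.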

John R

Reputation: 2096

Is there an easy way to match the string only in the source URL of the packet?

it works for some sites (like www.ku.edu), but it doesn't work for facebook :'(

Note that Facebook uses SSL, so you're not going to have anything to string match in the packets (they'll be encrypted). It probably works for ku.edu because it's HTTP traffic and not HTTPS. To do what you want with iptables, you would need to filter based on IP address or host name. You could try something like -j DROP -d facebook.com.

Agreed with DanFromGermany that iptables is not the right tool for the job. Blocking based on IP address or host name might initially work, but it could break and would be difficult to maintain. I believe that the DNS name is resolved to an IP address when the rule set is loaded by iptables. This means that if Facebook changes its external IP (perhaps due to a failover or load issue) or has more than one IP, it won't work.

Upvotes: 1
