Dropping packets with matching string using iptables drops all the subsequent packets with no match

StackOverflow https://stackoverflow.com/questions/828884

06-07-2019

Question

I am trying to write a worm filtering utility on application layer.

I have set up the following rule to drop TCP packets with a specific substring.

iptables -A INPUT -p tcp -m string --string "test" -j DROP --algo kmp

However, once a packet with a matching string is found, all the subsequent packets, even those with non-matching strings, are dropped until I flush the rule from iptables.

I would like to know why this is happening and what the solution for it is.

thanks


Solution

TCP is a connection-oriented, reliable protocol which maintains the sequence of data being sent. It keeps trying to send the particular payload until it gets there, so you cannot send other subsequent payloads until the older one has arrived; that's why you feel that all the subsequent packets are being dropped.

If you set a similar rule for UDP this won't happen: you will be able to receive all the subsequent packets that do not match the string. This is because UDP is a connectionless, unreliable protocol.
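The stall described in this answer, modelled as an added simulation (not code from the answer or from iptables): a per-packet substring filter is applied to a TCP sender that retransmits its oldest undelivered segment and never advances past it, and to a UDP sender whose datagrams are independent. The `MATCH`, `send_tcp` and `send_udp` names and the retry limit are constructed for the example; real TCP also keeps a window of later segments in flight, which the receiver buffers but does not deliver while the gap persists.

```python
# Added simulation of "-m string --string test -j DROP" against TCP vs UDP.
# Constructed model, not iptables code: the filter looks at one packet at a time.

MATCH = b"test"


def string_drop(payload: bytes) -> bool:
    """Per-packet model of the iptables string match: DROP if MATCH is a substring."""
    return MATCH in payload


def send_tcp(segments, max_retries=3):
    """Reliable, in-order delivery: the sender retransmits the oldest unacknowledged
    segment and cannot deliver anything after it until that segment gets through.
    Returns (delivered segments, number of dropped packets, final state)."""
    delivered, dropped = [], 0
    for seg in segments:
        for _ in range(max_retries + 1):
            if string_drop(seg):
                dropped += 1          # every retransmission carries the same bytes
                continue              # and is dropped again by the same rule
            delivered.append(seg)
            break
        else:
            # Retries exhausted: the connection is stuck here; later segments were
            # never handed to the application, which looks like "everything dropped".
            return delivered, dropped, "stalled"
    return delivered, dropped, "ok"


def send_udp(datagrams):
    """Connectionless delivery: a dropped datagram affects only itself.
    Returns (delivered datagrams, number of dropped packets)."""
    delivered = [d for d in datagrams if not string_drop(d)]
    return delivered, len(datagrams) - len(delivered)


if __name__ == "__main__":
    # Constructed sample traffic: only the middle packet matches the rule.
    traffic = [b"hello", b"this is a test", b"goodbye"]
    print("TCP:", send_tcp(traffic))   # only b"hello" arrives, then the stream stalls
    print("UDP:", send_udp(traffic))   # b"hello" and b"goodbye" arrive, one drop
```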

OTHER TIPS

A bit late here, but seeing people with similar issues. One way to circumvent this is to do this rule within the RAW chain. ALL packets will hit here before any sort of conntrack is placed on the packet, therefore it's best to do filtering here.

iptables -A PREROUTING -t raw -p tcp -m string --string "test" -j DROP --algo kmp

Licensed under: CC-BY-SA with attribution