Match multiple strings in iptables












2















I have 2 strings, and i wish to queue the packet if it contains both the strings ( something like ("jsh"&&"gjhyg")), i tried following ways, but they don't seem to work:



sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "abc" --algo bm -m string --string "def" --algo bm



This doesn't work, it only works if the packet contains the string "abcdef", but the packet i wish to queue contains the strings at two different locations. Then I tried another method:



sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "abc" --algo bm



sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "def" --algo bm



But this time it works like "or", it queues packets with string "abc" or "def".






linux networking ubuntu iptables







share|improve this question

























  • I would have expected the first solution to work, since multiple -m are normally combined with an AND... and I can't find any reference of using regexp in the pattern. I'd say you just can't do it :/

    – m4573r
    Oct 2 '12 at 8:04











  • I can do this, but only at application level. By analyzing the queued packets matching any one string, and then matching for second string in my netfilter_queue C module. This method is definitely slower.

    – adnan kamili
    Oct 2 '12 at 10:06
















2















I have 2 strings, and i wish to queue the packet if it contains both the strings ( something like ("jsh"&&"gjhyg")), i tried following ways, but they don't seem to work:



sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "abc" --algo bm -m string --string "def" --algo bm



This doesn't work, it only works if the packet contains the string "abcdef", but the packet i wish to queue contains the strings at two different locations. Then I tried another method:



sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "abc" --algo bm



sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "def" --algo bm



But this time it works like "or", it queues packets with string "abc" or "def".






linux networking ubuntu iptables







share|improve this question

























  • I would have expected the first solution to work, since multiple -m are normally combined with an AND... and I can't find any reference of using regexp in the pattern. I'd say you just can't do it :/

    – m4573r
    Oct 2 '12 at 8:04











  • I can do this, but only at application level. By analyzing the queued packets matching any one string, and then matching for second string in my netfilter_queue C module. This method is definitely slower.

    – adnan kamili
    Oct 2 '12 at 10:06














2












2








2


1






I have 2 strings, and i wish to queue the packet if it contains both the strings ( something like ("jsh"&&"gjhyg")), i tried following ways, but they don't seem to work:



sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "abc" --algo bm -m string --string "def" --algo bm



This doesn't work, it only works if the packet contains the string "abcdef", but the packet i wish to queue contains the strings at two different locations. Then I tried another method:



sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "abc" --algo bm



sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "def" --algo bm



But this time it works like "or", it queues packets with string "abc" or "def".






linux networking ubuntu iptables







share|improve this question
















I have 2 strings, and i wish to queue the packet if it contains both the strings ( something like ("jsh"&&"gjhyg")), i tried following ways, but they don't seem to work:



sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "abc" --algo bm -m string --string "def" --algo bm



This doesn't work, it only works if the packet contains the string "abcdef", but the packet i wish to queue contains the strings at two different locations. Then I tried another method:



sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "abc" --algo bm



sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "def" --algo bm



But this time it works like "or", it queues packets with string "abc" or "def".






linux networking ubuntu iptables




linux networking ubuntu iptables






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Sep 10 '14 at 14:00









Kenster

4,93022034




4,93022034










asked Oct 2 '12 at 6:29









adnan kamiliadnan kamili

2811515




2811515













  • I would have expected the first solution to work, since multiple -m are normally combined with an AND... and I can't find any reference of using regexp in the pattern. I'd say you just can't do it :/

    – m4573r
    Oct 2 '12 at 8:04











  • I can do this, but only at application level. By analyzing the queued packets matching any one string, and then matching for second string in my netfilter_queue C module. This method is definitely slower.

    – adnan kamili
    Oct 2 '12 at 10:06



















  • I would have expected the first solution to work, since multiple -m are normally combined with an AND... and I can't find any reference of using regexp in the pattern. I'd say you just can't do it :/

    – m4573r
    Oct 2 '12 at 8:04











  • I can do this, but only at application level. By analyzing the queued packets matching any one string, and then matching for second string in my netfilter_queue C module. This method is definitely slower.

    – adnan kamili
    Oct 2 '12 at 10:06

















I would have expected the first solution to work, since multiple -m are normally combined with an AND... and I can't find any reference of using regexp in the pattern. I'd say you just can't do it :/

– m4573r
Oct 2 '12 at 8:04





I would have expected the first solution to work, since multiple -m are normally combined with an AND... and I can't find any reference of using regexp in the pattern. I'd say you just can't do it :/

– m4573r
Oct 2 '12 at 8:04













I can do this, but only at application level. By analyzing the queued packets matching any one string, and then matching for second string in my netfilter_queue C module. This method is definitely slower.

– adnan kamili
Oct 2 '12 at 10:06





I can do this, but only at application level. By analyzing the queued packets matching any one string, and then matching for second string in my netfilter_queue C module. This method is definitely slower.

– adnan kamili
Oct 2 '12 at 10:06










1 Answer
1






active

oldest

votes


















0














the "and" in this case could be achived with an user defined chain




sudo iptables -N my_chain



sudo iptables -A my_chain -p tcp -j QUEUE ! -f -m string --string "def" --algo bm



sudo iptables -A INPUT -p tcp -j my_chain ! -f -m string --string "abc" --algo bm




when the input chain process the last line and "abc" is present the control jumps to my_chain which has a similar rule checking for the presence of "def"; if "def" is there then jumps to QUEUE.






share|improve this answer

























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f482274%2fmatch-multiple-strings-in-iptables%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    the "and" in this case could be achived with an user defined chain




    sudo iptables -N my_chain



    sudo iptables -A my_chain -p tcp -j QUEUE ! -f -m string --string "def" --algo bm



    sudo iptables -A INPUT -p tcp -j my_chain ! -f -m string --string "abc" --algo bm




    when the input chain process the last line and "abc" is present the control jumps to my_chain which has a similar rule checking for the presence of "def"; if "def" is there then jumps to QUEUE.






    share|improve this answer






























      0














      the "and" in this case could be achived with an user defined chain




      sudo iptables -N my_chain



      sudo iptables -A my_chain -p tcp -j QUEUE ! -f -m string --string "def" --algo bm



      sudo iptables -A INPUT -p tcp -j my_chain ! -f -m string --string "abc" --algo bm




      when the input chain process the last line and "abc" is present the control jumps to my_chain which has a similar rule checking for the presence of "def"; if "def" is there then jumps to QUEUE.






      share|improve this answer




























        0












        0








        0







        the "and" in this case could be achived with an user defined chain




        sudo iptables -N my_chain



        sudo iptables -A my_chain -p tcp -j QUEUE ! -f -m string --string "def" --algo bm



        sudo iptables -A INPUT -p tcp -j my_chain ! -f -m string --string "abc" --algo bm




        when the input chain process the last line and "abc" is present the control jumps to my_chain which has a similar rule checking for the presence of "def"; if "def" is there then jumps to QUEUE.






        share|improve this answer















        the "and" in this case could be achived with an user defined chain




        sudo iptables -N my_chain



        sudo iptables -A my_chain -p tcp -j QUEUE ! -f -m string --string "def" --algo bm



        sudo iptables -A INPUT -p tcp -j my_chain ! -f -m string --string "abc" --algo bm




        when the input chain process the last line and "abc" is present the control jumps to my_chain which has a similar rule checking for the presence of "def"; if "def" is there then jumps to QUEUE.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Oct 9 '12 at 22:23

























        answered Oct 9 '12 at 22:15









        PatPat

        2,5341021




        2,5341021






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Super User!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f482274%2fmatch-multiple-strings-in-iptables%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Plaza Victoria

            Image
            Plaza Victoria Plaza Victoria en 2017 Otros nombres Plaza de La Victoria Localización El Almendral, Valparaíso, Chile Vías adyacentes Chacabuco, Molina, Plaza Victoria y Edwards Creación 1841 Metro Bellavista Ubicación 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 Coordenadas: 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 [editar datos en Wikidata] La Plaza Victoria , también llamada Plaza de la Victoria , [ 1 ] ​ es una plaza ubicada en el sector El Almendral del plan de la ciudad de Valparaíso, Chile, de importancia patrimonial, que incluye valiosas estatuas y especies vegetales. [ 2 ] ​ La plaza se creó como tal en la primera mitad del siglo XIX, tomando previamente los nombres de Plaza Nueva y Plaza de Orrego . Si bien desde sus inicios tuvo relevancia histórica, no fue sino a partir de fines de los años 1860 cuando comenzó a cobrar mayor importancia y se convirtió en uno de los principales centros sociales de l...
            Read more

            Brian Clough

            Image
            Brian Clough Datos personales Nombre completo Brian Howard Clough Apodo(s) Old Big 'Ead, Cloughie [ 1 ] ​ Nacimiento Middlesbrough, Inglaterra, Reino Unido 21 de marzo de 1935 Nacionalidad(es) Fallecimiento Derby, Reino Unido 20 de septiembre de 2004 (69 años) Altura 1,78 [ 1 ] ​ metros Carrera Deporte Fútbol Debut deportivo 1955 (Como jugador) 1965 (Como entrenador) (Middlesbrough F. C. (Como jugador) Hartlepool United F. C. (Como entrenador) ) Posición Delantero Goles en clubes 269 [ 2 ] ​ Retirada deportiva 1964 (Como jugador) 1993 (Como entrenador) (Sunderland A. F. C. (Como jugador) Nottingham Forest (Como entrenador) ) Carrera internacional Part. 2 [editar datos en Wikidata] Brian Howard Clough , OBE [ 3 ] ​ (Middlesbrough, Inglaterra, Reino Unido, 21 de marzo de 1935 – Derby, Inglaterra, Reino Unido, 20 de septiembre de 2004) fue un jugador y entrenador británico de fútbol. Es conocido por...
            Read more

            Cáceres

            Image
            Para otros usos de este término, véase Cáceres (desambiguación). Cáceres Municipio y ciudad Bandera Escudo Collage de Cáceres Cáceres Ubicación de Cáceres en España. Cáceres Ubicación de Cáceres en la provincia de Cáceres. País  España • Com. autónoma  Extremadura • Provincia  Cáceres • Partido judicial Cáceres Ubicación 39°28′23″N 6°22′16″O  /  39.473055555556, -6.3711111111111 Coordenadas: 39°28′23″N 6°22′16″O  /  39.473055555556, -6.3711111111111 • Altitud 457 [ 1 ] ​ msnm (mín.:211 [ 2 ] ​, máx.:708 [ 2 ] ​) Superficie 1750,33 km² Núcleos de población Cáceres Estación Arroyo-Malpartida Rincón de Ballesteros Valdesalor Fundación 34 a. C. Población 96 068 hab. (2018) • Densidad 54,8 hab./km² Gentilicio Cacereño/a [ 3 ] ​ Código postal 10001-10005, 10195 Alcaldesa (2015) María Elena Nevado del Campo [ 4 ] ​ Presupuesto 69.045.004€ [ 5 ] ​  (año ...
            Read more