SuSEfirewall2 + iptables string module

Hi folks,

I am trying to setup a scenario where I am able to control the access to
certain html files. I’d like to forbid access to the URL:

http://myserver.here/test.html

my iptables rule in “SuSEfirewall2-custom” looks like:

iptables -I INPUT -j DROP -p tcp -m string –-string “.test.” –algo bm
-–dport $port

As a result, I get:
#> rcSuSEfirewall2 start
Starting Firewall Initialization (phase 2 of 2) Bad argument `–-string’

(same for “-string”)

Any ideas? Any suggestions for other solutions such as Squid or SquidGuard?

Thanks in advance.
Regards,
Roland


Use ‘r_2’ at ‘gmx.net’ for PMs

Looks like you put that rule in a bad text editor at some point and it
turned one of your hyphens into a unicode character. Notice how the
dashes are not the same length? Look at it with a hex editor:

00000000 e2 80 93 2d 73 74 72 69 6e 67 |...-string|

0000000a

Notice that the first dash is non-printable, and that you do not have the
same character twice (which you should with hyphens back-to-back) in the
hex output. Interpretation: you are copying/pasting from a dumb app.
Dumb apps include microsoft word, microsoft wordpad, and anything that
changes good ascii hyphens into abominable characters.

Good luck.

On 10/28/2010 02:51 PM, Roland Rickborn wrote:
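The hex check above is the right diagnostic, and it is easy to automate. The script below is an added example for this thread, not something posted by either participant: it reports every line of a rules file that contains a non-ASCII byte (a rules file typed in a plain editor is pure ASCII), shows the hex the way the reply's hexdump did, and can rewrite the usual Word/WordPad substitutions (EN DASH, EM DASH, curly quotes) back to their ASCII originals. The sample file it runs on is constructed here to reproduce the corrupted rule; point it at /etc/sysconfig/scripts/SuSEfirewall2-custom for the real thing.

```shell
#!/bin/sh
# Added example, not code from the thread: find (and optionally repair) the
# "smart" punctuation that turned "--string" into "EN DASH + -string" in a
# SuSEfirewall2-custom file. Plain POSIX sh plus od, tr, grep and sed.

# Hex of a string with no spaces, e.g.
#   hex_of_string '--string'            -> 2d2d737472696e67
#   hex_of_string "$(printf '\342\200\223')-string" -> e280932d737472696e67
hex_of_string() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Number of bytes >= 0x80 in a file. Anything other than 0 is suspect in a
# firewall rules file. LC_ALL=C makes tr work on raw bytes.
count_non_ascii_bytes() {
    LC_ALL=C tr -d '\000-\177' < "$1" | wc -c | tr -d ' '
}

# Return 0 if FILE is pure ASCII; otherwise print each offending line
# number with the hex of its first bytes and return 1.
check_rule_file() {
    [ "$(count_non_ascii_bytes "$1")" -eq 0 ] && return 0
    LC_ALL=C grep -n '[^[:print:][:space:]]' "$1" | while IFS= read -r l; do
        echo "line ${l%%:*}: non-ASCII bytes, hex starts $(hex_of_string "${l#*:}" | cut -c1-60)"
    done
    return 1
}

# Rewrite EN DASH / EM DASH to "-", curly double quotes to '"' and curly
# single quotes to "'". Output goes to stdout; diff it before installing.
fix_smart_punctuation() {
    en=$(printf '\342\200\223');  em=$(printf '\342\200\224')
    lq=$(printf '\342\200\234');  rq=$(printf '\342\200\235')
    lsq=$(printf '\342\200\230'); rsq=$(printf '\342\200\231')
    LC_ALL=C sed -e "s/$en/-/g" -e "s/$em/-/g" \
                 -e "s/$lq/\"/g" -e "s/$rq/\"/g" \
                 -e "s/$lsq/'/g" -e "s/$rsq/'/g" "$1"
}

# Constructed sample: one clean rule, then the corrupted rule from the
# thread (EN DASH before "-string", curly quotes around the pattern).
make_sample_file() {
    f=$(mktemp)
    printf 'iptables -I INPUT -p tcp --dport 80 -m string --string "test" --algo bm -j DROP\n' > "$f"
    printf 'iptables -I INPUT -j DROP -p tcp -m string \342\200\223-string \342\200\234.test.\342\200\235 --algo bm --dport 80\n' >> "$f"
    printf '%s\n' "$f"
}

# Demo on the constructed sample.
sample=$(make_sample_file)
if check_rule_file "$sample"; then
    echo "clean"
else
    echo "--- after fix_smart_punctuation:"
    fix_smart_punctuation "$sample"
fi
rm -f "$sample"
```

Once the EN DASH in the sample is replaced, the leftover hyphen after it makes the token `--string` again, which is exactly the one-dash-too-few symptom the reply diagnosed. The repair is convenience only; the real fix is to edit rules files in an editor that does not substitute punctuation.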

Great! Works now with:

iptables -I INPUT -j DROP -p tcp -m string --string "test" --algo bm
--dport $port

Cheers, Roland

On 28.10.2010 23:27, ab@novell.com wrote:

Good to hear. Thanks for posting back your results.

Good luck.

On 10/29/2010 03:18 PM, Roland Rickborn wrote:

But remember this sort of packet inspection is very crude. If the banned string appears anywhere in the returned data, even a mention of it in the body of the web page, the page will be blocked. And if you are blocking a hostname, it can be bypassed by changing the case of the hostname since domain names are not case-sensitive.
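To make the caveat concrete: the string match does a case-sensitive byte-substring search over the payload of each individual packet, with no stream reassembly and no URL decoding, and the rule as posted sits on INPUT with --dport, so it is judging inbound request packets (an OUTPUT/--sport rule would judge response bodies with the same crudeness). The script below is an added example, not code from the thread; it models that per-packet decision in plain sh and runs it over constructed HTTP requests to show the two failure modes: collateral drops (`test` inside `contest.html` or inside a cookie value) and evasions (percent-encoding the path, a hostname in different case, the pattern straddling two packets).

```shell
#!/bin/sh
# Added example, not code from the thread: a model of what xt_string decides
# for one packet with --string PAT (--algo bm is just the search algorithm;
# the answer is "does PAT occur anywhere in this packet's payload").
# All HTTP requests below are constructed samples.

# Return 0 ("rule matches, packet is DROPped") if PAT occurs anywhere in
# PAYLOAD, else 1. Case-sensitive, like the kernel match without --icase.
would_drop() {
    case "$2" in
        *"$1"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# The same decision with --icase semantics: fold both sides to lower case.
would_drop_icase() {
    p=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    d=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    would_drop "$p" "$d"
}

# One-word verdict for the table below.
verdict() { if would_drop "$1" "$2"; then echo DROP; else echo pass; fi; }

# Constructed request payloads (each is the payload of one TCP segment).
req_target=$(printf 'GET /test.html HTTP/1.1\r\nHost: myserver.here\r\n')
req_other=$(printf 'GET /contest.html HTTP/1.1\r\nHost: myserver.here\r\n')
req_cookie=$(printf 'GET /index.html HTTP/1.1\r\nHost: myserver.here\r\nCookie: build=latest\r\n')
req_encoded=$(printf 'GET /te%%73t.html HTTP/1.1\r\nHost: myserver.here\r\n')
req_hostcase=$(printf 'GET /index.html HTTP/1.1\r\nHost: MYSERVER.HERE\r\n')
seg1=$(printf 'GET /te')                                   # request split
seg2=$(printf 'st.html HTTP/1.1\r\nHost: myserver.here\r\n') # over 2 packets

show() {
    printf '%-22s %-5s %s\n' "--string $1" "$(verdict "$1" "$2")" "$3"
}
show test "$req_target"   'GET /test.html        (the intended block)'
show test "$req_other"    'GET /contest.html     (collateral: substring of another name)'
show test "$req_cookie"   'Cookie: build=latest  (collateral: "test" in a header value)'
show test "$req_encoded"  'GET /te%73t.html      (evades: the server decodes %73 to "s")'
show test "$seg1"         'GET /te               (evades: first packet of a split request)'
show test "$seg2"         'st.html HTTP/1.1 ...  (evades: second packet, no reassembly)'
show myserver.here "$req_hostcase" 'Host: MYSERVER.HERE   (evades unless --icase is given)'
```

Two practical consequences follow. DROP leaves the client hanging until it times out; `-j REJECT --reject-with tcp-reset` at least ends the connection cleanly. And because the web server sees the decoded, reassembled request while the packet filter sees raw bytes, a block on a specific URL belongs in the web server's own access control (a `<Location>`/`<Files>` deny rule) or in a proxy such as the Squid setup the original post asked about, with the iptables rule at most a coarse backstop.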

Leave it to kenyap to put a damper on a perfectly illogical success
involving syntax with a dose of real-life rationale…

Good luck.

On 10/29/2010 08:36 PM, ken yap wrote: