
Why does iptables work on matching strings when using -m string "example.com"?

Server Fault, asked by light9876 on November 4, 2021

According to my information, it is better not to use the command:

iptables -A INPUT -s example.com -j DROP

Because example.com will be replaced in real time with an IP address, which will not cover all possible IP addresses.

But if I use:

iptables -A INPUT -m string --string "example" --algo kmp -j DROP

This is taken from this answer, and I tested it myself; then I no longer need to worry about IP substitution, because "example" will match "example.com" and it will block it.

So if iptables only works with IP addresses, why does it work on names in the second case?

4 Answers

Because example.com has to be present in the header of most requests against the server at example.com:

  • If you send an email, you will put to: [email protected] in the mail header.

  • If you make an HTTP request against example.com, once DNS is resolved, the minimal request has to contain the target host:

    host example.com
    example.com has address 123.45.67.89

    The DNS request is done on a DNS server, not necessarily at example.com (if not cached!).

    nc 123.45.67.89 80 <<eoRequest
    GET /index.html HTTP/1.0
    Host: example.com
    eoRequest

Of course, your iptables rule will only drop the header packet, but the following packets won't be understood by the server, so they will be dropped by the server itself. Server logs and the client window may show something like 400 Bad Request.

Answered by F. Hauri on November 4, 2021

If you use -m string --string example, it will match all IP packets where the payload contains the string example.

If you go to a page via HTTP and the page contains the word example, the page is shown only partially, because your rule drops the packet that contains the word example.

The rule can also break many other protocols that use plain text. It can also break encrypted connections if the encrypted payload happens to match example.

You should use a filtering proxy to block your traffic, it is accurate and doesn't cause unwanted side-effects.

If you don't want to implement a filtering proxy, then a poor man's version is to block DNS queries for your target domain:

EDIT: Removed .com because DNS packets don't contain dots but length indicators.

iptables -I OUTPUT -p udp --dport 53 -m string --string example -j DROP

This will drop DNS queries for your target domain, effectively blocking the access to those domains. Clients will time out waiting for DNS reply, so the blocking is quite invasive.

Answered by Tero Kilkanen on November 4, 2021
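As an added illustration (not code from any of the answers above) of why "example.com" never matches a DNS query while "example" does, the Python below builds a constructed A query in wire format and runs the same plain substring test that -m string performs; encode_qname, build_dns_query, string_match and iptables_hex_pattern are my own helper names.

```python
import struct


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels (RFC 1035, section 3.1):
    each label is prefixed by its length byte, and a zero byte ends the name.
    No dot ever appears in the encoding, which is why '--string example.com'
    cannot match a query but '--string example' can."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad DNS label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample packet: a minimal standard A query as a stub resolver
    would send over UDP/53 (12-byte header plus one question, no EDNS)."""
    # flags 0x0100 = recursion desired; QDCOUNT=1, AN/NS/AR counts = 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def string_match(payload: bytes, pattern: str) -> bool:
    """Approximation of the test '-m string --string PATTERN' applies: a plain
    substring search over the packet payload (the kernel uses kmp or bm, but
    the yes/no outcome is the same as Python's 'in')."""
    return pattern.encode("ascii") in payload


def iptables_hex_pattern(name: str) -> str:
    """Render the label-encoded name in the |..| notation that the string
    match's --hex-string option accepts, e.g. '|07|example|03|com|00|'.
    Matching this instead of the bare word hits the exact name and its
    subdomains, not every packet containing the letters 'example'."""
    return "".join(f"|{len(l):02x}|{l}" for l in name.rstrip(".").split(".")) + "|00|"


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print("query bytes:", q.hex())
    print("'example.com' in query:", string_match(q, "example.com"))   # False
    print("'example'     in query:", string_match(q, "example"))       # True
    print("collateral hit on notexample.org:",
          string_match(build_dns_query("notexample.org"), "example"))  # True
    print("precise pattern:", iptables_hex_pattern("example.com"))
```

Running it shows the collateral damage the answer warns about: a query for notexample.org also contains "example" and would be dropped by the bare --string rule, while the length-prefixed --hex-string form only matches example.com and names beneath it.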

You cannot search for example.com in the URL as most websites now work via HTTPS exclusively.

Yes, in your example iptables will resolve example.com on the first invocation, and in case its IP address changes this rule will no longer work, but you could solve it by running e.g. a cron script which resolves example.com and, if there's a new IP address, adds it to your iptables rules via -I or -A.

Answered by Artem S. Tashkinov on November 4, 2021

Because it is a pattern for strings. Yes, you got your aim. But! If you try to search for anything including "example" on google.com, you can't either. Be careful using this setting.

Answered by Paravozik on November 4, 2021
