<0> yes ... i have tried a fair few ... for what i do ... htb seems to achieve 95% of my goal which is 5% over Target ;-)
<1> and I do the filtering with iptables nowadays..
<0> yes ... as i see many people starting to do now
<0> using userspace nf_queue or something isn't it ?
<1> just need the firewall to support it
<1> but then again, I wrote qos & the firewall together so it works fine :)
<1> no, no userspace
<0> oh ok
<2> guys i would really appreciate if you could give me some guidance...
<2> i want to drop packets which have a private IP in the application layer in the message body.. in the SDP ?
<2> i was trying my luck with l7 but have run out of luck
<1> santosh1, sorry this is more like a netfilter channel than specific iptables help center :)
<0> santosh1: really this is a question for l7filter news group or something
<1> so it's not the best forum for l7filter
<1> we might know some, but I have personally never written any l7 filters myself so I really don't know how to do that stuff
<2> ^(c= IN IP4) (192\.168\..*\..*$)|(10\..*\..*\..*$)|(172\.(16-31)\..*\..*$) i tried to filter something like this.. the c= IN IP4 was contained in the "Connection =" in the message body > SDP
<3> an l7 filter is just a regex for the first packet of a connection
<1> I think there might be some better forum (irc channel, web board or so) for your questions
<0> i have integrated into qos / tc before ... but not the iptables module
<1> even the manual might help you out
<1> santosh1, I don't know SIP either so I really can't say what it should be or what could be wrong, if any
<1> jengelh, surely it can span multiple packets if necessary ?
<0> jengelh: i was thinking that before ... but was scared if i said it i would be wrong ... =P
<2> would it filter only the header of the application layer or can it traverse inside.. ?
<2> i am sorry but couldn't resist asking ;)
<1> application is just raw data, there's no "header" that l7 would understand
<1> but surely some applications include headers in their sequence of data
<2> ok.. i was looking at a tcpdump.. and in the application layer i could separately see the message header and the message body...
<2> which could be application specific right
<3> xkr47 : Yes but it only matches at the beginning
<3> so you possibly need ^.*laterpacketdata
<3> and only matches within the first (configurable variable) 2048 bytes of the connection
<3> no tcp headers included, just the plain text that is transferred at L7
<1> there we go, a guru on the channel after all :))
<3> well it's so ****ing simple
<3> ^220[\x09-\x0d -~]*ftp
<3> this is all what FTP must match
<1> jengelh, well you need to know the 2048 byte thing, sip and how to reload rules to be able to help
<3> SIP?
<1> and I don't/didn't know any of those :)
<1> he wants to match some SIP traffic I understand
<3> no I do not know SIP
<3> Session Initiation Protocol, an IETF standard relating to VoIP technology?
<3> apart from that, the newest l7 definitions have a sip.pat
<2> yeah from the sip.pat i tried to create sdp.pat.. m
<3> sdp?
<3> ugh
<2> trying to match the text "c= IN IP4 <ipaddress>"
<3> ^c= IN IP4 \d+\.\d+\.\d+\.\d+
<2> SDP is session description protocol which contains the media data like the
<3> http://tools.ietf.org/html/2327
<1> santosh1, is it at the beginning of the stream or somewhere in the middle?
<2> yes i tried something like this (c= IN IP4) (192\.168\..*\..*$)|(10\..*\..*\..*$)|(172\.(16-31)\..*\..*$) ,,,
<2> somewhere in the middle
<3> and?
<3> i am not sure if it works with udp
<2> and i did a iptables -A INPUT -m layer7 --l7proto sdp -j DROP but it won't drop
<3> iptables -L -v -n => does that counter for that rule increase?
<1> does l7filter work with udp ?
<3> i do not know, and I believe probably not
<3> let me take a glance
<2> thanks guys for taking interest.. i appreciate it
<1> the -m string match still might help, maybe ?
<1> (if l7 doesn't)
<3> hm i can't get l7 to match with http even
<3> oh well at least it supports tcp udp and icmp over ipv4
<2> u tried matching http.. and ?
<3> and no counter increased
<3> iow, did not match
<3> i even tried to match a single char - no luck
<3> any
<2> wait i try to use the default sip.pat that came along..
<3> bbl
<2> bbl ?
<2> not happening.. ? i wonder why.. i just did a iptables -A OUTPUT -m layer7 --l7proto sip -j DROP ... output and input both.. then it's still accepting packets and everything
<2> http://sial.org/pbot/17796
<2> xkr47: u still around ?
<2> see the thing is ok.. that sdp match that i put is filtering the packets.. but.. now i am trying to drop packets which have originated from that linux box..
<1> .
<2> say for example a ===> b <== c where a and c initially sent packets to b and then b sends out to them.. then b sends packets to a and c which has the ip i am trying to filter.. now that i know the filter works.. what should be the table i should be dropping
<2> because if i do iptables -A input it drops everything coming in.. and when i do output it stops replying to the initial packets sent by a for example
<1> you want to filter SIP packets just from one IP ?
<2> not exactly.. i want to filter out packets that the server sends to a which has the info about c and which has a local ip in that info
<1> the server = ?
<2> a and c initially send their invites.. which i do not want to drop. ok then b sends packets to both the parties one of which packets had the wrong info.. which i wanna drop
<2> server is asterisk
<1> and how did you say you identify that wrong info ?
<2> see a is behind NAT ok.. .. and asterisk sends two packets to c giving the information about a's ip. one which has local ip and 2nd which has the nat box ip. so i am trying to drop the packets which b sends and in the message body is a local ip (of a)
<2> so i drop all input packets.. it drops all packets which have c= in ip4 <local ip> and output also it drops all packets which have c= in ip4 <local ip>.. i tried to drop or log forward,, but didn't happen
<1> ah
<2> ah ? xkr47
<1> you mean the FORWARD chain ?
<1> ah = I understand a bit more now :)
<2> hehe
<2> the forward chain i tried but the count didn't increase in -L -v -n
<1> hmm
<2> wait i will paste the o/p..
<1> do the packets from c to a go through asterisk ? ?
<2> that is what the asterisk box is trying to establish .. meaning it is trying to set up comm between a and c and nothing reaches back to a since c received a packet from b which had a local ip of a
<2> http://sial.org/pbot/17797. here is the o/p of -L -v -n
<1> for some reason b sends two packets to c ?
<2> yes..
<1> maybe your original rule wasn't so bad
<2> meaning ?
<1> c= IN IP4 (192\.168\.\d+\.\d+|10\.\d+\.\d+\.\d+|172\.(1[6789]|2\d|3[01])\.\d+\.\d+)
<1> you had some extra parentheses there
<1> and the .* maybe weren't so good
<1> I don't think you need the FORWARD rule at all..
<1> probably everything goes through asterisk..
<2> yes the ethereal dumps show all the communication going thru asterisk.. but the rtp it sends directly to each other.. which is what they are trying to establish
<1> guess you don't need to worry about that...
<2> yes but if i don't drop packets having the wrong info .. that rtp communication fails
<2> because c is sending data to a 192.168. something
<2> xkr47: .....................
<1> sorry phone
<2> ohh..
<1> yeah.. but if you get the correct sdp packets dropped, then rtp will be fine right ?
<2> yes
<1> did you try the rule I pasted ?
<2> yes.. same..
<2> but forward was still dropping u want me to try without the forward drop
<1> since it says "0 0" in the beginning of the line, it means it never matched
<1> so it doesn't matter
<2> yes
<2> i guess we need to somehow drop outgoing but not all outgoing. with the matching packet
<1> so does it still drop too much or what is the case
<2> wait
<1> do the INPUT & OUTPUT rules match ?
<1> i.e. what do the counters say (the ones at the beginning of the rows of iptables -L -n -v)
<2> yes.. i mean in the initial incite itself. it increased the count
<2> incite = invite
<1> hmm
<2> and also when sending. reinvites..:(
<1> well.. I need to go to the shop now
<1> and then I have other stuff to do
<1> but if you can paste some problematic ethereal dumps maybe I can look at it when I have time
<1> sorry..
<2> ethereal.. dumps.. i can send u the file..
<2> how do i paste the dump file.. i mean.
<1> if santosh1 comes back, tell him http://www.putfile.com/
<1> oh sorry that was for images only
<1> maybe http://www.megaupload.com/
<4> xkr47: Thanks for all that help last night. :)
<1> :)
#netfilter