Friday, November 16, 2012

Re: Iptables rules with module string give strange counter results

On Fri, Nov 16, 2012 at 04:09:56PM +0300, Vladimir Budnev wrote:
> 2012/11/16 Stephan Balmer <sb@cis.ch>:
> >> OS: debian testing, kernel 3.2.0-3-686-pae
> >>
> >> iptables -t filter -A OUTPUT --protocol tcp --dport 80 --match string
> >> --algo bm --from 0 --to 1500 --string "/index.php" --jump LOG
> >> --log-prefix "matched :"
> >
> > Works for me on Debian stock kernel 3.2.0-3-amd64.
> >
>
> Thanks for the test.
> You mean you get correct counters with 2 matches for both packets?

I only tested the part that didn't work for you:

iptables -t filter -A OUTPUT --protocol tcp --dport 80 --match string --algo bm --from 0 --to 1500 --string /index.php --jump LOG
printf 'GET /index.php HTTP/1.1\r\nHost: www.gentoo.org\r\n\r\n' | nc 89.16.167.134 80


> Can you list your iptables version ?
>

iptables v1.4.14
It shouldn't make a difference.


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20121116163043.GA13245@lia.ch
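
The test above only checks that the LOG rule fires; the question in the thread is what the rule's counters show afterwards. As an added example (not code from the thread, the list or Debian), the script below installs the same string-match rule, zeroes the OUTPUT counters, sends one request with printf, and reads the rule's exact packet and byte counters back from `iptables -t filter -vnxL OUTPUT`. The live part needs root and the xt_string module and only runs when the script is started with `--live`; the counter parser is exercised offline against a constructed listing that mimics the -vnxL layout. The target address (taken from the message), the `-w 3` nc timeout and the sample listing are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Reproduces the string-match
# rule from the message above and reads its exact (-x) counters back.
# Live part: needs root + xt_string, runs only with `--live`.
# Offline part: parser checked against a constructed -vnxL listing.
set -eu

HOST=89.16.167.134        # address from the message; any web server will do

# Exact packet counter (column 1) of the first rule in a -vnxL listing whose
# match text contains --string "<needle>".   $1 = listing text, $2 = needle
string_rule_pkts() {
    printf '%s\n' "$1" | awk -v needle="$2" '
        /STRING match/ && index($0, "\"" needle "\"") { print $1; exit }
    '
}

# Exact byte counter (column 2) of the same rule.
string_rule_bytes() {
    printf '%s\n' "$1" | awk -v needle="$2" '
        /STRING match/ && index($0, "\"" needle "\"") { print $2; exit }
    '
}

# Live check: add the rule, zero counters, send one request, read back, clean up.
live_check() {
    iptables -t filter -A OUTPUT -p tcp --dport 80 -m string --algo bm \
        --from 0 --to 1500 --string /index.php -j LOG --log-prefix "matched :"
    iptables -t filter -Z OUTPUT
    # printf rather than echo -n: bash's builtin echo leaves \r\n as literal
    # backslashes unless -e is given, so the request line would be malformed.
    printf 'GET /index.php HTTP/1.1\r\nHost: www.gentoo.org\r\n\r\n' \
        | nc -w 3 "$HOST" 80 >/dev/null
    listing=$(iptables -t filter -vnxL OUTPUT)
    echo "packets counted by the /index.php rule: $(string_rule_pkts "$listing" /index.php)"
    echo "bytes counted by the /index.php rule:   $(string_rule_bytes "$listing" /index.php)"
    iptables -t filter -D OUTPUT -p tcp --dport 80 -m string --algo bm \
        --from 0 --to 1500 --string /index.php -j LOG --log-prefix "matched :"
}

# Constructed sample in the -vnxL layout (assumed, not captured output).
SAMPLE='Chain OUTPUT (policy ACCEPT 4521 packets, 611302 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      17     1904 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       1      106 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 STRING match  "/index.php" ALGO name bm FROM 0 TO 1500 LOG flags 0 level 4 prefix "matched :"
       3      180 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 STRING match  "/login.php" ALGO name bm FROM 0 TO 1500 LOG flags 0 level 4 prefix "login :"'

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run as `sh script.sh --live` on the firewall host to see the real counters; without the flag the script only defines the helpers. Using `-x` matters because the default listing abbreviates counters (e.g. `1904` becomes `1K`), which hides exactly the off-by-one discrepancies this thread is about; `-Z` before the request makes the reading attributable to that one request.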
