-m string and RELATED
Cedric Blancher
blancher@cartel-securite.fr
04 Nov 2002 11:42:32 +0100
On Mon 04/11/2002 at 11:14, Arkadiusz Miskiewicz wrote:
> iptables -A INPUT -m string --string "xyztest" -j LOG --log-prefix "xyztest: " -m state --state NEW,ESTABLISHED,RELATED
>
> [misiek@ikar misiek]$ telnet misie.k.pl 25
> Trying 156.17.236.105...
> Connected to misie.k.pl.
> Escape character is '^]'.
> 220 misie.k.pl ESMTP Exim 4.10 Mon, 04 Nov 2002 11:11:18 +0100
> xyztest
> 500 unrecognized command
>
> - Nov 4 11:11:20 arm kernel: xyztest: IN=eth0 OUT= MAC=00:10:22:fe:5a:91:00:02:44:1f:f3:b4:08:00 SRC=156.17.235.253 DST=156.17.236.105 LEN=61 TOS=0x10 PREC=0x00 TTL=62 ID=53540 DF PROTO=TCP SPT=2637 DPT=25 WINDOW=5840 RES=0x00 ACK PSH URGP=0
> (logged packet which contains xyztest packet)
>
> tralala
> 500 unrecognized command
>
> - nothing logged
>
> Why is this not working - there is ESTABLISHED,RELATED rule - any ideas?
> (I have conntrack modules loaded).
I do not see your problem. You want to log packets that:
. contain string "xyztest"
AND
. are NEW, ESTABLISHED or RELATED
The first packet logged matches, but not the second as it does not
contain string "xyztest".
So, WTF ? :)))
If you want to log the whole session that follows a packet containing
string "xyztest", then it will be a little more tricky. You have to use
the patch-o-matic CONNMARK patch (extra section) which provides a target
to set per connection mark, and a connmark match to match against it.
By the way, I did not test it...
--
Cédric Blancher <blancher@cartel-securite.fr>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
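The CONNMARK approach described in the reply, written out as an added example (not code from the thread): the first function is the original one-packet rule, the second tags the connection when the string is seen and then logs every packet that carries that connection mark. It assumes a kernel with conntrack, the string match and the CONNMARK target/match; the `--algo bm` option is required by current iptables and did not exist in the 2002 patch-o-matic version, and the mark value 0x10 is an arbitrary choice.

```shell
#!/bin/sh
# Added example: log a whole SMTP session once one of its packets contains
# "xyztest", using CONNMARK as suggested in the reply. Not from the thread.
# Set IPT="echo iptables" to dry-run and only print the rules.
IPT="${IPT:-iptables}"

# Original approach: only the packet that actually carries the string is
# logged, because -m string is evaluated per packet, not per connection.
log_matching_packet_only() {
    $IPT -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED \
         -m string --algo bm --string "xyztest" -j LOG --log-prefix "xyztest: "
}

# CONNMARK approach: $1 is the connection mark to use (e.g. 0x10).
log_whole_session() {
    mark="$1"
    # 1. When any packet of a connection carries the string, mark the
    #    connection (the mark lives in the conntrack entry, so it persists).
    $IPT -A INPUT -p tcp --dport 25 -m string --algo bm --string "xyztest" \
         -j CONNMARK --set-mark "$mark"
    # 2. Log every packet, in both directions, of a marked connection.
    #    The packet that set the mark is logged too, since this rule comes after.
    $IPT -A INPUT  -m connmark --mark "$mark" -j LOG --log-prefix "xyztest-session: "
    $IPT -A OUTPUT -m connmark --mark "$mark" -j LOG --log-prefix "xyztest-session: "
}

# Install the session-logging rules only when explicitly asked to.
if [ "${1:-}" = "install" ]; then
    log_whole_session 0x10
fi
```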