Daniel Chemko dchemko at smgtec.com
Mon Sep 20 21:44:46 CEST 2004

> You can try using ipt_string, but you will run into serious
> limitations. ipt_string operates on a single packet. If the string
> you are trying to match is (for whatever reason) broken into multiple
> packets, ipt_string will not find it. Also, ipt_string does not know
> anything about application level protocols (such as HTTP). If it
> finds ".exe" anywhere in the packet's payload, it will match (whereas
> Squid will match only if it is part of the URL, and you can specify that
> it must be at the end of the URL).
> If I were you, I'd stick with Squid to do application level filtering.

Or even better, use Snort-inline to detect infiltrations and use its
built-in response engine to drop the packets.
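The two limitations described in the quoted text, shown with an added Python model that is not from this thread and not netfilter or Squid code: a per-packet substring search (as ipt_string does it) is compared with the same search on the reassembled stream and with a URL-anchored regex in the style of a Squid url_regex ACL, on two constructed HTTP requests.

```python
import re

# Constructed sample HTTP requests (not taken from the original thread).
DOWNLOAD = (b"GET /downloads/setup.exe HTTP/1.1\r\n"
            b"Host: files.example.test\r\n\r\n")
SEARCH = (b"GET /search?q=hello HTTP/1.1\r\n"
          b"Host: www.example.test\r\n"
          b"User-Agent: updater.exe/1.0\r\n\r\n")

def segment(payload: bytes, size: int) -> list:
    """Split a byte stream into fixed-size chunks to model TCP segmentation."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]

def ipt_string_match(segments: list, pattern: bytes) -> bool:
    """Model of ipt_string: a plain substring search on each packet by itself.
    A pattern that straddles a segment boundary is never seen, and a hit
    anywhere in the payload (headers or body) counts."""
    return any(pattern in seg for seg in segments)

def stream_match(segments: list, pattern: bytes) -> bool:
    """The same substring search after reassembling the stream."""
    return pattern in b"".join(segments)

def squid_style_match(segments: list, url_regex: bytes = rb"\.exe$") -> bool:
    """Model of a Squid url_regex ACL: reassemble, parse the request line and
    apply the regex to the URL only (here anchored to the end of the URL)."""
    request_line = b"".join(segments).split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return False
    return re.search(url_regex, parts[1]) is not None

def demo() -> dict:
    # 22-byte segments put the boundary inside ".exe" of the download URL.
    split = segment(DOWNLOAD, 22)
    whole = segment(SEARCH, 1500)  # the whole request fits in one packet
    return {
        "ipt_string_split_url": ipt_string_match(split, b".exe"),  # False: missed
        "stream_split_url": stream_match(split, b".exe"),          # True
        "squid_split_url": squid_style_match(split),               # True
        "ipt_string_ua_only": ipt_string_match(whole, b".exe"),    # True: false positive
        "squid_ua_only": squid_style_match(whole),                 # False: not in URL
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```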
