Dr. Klahn
asked on
iptables string matching failure
I am having some trouble getting string matching to work. Attempting a string match returns "Invalid argument."
Trying "iptables -m string --help" works as shown below.
Trying "iptables --string "foo" --help" fails as shown below.
String matching should be available in this (custom) kernel,
config-2.6.18.1:CONFIG_NETFILTER_XT_MATCH_STRING=y
but the error message seems to imply that it is not.
Am I correct in assuming that only part of string matching is available in my kernel, and that I need to rebuild with more support, or am I missing something simple?
(Further information discovered by accident: Messages in syslog. Appended at bottom.)
# iptables -m string --help
iptables v1.2.11
<much text removed>
STRING match v1.2.11 options:
--string [!] string Match a string in a packet
--hex-string [!] string Match a hex string in a packet
# iptables -X
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -v -t filter -N RobotLockouts
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RobotLockouts (0 references)
target prot opt source destination
# iptables -v -j REJECT -t filter -A RobotLockouts -p tcp --dport 80 -m string --string "Wget"
REJECT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:80 STRING match "Wget" reject-with icmp-port-unreachable
iptables: Invalid argument
# iptables -v -v -j REJECT -t filter -A RobotLockouts -p tcp --dport 80 -m string --string "Wget"
REJECT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:80 STRING match "Wget" reject-with icmp-port-unreachable
libiptc v1.2.11. 7 entries, 1428 bytes.
Table `filter'
Hooks: pre/in/fwd/out/post = 0/0/148/296/0
Underflows: pre/in/fwd/out/post = 0/0/148/296/0
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 360037 packets, 126909677 bytes
Cache: 00000000
Target name: `' [36]
verdict=NF_ACCEPT
Entry 1 (148):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [36]
verdict=NF_ACCEPT
Entry 2 (296):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 372020 packets, 122661953 bytes
Cache: 00000000
Target name: `' [36]
verdict=NF_ACCEPT
Entry 3 (444):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`RobotLockouts'
Entry 4 (620):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 6
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00004420 UNKNOWN IP_PROTO IP_DST_PT
Match name: `tcp'
Match name: `string'
Target name: `REJECT' [36]
Entry 5 (1104):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [36]
verdict=RETURN
Entry 6 (1252):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`ERROR'
iptables: Invalid argument
# iptables --string "foo" --help
iptables v1.2.11: Unknown arg `--string'
Try `iptables -h' or 'iptables --help' for more information.
==========================
# tail syslog
Jan 23 01:20:54 last message repeated 2 times
Jan 23 01:22:29 last message repeated 2 times
Jan 23 01:23:42 last message repeated 3 times
Jan 23 01:24:47 kernel: ip_tables: string match: invalid size 160 != 260
Jan 23 01:28:00 kernel: ip_tables: string match: invalid size 160 != 260
Jan 23 01:29:17 kernel: ip_tables: string match: invalid size 160 != 260
Jan 23 01:30:21 last message repeated 4 times
Jan 23 01:32:27 last message repeated 2 times
Jan 23 01:34:14 kernel: ip_tables: string match: invalid size 160 != 260
Jan 23 01:38:19 last message repeated 3 times
I have had the 'invalid argument' error also when an incorrect iptables was used.
Let me explain. There are two kinds of modules when you work with 'iptables'.
1) Kernel modules, you may find them in /lib/modules/`uname -r`/kernel/net/netfilter
2) iptables modules, that you may find in /lib/iptables/
If you have *_string* in both directories, most probably everything is correctly installed, but you have incorrect syntax. If you have no /lib/iptables/libipt_string.so, but have /lib/modules/`uname -r`/kernel/net/netfilter/xt_string.ko, then you should patch iptables with patch-o-matic and install new iptables binary+libs.
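A diagnostic script that follows the answer's two-directory check, added here as an example and not the answerer's own code. It assumes the paths named in the answer, the kernel's /proc/net/ip_tables_matches list (needed when the match is compiled in with =y, as in the asker's config, so no .ko file exists), and the syslog line format shown in the question, where "160 != 260" means userspace handed the kernel a smaller match structure than the running kernel expects, i.e. an iptables/kernel version mismatch.

```shell
#!/bin/sh
# Added example (not from the original post): classify which halves of the
# iptables string match are installed and decode the kernel's size complaint.
# Paths are parameters so the functions can be run against a constructed tree.

# $1 kernel netfilter module dir, $2 iptables lib dir, $3 registered-match list.
# Exit status: 0 both halves present, 1 kernel only, 2 userspace only, 3 neither.
string_match_status() {
    kdir=${1:-/lib/modules/$(uname -r)/kernel/net/netfilter}
    ldir=${2:-/lib/iptables}
    plist=${3:-/proc/net/ip_tables_matches}
    k=0; l=0
    # loadable module (xt_string since 2.6.16, ipt_string before that) ...
    if [ -f "$kdir/xt_string.ko" ] || [ -f "$kdir/ipt_string.ko" ]; then k=1; fi
    # ... or built in (CONFIG_NETFILTER_XT_MATCH_STRING=y) and registered
    if [ -r "$plist" ] && grep -qx string "$plist"; then k=1; fi
    # iptables 1.2/1.3 shipped libipt_string.so, 1.4 renamed it libxt_string.so
    if [ -f "$ldir/libipt_string.so" ] || [ -f "$ldir/libxt_string.so" ]; then l=1; fi
    if [ "$k" = 1 ] && [ "$l" = 1 ]; then return 0; fi
    if [ "$k" = 1 ]; then return 1; fi
    if [ "$l" = 1 ]; then return 2; fi
    return 3
}

# Print "<sent> <expected>" from the last "string match: invalid size" line
# in syslog file $1; status 1 if the kernel never logged such a line.
string_match_size_mismatch() {
    sed -n 's/.*string match: invalid size \([0-9]*\) != \([0-9]*\).*/\1 \2/p' "$1" |
        tail -n 1 | grep .
}

# Map the status to the answer's advice; $1..$3 as above, $4 syslog file.
report_string_match() {
    rc=0; string_match_status "$1" "$2" "$3" || rc=$?
    case $rc in
        0) echo "kernel match and iptables library both present: check rule syntax" ;;
        1) echo "kernel has the match but iptables lacks libipt_string.so: rebuild/patch iptables" ;;
        2) echo "iptables has the library but the kernel lacks the match: rebuild kernel" ;;
        3) echo "string match installed on neither side" ;;
    esac
    sizes=$(string_match_size_mismatch "${4:-/var/log/syslog}" 2>/dev/null) &&
        echo "kernel rejected match struct: userspace sent ${sizes% *} bytes, kernel expects ${sizes#* } (version mismatch)"
    return $rc
}

report_string_match || true
```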
ASKER
I would have expected something like "Module not loaded" or "Feature not available" instead of a syntax error. Peculiar that the parser knows about the string matching though the module is not installed.