
iptables string matching failure

Dr. Klahn asked:
2,621 views. Last modified: 2008-01-09
I am having some trouble getting string matching to work.  Attempting a string match returns "Invalid argument."

Trying "iptables -m string --help" works as shown below.
Trying "iptables --string "foo" --help" fails as shown below.

String matching should be available in this (custom) kernel,

config-2.6.18.1:CONFIG_NETFILTER_XT_MATCH_STRING=y

but the error message seems to imply that it is not.

Am I correct in assuming that only part of string matching is available in my kernel, and that I need to rebuild with more support, or am I missing something simple?

(Further information discovered by accident:  Messages in syslog.  Appended at bottom.)

# iptables -m string --help
iptables v1.2.11
<much text removed>
STRING match v1.2.11 options:
--string [!] string          Match a string in a packet
--hex-string [!] string      Match a hex string in a packet
# iptables -X
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# iptables -v -t filter -N RobotLockouts
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RobotLockouts (0 references)
target     prot opt source               destination
# iptables -v -j REJECT -t filter -A RobotLockouts -p tcp --dport 80 -m string --string "Wget"
REJECT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 STRING match "Wget" reject-with icmp-port-unreachable
iptables: Invalid argument
# iptables -v -v -j REJECT -t filter -A RobotLockouts -p tcp --dport 80 -m string --string "Wget"
REJECT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 STRING match "Wget" reject-with icmp-port-unreachable
libiptc v1.2.11.  7 entries, 1428 bytes.
Table `filter'
Hooks: pre/in/fwd/out/post = 0/0/148/296/0
Underflows: pre/in/fwd/out/post = 0/0/148/296/0
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 360037 packets, 126909677 bytes
Cache: 00000000
Target name: `' [36]
verdict=NF_ACCEPT

Entry 1 (148):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [36]
verdict=NF_ACCEPT

Entry 2 (296):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 372020 packets, 122661953 bytes
Cache: 00000000
Target name: `' [36]
verdict=NF_ACCEPT

Entry 3 (444):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`RobotLockouts'

Entry 4 (620):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 6
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00004420 UNKNOWN IP_PROTO IP_DST_PT
Match name: `tcp'
Match name: `string'
Target name: `REJECT' [36]

Entry 5 (1104):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [36]
verdict=RETURN

Entry 6 (1252):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`ERROR'

iptables: Invalid argument
# iptables --string "foo" --help
iptables v1.2.11: Unknown arg `--string'
Try `iptables -h' or 'iptables --help' for more information.

=============================

# tail syslog
Jan 23 01:20:54  last message repeated 2 times
Jan 23 01:22:29  last message repeated 2 times
Jan 23 01:23:42  last message repeated 3 times
Jan 23 01:24:47  kernel: ip_tables: string match: invalid size 160 != 260
Jan 23 01:28:00  kernel: ip_tables: string match: invalid size 160 != 260
Jan 23 01:29:17  kernel: ip_tables: string match: invalid size 160 != 260
Jan 23 01:30:21  last message repeated 4 times
Jan 23 01:32:27  last message repeated 2 times
Jan 23 01:34:14  kernel: ip_tables: string match: invalid size 160 != 260
Jan 23 01:38:19  last message repeated 3 times

system administrator (Top Expert 2007)
Commented:
Dr. Klahn, Principal Software Engineer (Certified Expert, Author)
Commented:
Per Isaac Asimov, "O. Dam"

I would have expected something like "Module not loaded" or "Feature not available" instead of a syntax error.  Peculiar that the parser knows about the string matching though the module is not installed.
Arty, system administrator (Top Expert 2007)
Commented:
I have had the 'invalid argument' error also when an incorrect iptables was used.

Let me explain. There are two kinds of modules when you work with 'iptables'.
1) Kernel modules, which you may find in /lib/modules/`uname -r`/kernel/net/netfilter
2) iptables modules, which you may find in /lib/iptables/

If you have *_string* in both directories, most probably everything is correctly installed, but you have incorrect syntax. If you have no /lib/iptables/libipt_string.so, but have /lib/modules/`uname -r`/kernel/net/netfilter/xt_string.ko, then you should patch iptables with patch-o-matic and install a new iptables binary+libs.
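An added diagnostic script (not code from this thread) that runs Arty's two-directory check and also reads the "invalid size" line from the question's syslog, which is the kernel's x_tables size check rejecting a string-match structure whose userspace layout differs from the kernel module's. It assumes the first number in that line is the size the kernel expects and the second the size the iptables extension passed; the default paths are the ones Arty names, and the sample log lines are constructed from the question's excerpt.

```shell
#!/bin/sh
# Added diagnostic for iptables string-match problems; not code from the thread.
# Report which pieces of string matching are installed.
#   $1 = iptables userspace extension dir, $2 = kernel netfilter module dir,
#   $3 = kernel config file (used to detect a built-in =y match)
string_match_status() {
    libdir=$1 moddir=$2 config=$3
    have_lib=no have_mod=no
    # userspace extension under its old (libipt_) or newer (libxt_) name
    if [ -e "$libdir/libipt_string.so" ] || [ -e "$libdir/libxt_string.so" ]; then
        have_lib=yes
    fi
    # kernel side: a loadable module, or compiled in per the config
    if [ -e "$moddir/xt_string.ko" ] || [ -e "$moddir/ipt_string.ko" ]; then
        have_mod=yes
    elif [ -r "$config" ] && grep -q '^CONFIG_NETFILTER_XT_MATCH_STRING=y' "$config"; then
        have_mod=builtin
    fi
    case "$have_lib,$have_mod" in
        yes,no)            echo "userspace-only" ;;  # --help works, kernel cannot match
        no,yes|no,builtin) echo "kernel-only" ;;     # rebuild iptables (patch-o-matic)
        no,no)             echo "missing" ;;
        *)                 echo "both-present" ;;    # now check the log for a size mismatch
    esac
}
# Read kernel log text on stdin and pull the sizes out of the first
# "string match: invalid size A != B" line. Assumption: A is the size the
# kernel module expects, B the size the userspace extension passed in.
string_match_size_check() {
    sizes=$(sed -n 's/.*string match: invalid size \([0-9][0-9]*\) != \([0-9][0-9]*\).*/\1 \2/p' | head -n 1)
    if [ -z "$sizes" ]; then
        echo "no-mismatch"
        return 0
    fi
    set -- $sizes
    echo "mismatch kernel=$1 userspace=$2"  # e.g. mismatch kernel=160 userspace=260
}
# Constructed sample modelled on the syslog excerpt in the question.
SAMPLE_LOG='Jan 23 01:24:47  kernel: ip_tables: string match: invalid size 160 != 260
Jan 23 01:28:00  kernel: ip_tables: string match: invalid size 160 != 260'
if [ "${1:-}" = "--live" ]; then
    # Run against this host using the directories named in the answer above.
    string_match_status /lib/iptables "/lib/modules/$(uname -r)/kernel/net/netfilter" \
        "/boot/config-$(uname -r)"
    dmesg | string_match_size_check
else
    printf '%s\n' "$SAMPLE_LOG" | string_match_size_check
fi
```

Run with `--live` on the affected host to test the real directories and kernel log; without it the script only evaluates the constructed sample.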
