I'm trying to get the 'from' and 'to' offsets to use in my iptables rule with the string match module. Here is the packet output from the tcpdump tool:
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:49:49.631211 IP xxx.xxx.xxx.xxx.57625 > xxx.xxx.xxx.xxx.13333: Flags [S], seq 1036987151, win 29200, options [mss 1460,sackOK,TS val 770422252 ecr 0,nop,wscale 7], length 0
0x0000: 4514 003c 9ee3 4000 3a06 9772 bca5 2e4d E..<..@.:..r...M
0x0010: b009 6f56 e119 2f4f 3dcf 2b0f 0000 0000 ..oV../O=.+.....
0x0020: a002 7210 6e7e 0000 0204 05b4 0402 080a ..r.n~..........
0x0030: 2deb b5ec 0000 0000 0103 0307 -...........
The hex units whose start and end positions I'm looking for are:
bca5 2e4d b009 6f56
My aim is to get this iptables rule to work properly:
iptables -A INPUT -p tcp --dport 13333 -m string --from xx --to yy --algo bm --hex-string "|bca52e4db0096f56|" -j DROP
By the way, my rule is already working fine without the from/to offsets.
Any help will be appreciated. Best regards.
To answer your original question, you may use:
iptables -A INPUT -p tcp --dport 13333 -m string --from 12 --to 20 --algo bm --hex-string "|bca52e4db0096f56|" -j DROP
But there is more to the final answer, since you want to improve the efficiency of iptables by adding these two options.
What I found is a little disappointing: it seems that the --to option doesn't work.
Here is the relevant content of man iptables on CentOS release 6.5 (Final):
--from offset
Set the offset from which it starts looking for any matching. If not passed, default is 0.
--to offset
Set the offset from which it starts looking for any matching. If not passed, default is the packet size.
As you see, the description of the --to option is wrong, and so is the result of my experiment using the --to option. However, the --from option works fine, as described.
The final answer is that this part of the bad packet is the source IP and destination IP of the IP header, so you may use (I don't use the IPs from the packet in your question for privacy reasons, but they are already exposed, so maybe you should edit your question):
iptables -A INPUT -p tcp --dport 13333 -s xx.xx.xx.xx -d xx.xx.xx.xx -j DROP
Update: use the u32 module:
iptables -A INPUT -p tcp --dport 13333 -m u32 --u32 "12=0xbca52e4d && 16=0xb0096f56" -j DROP
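As an added example (this is not the answerer's or the asker's code), here is a small Python script that reads the tcpdump -x dump from the question, finds the byte offsets of a hex pattern, decodes the IPv4 addresses that the pattern turns out to be, and emits both the --from/--to values for -m string and an equivalent -m u32 expression. It goes beyond the aligned case in the answer by generating a masked u32 test when the pattern does not start or end on a 4-byte boundary. Offsets are counted from the first byte of the IP header, which is byte 0 of the dump. The function names and the 8-token-per-line parsing assumption are my own.

```python
import ipaddress
import re

# Hex dump taken from the question (tcpdump -x output). Byte 0 is the first
# byte of the IP header, which is also what -m string and -m u32 count from.
DUMP = """\
0x0000: 4514 003c 9ee3 4000 3a06 9772 bca5 2e4d E..<..@.:..r...M
0x0010: b009 6f56 e119 2f4f 3dcf 2b0f 0000 0000 ..oV../O=.+.....
0x0020: a002 7210 6e7e 0000 0204 05b4 0402 080a ..r.n~..........
0x0030: 2deb b5ec 0000 0000 0103 0307 -...........
"""

OFFSET_RE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s*(.*)$")
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{4}$|^[0-9a-fA-F]{2}$")


def parse_dump(text):
    """Turn tcpdump -x/-X lines into the packet bytes.

    Assumption: each line carries at most 8 hex groups (16 bytes); anything
    after that, or any token that is not plain hex, is the ASCII column."""
    data = bytearray()
    for line in text.splitlines():
        m = OFFSET_RE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(data):
            raise ValueError(f"dump offset {m.group(1)} does not follow previous line")
        for token in m.group(2).split()[:8]:
            if not HEX_TOKEN.match(token):
                break
            data += bytes.fromhex(token)
    return bytes(data)


def ip_addresses(data):
    """Return (src, dst) from the IPv4 header (bytes 12..15 and 16..19)."""
    if data[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (str(ipaddress.IPv4Address(data[12:16])),
            str(ipaddress.IPv4Address(data[16:20])))


def find_pattern(data, pattern):
    """Return (from, to) for -m string: 'from' is the first byte of the
    pattern, 'to' is one past its last byte (so --to 20 covers byte 19)."""
    start = data.find(pattern)
    if start < 0:
        raise ValueError("pattern not found in packet")
    return start, start + len(pattern)


def u32_expression(data, start, end):
    """Build a -m u32 test for data[start:end].

    u32 compares 32-bit words at the given offset; for spans that are not
    4-byte aligned a mask keeps only the bytes inside the span. A word that
    runs past the end of the packet makes the u32 match fail, so keep the
    span well inside the packet."""
    tests = []
    for word in range(start - start % 4, end, 4):
        value = mask = 0
        for pos in range(word, word + 4):
            value <<= 8
            mask <<= 8
            if start <= pos < end:
                mask |= 0xFF
                value |= data[pos]
        if mask == 0xFFFFFFFF:
            tests.append(f"{word}=0x{value:08x}")
        else:
            tests.append(f"{word}&0x{mask:08x}=0x{value:08x}")
    return " && ".join(tests)


def rules(data, pattern, dport=13333):
    """Emit the -m string rule with offsets and the equivalent -m u32 rule."""
    start, end = find_pattern(data, pattern)
    string_rule = (f"iptables -A INPUT -p tcp --dport {dport} -m string "
                   f"--from {start} --to {end} --algo bm "
                   f"--hex-string \"|{pattern.hex()}|\" -j DROP")
    u32_rule = (f"iptables -A INPUT -p tcp --dport {dport} -m u32 "
                f"--u32 \"{u32_expression(data, start, end)}\" -j DROP")
    return string_rule, u32_rule


if __name__ == "__main__":
    packet = parse_dump(DUMP)
    print("src/dst:", ip_addresses(packet))
    for rule in rules(packet, bytes.fromhex("bca52e4db0096f56")):
        print(rule)
```

Run it and copy the emitted rules. For the question's packet it reproduces the answer's `--from 12 --to 20` and `12=0xbca52e4d && 16=0xb0096f56`; the u32 form reads fixed words out of the IP header instead of running a Boyer-Moore search over the payload, which is why it is the cheaper rule when the bytes you care about sit at a known offset.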