I'm currently trying to learn about advanced setups with iptables on a xubuntu gateway. I found out that it's possible to filter on specific byte values within packets with the u32 module. For example I can detect a TLS 1.2 Client Hello message coming through the gateway with the next command
sudo iptables -I FORWARD 1 \
-p tcp \! -f --dport 443 \
-m state --state ESTABLISHED -m u32 --u32 \
"0>>22&0x3C@ 12>>26&0x3C@ 0 & 0xFFFFFF00=0x16030100 && \
0>>22&0x3C@ 12>>26&0x3C@ 2 & 0xFF=0x01 && \
0>>22&0x3C@ 12>>26&0x3C@ 7 & 0xFFFF=0x0303" \
-j LOG --log-prefix "TLS 1.2 Client Hello detected: "
However, sometimes it is better to use the PREROUTING table (e.g. for messages that should not be forwarded). But if I try
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -m u32 --u32 \
"0>>22&0x3C@ 12>>26&0x3C@ 0 & 0xFFFFFF00=0x16030100 && \
0>>22&0x3C@ 12>>26&0x3C@ 2 & 0xFF=0x01 && \
0>>22&0x3C@ 12>>26&0x3C@ 7 & 0xFFFF=0x0303" \
-j LOG --log-prefix "tls 1.2 detected"
I don't see any new lines coming in the log file, although client hello messages are visible in Wireshark. Does anyone know what I'm doing wrong or why u32 doesn't work with the PREROUTING table?
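To see what the u32 expression in the question actually inspects, the following is an added Python model (not from the original post) that evaluates the `>>`, `&`, `@`, `=` and `&&` subset of the u32 grammar against a raw IPv4 packet, the same way xt_u32 walks the IHL and the TCP data offset before reading the TLS bytes. The packet builder, the sample ClientHello bytes and every function name are constructed here for illustration.

```python
import re
import struct

# The u32 expression from the question: walk past the IPv4 header (IHL) and the
# TCP header (data offset), then test the TLS record and handshake headers.
TLS12_CLIENT_HELLO = (
    "0>>22&0x3C@ 12>>26&0x3C@ 0 & 0xFFFFFF00=0x16030100 && "
    "0>>22&0x3C@ 12>>26&0x3C@ 2 & 0xFF=0x01 && "
    "0>>22&0x3C@ 12>>26&0x3C@ 7 & 0xFFFF=0x0303"
)
_NUM = re.compile(r"0x[0-9a-fA-F]+|\d+")
_OPS = re.compile(r"(>>|&)(0x[0-9a-fA-F]+|\d+)")

def u32_segment(pkt: bytes, origin: int, seg: str) -> int:
    # One segment such as "12>>26&0x3C": read a big-endian 32-bit word at
    # origin+offset, then apply the shift/mask operators left to right.
    m = _NUM.match(seg)
    at = origin + int(m.group(0), 0)
    if at + 4 > len(pkt):
        raise IndexError("u32 read past end of packet")
    val = struct.unpack_from("!I", pkt, at)[0]
    for op, num in _OPS.findall(seg[m.end():]):
        val = val >> int(num, 0) if op == ">>" else val & int(num, 0)
    return val

def u32_match(pkt: bytes, expr: str) -> bool:
    """Evaluate the >>, &, @, = and && subset of u32 against a raw IPv4 packet."""
    for test in expr.split("&&"):
        lhs, rhs = test.replace(" ", "").rsplit("=", 1)
        segs, origin = lhs.split("@"), 0      # offset 0 = start of the IP header
        try:
            for seg in segs[:-1]:
                origin += u32_segment(pkt, origin, seg)  # '@' moves the origin
            if u32_segment(pkt, origin, segs[-1]) != int(rhs, 0):
                return False
        except IndexError:
            return False                          # packet too short: no match
    return True

def build_packet(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Constructed IPv4/TCP packet for testing (checksums left zero; u32 ignores them)."""
    tcp_len = 20 + len(tcp_options)
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 1, (tcp_len // 4) << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload), 0, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10]))
    return ip + tcp + tcp_options + payload

# Constructed TLS 1.2 ClientHello: record 16 03 01 <len16>, handshake 01 <len24>, version 03 03.
CLIENT_HELLO_TLS12 = bytes.fromhex("1603010031" "01" "00002d" "0303") + bytes(43)
CLIENT_HELLO_TLS10 = CLIENT_HELLO_TLS12[:9] + bytes.fromhex("0301") + CLIENT_HELLO_TLS12[11:]
```

Passing `build_packet(CLIENT_HELLO_TLS12, b"\x01" * 12)` shows that the second `@` correctly skips a 32-byte TCP header with options, while the TLS 1.0 variant and a packet with no payload do not match.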
The nat table is only consulted for the first packet of a connection. Check this response