Iptables String Matching for Advanced Firewalling.

Introduction.

When it comes to any server or network connected to the internet, security from malicious files and hack attempts is a matter of concern for any administrator. Linux provides its own firewall from the early releases itself. The current iptables firewall maintained by the netfilter team is advancing to more powerful security and network management tool with the recent releases.It will be a topic of interest for any linux based server/network administrator. This article covers effective configuration and optimization of the iptables firewall system in 2.6.x kernels in order to more effectively defend against TCP attacks and to drop unwanted packets without messing them up with your business critical services!!

Kernels from 2.6 include support for matching strings present in IP packets, inspecting the entire packet data. Earlier kernels supported matching at the IP header level only, which was a limitation as the rules can be formed only based on header values like IP addresses, ports, packet state etc. The netfilter iptables firewall system has undergone great advancements in the latest kernels, with the modified string matching option being more interesting among them for server administrators. The rules, based on string matching functions, are very easy to implement. This guide intends to introduce the method to users with a basic understanding of networking and iptables.

System Requirements.

  1. Preferred kernel version : 2.6.18 or later.
  2. The iptables program(1.3.5 or later) installed on your machine.
  3. The kernel should be compiled with string matching support. To do this, the following line should be added to the .config file prior to compiling the kernel:
    CONFIG_NETFILTER_XT_MATCH_STRING=m
    

If you use a pre-complied kernel, check for this option in the config file with the appropriate version of the kernel in your /boot directory. If present, it means that netfilter string matching is compiled as a module. Make sure that the module is loaded (using the lsmod command or by looking for the appropriate entry in the /proc/modules file). The minimum requirement is a 2.6.14 kernel, however it is a bit difficult to get it working on kernels before 2.6.18. Customising the kernel and iptables is required in that case. Suggested configuration options for older kernels can be detailed in another article, if there is demand.

Formating the Rules.

If iptables is installed with string matching support, its man page can be found with the following command:

iptables -m string -help
Here is the relevant section from the iptables(8) man page:

   string

         This  modules  matches  a  given string by using some
pattern matching strategy. It requires a linux kernel >= 2.6.14.

        --algo  bm|kmp

              Select the pattern matching strategy. (bm = Boyer-
Moore, kmp = Knuth-Pratt-Morris)


        --from offset

              Set the offset from which it starts looking for any
matching. If not passed, default is 0.

        --to offset

              Set the offset to which it starts looking for any
matching. If not passed, default  is  the

              packet size.

        --string pattern

              Matches the given pattern.  --hex-string pattern
Matches the given pattern in hex notation.


In iptables 1.3.5, you need to specify the algorithm to use for string matching using the --algo option. We may limit the search by specifying the offset values as well. Two algorithms can be used, Boyer-Moore and Knuth-Morris-Pratt. More information regarding these algorithms can be found at Wikipedia - for Boyer-Moore the URL is:

http://en.wikipedia.org/wiki/Boyer%E2%80%93Moore_string_search_algorithm

and for Knuth-Morris-Pratt the URL is:

http://en.wikipedia.org/wiki/Knuth%E2%80%93Morris%E2%80%93Pratt_algorithm

Boyer-Moore is efficient and fast and is preferable in most cases.

Common Applications and Useful Example Rules:

1) To prevent an intrusion attempt.

In case, a suspecious URL upload using the webserver was detected, You could frame similar rules as follows.
iptables -I INPUT 1 -p tcp --dport 80 -m string --string "cmd.exe" --algo bm -j DROP
The rule blocks all packets to port 80 containing the string cmd.exe. Mod_security is an option for the same, but it can be an overload to your busy webservers.

2) To defend DDOS to a service.

It is a common case where we need to drop requests to a domain when it is under DDOS. mod_dosevasive is an option, but it really overloads the webserver. String matching option can be utilized here without overloading the webserver.

iptables -I INPUT 1 -p tcp --dport 80 -m string --string "domain.com" --algo kmp -j DROP
The rule, blocks all web requests to domain.com. These rules can also be used in conjunction with other iptables matches and options depending on what is required.

3) To Defend against E-mail Spoofing.

We can make use of the string matching option in numerous cases to drop intruder and spam packets before they enter the server. Another instance for example is, if the mail server is receiving many spoofed e-mails with a common 'Subject'.If the spammer is using a unique IP address, it is very easy to block him using RBLs, conventional iptables rules etc. But when the spammer is using different IP addresses, it makes things difficult for the administrator.In such a case, the following string based rule can be added to the firewall so that the mail server will not get overloaded by the spoofed mails.
iptables -I INPUT -p tcp --dport 25 -m string --string "Subject" --algo bm -j DROP

**Do it now with an optimised rule!

The same rule might be modified to one with less overhead (that is, it uses less resources) by limiting the search specifying offset values, and by assuming that the SMTP subject header will be within an offset limit of 15000 in the packet.
iptables -I INPUT -p tcp --dport 25 -m string --string "Subject"  --algo bm --to 15000 -j DROP

4) Other general cases.

Apart from the instances discussed above, you can make use of the string matching options, wherever you need to manage the packets entering a server or network,based on strings like URLs, file names, file contents etc.

Conclusion.

The string matching option can be effectively utilized when a network needs to be filtered using strings. We can block the packets right at the kernel level itself without overloading your server applications. However, there is a higher overhead involved for the kernel with string matching, compared to other ordinary iptables matchings. Offset limits should be specified for searching wherever possible in order to reduce this overhead.

About Author

I am Krishnakumar, Freelance Linux server administrator. You can reach me at krishnakumarmec99@gmail.com.