I am trying to filter out the Nimda virus with the following rule:

    iptables -t filter -A INPUT -i $EXT_IFACE -p tcp -d $IP --dport http \
        -m string --string ".exe?/c+dir" -j REJECT --reject-with tcp-reset
My understanding is that when this rule sees a packet matching ".exe?/c+dir", it is supposed to send a TCP RST packet back to the sender that will close the connection. The packet is being blocked, but the TCP RST packet doesn't appear to go out. When I try this in practice, the connection stays in an ESTABLISHED state for about 5 minutes before the connection is dropped. I was working with a friend of mine using tcpdump, and it doesn't look like an RST packet is actually being sent out. Is this by design, or is my interpretation of the REJECT target wrong? I received one response to use Snort, but that doesn't answer why the REJECT target isn't working.

Regards,
Seann

P.S. I am running Linux 2.4.13 with iptables 1.2.4 in case that makes a difference.
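Added example, not from the original post: a small POSIX shell helper that checks a `tcpdump -n` text capture for RST segments leaving the protected host, so the "no RST went out" observation can be confirmed from the capture rather than by waiting for the 5-minute timeout. The interface name, server address (TEST-NET-1) and the capture lines are constructed placeholders.

```shell
#!/bin/sh
# Verify whether REJECT --reject-with tcp-reset actually emits an RST.
# Assumptions (not from the original post): EXT_IFACE and IP are placeholders,
# and the capture is tcpdump -n text output (old "R 0:0(0)" or new "Flags [R.]").
EXT_IFACE="${EXT_IFACE:-eth0}"    # placeholder interface
IP="${IP:-192.0.2.10}"            # placeholder server address (TEST-NET-1)

# Capture only RSTs sourced by the server: if the REJECT target works, every
# matched request should be followed by one of these.
capture_cmd() {
  echo "tcpdump -ni $EXT_IFACE -l 'tcp[tcpflags] & tcp-rst != 0 and src host $IP'"
}

# Count RST segments whose source is host $1 in tcpdump text read on stdin.
count_rst_from_host() {
  awk -v h="$1" '
    $0 ~ (h "\\.[0-9]+ >") && ($0 ~ /Flags \[R/ || $0 ~ /: R /) { n++ }
    END { print n + 0 }'
}

# Constructed sample: one matched request, then a server RST, then an
# unrelated handshake that must not be counted.
SAMPLE='12:00:01.000000 IP 198.51.100.5.40000 > 192.0.2.10.80: Flags [P.], seq 1:31, ack 1, win 64240, length 30: HTTP: GET /x.exe?/c+dir HTTP/1.0
12:00:01.000100 IP 192.0.2.10.80 > 198.51.100.5.40000: Flags [R.], seq 1, ack 31, win 0, length 0
12:00:02.000000 IP 198.51.100.5.40001 > 192.0.2.10.80: Flags [S], seq 0, win 64240, length 0
12:00:02.000100 IP 192.0.2.10.80 > 198.51.100.5.40001: Flags [S.], seq 0, ack 1, win 65535, length 0'

# Returns 0 when at least one RST from $IP is present in the sample capture.
rst_seen() {
  n=$(printf '%s\n' "$SAMPLE" | count_rst_from_host "$IP")
  [ "$n" -gt 0 ]
}

if rst_seen; then
  echo "RST from $IP seen in capture"
else
  echo "no RST from $IP; also compare packet counters: iptables -t filter -vnL INPUT"
fi
```

On the live box, run the command printed by `capture_cmd` while the rule is loaded and feed the saved output to `count_rst_from_host "$IP"`; a zero count alongside a rising packet counter on the REJECT rule confirms the symptom described above.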