Hello, I have a problem with this rule. I want to block with the string .mp3, and I have these rules:

/sbin/iptables -I INPUT 1 -m string --string ".mp3" --algo bm -j REJECT
/sbin/iptables -I OUTPUT 1 -m string --string ".mp3" --algo bm -j REJECT
/sbin/iptables -I FORWARD 1 -m string --string ".mp3" --algo bm -j REJECT

Why is it that I can still download .mp3 files? Any advice or further explanation about my rules in iptables?

[EMAIL PROTECTED] etc]# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            STRING match ".mp3" ALGO name bm TO 65535 reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere
eth0_in    all  --  anywhere             anywhere
eth1_in    all  --  anywhere             anywhere
eth2_in    all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            STRING match ".mp3" ALGO name bm TO 65535 reject-with icmp-port-unreachable
eth0_fwd   all  --  anywhere             anywhere
eth1_fwd   all  --  anywhere             anywhere
eth2_fwd   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            STRING match ".mp3" ALGO name bm TO 65535 reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            STRING match
ACCEPT     all  --  anywhere             anywhere
eth0_out   all  --  anywhere             anywhere
eth1_out   all  --  anywhere             anywhere
eth2_out   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain Drop (5 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid all --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            multiport dports epmap,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere            multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:ssdp
dropNotSyn tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain Reject (0 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid all --  anywhere             anywhere
reject     udp  --  anywhere             anywhere            multiport dports epmap,microsoft-ds
reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
reject     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
reject     tcp  --  anywhere             anywhere            multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:ssdp
dropNotSyn tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain all2all (7 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain dropBcast (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast

Chain dropInvalid (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID

Chain dropNotSyn (2 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (6 references)
target     prot opt source               destination

Chain eth0_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
net2all    all  --  anywhere             192.168.35.0/24
net2all    all  --  anywhere             192.168.71.0/24

Chain eth0_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
net2fw     all  --  anywhere             anywhere

Chain eth0_out (1 references)
target     prot opt source               destination
fw2net     all  --  anywhere             anywhere

Chain eth1_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
loc2net    all  --  192.168.35.0/24      anywhere
all2all    all  --  192.168.35.0/24      192.168.71.0/24

Chain eth1_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
loc2fw     all  --  192.168.35.0/24      anywhere

Chain eth1_out (1 references)
target     prot opt source               destination
all2all    all  --  anywhere             192.168.35.0/24

Chain eth2_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
loc12net   all  --  192.168.71.0/24      anywhere
all2all    all  --  192.168.71.0/24      192.168.35.0/24

Chain eth2_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
loc12fw    all  --  192.168.71.0/24      anywhere

Chain eth2_out (1 references)
target     prot opt source               destination
all2all    all  --  anywhere             192.168.71.0/24

Chain fw2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            multiport dports domain,rsync,ipp
ACCEPT     tcp  --  anywhere             anywhere            multiport dports domain,rsync,ircd,distinct,rockwell-csp2
ACCEPT     tcp  --  anywhere             anywhere            multiport dports pop3,ldap,nntp,hosts2-ns
ACCEPT     tcp  --  anywhere             anywhere            multiport dports imap,imap3,imaps,sip
ACCEPT     tcp  --  anywhere             anywhere            multiport dports http,https,ssh,smtp
ACCEPT     udp  --  anywhere             anywhere            udp dpts:33435:33535
ACCEPT     udp  --  anywhere             anywhere            multiport dports imaps,sip
ACCEPT     tcp  --  anywhere             192.168.35.0/24     multiport dports distinct,ipp,netbios-ssn,microsoft-ds,sunrpc
ACCEPT     udp  --  anywhere             192.168.35.0/24     multiport dports rlzdbase,sunrpc
ACCEPT     udp  --  anywhere             192.168.35.0/24     udp spt:mdbs_daemon
ACCEPT     tcp  --  anywhere             192.168.71.0/24     multiport dports distinct,ipp,netbios-ssn,microsoft-ds,sunrpc
ACCEPT     udp  --  anywhere             192.168.71.0/24     multiport dports rlzdbase,sunrpc
ACCEPT     udp  --  anywhere             192.168.71.0/24     udp spt:mdbs_daemon
ACCEPT     udp  --  anywhere             ns2.dil.bti.net.ph  udp spt:blackjack dpt:ddt
ACCEPT     tcp  --  anywhere             anywhere            multiport dports pgpkeyserver,webcache
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
all2all    all  --  anywhere             anywhere

Chain loc12fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            multiport dports ssh,smtp,auth,distinct
ACCEPT     tcp  --  anywhere             anywhere            multiport dports imap,imap3,imaps
ACCEPT     udp  --  anywhere             anywhere            multiport dports snmp,ntp,microsoft-ds
ACCEPT     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:squid
all2all    all  --  anywhere             anywhere

Chain loc12net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain loc2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            multiport dports ssh,smtp,auth,distinct
ACCEPT     tcp  --  anywhere             anywhere            multiport dports imap,imap3,imaps
ACCEPT     udp  --  anywhere             anywhere            multiport dports snmp,ntp,microsoft-ds
ACCEPT     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:squid
all2all    all  --  anywhere             anywhere

Chain loc2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:logdrop:DROP:'
DROP       all  --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:logreject:REJECT:'
reject     all  --  anywhere             anywhere

Chain net2all (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain net2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            multiport dports ssh,auth
ACCEPT     tcp  --  anywhere             anywhere            multiport dports smtp,distinct
DROP       tcp  --  anywhere             anywhere            tcp dpt:ms-sql-s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sip
ACCEPT     udp  --  anywhere             anywhere            udp dpt:sip
ACCEPT     udp  --  ns2.dil.bti.net.ph   anywhere            udp dpt:ddt
ACCEPT     udp  --  ns2.skyinet.net      anywhere            udp spt:domain
net2all    all  --  anywhere             anywhere

Chain reject (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain shorewall (0 references)
target     prot opt source               destination

Chain smurfs (0 references)
target     prot opt source               destination
LOG        all  --  202.78.84.63         anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  202.78.84.63         anywhere
LOG        all  --  203.177.104.47       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  203.177.104.47       anywhere
LOG        all  --  192.168.35.255       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  192.168.35.255       anywhere
LOG        all  --  192.168.71.255       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  192.168.71.255       anywhere
LOG        all  --  255.255.255.255      anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  255.255.255.255      anywhere
LOG        all  --  BASE-ADDRESS.MCAST.NET/4  anywhere       LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
[EMAIL PROTECTED] etc]#

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
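The post does not say why the downloads get through, but the behaviour of `-m string` itself explains most of the gap between what the rules are meant to do and what they can do: the match is a plain, case-sensitive byte search carried out on each packet independently, with no reassembly of the TCP stream and no knowledge of what the bytes mean. The Python model below is an added illustration of that semantics, not code from the post or from the iptables project; the HTTP segments are constructed samples, IP/TCP headers are omitted (the real match scans the whole packet from `--from` to `--to`, so the window handling is approximate), and the `icase` switch stands for the `--icase` option that newer iptables releases offer.

```python
"""Model of what `-m string --string ".mp3" --algo bm` checks on each packet.

Added illustration for the mailing-list question above; not the poster's code
and not the kernel's. Sample segments below are constructed.
"""

PATTERN = b".mp3"


def string_match(packet: bytes, pattern: bytes = PATTERN,
                 from_off: int = 0, to_off: int = 65535,
                 icase: bool = False) -> bool:
    """True if `pattern` occurs inside packet[from_off:to_off].

    Defaults mirror the listing (FROM 0, TO 65535). `--algo bm` versus
    `--algo kmp` only changes the search strategy, never the answer.
    `icase` models the optional --icase flag; the poster's rule does not
    use it, so the search is case-sensitive.
    """
    window = packet[from_off:to_off]
    if icase:
        window, pattern = window.lower(), pattern.lower()
    return window.find(pattern) != -1


def flow_rejected(segments, **kw) -> bool:
    """A flow is stopped only if SOME single segment contains the pattern.

    The kernel match is stateless: it never joins two segments together,
    so bytes that straddle a segment boundary are invisible to it.
    """
    return any(string_match(seg, **kw) for seg in segments)


# Constructed sample flows (TCP payloads only).
FLOWS = {
    "plain request, one segment":
        [b"GET /music/song.mp3 HTTP/1.1\r\nHost: example.test\r\n\r\n"],
    "uppercase extension":
        [b"GET /music/SONG.MP3 HTTP/1.1\r\nHost: example.test\r\n\r\n"],
    "request split across two segments":
        [b"GET /music/song.m",
         b"p3 HTTP/1.1\r\nHost: example.test\r\n\r\n"],
    "download by id, body is MP3 data":
        [b"GET /dl?id=4711 HTTP/1.1\r\nHost: example.test\r\n\r\n",
         b"HTTP/1.1 200 OK\r\nContent-Type: audio/mpeg\r\n\r\n"
         b"ID3\x03\x00" + b"\xff\xfb" * 8],
}


def evaluate(flows=FLOWS, **kw) -> dict:
    """Map each flow name to whether the modelled rule would REJECT it."""
    return {name: flow_rejected(segs, **kw) for name, segs in flows.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'REJECT' if hit else 'pass  '}  {name}")
    print("uppercase extension with --icase:",
          evaluate(icase=True)["uppercase extension"])
```

Only the first flow is rejected: the same file fetched with an uppercase extension, with the extension split over a segment boundary, or through a URL that never spells out ".mp3" passes untouched, and the audio bytes themselves contain nothing the pattern can hit. A quick check on the real box is `iptables -L INPUT -v -n`, which shows packet and byte counters per rule; if the REJECT line's counters stay at zero while a download succeeds, the traffic simply never carried the literal string in a single packet, and no reordering of the chains will change that.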

