Try this rule.
iptables -I OUTPUT -m string --string ".mp3" -p tcp --tcp-flags ACK ACK -j DROP
iptables -I FORWARD -m string --string ".mp3" -p tcp --tcp-flags ACK ACK -j DROP
iptables -I INPUT -m string --string ".mp3" -p tcp --tcp-flags ACK ACK -j DROP
"Allan T. Parreno" <[EMAIL PROTECTED]> wrote:
Hello,
I have a problem with this rule: I want to block the string .mp3, and I
have these rules,
/sbin/iptables -I INPUT 1 -m string --string ".mp3" --algo bm -j REJECT
/sbin/iptables -I OUTPUT 1 -m string --string ".mp3" --algo bm -j REJECT
/sbin/iptables -I FORWARD 1 -m string --string ".mp3" --algo bm -j REJECT
Why is it that I can still download .mp3 files? Any advice or further
explanation about my rules in iptables?
[EMAIL PROTECTED] etc]# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
REJECT all -- anywhere anywhere STRING match
".mp3" ALGO name bm TO 65535 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
eth0_in all -- anywhere anywhere
eth1_in all -- anywhere anywhere
eth2_in all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
Drop all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
REJECT all -- anywhere anywhere STRING match
".mp3" ALGO name bm TO 65535 reject-with icmp-port-unreachable
eth0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
eth2_fwd all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
Drop all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
REJECT all -- anywhere anywhere STRING match
".mp3" ALGO name bm TO 65535 reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere STRING match
ACCEPT all -- anywhere anywhere
eth0_out all -- anywhere anywhere
eth1_out all -- anywhere anywhere
eth2_out all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
Drop all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain Drop (5 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp
fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp
time-exceeded
dropInvalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport
dports epmap,microsoft-ds
DROP udp -- anywhere anywhere udp
dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp
spt:netbios-ns dpts:1024:65535
DROP tcp -- anywhere anywhere multiport
dports epmap,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:ssdp
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp
spt:domain
Chain Reject (0 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp
fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp
time-exceeded
dropInvalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport
dports epmap,microsoft-ds
reject udp -- anywhere anywhere udp
dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp
spt:netbios-ns dpts:1024:65535
reject tcp -- anywhere anywhere multiport
dports epmap,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:ssdp
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp
spt:domain
Chain all2all (7 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
Drop all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE =
broadcast
DROP all -- anywhere anywhere PKTTYPE =
multicast
Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp
flags:!FIN,SYN,RST,ACK/SYN
Chain dynamic (6 references)
target prot opt source destination
Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state
INVALID,NEW
net2all all -- anywhere 192.168.35.0/24
net2all all -- anywhere 192.168.71.0/24
Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state
INVALID,NEW
net2fw all -- anywhere anywhere
Chain eth0_out (1 references)
target prot opt source destination
fw2net all -- anywhere anywhere
Chain eth1_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state
INVALID,NEW
loc2net all -- 192.168.35.0/24 anywhere
all2all all -- 192.168.35.0/24 192.168.71.0/24
Chain eth1_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state
INVALID,NEW
loc2fw all -- 192.168.35.0/24 anywhere
Chain eth1_out (1 references)
target prot opt source destination
all2all all -- anywhere 192.168.35.0/24
Chain eth2_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state
INVALID,NEW
loc12net all -- 192.168.71.0/24 anywhere
all2all all -- 192.168.71.0/24 192.168.35.0/24
Chain eth2_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state
INVALID,NEW
loc12fw all -- 192.168.71.0/24 anywhere
Chain eth2_out (1 references)
target prot opt source destination
all2all all -- anywhere 192.168.71.0/24
Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere multiport
dports domain,rsync,ipp
ACCEPT tcp -- anywhere anywhere multiport
dports domain,rsync,ircd,distinct,rockwell-csp2
ACCEPT tcp -- anywhere anywhere multiport
dports pop3,ldap,nntp,hosts2-ns
ACCEPT tcp -- anywhere anywhere multiport
dports imap,imap3,imaps,sip
ACCEPT tcp -- anywhere anywhere multiport
dports http,https,ssh,smtp
ACCEPT udp -- anywhere anywhere udp
dpts:33435:33535
ACCEPT udp -- anywhere anywhere multiport
dports imaps,sip
ACCEPT tcp -- anywhere 192.168.35.0/24 multiport
dports distinct,ipp,netbios-ssn,microsoft-ds,sunrpc
ACCEPT udp -- anywhere 192.168.35.0/24 multiport
dports rlzdbase,sunrpc
ACCEPT udp -- anywhere 192.168.35.0/24 udp
spt:mdbs_daemon
ACCEPT tcp -- anywhere 192.168.71.0/24 multiport
dports distinct,ipp,netbios-ssn,microsoft-ds,sunrpc
ACCEPT udp -- anywhere 192.168.71.0/24 multiport
dports rlzdbase,sunrpc
ACCEPT udp -- anywhere 192.168.71.0/24 udp
spt:mdbs_daemon
ACCEPT udp -- anywhere ns2.dil.bti.net.ph udp
spt:blackjack dpt:ddt
ACCEPT tcp -- anywhere anywhere multiport
dports pgpkeyserver,webcache
ACCEPT tcp -- anywhere anywhere tcp dpt:http
all2all all -- anywhere anywhere
Chain loc12fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport
dports ssh,smtp,auth,distinct
ACCEPT tcp -- anywhere anywhere multiport
dports imap,imap3,imaps
ACCEPT udp -- anywhere anywhere multiport
dports snmp,ntp,microsoft-ds
ACCEPT udp -- anywhere anywhere udp
dpts:netbios-ns:netbios-ssn
ACCEPT icmp -- anywhere anywhere icmp
echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:squid
all2all all -- anywhere anywhere
Chain loc12net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport
dports ssh,smtp,auth,distinct
ACCEPT tcp -- anywhere anywhere multiport
dports imap,imap3,imaps
ACCEPT udp -- anywhere anywhere multiport
dports snmp,ntp,microsoft-ds
ACCEPT udp -- anywhere anywhere udp
dpts:netbios-ns:netbios-ssn
ACCEPT icmp -- anywhere anywhere icmp
echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:squid
all2all all -- anywhere anywhere
Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level
info prefix `Shorewall:logdrop:DROP:'
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level
info prefix `Shorewall:logreject:REJECT:'
reject all -- anywhere anywhere
Chain net2all (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
Drop all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport
dports ssh,auth
ACCEPT tcp -- anywhere anywhere multiport
dports smtp,distinct
DROP tcp -- anywhere anywhere tcp
dpt:ms-sql-s
ACCEPT tcp -- anywhere anywhere tcp dpt:sip
ACCEPT udp -- anywhere anywhere udp dpt:sip
ACCEPT udp -- ns2.dil.bti.net.ph anywhere udp dpt:ddt
ACCEPT udp -- ns2.skyinet.net anywhere udp
spt:domain
net2all all -- anywhere anywhere
Chain reject (7 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE =
broadcast
DROP all -- anywhere anywhere PKTTYPE =
multicast
DROP all -- 255.255.255.255 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT tcp -- anywhere anywhere reject-with
tcp-reset
REJECT udp -- anywhere anywhere reject-with
icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with
icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
Chain smurfs (0 references)
target prot opt source destination
LOG all -- 202.78.84.63 anywhere LOG level
info prefix `Shorewall:smurfs:DROP:'
DROP all -- 202.78.84.63 anywhere
LOG all -- 203.177.104.47 anywhere LOG level
info prefix `Shorewall:smurfs:DROP:'
DROP all -- 203.177.104.47 anywhere
LOG all -- 192.168.35.255 anywhere LOG level
info prefix `Shorewall:smurfs:DROP:'
DROP all -- 192.168.35.255 anywhere
LOG all -- 192.168.71.255 anywhere LOG level
info prefix `Shorewall:smurfs:DROP:'
DROP all -- 192.168.71.255 anywhere
LOG all -- 255.255.255.255 anywhere LOG level
info prefix `Shorewall:smurfs:DROP:'
DROP all -- 255.255.255.255 anywhere
LOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG
level info prefix `Shorewall:smurfs:DROP:'
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
[EMAIL PROTECTED] etc]#
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
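The question above is why a literal ".mp3" string match lets downloads through. The following simulation is an added example, not code from either poster: it mimics the per-packet, case-sensitive compare that `-m string` performs and contrasts it with a check on the reassembled, percent-decoded request line, using constructed HTTP requests rather than captured traffic.

```python
"""Added example (not from the thread): why a per-packet iptables
'-m string --string ".mp3"' rule can miss an .mp3 download, and what a
stream-level check looks like. All sample requests are constructed."""
from urllib.parse import unquote

NEEDLE = b".mp3"

def per_packet_match(segments, needle=NEEDLE):
    """Mimic xt_string: each TCP segment is searched on its own with a
    case-sensitive literal compare (the default, no --icase)."""
    return any(needle in seg for seg in segments)

def stream_match(segments, needle=NEEDLE):
    """What a reassembling inspector (proxy, IDS) can check: the request
    line of the reassembled stream, percent-decoded and case-folded."""
    stream = b"".join(segments)
    request_line = stream.split(b"\r\n", 1)[0]
    path = unquote(request_line.decode("latin-1")).lower()
    return needle.decode("latin-1") in path

def segmentize(payload, cut):
    """Split one request into two TCP segments at byte offset `cut`."""
    return [payload[:cut], payload[cut:]]

# Constructed HTTP requests (hypothetical host, not captured traffic).
PLAIN   = b"GET /music/track01.mp3 HTTP/1.1\r\nHost: example.com\r\n\r\n"
UPPER   = b"GET /music/TRACK01.MP3 HTTP/1.1\r\nHost: example.com\r\n\r\n"
ENCODED = b"GET /music/track01%2Emp3 HTTP/1.1\r\nHost: example.com\r\n\r\n"

def results():
    """Return {case: (per_packet, stream)} for each way the literal rule
    can miss: needle straddling a segment boundary, different case,
    and a percent-encoded dot in the path."""
    straddle = segmentize(PLAIN, PLAIN.index(NEEDLE) + 2)  # ".m" | "p3"
    cases = {
        "single_segment": [PLAIN],
        "straddles_boundary": straddle,
        "uppercase": [UPPER],
        "percent_encoded": [ENCODED],
    }
    return {k: (per_packet_match(v), stream_match(v)) for k, v in cases.items()}

if __name__ == "__main__":
    for name, (pkt, strm) in results().items():
        print(f"{name:20s} per-packet={pkt!s:5s} stream={strm}")
```

Only the first case is caught by the per-packet literal rule; the other three are caught only once the request is reassembled and normalised, which is why content filtering of this kind belongs in a proxy (the listing already accepts traffic to the squid port) rather than in a packet filter.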