iptables drop packet by hex string match

Posted by Flint on Server Fault See other posts from Server Fault or by Flint
Published on 2012-07-02T14:47:23Z Indexed on 2012/07/02 15:17 UTC
Read the original article Hit count: 305

Filed under:

iptables

|

tcpdump

|

packet

I got this packet captured with tcpdump but I'm not sure how to use the --hex-string param to match the packet. Can someone show me how to do it?

11:18:26.614537 IP (tos 0x0, ttl 17, id 19245, offset 0, flags [DF], proto UDP (17), length 37)
    x.x.187.207.1234 > x.x.152.202.6543: [no cksum] UDP, length 9
        0x0000:  f46d 0425 b202 000a b853 22cc 0800 4500  .m.%.....S"...E.
        0x0010:  0025 4b2d 4000 1111 0442 5ebe bbcf 6701  .%[email protected]^...g.
        0x0020:  98ca 697d 6989 0011 0000 ffff ffff 5630  ..i}i.........V0
        0x0030:  3230 3300 0000 0000 0000 0000            203.........

© Server Fault or respective owner

Related posts about iptables

Sometimes this script fails to update the iptables

as seen on Server Fault - Search for 'Server Fault'
It does not happen often, but sometimes after running the below script, checking the iptables with service iptables status shows that they weren't updated and the script doesn't output any error. The iptables is structured as look-up tree (long repeated sections snipped): #!/bin/sh iptables -t… >>> More
My current iptable configuration doesn't work [on hold]

as seen on Server Fault - Search for 'Server Fault'
sudo chkconfig iptables off /etc/init.d/iptables on ### Clear/flush iptables sudo iptables -F sudo iptables -P INPUT ACCEPT sudo iptables -P OUTPUT ACCEPT sudo iptables -P FORWARD ACCEPT ### Allow SSH iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables… >>> More
L2TP iptables port forward

as seen on Server Fault - Search for 'Server Fault'
Hi all, I'm setting up port forwarding for an L2TP VPN connection to the local Windows 2003 VPN server. The router is a simpel Debian machine with iptables. The VPN server works perfect. But I cannot log in from the WAN. I'm missing something. The VPN server is using a pre-shared key (L2TP) and… >>> More
iptables -P FORWARD DROP makes port forwarding slow

as seen on Server Fault - Search for 'Server Fault'
I have three computers, linked like this: box1 (ubuntu) box2 router & gateway (debian) box3 (opensuse) [10.0.1.1] ---- [10.0.1.18,10.0.2.18,10.0.3.18] ---- [10.0.3.15] | box4, www [10.0.2.1] Among other… >>> More
IPtables AWS EC2 NAT/Reverse NAT - For Reverse Proxy style setup but with IPtables

as seen on Server Fault - Search for 'Server Fault'
I was thinking initially needing to do a reverse proxy or something so I could get some SSL/TLS traffic look like it is being terminated at a server and IP address in the AWS cloud, and then that traffic is forwarded onto our actual web servers that aren't in the cloud... I've not done much iptables… >>> More

Related posts about tcpdump

Packet loss rate with iperf and tcpdump

as seen on Server Fault - Search for 'Server Fault'
I tested a line for its link quality with iperf. The measured speed (UDP port 9005) was 96Mbps, which is fine, because both servers are connected with 100Mbps to the internet. On the other hand the datagram loss rate was shown to be 3.3-3.7%, which I found a little too much. Using a high-speed transfer… >>> More
tcpdump filter that excludes private ip traffic

as seen on Server Fault - Search for 'Server Fault'
For a generic filter to exclude all traffic in my dump that is between private IP address, I came up with the following: sudo tcpdump -n ' (not ( (src net 172.16.0.0/20 or src net 10.0.0.0/8 or src net 192.168.0.0/16) and (dst net 172.16.0.0/20 or dst net 10.0.0.0/8 or dst… >>> More
How to Break Up Large tcpdump Files

as seen on Server Fault - Search for 'Server Fault'
Is there something that can break up tcpdump file after the captuure and make sure the breaks are on the border of packet data? Like -C but after the fact. >>> More
tcpdump on dd-wrt router

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm trying to capture packets from two devices on my network. I have tcpdump installed on my dd-wrt router and working correctly. However, the only packets I capture are broadcast packets when using a tcpdump statement that states only those two devices ./tcpdump -w /tmp/capture.pcap dst 192.168… >>> More
How can I log all traffic with its exact length?

as seen on Server Fault - Search for 'Server Fault'
I want to process all packets with their size going through our gateway server (running Debian 4.0). My idea is to use tcpdump, but I have two questions. The command I'm currently thinking of is tcpdump -i iface -n -t -q. Is it guaranteed that tcpdump will process all packets? What happens if… >>> More