Score:0

iptables - drop packet in FORWARD chain based on string match not working

cn flag

I am trying to forward traffic from one host to another. It's working, but I want to add a URL whitelist. The following iptables-save rules still block visits like http://host:8383/api/test

What am I missing?

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [7:517]
:POSTROUTING ACCEPT [2:161]
-A PREROUTING -p tcp -m tcp --dport 8383 -j DNAT --to-destination x.x.x.x:8001
-A POSTROUTING ! -s 127.0.0.1/32 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A FORWARD -p tcp  -m string --string "GET /api" --algo bm --icase -j ACCEPT
-P FORWARD DROP

COMMIT
sudo iptables -nvL
Chain INPUT (policy ACCEPT 49 packets, 2356 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 5 packets, 200 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "GET /api" ALGO name bm TO 65535 ICASE

Chain OUTPUT (policy ACCEPT 38 packets, 3060 bytes)
 pkts bytes target     prot opt in     out     source               destination
Tom Yan (in flag):
Here is the `tcpdump` of a simple curl from another host to my lighttpd server: https://paste.ubuntu.com/p/FCHsg4PmBR/, so no, you can't really "whitelist" it like that. That's not how TCP or HTTP works.
Tom Yan (in flag):
You might be able to *blacklist* certain `GET` with that kind of approach though.
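The two comments above make the point that a per-packet string match cannot act as a whitelist for a forwarded TCP connection, because the handshake segments carry no payload and so hit the DROP policy before any GET is ever sent. The following is an added example, not code from the question or the comments: a small Python model of the FORWARD chain that applies string rules to each segment of a simulated HTTP exchange, exactly as `-m string` does (no connection tracking, one verdict per packet). Packet contents, the `host:8383` header and the `/internal/status` path are constructed for the example.

```python
"""Model of iptables `-m string` matching on a forwarded TCP connection.

Added example (not from the original question). Assumptions: each packet is a
(direction, flags, payload) triple, both directions traverse FORWARD, rules are
evaluated per packet with no conntrack state, and the chain policy applies to
anything no rule accepts. Once a packet is dropped the client only retransmits
the same segment, which gets the same verdict, so the stream stalls there.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str        # "c->s" or "s->c"; both cross the FORWARD chain
    flags: str            # TCP flags of the segment
    payload: bytes = b""  # handshake segments carry no payload


@dataclass(frozen=True)
class StringRule:
    pattern: bytes
    target: str           # "ACCEPT" or "DROP"
    icase: bool = True    # like --icase

    def matches(self, pkt: Packet) -> bool:
        hay, needle = pkt.payload, self.pattern
        if self.icase:
            hay, needle = hay.lower(), needle.lower()
        return needle in hay  # per-packet substring search, like --algo bm


def forward_verdict(pkt: Packet, rules, policy: str) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def http_get_exchange(path: str, host: str = "host:8383"):
    """Constructed segments of one HTTP GET over a fresh TCP connection."""
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    return [
        Packet("c->s", "SYN"),            # handshake: no payload
        Packet("s->c", "SYN-ACK"),        # handshake: no payload
        Packet("c->s", "ACK"),            # handshake: no payload
        Packet("c->s", "PSH-ACK", req),   # the only segment containing "GET"
        Packet("s->c", "PSH-ACK", resp),  # reply never contains "GET /api"
    ]


def simulate(path: str, rules, policy: str) -> dict:
    """Run the exchange through the chain and report how far it gets."""
    verdicts = []
    for pkt in http_get_exchange(path):
        v = forward_verdict(pkt, rules, policy)
        verdicts.append((pkt.direction, pkt.flags, v))
        if v == "DROP":
            break  # retransmissions of this segment get the same verdict
    accepted = sum(1 for _, _, v in verdicts if v == "ACCEPT")
    return {
        "verdicts": verdicts,
        "established": accepted >= 3,        # SYN, SYN-ACK and ACK forwarded
        "request_delivered": accepted >= 4,
        "response_delivered": accepted >= 5,
    }


# The question's rule set: accept "GET /api", default policy DROP.
WHITELIST_RULES = [StringRule(b"GET /api", "ACCEPT")]
# The blacklist variant from the comment: default ACCEPT, drop a chosen prefix.
BLACKLIST_RULES = [StringRule(b"GET /internal", "DROP")]


if __name__ == "__main__":
    for label, path, rules, policy in [
        ("whitelist /api/test", "/api/test", WHITELIST_RULES, "DROP"),
        ("blacklist /api/test", "/api/test", BLACKLIST_RULES, "ACCEPT"),
        ("blacklist /internal/status", "/internal/status", BLACKLIST_RULES, "ACCEPT"),
    ]:
        result = simulate(path, rules, policy)
        print(label, result["verdicts"], "established:", result["established"])
```

With the whitelist rules the very first segment, the client's SYN, has no payload, matches nothing, and is dropped by the policy; the connection is never established, which is exactly what the `5 packets` counted against the FORWARD policy in the question's `iptables -nvL` output look like. With the blacklist rules the handshake and the response pass on the ACCEPT policy and only the segment carrying the unwanted request line is dropped. Keep in mind that `-m string` inspects one packet at a time, so a request line split across two segments is never seen as a whole; a transparent proxy, as suggested later in the thread, is the layer where a URL policy actually belongs.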
perlwle (cn flag):
Setting the policy to ACCEPT and then blacklisting works, but that's not what I want. Any other ideas?
us flag
IPTables matches only IP packets. To reach your target, you need TCP-level interception. Maybe the easiest one would be to create a transparent HTTP proxy with Squid.
perlwle (cn flag):
There seem to be other options. Squid, as suggested. I think a forward proxy using nginx might work too. It may have problems with the HTTPS protocol, though.
djdomi (za flag):
You're having a classic X-Y problem: what do you really want to solve?