Score:0

How to block dots "." in an iptables rule?

vn flag

I have this rule in my iptables to block domains ending with .watch:

sudo iptables -A OUTPUT -j DROP -m string --string ".watch" --algo kmp

But the problem is that the . cannot be matched. So the line above does not match anything. But if I remove the dot from .watch to watch it works okay.

How can I block the dots "." in iptables rules?

us flag
This is not the proper way for doing this. If you are expecting to block DNS queries for the domain, there are no dots to match in the query packets because of the way DNS protocol is implemented.
light9876 avatar
vn flag
Thank you @Tero. Do you know a better way of doing it than using `Dnsmasq`?
Score:3
jp flag

Syntactically, this seems correct, but your approach is not suitable for this purpose. The string patch matches a string anywhere in the packet:

  • You are dropping any packet that has watch or .watch anywhere. This is likely to cause false positives, and even introduces a new vector for denial of service attacks.
  • It cannot handle encrypted traffic. It is unable to block majority of web traffic.
  • Although you have relatively good options for the matching algorithm (bm Boyer–Moore & kmp Knuth–Pratt–Morris), the use of the string filter can still be compute intensive.

The documentation explicitly warns against this, too:

Please do use this match with caution. A lot of people want to use this match to stop worms, along with the DROP target. This is a major mistake. It would be defeated by any IDS evasion method.

In a similar fashion, a lot of people have been using this match as a mean to stop particular functions in HTTP like POST or GET by dropping any HTTP packet containing the string POST. Please understand that this job is better done by a filtering proxy. Additionally, any HTML content with the word POST would get dropped with the former method. This match has been designed to be able to queue to userland interesting packets for better analysis, that's all. Dropping packet based on this would be defeated by any IDS evasion method.

There are better alternatives for what you are trying to achieve:

  • DNS based filtering. Any DNS server can do this. E.g., Dnsmasq is a common lightweight DNS forwarder: you could just add address=/watch/0.0.0.0 to its configuration.
  • Web proxy based filtering.
light9876 avatar
vn flag
Thank you. What I am really trying to say is that the `.` cannot be blocked. For example, blocking string `"com"` blocks `serverfault.com`; but using `".com"` does not block the same website.
jp flag
I can understand that. What I am trying to tell is that you should stop enhancing your hammer for screwing and use a screwdriver, instead. :)
light9876 avatar
vn flag
It turned out that `/etc/hosts.deny` is deprecated. https://askubuntu.com/a/23225
jp flag
Thanks! I removed that.
Score:0
mo flag

DNS names are encoded as length prefixed labels (see rfc 1035 for details), so you need to use --hex-string "|05|watch|00|" to match names ending in .watch (note that the length is written as 2 hexadecimal digits, eg serverfault.com would be encoded as "|0b|serverfault|03|com|00|"). Note that this should be combined with -p udp and --destination-port 53 (or 5353 if matching .local addresses), otherwise it's likely to match lots of other unrelated packets.

DNS queries can also be made over TCP, but filtering TCP is more complex and existing comments about encrypted requests, and suggestions about using application level filtering with a DNS and/or web proxy still apply.

Nikita Kipriyanov avatar
za flag
Not only encryption obscures TCP, but fragmentation and segmentation already enough to defeat string match like this. Send the TCP request in at least two segments split in the middle of the word "watch" and you're done.
normanr avatar
mo flag
See also https://blog.cloudflare.com/bpf-the-forgotten-bytecode/ for other ways to match DNS packets
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.