Setting an iptables rule to drop a UDP that contain a string followed by two numbers betwen 10-89 in one rule

crixu

4/21/24, 9:25 PM

anyone knows if is possible to use only one rule to drop any UDP packet that contain a fixed characters followed by any number between 13 and 90. I tried string, hex-string, had a look at u32 but the offset inside the packet can be anything between 150-300...my understanding is that I can't do it if I don't have a specific one. No luck on setting numbers. At one point I just wanted to drop anything that contains two digits or two characters after that sequence.

iptables -I FORWARD -p udp --dport 3388:3389 -m string --string 'ichannel":-[1-8][0-9]' --algo bm -j DROP

This rule won't match anything. ichannel":- is the fixed text followed by 1, 2 or 3 numbers.

Any help is greatly appreciated. Thank you!

0 + 4

iptables

wildcard

djdomi

4/22/24, 7:44 PM

for the numbers could be used somekind of regex like a ? or *

A.B

4/23/24, 10:18 AM

With the limited scope of 2 numbers you could do a [loop unrolling](https://en.wikipedia.org/wiki/Loop_unrolling) and do ~ 80 string searches. With some optimization the worst number of tests could be shortened somewhat (~ 8+10 instead of ~ 8x10). Else you can filter traffic in userland with NFQUEUE but this requires creating such userland filter. Being exhaustive requires to test ten times more (a total of ~ 800 but possibly only 8+10+10 runtime done): to verify that for each 2 digits match, there's not a 3rd.

crixu

4/23/24, 5:15 PM

@djdomi no regex, I've tried but I don't have the module and can't install it, however I've read that's isn't the best option resource wise. Thanks for suggestion.

crixu

4/23/24, 5:18 PM

@A.B I had a look at the loop but is too much over my understanding. I need one line or a reduced number of lines because is annoying having over 80 lines and I have to scroll, re-scroll, etc. Thanks!

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Setting an iptables rule to drop a UDP that contain a string followed by two numbers betwen 10-89 in one rule

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.