# Iptables string matching help

## KaratemanTJ

Greetings,

I am fairly new to iptables and am having issues getting string matching working. I think I have enabled everything in the kernel that I need, but I can't figure it out.

I was hoping someone could walk me through enabling the required modules, etc. and figuring out what I'm missing.

Thanks in advance!

*Trevor

----------

## PaulBredbury

A code sample:

```
ipt=/usr/sbin/iptables

...

# http://thiemonagel.de/2006/02/preventing-brute-force-attacks-using-iptables-recent-matching/
# http://spamcleaner.org/en/misc/w00tw00t.html
# man iptables-extensions

$ipt -N httphack
$ipt -A httphack -j LOG --log-level warning --log-prefix "httphack: "
# Add to blacklist and drop
$ipt -A httphack -m recent --name blacklist --set -j DROP

$ipt -N httpcheck
# If in blacklist, then drop
$ipt -A httpcheck -m recent --name blacklist --rcheck --seconds 900 -j DROP
for s in "/w00tw00t.at." "/phpMyAdmin" "http://login." "/admin/" "/azenz" "/db/" "/pma/" "/web/" "/websql/" "/myadmin/" "/xampp/" "http://proxy" ; do
    $ipt -A httpcheck -m string --to 60 --algo bm --string "GET $s" -j httphack
done
$ipt -A httpcheck -m string --to 60 --algo bm --string "/sprawdza.php" -j httphack

# Check already-set-up HTTP connections (much more difficult to spoof)
$ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate RELATED,ESTABLISHED -j httpcheck
```

----------

## KaratemanTJ

```
Trevor-VPN-65 ~ # cat ipt_code_sample
ipt=/sbin/iptables

# http://thiemonagel.de/2006/02/preventing-brute-force-attacks-using-iptables-recent-matching/
# http://spamcleaner.org/en/misc/w00tw00t.html
# man iptables-extensions

$ipt -N httphack
$ipt -A httphack -j LOG --log-level warning --log-prefix "httphack: "
# Add to blacklist and drop
$ipt -A httphack -m recent --name blacklist --set -j DROP

$ipt -N httpcheck
# If in blacklist, then drop
$ipt -A httpcheck -m recent --name blacklist --rcheck --seconds 900 -j DROP
for s in "/w00tw00t.at." "/phpMyAdmin" "http://login." "/admin/" "/azenz" "/db/" "/pma/" "/web/" "/websql/" "/myadmin/" "/xampp/" "http://proxy" ; do
    $ipt -A httpcheck -m string --to 60 --algo bm --string "GET $s" -j httphack
done
$ipt -A httpcheck -m string --to 60 --algo bm --string "/sprawdza.php" -j httphack

# Check already-set-up HTTP connections (much more difficult to spoof)
$ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate RELATED,ESTABLISHED -j httpcheck

Trevor-VPN-65 ~ # . ipt_code_sample
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Trevor-VPN-65 ~ #
```


```
Trevor-VPN-65 ~ # iptables -F
Trevor-VPN-65 ~ # $ipt -N httphack
iptables: Chain already exists.
Trevor-VPN-65 ~ # $ipt -A httphack -j LOG --log-level warning --log-prefix "httphack: "
Trevor-VPN-65 ~ # $ipt -A httphack -m recent --name blacklist --set -j DROP
iptables: No chain/target/match by that name.
Trevor-VPN-65 ~ # $ipt -N httpcheck
iptables: Chain already exists.
Trevor-VPN-65 ~ # $ipt -A httphack -j LOG --log-level warning --log-prefix "httphack: "
Trevor-VPN-65 ~ # $ipt -A httphack -m recent --name blacklist --set -j DROP
iptables: No chain/target/match by that name.
Trevor-VPN-65 ~ # $ipt -N httpcheck
iptables: Chain already exists.
Trevor-VPN-65 ~ # $ipt -A httpcheck -m recent --name blacklist --rcheck --seconds 900 -j DROP
iptables: No chain/target/match by that name.
Trevor-VPN-65 ~ # for s in "/w00tw00t.at." "/phpMyAdmin" "http://login." "/admin/" "/azenz" "/db/" "/pma/" "/web/" "/websql/" "/myadmin/" "/xampp/" "http://proxy" ; do
> $ipt -A httpcheck -m string --to 60 --algo bm --string "GET $s" -j httphack
> done
Trevor-VPN-65 ~ # $ipt -A httpcheck -m string --to 60 --algo bm --string "/sprawdza.php" -j httphack
Trevor-VPN-65 ~ # $ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate RELATED,ESTABLISHED -j httpcheck
Trevor-VPN-65 ~ #
```

So it looks like string matching is working...? Just not the "recent" matching.  Does that sound right?

----------

## PaulBredbury

*KaratemanTJ wrote:*

> Trevor-VPN-65 ~ # $ipt -N httpcheck
> iptables: Chain already exists.

You want: `iptables -X`

man iptables will show what this does.

I think you need the kernel option:  NETFILTER_XT_MATCH_RECENT
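An added example, not from the thread and not iptables project code: a short shell script that checks a kernel `.config` for the options behind the matches used in this thread (`-m string` with `--algo bm`/`kmp`, `-m recent`, `-m conntrack`). The `CONFIG_` symbol names are the kernel's own; the list of which match needs which symbol is an editorial selection for these matches only, and the sample config it is run against is constructed, not taken from anyone's machine.

```shell
#!/bin/sh
# Added example (not from the thread or from iptables itself): report which
# kernel options behind the matches used in this thread are absent from a
# kernel .config.  Mapping (editorial selection, symbol names are the kernel's):
#   -m string     -> CONFIG_NETFILTER_XT_MATCH_STRING
#   --algo bm     -> CONFIG_TEXTSEARCH_BM
#   --algo kmp    -> CONFIG_TEXTSEARCH_KMP
#   -m recent     -> CONFIG_NETFILTER_XT_MATCH_RECENT
#   -m conntrack  -> CONFIG_NETFILTER_XT_MATCH_CONNTRACK
REQUIRED="CONFIG_NETFILTER_XT_MATCH_STRING
CONFIG_TEXTSEARCH_BM
CONFIG_TEXTSEARCH_KMP
CONFIG_NETFILTER_XT_MATCH_RECENT
CONFIG_NETFILTER_XT_MATCH_CONNTRACK"

# Print every required symbol that is neither built in (=y) nor a module (=m)
# in the given config file.  Returns 0 only when nothing is missing.
missing_opts() {
    cfg=$1
    rc=0
    for sym in $REQUIRED; do
        if ! grep -Eq "^${sym}=[ym]$" "$cfg"; then
            echo "$sym"
            rc=1
        fi
    done
    return $rc
}

# Locate the running kernel's config: /boot/config-<release>, or
# /proc/config.gz when CONFIG_IKCONFIG_PROC is enabled.  Prints a path or nothing.
running_config() {
    f="/boot/config-$(uname -r)"
    if [ -r "$f" ]; then
        echo "$f"
    elif [ -r /proc/config.gz ] && command -v zcat >/dev/null 2>&1; then
        t=$(mktemp)
        zcat /proc/config.gz > "$t" && echo "$t"
    fi
}

# Constructed sample config (not a real kernel's): string matching built as
# modules, conntrack built in, recent switched off.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_TEXTSEARCH_BM=m
CONFIG_TEXTSEARCH_KMP=m
# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
EOF

echo "Sample config is missing:"
missing_opts "$SAMPLE_CFG" || true   # prints CONFIG_NETFILTER_XT_MATCH_RECENT

# Same check against the kernel that is actually running, if its config is readable.
cfg=$(running_config)
if [ -n "$cfg" ]; then
    echo "Running kernel ($cfg) is missing:"
    missing_opts "$cfg" && echo "(nothing)"
fi
```

Anything the script lists has to be enabled and the kernel rebuilt; `=m` is enough, since the kernel asks for `xt_<match>` by module name when a rule references it. "iptables: No chain/target/match by that name." on a rule that names a match is the kernel reporting that this lookup failed, which is why in the transcript above only the two `-m recent` rules fail while the `-m string` rules go in.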

----------

## KaratemanTJ

Thanks for the help! Using a custom chain had solved the "No chain/target/match by that name." issues I was having before for a bit, but my issue is now that it seems to not actually be using the string match like it should.  I'm trying to do some NAT routing based on strings (HOST: hostnamehere).  If there's a nicer way of doing that I'd be interested in hearing about it, but until then I'll keep following this route...

My original method was by port and was setup like so:

```
Trevor-VPN-65 trevor # $ipt -t nat -A POSTROUTING -j MASQUERADE
Trevor-VPN-65 trevor # $ipt -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.9.7.4:80
```

This works nicely and forwards port 8080 to my webserver.  I have similar rules that forward other ports to different port on different servers/computers.  I would like to be able to forward based on strings in the packet.

I would assume something like this should work, but I'm having issues.

```
Trevor-VPN-65 trevor # $ipt -t nat -F
Trevor-VPN-65 trevor # $ipt -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Trevor-VPN-65 trevor # $ipt -t nat -N httpRedir
Trevor-VPN-65 trevor # $ipt -t nat -A PREROUTING -p tcp --dport 80 -j httpRedir
Trevor-VPN-65 trevor # $ipt -t nat -A POSTROUTING -j MASQUERADE
Trevor-VPN-65 trevor # $ipt -t nat -A httpRedir -p tcp -m string --string "teststring" --algo bn -j DNAT --to-destination 10.9.7.4:80
iptables: No chain/target/match by that name.
Trevor-VPN-65 trevor #
```

I'm pretty sure at one point I got a rule like that to work, or at least it didn't complain when I added it, but even then it wasn't actually working.

Any thoughts?  Thanks again for all your help, ipt is beginning to make a lot more sense than it used to! =)

*Trevor
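An added example, not from the thread and not iptables project code: the string rules written out as an `iptables-restore` file, with `--algo` checked before anything is handed to the kernel. `xt_string` accepts exactly two algorithms, `bm` and `kmp`; the `--algo bn` in the transcript above is neither. The backend address 10.9.7.4 is the thread's; the hostname, chain names and log prefix are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from iptables itself): build string
# matching rules in iptables-restore syntax, validating --algo first.
# 10.9.7.4 is from the thread; hostnames, chain names and prefixes are assumed.

# The kernel's textsearch infrastructure provides exactly these two algorithms.
valid_algo() {
    case "$1" in
        bm|kmp) return 0 ;;
        *)      return 1 ;;
    esac
}

# Build the "-m string" fragment for a literal pattern.  --icase makes the
# comparison case-insensitive (HTTP header names are).  With no --to the whole
# packet is scanned, so a Host header deep inside a long request still matches.
string_match() {
    algo=$1 pattern=$2
    if ! valid_algo "$algo"; then
        echo "string_match: unknown --algo '$algo' (use bm or kmp)" >&2
        return 1
    fi
    printf '%s' "-m string --algo $algo --icase --string \"$pattern\""
}

# filter-table rule: log packets of established HTTP connections that carry
# the given Host header.  This works because every packet of the connection,
# including the one carrying the request, traverses INPUT.
host_log_rule() {
    host=$1
    m=$(string_match bm "Host: $host") || return 1
    printf '%s\n' "-A hostcheck -p tcp --dport 80 -m conntrack --ctstate ESTABLISHED $m -j LOG --log-prefix \"httphost: \""
}

# nat-table rule as the thread intended it, with a valid algorithm.  It loads,
# but the nat table is consulted only for the packet that creates the
# connection (the TCP SYN), which carries no HTTP payload, so it never matches.
host_dnat_rule() {
    host=$1 backend=$2
    m=$(string_match bm "Host: $host") || return 1
    printf '%s\n' "-A httpRedir -p tcp $m -j DNAT --to-destination $backend"
}

# Complete filter table for review; load with: iptables-restore --noflush < file
render_filter() {
    echo '*filter'
    echo ':hostcheck - [0:0]'
    echo '-A INPUT -p tcp --dport 80 -j hostcheck'
    host_log_rule www.example.com
    echo 'COMMIT'
}

render_filter
# A bad algorithm is rejected here rather than by the kernel:
string_match bn 'Host: x' || echo "rejected, as expected"
```

Even with the typo fixed, DNAT keyed on the Host header cannot work this way. NAT decisions are made once per connection, on its first packet, and for TCP that is the SYN, which has no data for `-m string` to scan; the packet counter on such a rule in `iptables -t nat -vnL httpRedir` stays at zero while the jump from PREROUTING counts one hit per connection. Packets of an established connection can be matched in the filter table, as the LOG rule above does, but sending different hostnames on one port to different servers is reverse-proxy work (name-based virtual hosts), not something the nat table can do.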

----------

## KaratemanTJ

Help..? =(

Anyone have any advice?  I don't know where to go from here.

*Trevor

----------

