Category: LINUX
2012-05-15 09:53:49
iptables -I OUTPUT -p tcp -m string --string "qq.com" --algo bm -j DROP
iptables -I OUTPUT -p udp -m string --string "qq.com" --algo bm -j DROP
Common Applications and Useful Example Rules
1) To prevent an intrusion attempt.
In case a suspicious URL upload to the web server is detected, you could frame similar rules as follows.
iptables -I INPUT 1 -p tcp --dport 80 -m string --string "cmd.exe" --algo bm -j DROP
The rule blocks all packets to port 80 containing the string cmd.exe. mod_security is an option for the same, but it can be an overload on a busy web server.
2) To defend a service against DDoS.
It is a common case where we need to drop requests to a domain URL when it is under DDoS. mod_dosevasive is an option, but it really overloads the web server. The string matching option can be utilized here without overloading the web server.
iptables -I INPUT 1 -p tcp --dport 80 -m string --string "domain.com" --algo kmp -j DROP
The rule blocks all web requests to domain.com. These rules can also be used in conjunction with other iptables matches and options, depending on what is required.
3) To defend against e-mail spoofing.
We can make use of the string matching option in numerous cases to drop intruder and spam packets before they enter the server. Another instance, for example, is a mail server receiving many spoofed e-mails with a common 'Subject'. If the spammer is using a single IP address, it is very easy to block him using RBLs, conventional iptables rules, etc. But when the spammer is using different IP addresses, it makes things difficult for the administrator. In such a case, the following string-based rule can be added to the firewall so that the mail server will not get overloaded by the spoofed mails.
iptables -I INPUT -p tcp --dport 25 -m string --string "Subject" --algo bm -j DROP
Do it now with an optimised rule!
The same rule can be modified into one with less overhead (that is, it uses fewer resources) by limiting the search with offset values, assuming that the SMTP Subject header will lie within the first 15000 bytes of the packet.
iptables -I INPUT -p tcp --dport 25 -m string --string "Subject" --algo bm --to 15000 -j DROP
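To see what the two SMTP rules above actually match before deploying them, here is an added example (not part of the original post, and not iptables code) that emulates the "-m string" decision in a simplified way: offsets count from the IP header and the whole pattern must fit inside the scanned window; the packets and header lengths are constructed.

```python
# Simplified emulation of "iptables -m string": the pattern must lie wholly
# inside packet[from:to]; offsets are counted from the start of the IP header,
# as the kernel's skb_find_text() does. Constructed, not kernel code.
IP_HDR_LEN = 20    # constructed: IPv4 header without options
TCP_HDR_LEN = 20   # constructed: TCP header without options


def string_match(packet, pattern, frm=0, to=65535, icase=False):
    """Emulate --string PATTERN [--from FRM] [--to TO] [--icase] on one packet.

    The match is evaluated per packet: a header that does not start inside
    the window is simply not seen, which is what --to trades for speed.
    """
    window = packet[frm:to]
    if icase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def smtp_packet(headers):
    """Constructed TCP/25 packet: zeroed IP+TCP headers, then message headers."""
    return bytes(IP_HDR_LEN + TCP_HDR_LEN) + headers.encode("ascii")


# Constructed sample traffic: the spoofed mails share one Subject line.
SPAM = smtp_packet("From: x@example.org\r\nSubject: You won a prize\r\n\r\n")
LEGIT = smtp_packet("From: a@example.com\r\nSubject: Q2 budget\r\n\r\n")
# Subject header placed after a long preamble, past the --to 15000 window.
LATE_SUBJECT = smtp_packet("X-Pad: " + "a" * 15000 + "\r\nSubject: You won a prize\r\n")


def check_rule(pattern, **opts):
    """Return the names of the constructed packets the rule would DROP."""
    packets = {"spam": SPAM, "legit": LEGIT, "late_subject": LATE_SUBJECT}
    return sorted(n for n, p in packets.items() if string_match(p, pattern, **opts))


if __name__ == "__main__":
    # --string "Subject": drops every mail that carries a Subject header at all.
    print(check_rule(b"Subject"))                              # ['late_subject', 'legit', 'spam']
    # --to 15000 scans fewer bytes, at the cost of headers beyond the window.
    print(check_rule(b"Subject", to=15000))                    # ['legit', 'spam']
    # Matching the spoofed subject text itself leaves legitimate mail alone.
    print(check_rule(b"Subject: You won a prize", to=15000))   # ['spam']
    # RFC 5322 header names are case-insensitive, so --icase is worth adding.
    print(check_rule(b"subject: you won a prize", to=15000, icase=True))  # ['spam']
```

The takeaway for the rule on this page is that "Subject" alone matches every message, so the string should be the common subject text the spoofed mails actually share.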
4) Other general cases.
Apart from the instances discussed above, you can make use of the string matching options wherever you need to manage the packets entering a server or network based on strings such as URLs, file names, file contents, etc.
Conclusion.
The string matching option can be effectively utilized wherever a network needs to be filtered using strings. We can block the packets right at the kernel level itself, without overloading the server applications. However, string matching involves a higher overhead for the kernel than ordinary iptables matches. Offset limits should be specified for the search wherever possible in order to reduce this overhead.