Hi All,

I hope this is the correct place to ask about this, but can someone give me an example of blocking a certain application via the layer 7 patch and iproute/iptables?

For more of a specific example, I'm trying to block certain instant messaging clients on my network, and I have yet to find a way to do it (using mark or otherwise).

Any help would be greatly appreciated!

Thanks,
Derek

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Wednesday 27 August 2003 22:25, Derek wrote:
> I hope this is the correct place to ask about this, but can someone give
> me an example of blocking a certain application via the layer 7 patch
> and iproute/iptables?
>
> For more of a specific example, I'm trying to block certain instant
> messaging clients on my network, and I have yet to find a way to do it
> (using mark or otherwise).

Iptables can look at the packet contents. If you know how the clients are negotiating with the servers, you can block these packets. Or try to find out the ports and ip addresses and block these.

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
On Thu, 28 Aug 2003 19:54:41 +0200, Stef Coene <stef.coene@docum.org> wrote:
> Iptables can look at the packet contents. If you know how the clients
> are negotiating with the servers, you can block these packets. Or try to
> find out the ports and ip addresses and block these.

In patch-o-matic there is a module called string which matches if a string is present in the payload. Maybe you could use that, but I can't say if it's stable or not.

--
Julien Gateaud
Security Keepers S.A.
From the docs I've read, the U32 classifier itself can do this. May be worthwhile investigating.

Mohan

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Julien Gateaud
Sent: Friday, August 29, 2003 1:07 PM
To: Stef Coene; Derek; lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Layer 7 application blocking via tc/iptables?

In patch-o-matic there is a module called string which matches if a string is present in the payload. Maybe you could use that, but I can't say if it's stable or not.

--
Julien Gateaud
Security Keepers S.A.
On Friday 29 August 2003 10:26, S Mohan wrote:
> From the docs I've read, the U32 classifier itself can do this. May be
> worthwhile investigating.

Better, there is a patch so you can do layer 7 filtering directly. And it also uses netfilter for connection tracking.

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
On Fri, 29 Aug 2003 13:56:58 +0530, S Mohan <smohan@vsnl.com> wrote:
> From the docs I've read, the U32 classifier itself can do this. May be
> worthwhile investigating.

Yes, but it's not simple, because u32 can match at most 32 bits at a fixed offset. So if you want to check a string in layer 7 data you must know at which position it may appear, convert the string you want to check into hex numbers and create a filter like this:

string: "isthisstringpresent?"

hexadecimal representation: 69 73 74 68 69 73 73 74 72 69 6e 67 70 72 65 73 65 6e 74 3f 0a

filter:

    tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 \
        match ip protocol 6 0xff \
        match u32 0x69737468 0xffffffff at nexthdr+position \
        match u32 0x69737374 0xffffffff at nexthdr+position+4 \
        match u32 0x72696e67 0xffffffff at nexthdr+position+8 \
        match u32 0x70726573 0xffffffff at nexthdr+position+12 \
        match u32 0x656e743f 0xffffffff at nexthdr+position+16 \
        match u8 0x0a 0xff at nexthdr+position+20 \
        flowid ...

Using the string iptables module is much easier and doesn't require knowing the string's position.

--
Julien Gateaud
Security Keepers S.A.
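The hand conversion in Julien's message can be automated. The Python below is an added example, not code from the thread, from iproute2 or from the layer7 project: it emits the u32 "match" clauses for any byte string at any fixed offset, and goes beyond the aligned case shown above by also handling a start offset that is not a multiple of four (tc stores u32 keys only at 4-byte-aligned offsets and folds u8/u16 keys into the containing word, so the unaligned edges are matched with narrower keys). Everything beyond the string itself is an assumption: the string is taken to begin at nexthdr+20, i.e. directly after an option-less TCP header, and the device, parent and flowid values are placeholders.

```python
# Added example: generate tc u32 "match" clauses for a byte string at a fixed
# offset past the IP header, generalising the hand-built filter in the thread.
# Assumptions: u32 keys must sit at 4-byte-aligned offsets (u16/u8 keys are
# used for the unaligned edges); the offset is relative to "nexthdr+".

def u32_match_clauses(needle: bytes, offset: int, base: str = "nexthdr+") -> list:
    """Return 'match uN KEY MASK at OFFSET' clauses that together test that
    `needle` appears verbatim at byte `offset` relative to `base`."""
    clauses = []
    pos, n = 0, len(needle)

    # Leading bytes up to the next 4-byte boundary: one u8 key each.
    while pos < n and (offset + pos) % 4 != 0:
        clauses.append(f"match u8 0x{needle[pos]:02x} 0xff at {base}{offset + pos}")
        pos += 1

    # Aligned middle: whole 32-bit words, big-endian as they sit on the wire.
    while n - pos >= 4:
        word = int.from_bytes(needle[pos:pos + 4], "big")
        clauses.append(f"match u32 0x{word:08x} 0xffffffff at {base}{offset + pos}")
        pos += 4

    # Tail of one to three bytes: a u16 key, then a u8 key, as needed.
    if n - pos >= 2:
        half = int.from_bytes(needle[pos:pos + 2], "big")
        clauses.append(f"match u16 0x{half:04x} 0xffff at {base}{offset + pos}")
        pos += 2
    if n - pos == 1:
        clauses.append(f"match u8 0x{needle[pos]:02x} 0xff at {base}{offset + pos}")
        pos += 1
    return clauses


def tc_u32_filter(dev: str, parent: str, flowid: str,
                  needle: bytes, offset: int, prio: int = 1) -> str:
    """Assemble one complete, line-continued 'tc filter add' command that
    classifies IPv4/TCP packets carrying `needle` at `offset` into `flowid`."""
    head = f"tc filter add dev {dev} parent {parent} protocol ip prio {prio} u32"
    parts = [head, "match ip protocol 6 0xff"]  # IP protocol 6 is TCP
    parts += u32_match_clauses(needle, offset)
    parts.append(f"flowid {flowid}")
    return " \\\n    ".join(parts)


if __name__ == "__main__":
    # Constructed sample: the thread's string plus its trailing newline (0x0a),
    # assumed to start right after a 20-byte option-less TCP header.
    print(tc_u32_filter("eth0", "1:0", "1:8", b"isthisstringpresent?\n", offset=20))
```

The generated filter only classifies; turning a classification into a drop is the separate step Martin describes later in the thread (a blackhole table or a policer keyed on the fwmark). The fixed-offset assumption is the real weakness of this approach: TCP options shift the payload start, and the string must sit at the same place in every packet for the keys to line up.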
Hmm, I don't think I was clear enough in what I was asking (but thank you for the responses, still very informative).

I have a router/firewall running debian with a 2.5.75 kernel and the layer7 patch. Basically, I was wondering if someone could give me an example of blocking packets using the tc/ip/iptables commands based on the protocols in the layer7 patch. Something like:

Client sends AOL IM login request.
It gets to the firewall and gets dropped because the layer7 patch recognized it as an AOL packet.

--
Derek
On Sat, 2003-08-30 at 03:34, Derek wrote:
> I have a router/firewall running debian with a 2.5.75 kernel and the
> layer7 patch. Basically, I was wondering if someone could give me an
> example of blocking packets using the tc/ip/iptables commands based on
> the protocols in the layer7 patch. Something like
>
> Client sends AOL IM login request.
> It gets to the firewall and gets dropped because the layer7 patch
> recognized it as an AOL packet.

I think you were clear, but perhaps no-one here is familiar with this layer7 patch. I received many blank stares (I imagine) with my questions about iproute2 to begin with.

The u32 filter will do the job, but you will need to spend some time reading the docs, and pulling packets apart with ethereal.

u32 basically is a bit-filter. It will filter on any byte sequence that you specify, allowing great flexibility, while requiring a complete understanding of u32 /and/ the protocol you are acting on... unfortunately.. 8-)

/steve
Thanks, Steve,

After I got the byte patterns and such, how might I go about blocking that? I can't very well set the rate to 0k or anything like that, so I've been scratching my head on how to actually _block_ something with iproute2. Hmm, if I pull together enough info, maybe I'll throw together a HOWTO or something.

Thanks Again
Derek

--
Derek F
On Sat, 2003-08-30 at 08:07, Derek wrote:
> After I got the byte patterns and such, how might I go about
> blocking that? I can't very well set the rate to 0k or anything like
> that, so I've been scratching my head on how to actually _block_
> something with iproute2. Hmm, if I pull together enough info, maybe I'll
> throw together a HOWTO or something.

I don't know enough to spoonfeed you on this.

Google will help. Keywords:

    u32 examples iptables block match pattern

Try http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH06.web.html (see 6.4.4 u32 filter).

Consider using u32 to add a fwmark, and then an iptables entry to block all with that fwmark. You can place the fwmark on one machine, and then iptables block it on another if necessary.

HTH,
Steve
On Sat, Aug 30, 2003 at 08:28:38AM +1200, Steve Wright wrote:
> I don't know enough to spoonfeed you on this.
>
> Google will help. Keywords:
>
>     u32 examples iptables block match pattern

If you change some keywords and use "layer 7 filtering iptables", after some clicking you'll get at http://l7-filter.sourceforge.net/ which is somewhat less ugly than trying to parse packets using the u32 etc. filters. Haven't tried it yet though, but this has far more potential.

VrGr,
--
Jasper Spaans http://jsp.vs19.net/contact/
<== You ask questions, we make insults... ==>
<== http://www.insultant.nl/ ==>
Nicolas Orlando Nappe
2003-Aug-29 20:58 UTC
Re: Layer 7 application blocking via tc/iptables?
> You can place the fwmark on one machine, and then
> iptables block it on another if necessary.

Can you do that? AFAIK, the fwmark disappears when it leaves the machine.

Nicolas Nappe
: > You can place the fwmark on one machine, and then
: > iptables block it on another if necessary.
:
: Can you do that?

No.

: AFAIK, the fwmark disappears when it leaves the machine.

This is accurate. The fwmark is metadata and is only available on the box where the packet has been marked.

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
On Sat, 2003-08-30 at 11:24, Martin A. Brown wrote:
> : AFAIK, the fwmark disappears when it leaves the machine.
>
> This is accurate. The fwmark is metadata and is only available on the box
> where the packet has been marked.

Woops. Thanks for the correction, folks.

cheers,
Steve
Hi there Derek,

There are two approaches to dropping traffic once you have identified it. I'll assume you have identified with an fwmark the traffic you wish to drop.

: After I got the byte patterns and such, how might I go about blocking
: that? I can't very well set the rate to 0k or anything like that, so
: I've been scratching my head on how to actually _block_ something with
: iproute2.

You can route it to a blackhole or you can create a policer with a drop action.

Here are some examples, assuming an fwmark of 7:

    # echo "7 blackhole" >> /etc/iproute2/rt_tables
    # ip route add blackhole default table blackhole
    # ip rule add fwmark 7 table blackhole

This creates a routing table number 7 called "blackhole", which contains exactly one route, a default route to a blackhole. Now, simply add a rule to your RPDB to select this routing table for packets with fwmark 7, and you are dropping all of these packets.

If you'd prefer to use a policer, you can use something like this (untested):

    # tc filter add dev ppp0 parent 1:1 protocol ip \
    >     handle 7 fw flowid 1:8 \
    >     police rate 1bps burst 1 action drop/drop

With that said, why don't you just use a -j DROP netfilter target? Wouldn't that be easier if you are already using netfilter?

Best of luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
Just thought I would throw in one warning about the string match, which I haven't seen raised so far in this thread. Netfilter only works on a per packet basis, not on a stream basis. If you want to do any work on an application layer level, and remain certain that this policy will always be in effect... don't use the string match in netfilter :). One simple way of getting around that match is to simply set the MTU sufficiently small to not allow the whole string to be matched inside a single packet, and the rule/policy has been negated. And there are more ways, of course.

Anyways, just thought I should point this out if it is important to you that the policy is not broken.

On Fri, 29 Aug 2003, Martin A. Brown wrote:
> There are two approaches to dropping traffic once you have identified it.
> I'll assume you have identified with an fwmark the traffic you wish to
> drop.
[...]
> With that said, why don't you just use a -j DROP netfilter target?
> Wouldn't that be easier if you are already using netfilter?

--
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net
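Oskar's warning is easy to reproduce on paper. The Python below is an added illustration, not code from the thread or from netfilter: it models a per-packet payload match (each segment inspected on its own, as the string match does) beside a stream-aware match, and shows that the same byte string is missed by the first and caught by the second once the sending MSS is smaller than the string. All data is constructed: one application payload, a chosen needle, and a segment size standing in for the small MTU the message describes. The StreamMatcher class is a hypothetical bounded-memory design, not any real module's algorithm; it assumes in-order, non-overlapping segments, so a real reassembler would still have to cope with retransmissions and overlaps before feeding it.

```python
# Added example: per-packet versus stream-aware payload matching, with
# constructed data. Models the detection gap in a per-packet string match and
# the reassembly that closes it. Not the behaviour of any specific kernel module.

NEEDLE = b"isthisstringpresent?"                 # 20 bytes, constructed
PAYLOAD = b"hello, isthisstringpresent? yes it is"  # 37 bytes, constructed


def segment_payload(payload: bytes, mss: int) -> list:
    """Cut one application-layer payload into TCP segments of at most `mss`
    bytes, as a sender limited by a small MTU (hence small MSS) would."""
    if mss <= 0:
        raise ValueError("mss must be positive")
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def per_packet_match(segments, needle: bytes) -> bool:
    """Netfilter-style string match: every packet is inspected in isolation,
    so a needle that straddles a segment boundary is never seen whole."""
    return any(needle in seg for seg in segments)


def stream_match(segments, needle: bytes) -> bool:
    """Stream-aware match: reassemble the in-order segments, then search once."""
    return needle in b"".join(segments)


class StreamMatcher:
    """Hypothetical bounded-memory stream matcher: between packets it keeps only
    the last len(needle)-1 bytes, which is exactly enough to catch a needle split
    across two consecutive segments without buffering the whole stream."""

    def __init__(self, needle: bytes):
        self.needle = needle
        self.carry = b""
        self.hit = False

    def feed(self, segment: bytes) -> bool:
        window = self.carry + segment
        if self.needle in window:
            self.hit = True
        keep = len(self.needle) - 1
        self.carry = window[-keep:] if keep > 0 else b""
        return self.hit


def detection_gap(payload: bytes, needle: bytes, mss: int) -> dict:
    """Summarise what each approach sees for a given segment size."""
    segs = segment_payload(payload, mss)
    matcher = StreamMatcher(needle)
    incremental = [matcher.feed(s) for s in segs]
    return {
        "segments": len(segs),
        "per_packet": per_packet_match(segs, needle),
        "stream": stream_match(segs, needle),
        "incremental": incremental,
    }


if __name__ == "__main__":
    # Large MSS: the needle fits in one packet and both approaches agree.
    print(detection_gap(PAYLOAD, NEEDLE, mss=64))
    # Small MSS: the needle is split and only the stream-aware checks see it.
    print(detection_gap(PAYLOAD, NEEDLE, mss=16))
```

The point for anyone building policy on a string match is the third dictionary entry: with a 16-byte segment size the per-packet check reports False while both stream-aware checks report True, and the incremental matcher first fires on the second segment, which is the earliest packet at which any observer could know the string is present. A policy that must hold against a hostile client therefore needs the connection-level view, which is what Stef's remark about the layer 7 patch using netfilter connection tracking is pointing at.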