iptables string match

Discussion in 'Linux Networking' started by buck, Apr 1, 2013.

  1. buck

    buck Guest

    Is it possible to match a string in nat table PREROUTING? I suspect
    PREROUTING only sees new connections, so the content of the packet cannot
    be examined.

    If not in nat, can mangle be used to mark packets matching a string? If
    so, can such a marked packet be DNATted? How?
    buck, Apr 1, 2013

  2. PREROUTING sees all packets before routing, however, the nat table sees
    only the first packet of each connection.
    Should work.
    Yes and no. What do you want to achieve? If it is not the first packet of
    a "connection", DNATting probably does not do what you want.

    Martijn Lievaart, Apr 1, 2013

  3. buck

    buck Guest


    This may sound foolish, but there is very good reason for it.

    I run IBM OmniFind, which is the same crawler engine as Yahoo! uses to
    index web pages. I need to serve a substitute robots.txt when OmniFind
    asks a remote host for its robots.txt. The reason is that this is the
    fastest and most reliable way to purge from OmniFind those links that are
    404 or 410 (not found / gone).

    I have no control over when OmniFind requests robots.txt from that
    particular remote host, so debugging is difficult.

    What I've done is to set up a small web server on my gateway box that
    listens on port 1080 and serves only robots.txt (containing 559 bad links
    right now). I hope that something like

    iptables -t mangle -I PREROUTING -p tcp -m string --string robots.txt \
    -j MARK --set-mark 0x2
    iptables -t nat -I OUTPUT -p tcp -m mark --mark 0x2 -j REDIRECT \
    --to-ports 1080

    will cause the marked packets to be sent to my web server. And
    accomplish the objective...

    Note that the iptables "mangle" line above has been edited in hopes that
    removing a bunch of "stuff" will improve clarity with respect to what I'm
    trying to accomplish.
    buck, Apr 1, 2013
  4. This will never work. You cannot DNAT a connection that is already set up.

    0) The above will (try to) redirect all requests for robots.txt, why not
    just replace it on the target webserver?
    1) If OmniFind has a fixed IP, DNAT that (but that will redirect all
    requests, not just robots.txt)
    2) Put a transparent proxy on the gateway that redirects requests for
    robots.txt to your webserver and all other requests to the target

    Other stuff that may give you building blocks for a solution:
    - Does OmniFind have a unique agent identifier?
    - Target webserver is Apache? Many modules can customize what is

    Martijn Lievaart, Apr 2, 2013
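    The transparent-proxy option (2) above, as an added example that is not
    part of the thread and not code from either poster: a minimal HTTP proxy
    that answers any request for /robots.txt from a local substitute and
    relays every other request unchanged to the host named in the request.
    It assumes the gateway steers forwarded port-80 connections to it with a
    nat PREROUTING REDIRECT on the SYN, the one packet the nat table does
    see, so no payload string match is needed anywhere. The listen port,
    interface name and substitute robots.txt contents are made-up values.

```python
"""
Added example, not from the thread: a minimal transparent HTTP proxy that
serves a substitute robots.txt and forwards everything else to the origin.

Assumed (hypothetical) gateway rule that hands forwarded web traffic to
this proxy; it matches the first packet of each connection, which is all
the nat table ever sees, so the payload is never inspected by iptables:

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
        -j REDIRECT --to-ports 3128
"""
import socket
import threading

LISTEN_PORT = 3128  # assumed value
# Constructed sample content; the real list would be the site's dead links.
SUBSTITUTE_ROBOTS = (b"User-agent: *\n"
                     b"Disallow: /old/page-1.html\n"
                     b"Disallow: /old/page-2.html\n")
BAD_REQUEST = (b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n"
               b"Connection: close\r\n\r\n")


def parse_request_head(raw: bytes):
    """Return (method, path, host) from an HTTP/1.x request head, or None
    if the head is incomplete or malformed."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = raw[:end].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    # Absolute-form targets (http://host/path) carry the host in the URL.
    if target.lower().startswith("http://"):
        hostpart, _slash, path = target[7:].partition("/")
        host = host or hostpart
        target = "/" + path
    return method, target, host


def route(raw: bytes):
    """Decide what to do with one request head.
    Returns ('local', response_bytes) or ('forward', host, path)."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return ("local", BAD_REQUEST)
    method, path, host = parsed
    if method == "GET" and path.split("?", 1)[0] == "/robots.txt":
        body = SUBSTITUTE_ROBOTS
        head = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                f"Content-Length: {len(body)}\r\n"
                "Connection: close\r\n\r\n").encode("ascii")
        return ("local", head + body)
    if not host:
        return ("local", BAD_REQUEST)
    return ("forward", host, path)


def handle_client(conn: socket.socket) -> None:
    """Serve one client connection: read the request head, then either
    answer locally or relay the raw bytes to the origin and copy back."""
    with conn:
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 65536:
            chunk = conn.recv(4096)
            if not chunk:
                break
            raw += chunk
        decision = route(raw)
        if decision[0] == "local":
            conn.sendall(decision[1])
            return
        _, host, _path = decision
        hostname, _, port = host.partition(":")
        with socket.create_connection((hostname, int(port or 80)),
                                      timeout=10) as upstream:
            upstream.sendall(raw)  # request bytes are forwarded unchanged
            while True:
                data = upstream.recv(65536)
                if not data:
                    break
                conn.sendall(data)


def serve(port: int = LISTEN_PORT) -> None:
    """Accept loop; one thread per client."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(16)
        while True:
            client, _addr = srv.accept()
            threading.Thread(target=handle_client, args=(client,),
                             daemon=True).start()


if __name__ == "__main__":
    serve()
```

    The relay is deliberately one request per connection: it copies the
    origin's reply until the origin closes, so a keep-alive origin would
    hold the client open; a production version would force Connection:
    close or parse Content-Length. Because the proxy terminates the TCP
    connection itself, it sees the full request line and can decide on the
    path, which is exactly what the nat table cannot do on the SYN.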