* iptables http problems
@ 2006-04-27  9:38 Paolo Cerrito
  2006-04-27 12:02 ` David Vogt
  2006-04-28  6:05 ` Amin Azez
  0 siblings, 2 replies; 3+ messages in thread
From: Paolo Cerrito @ 2006-04-27  9:38 UTC (permalink / raw)
  To: netfilter-devel

Hi, I'm writing a userspace application using nfnetlink_queue. Can I
write an iptables rule that sends HTTP packets to a queue? The problem
is that I have to distinguish the packets for application layer protocols.
Is there a way to do that?

-- 
Created with the revolutionary Opera e-mail client:
http://www.opera.com/mail/


* Re: iptables http problems
  2006-04-27  9:38 iptables http problems Paolo Cerrito
@ 2006-04-27 12:02 ` David Vogt
  2006-04-28  6:05 ` Amin Azez
  1 sibling, 0 replies; 3+ messages in thread
From: David Vogt @ 2006-04-27 12:02 UTC (permalink / raw)
  To: Paolo Cerrito; +Cc: netfilter-devel

2006/4/27, Paolo Cerrito <paolo.cerrito@tin.it>:
> Hi, I'm writing a userspace application using nfnetlink_queue. Can I
> write an iptables rule that sends HTTP packets to a queue? The problem
> is that I have to distinguish the packets for application layer protocols.
> Is there a way to do that?

I am not sure if I understand correctly. Something like this?

$IPTABLES -t mangle -A INPUT -p TCP --sport 80 -j NFQUEUE --queue-num 1

David


* Re: iptables http problems
  2006-04-27  9:38 iptables http problems Paolo Cerrito
  2006-04-27 12:02 ` David Vogt
@ 2006-04-28  6:05 ` Amin Azez
  1 sibling, 0 replies; 3+ messages in thread
From: Amin Azez @ 2006-04-28  6:05 UTC (permalink / raw)
  To: netfilter-devel

Paolo Cerrito wrote:
> Hi, I'm writing a userspace application using nfnetlink_queue. Can I
> write an iptables rule that sends HTTP packets to a queue? The problem
> is that I have to distinguish the packets for application layer
> protocols. Is there a way to do that?

You could look at: http://l7-filter.sourceforge.net/
which is an iptables module that recognizes application layer protocols.

Be aware that it is hard to do reliable patterns for some applications,
and also that in order to recognize a layer 7 application iptables must
be monitoring the connection when it starts.

Any connections already active before the rule is active might not be
recognized.

Further, realize that it sometimes takes a few packets to gather enough
data to recognize the application layer protocol, especially if someone
is trying to hide their traffic by using very, very small packets. So you
may not recognize the application layer on the first packet, and so you
may not be able to use this for totally blocking data based on the
application layer, as some packets may get through before classification
is complete.

Sam
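As an added illustration of the classification timing Amin describes (this is not code from the thread and not l7-filter's own implementation), the Python sketch below tracks per-flow state the way a nfnetlink_queue consumer would: a flow whose start was missed is never classified, and a request line split into small segments is only recognised on the third packet, so the earlier packets carry no usable verdict. The HTTP pattern, the byte budget and the sample traffic are constructed assumptions.

```python
import re

# Constructed, simplified request-line pattern in the spirit of l7-filter's
# http signature (assumption: not l7-filter's actual regex).
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) [^\r\n]+ HTTP/1\.[01]\r\n")
MAX_UNCLASSIFIED_BYTES = 2048  # assumed budget before giving up on a flow


class FlowClassifier:
    """Per-flow layer-7 classifier recording what a queue consumer knows at
    each packet. Flow keys are (src, sport, dst, dport) tuples."""

    def __init__(self):
        self.flows = {}  # key -> {"buf": bytes, "label": str | None}

    def classify(self, key, syn, payload):
        """Return the label known for this flow after this packet: 'http',
        'other', 'unknown-midstream', or None while still undecided."""
        state = self.flows.get(key)
        if state is None:
            # First packet of this flow we have seen. If it is not the
            # connection start, the beginning was missed (rule added after
            # the connection was active), so the flow is never classified.
            state = self.flows[key] = {"buf": b"", "label": None}
            if not syn:
                state["label"] = "unknown-midstream"
        if state["label"] is not None:
            return state["label"]
        state["buf"] += payload
        if HTTP_REQUEST.match(state["buf"]):
            state["label"] = "http"
        elif len(state["buf"]) >= MAX_UNCLASSIFIED_BYTES:
            state["label"] = "other"
        return state["label"]


def run_queue(packets):
    """Feed (key, syn, payload) packets through one classifier and return the
    per-packet labels; None entries are packets a blocking rule would have
    had to pass before the flow's protocol was known."""
    clf = FlowClassifier()
    return [clf.classify(key, syn, payload) for key, syn, payload in packets]


# Constructed sample traffic: flow A is seen from its SYN and sends the HTTP
# request line in very small segments; flow B was already active (no SYN).
FLOW_A = ("10.0.0.5", 40000, "10.0.0.1", 80)
FLOW_B = ("10.0.0.6", 40001, "10.0.0.1", 80)
SAMPLE = [
    (FLOW_A, True, b""),
    (FLOW_A, False, b"GET "),
    (FLOW_A, False, b"/ HTTP/1.1\r\n"),
    (FLOW_B, False, b"GET / HTTP/1.1\r\n"),
]
```

Running `run_queue(SAMPLE)` yields `[None, None, 'http', 'unknown-midstream']`: two packets of flow A pass before it is known to be HTTP, and flow B is never classified.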

