IpTables Doesn't Do What I Expect

Support for security such as firewalls and securing Linux
Fatcatpro
Posts: 3
Joined: 2015/12/07 00:12:36

IpTables Doesn't Do What I Expect

Post by Fatcatpro » 2015/12/07 00:47:51

IPTables has me running in circles. What I am trying to do is accept all requests on my web server port 80 that are directed at my domain name and block all requests directed at the direct IP address.
I’m pretty sure the commands are right, but my understanding of IPTables must be wrong because it’s not doing what I expect.

For troubleshooting this is what I have:

Code:

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LOGGING

-A INPUT -p tcp -m tcp --dport 80 -m string --string vm1.mydomain.com --algo bm -j LOGGING
-A INPUT -p tcp -m tcp --dport 80 -j REJECT

-A LOGGING -m limit --limit 20/min -j LOG --log-prefix "IPTables-Passed-4:"
-A LOGGING -j ACCEPT

When I point my browser at my vm1.mydomain.com I get an immediate failure saying that I can’t connect (clearly being rejected) and no information in the log.

When I change it to this:

Code:

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LOGGING

-A INPUT -p tcp -m tcp --dport 80 -m string --string vm1.mydomain.com --algo bm -j LOGGING
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

-A LOGGING -m limit --limit 20/min -j LOG --log-prefix "IPTables-Passed-4:"
-A LOGGING -j ACCEPT

It connects as you would expect (because all traffic to port 80 is now accepted), but I also get the connection in the log with my prefix, so the string matching is working.

Why does the string matching work when set to accept all but not when set to reject?
Shouldn’t it match the first line of input, be moved to the logging chain, logged and then accepted? Shouldn’t the second input rule have no effect on it?

Where is my logic wrong?

Fatcatpro
Posts: 3
Joined: 2015/12/07 00:12:36

Re: IpTables Doesn't Do What I Expect

Post by Fatcatpro » 2015/12/07 01:50:03

Correction:
Have been testing with -P INPUT ACCEPT

Whoever
Posts: 1361
Joined: 2013/09/06 03:12:10

Re: IpTables Doesn't Do What I Expect

Post by Whoever » 2015/12/07 02:20:12

In the first case, you don't have a rule that ACCEPTs the packets that contain the string.

What you are trying to achieve is better done using your Apache config. Read the comments here:
http://www.netfilter.org/documentation/ ... tml#ss3.18

Fatcatpro
Posts: 3
Joined: 2015/12/07 00:12:36

Re: IpTables Doesn't Do What I Expect

Post by Fatcatpro » 2015/12/07 02:52:40

Thanks,
My end goal is to do this for a couple of separate services, which is why I am trying to do it in IPTables; I'm just starting with the web server.

Even simplified down to:

Code:

-A INPUT -p tcp -m tcp --dport 80 -m string --string "vm1.mydomain.com" --algo bm --to 65535 -j LOG --log-prefix "String-Mathced_ThenAccepted"
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Results in a connection and a log message: String-Mathced_ThenAccepted

Code:

-A INPUT -p tcp -m tcp --dport 80 -m string --string "vm1.mydomain.com" --algo bm --to 65535 -j LOG --log-prefix "String-Mathced_ThenDROP"
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable

Results in a rejected connection but no log message.

I don't understand why the first line would be affected by the second. They should be processed in order, right?
CentOS 6.5

Whoever
Posts: 1361
Joined: 2013/09/06 03:12:10

Re: IpTables Doesn't Do What I Expect

Post by Whoever » 2015/12/07 04:46:14

Looks like I misread your original posting.

I think that the problem is that the initial connection packets don't include the string that you are looking for. The string is only in the subsequent packets which are only sent if there is a successful connection.

dmunk
Posts: 37
Joined: 2016/03/16 03:33:49

Re: IpTables Doesn't Do What I Expect

Post by dmunk » 2016/03/17 05:11:11

Hello,

I agree with Whoever, do this in Apache, man. Using iptables to block using string matches is going to be a nightmare to manage, and Apache is just better at dealing with layer 4 anyway for web requests. Set a default domain in Apache and any calls to some.ip.address:80 will bounce to that. If you're looking to drop on a domain you can just do a DENY in the vhost file for the domain / web service you want to drop.
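The Apache-side approach dmunk describes, written out as an added example (not a configuration from this thread or from the Apache project): name-based vhosts in Apache 2.2 syntax, which is what CentOS 6 ships. The paths and the default ServerName are placeholders. Apache picks the first <VirtualHost> for an address:port as the default, so a request that arrives by bare IP address, or with any Host header that matches no ServerName, lands there and is denied; only requests that name vm1.mydomain.com reach the real site. Unlike the iptables string match, this decision is made after the TCP connection is up, on the parsed Host header.

```apache
# Added example: Apache 2.2 style name-based virtual hosts (CentOS 6).
NameVirtualHost *:80

# Default vhost: first one listed wins for unmatched Host headers and for
# requests made directly to the IP address. Everything here is denied (403).
<VirtualHost *:80>
    ServerName default.invalid            # placeholder name, never resolves
    DocumentRoot /var/www/empty           # placeholder, empty directory
    <Location />
        Order deny,allow
        Deny from all
    </Location>
    ErrorLog logs/default_error_log
    CustomLog logs/default_access_log combined
</VirtualHost>

# The real site, reachable only when the client sends Host: vm1.mydomain.com
<VirtualHost *:80>
    ServerName vm1.mydomain.com
    DocumentRoot /var/www/vm1             # placeholder
    ErrorLog logs/vm1_error_log
    CustomLog logs/vm1_access_log combined
</VirtualHost>
```

On Apache 2.4 the `Order`/`Deny` pair becomes `Require all denied`, and `NameVirtualHost` is no longer needed. The default vhost's access log is also the place to watch for scanners probing the server by IP address.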

dmunk
Posts: 37
Joined: 2016/03/16 03:33:49

Re: IpTables Doesn't Do What I Expect

Post by dmunk » 2016/03/17 05:19:48

I doubt highly that the below is even matching. Your rule layout is not using a RETURN or anything conditional anyways.

Code:

-A INPUT -p tcp -m tcp --dport 80 -m string --string "vm1.mydomain.com" --algo bm --to 65535 -j LOG --log-prefix "String-Mathced_ThenDROP"

So, that is great; however, why not just do the following (strictly sticking to what you're asking for rather than how it's not really a good idea, and no idea if that string is even matching):

Code:

-N APACHE_DROP
-A INPUT -p tcp -m tcp --dport 80 -m string --string "vm1.mydomain.com" --algo bm --to 65535 -j APACHE_DROP
-A APACHE_DROP -p tcp -m tcp --dport 80 -m string --string "vm1.mydomain.com" --algo bm --to 65535 -j LOG --log-prefix "String-Mathced_ThenDROP"
-A APACHE_DROP -p tcp -m tcp --dport 80 -m string --string "vm1.mydomain.com" --algo bm --to 65535 -j REJECT --reject-with icmp-net-prohibited
-A APACHE_DROP -j LOG --log-prefix "CATCHALL APACHE DROP"
-A APACHE_DROP -j DROP

The way iptables works is first come first served. If you don't see a log... the packet did not match the LOG jump. I bet you end up seeing "CATCHALL APACHE DROP" in your logs and not "String-Mathced_ThenDROP" using the above.
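Both explanations in this thread, Whoever's point that the connection's first packets carry no application data, and dmunk's point that iptables is first come first served, can be checked with a small model. The following is an added example, not code from any poster and not iptables itself: it parses the iptables-save style lines quoted in the first post, walks them the way the kernel does (first matching terminating target wins, LOG is non-terminating, a user-defined chain that runs out of rules returns to its caller, and the chain policy applies at the end), and replays a constructed TCP handshake followed by an HTTP request. The packet contents and the `-P INPUT ACCEPT` policy (per the poster's correction) are assumptions made for the model.

```python
"""Toy first-match model of the iptables INPUT chain, constructed for this
thread (not iptables, not any poster's code). It parses iptables-save style
lines, walks them as the kernel does (first match wins, LOG does not
terminate, a user chain falls back to its caller when exhausted) and replays
a constructed TCP handshake followed by an HTTP request."""
import shlex
from collections import namedtuple
from typing import List, Optional

Rule = namedtuple("Rule", "proto dport string target log_prefix")
# flags is descriptive only ("SYN", "ACK", "PSH,ACK"); payload is the TCP data.
Packet = namedtuple("Packet", "proto dport flags payload", defaults=[b""])

SETTERS = {"-p": "proto", "--dport": "dport", "--string": "string",
           "-j": "target", "--log-prefix": "log_prefix"}
SKIP_WITH_ARG = {"-m", "--algo", "--to", "--limit", "--reject-with"}  # not modelled
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(line: str):
    toks = shlex.split(line)                      # handles the quoted --log-prefix
    opts = {}
    for key, val in zip(toks[2::2], toks[3::2]):  # every option here takes one argument
        if key in SETTERS:
            opts[SETTERS[key]] = int(val) if key == "--dport" else val
        elif key not in SKIP_WITH_ARG:
            raise ValueError(f"unsupported option {key!r}: {line}")
    return toks[1], Rule(opts.get("proto"), opts.get("dport"), opts.get("string"),
                         opts["target"], opts.get("log_prefix"))

def parse_ruleset(text: str):
    chains, policies = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("-P "):
            _, chain, policy = line.split()
            policies[chain] = policy
        elif line.startswith("-N "):
            chains.setdefault(line.split()[1], [])
        elif line.startswith("-A "):
            chain, rule = parse_rule(line)
            chains.setdefault(chain, []).append(rule)
    return chains, policies

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    # -m string searches the packet's bytes; an empty SYN can never match.
    return rule.string is None or rule.string.encode() in pkt.payload

def walk(chain: str, pkt: Packet, chains: dict, log: List[str]) -> Optional[str]:
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":                  # non-terminating: record and go on
            log.append(rule.log_prefix or "")
            continue
        if rule.target in TERMINAL:
            return rule.target
        verdict = walk(rule.target, pkt, chains, log)   # jump into a user chain
        if verdict is not None:
            return verdict
    return None                                   # chain exhausted: caller or policy decides

def simulate(ruleset: str, packets: List[Packet]):
    """Replay packets in order and stop at the first non-ACCEPT verdict: a
    client whose SYN was rejected never gets to send its HTTP request."""
    chains, policies = parse_ruleset(ruleset)
    results = []
    for pkt in packets:
        log: List[str] = []
        verdict = walk("INPUT", pkt, chains, log) or policies.get("INPUT", "ACCEPT")
        results.append((pkt.flags, verdict, log))
        if verdict != "ACCEPT":
            break
    return results

# Constructed client traffic: the Host header exists only in the third packet.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: vm1.mydomain.com\r\n\r\n"
def handshake_then_request() -> List[Packet]:
    return [Packet("tcp", 80, "SYN"), Packet("tcp", 80, "ACK"),
            Packet("tcp", 80, "PSH,ACK", HTTP_REQUEST)]

# The first post's rules, with -P INPUT ACCEPT as the poster's correction states.
REJECT_VARIANT = """
-P INPUT ACCEPT
-N LOGGING
-A INPUT -p tcp -m tcp --dport 80 -m string --string vm1.mydomain.com --algo bm -j LOGGING
-A INPUT -p tcp -m tcp --dport 80 -j REJECT
-A LOGGING -m limit --limit 20/min -j LOG --log-prefix "IPTables-Passed-4:"
-A LOGGING -j ACCEPT
"""
ACCEPT_VARIANT = REJECT_VARIANT.replace("-j REJECT", "-j ACCEPT")

if __name__ == "__main__":
    for name, rules in (("REJECT", REJECT_VARIANT), ("ACCEPT", ACCEPT_VARIANT)):
        print(name, simulate(rules, handshake_then_request()))
```

With the REJECT variant the SYN has no payload, so the string rule cannot match it, the next rule rejects it, and the client never sends the request that contains the hostname; nothing is logged. With the ACCEPT variant the handshake passes on the second rule and only the third packet, carrying the Host header, enters LOGGING, where LOG records the prefix and the chain's ACCEPT ends evaluation. The same model explains why a string match can only ever act on an already-established connection, which is why the thread's advice to decide on the Host header in Apache is the sound one.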
