1

Topic: IP packets are not filtered with iptables + string and u32

Good afternoon.
I was given the task of detecting browser connections in iptables (or http connections, which is also an acceptable option).
I used the string module to search for part of the user-agent, "Mozilla", but without success - no packets at all.
I decided to try u32 - to look for "GET" in the first 4 bytes of the tcp payload. The rules used are below:

 root@mailsrv:/home/apostle# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 6 packets, 300 bytes)
 pkts bytes target prot opt in  out  source    destination
    0     0 LOG    tcp  !f  any any  anywhere  anywhere  connbytes 0:255 connbytes mode bytes connbytes direction original u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0=0x47455420" LOG level warning prefix "HTTP found:"
    0     0 LOG    all  --  any any  anywhere  anywhere  STRING match "Mozilla" ALGO name bm TO 65535 LOG level warning prefix "Mozilla found:"

I understand that there can be a situation where part of the user-agent arrives in one packet and the rest in another, but in this case I sent short requests and captured the packets with tcpdump:
[spoiler=IP packet]
[pre]
22:45:35.411119 IP (tos 0x0, ttl 64, id 18137, offset 0, flags [DF], proto TCP (6), length 899)
    10.80.0.10.56599 > 213.196.34.228.http: Flags [P.], cksum 0xd3c2 (correct), seq 0:847, ack 1, win 4128, options [nop,nop,TS val 1162492511 ecr 2937045181], length 847: HTTP, length: 847
	GET / HTTP/1.1
	Host: bash.im
	Accept-Encoding: gzip, deflate
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Cookie: __utma=266749469.1793131494.1502820966.1502820966.1502820966.1; __utmb=266749469.26.10.1502820966; __utmc=266749469; __utmz=266749469.1502820966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ym_isad=2; _ym_uid=1502820967166369670; _ym_visorc_18640348=w; abyss=1502820965; ls_abyssbest=%7B%22ts%22%3A1502824542%2C%22cnt%22%3A4637%2C%22id%22%3A298624%7D; ls_comics=%7B%22ts%22%3A1502744399%2C%22cnt%22%3A1570%2C%22id%22%3A20170814%7D; ls_index=%7B%22ts%22%3A1502824880%2C%22cnt%22%3A64149%2C%22id%22%3A446283%7D
	Connection: keep-alive
	Accept-Language: ru
	User-Agent: Mozilla/5.0 (iPad; CPU OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G36 Safari/601.1
	0x0000:  4500 0383 46d9 4000 4006 ed99 0a50 000a  E...F.@.@....P..
	0x0010:  d5c4 22e4 dd17 0050 d9ac f21a e09c 59a2  .."....P......Y.
	0x0020:  8018 1020 d3c2 0000 0101 080a 454a 3a5f  ............EJ:_
	0x0030:  af0f c0bd 4745 5420 2f20 4854 5450 2f31  ....GET./.HTTP/1
	0x0040:  2e31 0d0a 486f 7374 3a20 6261 7368 2e69  .1..Host:.bash.i
	0x0050:  6d0d 0a41 6363 6570 742d 456e 636f 6469  m..Accept-Encodi
	0x0060:  6e67 3a20 677a 6970 2c20 6465 666c 6174  ng:.gzip,.deflat
	0x0070:  650d 0a41 6363 6570 743a 2074 6578 742f  e..Accept:.text/
	0x0080:  6874 6d6c 2c61 7070 6c69 6361 7469 6f6e  html,application
	0x0090:  2f78 6874 6d6c 2b78 6d6c 2c61 7070 6c69  /xhtml+xml,appli
	0x00a0:  6361 7469 6f6e 2f78 6d6c 3b71 3d30 2e39  cation/xml;q=0.9
	0x00b0:  2c2a 2f2a 3b71 3d30 2e38 0d0a 436f 6f6b  ,*/*;q=0.8..Cook
	0x00c0:  6965 3a20 5f5f 7574 6d61 3d32 3636 3734  ie:.__utma=26674
	0x00d0:  3934 3639 2e31 3739 3331 3331 3439 342e  9469.1793131494.
	0x00e0:  3135 3032 3832 3039 3636 2e31 3530 3238  1502820966.15028
	0x00f0:  3230 3936 362e 3135 3032 3832 3039 3636  20966.1502820966
	0x0100:  2e31 3b20 5f5f 7574 6d62 3d32 3636 3734  .1;.__utmb=26674
	0x0110:  3934 3639 2e32 362e 3130 2e31 3530 3238  9469.26.10.15028
	0x0120:  3230 3936 363b 205f 5f75 746d 633d 3236  20966;.__utmc=26
	0x0130:  3637 3439 3436 393b 205f 5f75 746d 7a3d  6749469;.__utmz=
	0x0140:  3236 3637 3439 3436 392e 3135 3032 3832  266749469.150282
	0x0150:  3039 3636 2e31 2e31 2e75 746d 6373 723d  0966.1.1.utmcsr=
	0x0160:  2864 6972 6563 7429 7c75 746d 6363 6e3d  (direct)|utmccn=
	0x0170:  2864 6972 6563 7429 7c75 746d 636d 643d  (direct)|utmcmd=
	0x0180:  286e 6f6e 6529 3b20 5f79 6d5f 6973 6164  (none);._ym_isad
	0x0190:  3d32 3b20 5f79 6d5f 7569 643d 3135 3032  =2;._ym_uid=1502
	0x01a0:  3832 3039 3637 3136 3633 3639 3637 303b  820967166369670;
	0x01b0:  205f 796d 5f76 6973 6f72 635f 3138 3634  ._ym_visorc_1864
	0x01c0:  3033 3438 3d77 3b20 6162 7973 733d 3135  0348=w;.abyss=15
	0x01d0:  3032 3832 3039 3635 3b20 6c73 5f61 6279  02820965;.ls_aby
	0x01e0:  7373 6265 7374 3d25 3742 2532 3274 7325  ssbest=%7B%22ts%
	0x01f0:  3232 2533 4131 3530 3238 3234 3534 3225  22%3A1502824542%
	0x0200:  3243 2532 3263 6e74 2532 3225 3341 3436  2C%22cnt%22%3A46
	0x0210:  3337 2532 4325 3232 6964 2532 3225 3341  37%2C%22id%22%3A
	0x0220:  3239 3836 3234 2537 443b 206c 735f 636f  298624%7D;.ls_co
	0x0230:  6d69 6373 3d25 3742 2532 3274 7325 3232  mics=%7B%22ts%22
	0x0240:  2533 4131 3530 3237 3434 3339 3925 3243  %3A1502744399%2C
	0x0250:  2532 3263 6e74 2532 3225 3341 3135 3730  %22cnt%22%3A1570
	0x0260:  2532 4325 3232 6964 2532 3225 3341 3230  %2C%22id%22%3A20
	0x0270:  3137 3038 3134 2537 443b 206c 735f 696e  170814%7D;.ls_in
	0x0280:  6465 783d 2537 4225 3232 7473 2532 3225  dex=%7B%22ts%22%
	0x0290:  3341 3135 3032 3832 3438 3830 2532 4325  3A1502824880%2C%
	0x02a0:  3232 636e 7425 3232 2533 4136 3431 3439  22cnt%22%3A64149
	0x02b0:  2532 4325 3232 6964 2532 3225 3341 3434  %2C%22id%22%3A44
	0x02c0:  3632 3833 2537 440d 0a43 6f6e 6e65 6374  6283%7D..Connect
	0x02d0:  696f 6e3a 206b 6565 702d 616c 6976 650d  ion:.keep-alive.
	0x02e0:  0a41 6363 6570 742d 4c61 6e67 7561 6765  .Accept-Language
	0x02f0:  3a20 7275 0d0a 5573 6572 2d41 6765 6e74  :.ru..User-Agent
	0x0300:  3a20 4d6f 7a69 6c6c 612f 352e 3020 2869  :.Mozilla/5.0.(i
	0x0310:  5061 643b 2043 5055 204f 5320 395f 335f  Pad;.CPU.OS.9_3_
	0x0320:  3520 6c69 6b65 204d 6163 204f 5320 5829  5.like.Mac.OS.X)
[/pre]
[/spoiler]
Please help me and point out where I might be mistaken.
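As an added example (not from the thread, and not the kernel's own code), the following Python evaluates the u32 expression from the LOG rule above the way the xt_u32 match does: walk the IP header length, then the TCP header length, then compare the first four payload bytes with "GET ". It runs over the first 64 bytes of the captured GET packet from the tcpdump output and over a few packets constructed here (a bare SYN, a GET, an SSH banner on tcp/80); the helper names, the constructed packets and their zeroed checksums are assumptions of this example. It shows that the expression itself does match the captured packet, and that a SYN, the first packet of a connection, can never match it because there is no payload to read.

```python
"""Evaluate iptables u32 match expressions against raw IPv4 packet bytes."""
import re
import struct

# The expression from the thread's LOG rule.
HTTP_GET_U32 = "0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0=0x47455420"

_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|>>|<<|&|@")


def parse_u32(expr):
    """Return a list of (ops, ranges) tests from a u32 expression.

    ops starts with ("read", offset) and continues with ("&", n), (">>", n),
    ("<<", n) or ("@", n); ranges is a list of inclusive (lo, hi) pairs."""
    tests = []
    for test in expr.replace(" ", "").split("&&"):
        loc, sep, vals = test.partition("=")
        tokens = _TOKEN.findall(loc)
        if not sep or "".join(tokens) != loc or len(tokens) % 2 == 0:
            raise ValueError("malformed u32 test: %r" % test)
        ops = [("read", int(tokens[0], 0))]
        ops += [(tokens[i], int(tokens[i + 1], 0)) for i in range(1, len(tokens), 2)]
        ranges = []
        for rng in vals.split(","):
            lo, _, hi = rng.partition(":")
            ranges.append((int(lo, 0), int(hi or lo, 0)))
        tests.append((ops, ranges))
    return tests


def _read_be32(packet, offset):
    """Big-endian 32-bit read; None where the kernel would refuse (out of bounds)."""
    if offset < 0 or offset + 4 > len(packet):
        return None
    return struct.unpack_from("!I", packet, offset)[0]


def u32_match(expr, packet):
    """True when every '&&'-joined test of expr holds for the packet bytes.

    Mirrors xt_u32: '@' adds the current value to the origin and re-reads at
    origin + number; any read past the end of the packet fails the match."""
    for ops, ranges in parse_u32(expr):
        origin = 0
        val = None
        for op, num in ops:
            if op == "read":
                val = _read_be32(packet, origin + num)
            elif op == "&":
                val &= num
            elif op == ">>":
                val >>= num
            elif op == "<<":
                val = (val << num) & 0xFFFFFFFF
            elif op == "@":
                origin += val
                val = _read_be32(packet, origin + num)
            if val is None:
                return False
        if not any(lo <= val <= hi for lo, hi in ranges):
            return False
    return True


def build_tcp_packet(payload, flags=0x18, dst_port=80):
    """Constructed IPv4/TCP packet, no options, checksums zeroed (test input only)."""
    tcp = struct.pack("!HHIIBBHHH", 56599, dst_port, 0, 0, 5 << 4, flags, 4128, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x46d9, 0x4000, 64, 6, 0,
                     bytes([10, 80, 0, 10]), bytes([213, 196, 34, 228]))
    return ip + tcp + payload


# First 64 bytes of the GET packet from the tcpdump -X output in the thread,
# truncated to the part the u32 walk touches.
CAPTURED_GET = bytes.fromhex(
    "45000383 46d94000 4006ed99 0a50000a"
    "d5c422e4 dd170050 d9acf21a e09c59a2"
    "80181020 d3c20000 0101080a 454a3a5f"
    "af0fc0bd 47455420 2f204854 54502f31"
)


def classify(packet):
    """Label a packet the way the thread wants: HTTP GET to the proxy, the rest direct."""
    return "http" if u32_match(HTTP_GET_U32, packet) else "direct"


if __name__ == "__main__":
    samples = {
        "captured GET (from the thread)": CAPTURED_GET,
        "constructed SYN, no payload": build_tcp_packet(b"", flags=0x02),
        "constructed GET": build_tcp_packet(b"GET / HTTP/1.1\r\n"),
        "constructed SSH banner on tcp/80": build_tcp_packet(b"SSH-2.0-OpenSSH\r\n"),
    }
    for name, pkt in samples.items():
        print("%-34s -> %s" % (name, classify(pkt)))
```

The evaluator stops with "no match" as soon as a read would run past the end of the packet, which is exactly why a SYN-only packet never triggers the rule: the origin ends up at the first payload byte and there is nothing to read there. Whether the rule is ever consulted at all is a separate matter decided by the chain it sits in and by the other matches on the same line, which this evaluator does not model.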

2

Re: IP packets are not filtered with iptables + string and u32

apostle:
Chain PREROUTING
Please help me and point out where I might be mistaken.

Packets sent from the local machine (rather than arriving from the network) do not pass through PREROUTING.

3

Re: IP packets are not filtered with iptables + string and u32

SergVV
Thanks for the idea, but no - the sending goes over the network from another device.
[s]In the case of u32 I had the thought that I'm a fool - I set a flag to look only at the 1st packet of the connection, and that will be the TCP SYN, which won't yet contain HTTP GET, i.e. on the contrary it is necessary to look at either all packets, or all except the 1st[/s]

4

Re: IP packets are not filtered with iptables + string and u32

Don't use tools for purposes they are not intended for. That's not the unix way.
Filter the user-agent on the proxy; nginx, for example, filters it.

5

Re: IP packets are not filtered with iptables + string and u32

apostle
I was given the task of detecting browser connections in iptables (or http connections, which is also an acceptable option)
Wouldn't the port () + the SYN flag be enough?

6

Re: IP packets are not filtered with iptables + string and u32

September
The purpose is precisely to redirect web traffic (whose source will only be browsers) to a proxy, and let everything else pass unchanged.
For this it is necessary to detect web traffic.
~wildwind~
It is assumed that non-http(s) traffic, which "is not on friendly terms" with a proxy, can go to the same target ports.

7

Re: IP packets are not filtered with iptables + string and u32

apostle
Well, nginx then, what is the problem?
Where is the traffic from and where is it going? Can you describe the task completely?

8

Re: IP packets are not filtered with iptables + string and u32

September
Clients connect to the vpn-server, which is set as the default router for them. All traffic on tcp 80 and 443 is "wrapped" to squid.
But there are applications which use these ports yet work incorrectly with squid. As a result it is necessary to detect http (and probably https too - but here I have no ideas yet) and send only it to squid, and pass all remaining traffic directly.

9

Re: IP packets are not filtered with iptables + string and u32

apostle
Well, nginx then, what is the problem?
Where is the traffic from and where is it going? Can you describe the task completely?
upd.
intercept proxy? On squid?
Make an exception in it, for addresses not on friendly terms with a proxy.

 always_direct allow dolbaniy_bank_client 

10

Re: IP packets are not filtered with iptables + string and u32

September
[i]Make an exception in it, for[/i] addresses not on friendly terms with a proxy
That violates the conditions :)
- The client should  when it uses http/https
- The client should be passed directly when it uses non-http/https; for example, it "goes out" over ssh on the non-standard tcp port 80. An example of one of the problem applications is skype, but with it I have an entirely different question - I cannot analyze the encrypted traffic.

11

Re: IP packets are not filtered with iptables + string and u32

apostle
The client should be passed directly
always_direct - the highlighted part translated into Russian means "directly". That is exactly what you need, try it.
I cannot analyze the encrypted traffic
You can. It was all invented long ago. https://wiki.squid-cache.org/Features/SslPeekAndSplice

12

Re: IP packets are not filtered with iptables + string and u32

September
always_direct - the highlighted part translated into Russian means "directly". That is exactly what you need, try it.
I understand, and that is not what the questions are about, but the goal is for the exception to be at the level of applications rather than of the clients' ip-addresses.
Do I understand correctly that your variant assumes that the ip-addresses of the clients using the problem software are added to the exceptions?
You can. It was all invented long ago
Thanks, I will familiarize myself with it. I assumed squid would be used on the mitm side, but in that case I need to detect https before passing it to squid.
Judging by the article (so far I have only skimmed it), I can be guided by TCP CONNECT

13

Re: IP packets are not filtered with iptables + string and u32

apostle
Since you have such a heterogeneous environment, don't try to make the proxy transparent. Configure it explicitly in browsers and in Skype (including via autoconfiguration).

14

Re: IP packets are not filtered with iptables + string and u32

apostle
Do I understand correctly that your variant assumes that the ip-addresses of the clients using the problem software are added to the exceptions?
Either way.
squid is very flexible.

15

Re: IP packets are not filtered with iptables + string and u32

[off]~wildwind~
Since you have such a heterogeneous environment, don't try to make the proxy transparent. Configure it explicitly in browsers and in Skype (including via autoconfiguration).
The configuration is not decided by me.[/off]