
Exclude ports with -- string module [HELP]

Discussion in 'Tomato Firmware' started by kthaddock, Jul 30, 2013.

  1. kthaddock

    kthaddock Network Guru Member

    I'm trying to exclude ports when I use the -- string module. There seems not to be any good way to do that. String blocks everything, e.g. when sending an email which includes some matched string, that packet is not sent. Ex. ports to be excluded: 25,80,443,587,995
    I'm using these example rules to show:
    String only supports these rule sets:
    Have you guys any suggestion or solution to this?

    kthaddock
     
  2. koitsu

    koitsu Network Guru Member

    Add an iptables ... -p tcp --dport xxx -j ACCEPT rule that precedes (i.e. comes before) the string rules, which matches the port number you want. Or use --sport instead of --dport (depends on what you're doing/what you're trying to match).

    All this does is cause the firewalling layer to say "okay allow this packet" and never allow it to reach the subsequent string rules.

    This is how you add "exceptions" in any firewalling layer/model. It is a universal concept.

    P.S. -- I tried to warn you people who wanted the strings module about the repercussions of using it. I'm glad to see you're now experiencing the pain I warned you of. ;-)
     
  3. kthaddock

    kthaddock Network Guru Member

    Thank you, I was aware of that, but I have to block torrent downloads here. So I must use both TCP and UDP rules. Then I feel that the ruleset becomes a massive ruleset.
     
  4. koitsu

    koitsu Network Guru Member

    The port numbers you gave are all for TCP-based protocols:

    25 = SMTP
    80 = HTTP
    443 = HTTP+SSL
    587 = SMTP submission
    995 = POP3+SSL

    So use -m multiport to allow the traffic, e.g. iptables ... -m multiport -p tcp --dports 25,80,443,587,995 -j ACCEPT. One line. And again: it may be --sports depending on what you're trying to exclude and how the underlying application protocol behaves/works.

    And if you need to exclude some UDP traffic, it's the same methodology just with -p udp.

    The only way you're going to "trump" a block/reject rule in a firewall is to add an appropriate permit/accept rule that precedes it. That's how firewalls work. :)

    Edit: replaced ALLOW with ACCEPT. That one always gets me. Damn Linux. ;P
     
  5. kthaddock

    kthaddock Network Guru Member

    Okay, I got that. I have done ACCEPT rules like this:
    and put that together:

    I want to reduce the size of all the rules. I want all string match words in a file/raw with $string like this:

    Then I can use one INPUT and one FORWARD rule to save nvram space.
     
  6. shibby20

    shibby20 Network Guru Member

    try

    # -p tcp is required: -m multiport only works with an explicit -p tcp/udp/udplite/sctp/dccp
    iptables -I INPUT -p tcp -m string --string "announce" --algo bm --from 1 --to 600 -m multiport ! --dports 25,80,443,110,587,995 -j REJECT
    iptables -I FORWARD -p tcp -m string --string "announce" --algo bm --from 1 --to 600 -m multiport ! --dports 25,80,443,110,587,995 -j REJECT
     
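    As an added example (not code from the thread or from Tomato), a small POSIX shell script that prints the REJECT rules shibby20's one-liner expands to for several strings, for both TCP and UDP as kthaddock needs, and for both chains. It assumes the exempt port list from the thread, adds the -p tcp/-p udp that -m multiport requires, and never calls iptables itself, so the output can be reviewed before it goes into the firewall script.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands only.

# Ports the string match must never touch (assumption: the thread's list
# plus 110 from shibby20's rule).
EXEMPT_PORTS="25,80,443,110,587,995"

# string_block_rule CHAIN PROTO PATTERN
# Prints one rule. The pieces that commonly go wrong:
#  * xt_multiport needs an explicit -p tcp / -p udp in front of -m multiport;
#    without it iptables refuses the rule.
#  * "!" before --dports negates the whole list: the rule matches only
#    traffic to ports NOT in EXEMPT_PORTS.
#  * --from 1 --to 600 bounds the Boyer-Moore (bm) scan to the first
#    600 bytes, keeping the per-packet cost predictable.
string_block_rule() {
    chain=$1; proto=$2; pattern=$3
    printf 'iptables -I %s -p %s -m string --string "%s" --algo bm --from 1 --to 600 -m multiport ! --dports %s -j REJECT\n' \
        "$chain" "$proto" "$pattern" "$EXEMPT_PORTS"
}

# string_block_ruleset "PATTERN1 PATTERN2 ..."
# One rule per pattern, per protocol, per chain: -m string takes a single
# string, so a $string="a b c" variable has to be expanded in a loop.
string_block_ruleset() {
    for pattern in $1; do
        for proto in tcp udp; do
            for chain in INPUT FORWARD; do
                string_block_rule "$chain" "$proto" "$pattern"
            done
        done
    done
}

# count_rules "PATTERNS": how many iptables lines the set expands to,
# which is the script/nvram size the thread is worried about.
count_rules() {
    string_block_ruleset "$1" | wc -l | tr -d ' '
}

string_block_ruleset "announce"
```

    Four strings expand to 16 rules (4 strings x 2 protocols x 2 chains); dropping the INPUT chain, as shibby20 suggests for LAN clients, halves that.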
  7. kthaddock

    kthaddock Network Guru Member

    Thank you Shibby, I'm going to test that. I have in my setup 7 INPUT and 7 FORWARD rules.
    I need to save space some way.
    Is this the right way to use $string="announce1 announce2 announce3 announce4"?
     
  8. shibby20

    shibby20 Network Guru Member

    Probably you cannot. One string for one iptables rule.
    You don't have to make an iptables rule for INPUT. INPUT is only for the router. But it can be done shorter:

     
  9. kthaddock

    kthaddock Network Guru Member

    Thank you Shibby! I'm going to test when all the nerds are not playing and torrenting :) and big thanks for the new 112 builds!!!
     
