Accept only a specific protocol with iptables/l7filter ?
16 years 2 days ago #28229
by cassiodk
Replied by cassiodk on topic Re: Accept only a specific protocol with iptables/l7filter ?
I had the same problem. This happens because l7-filter doesn't know the type of traffic in the first packet, and it drops it.
When you create a tcp connection, there are 3 packets necessary to open the connection, which are independent of the high-level protocol. These packets are dropped with the rules of your example.
The documentation says that the l7-filter identifies the content of the http response. As l7-filter doesn't identify the http request, this packet is dropped too.
To solve this problem, you need to create a rule that accepts the "unset" protocol (l7-filter marks unmatched connections that it is still trying to match as "unset"):
iptables -A FORWARD -m layer7 --l7proto unset -j ACCEPT
Remember that you must accept packets of both directions.
The problem with this is that the first 10 packets (in default configuration) of all connections will be accepted. Then, you should include other constraints like port numbers.
In my tests, I need to create first the rules accepting http, followed by the rules accepting unset. If you change the order, it doesn't work.
One last thing: this worked for me using the kernel version of l7-filter. I didn't have success with the userspace version.
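A FORWARD rule set laid out in the order cassiodk describes (http matches first, then the "unset" catch-up rule, both directions, each restricted to the web port so the first unclassified packets of unrelated connections are not accepted blindly), as an added example that is not part of the post. The inside interface name eth1, the DRY_RUN switch and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not cassiodk's script. Assumes the layer7 match module is
# loaded, eth1 is the inside (LAN) interface and web traffic is TCP port 80.
# Set DRY_RUN=1 to print the iptables commands instead of executing them.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"      # assumed inside interface
WEB_PORT="${WEB_PORT:-80}"    # assumed web port

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

l7_http_rules() {
    # 1. Connections already classified as http, both directions.
    run "$IPT" -A FORWARD -i "$LAN_IF" -p tcp --dport "$WEB_PORT" -m layer7 --l7proto http -j ACCEPT
    run "$IPT" -A FORWARD -o "$LAN_IF" -p tcp --sport "$WEB_PORT" -m layer7 --l7proto http -j ACCEPT
    # 2. Packets l7-filter has not classified yet (SYN, SYN/ACK, ACK, the request
    #    itself). Port-constrained so the "first 10 packets" window only applies
    #    to flows that look like web traffic in the first place.
    run "$IPT" -A FORWARD -i "$LAN_IF" -p tcp --dport "$WEB_PORT" -m layer7 --l7proto unset -j ACCEPT
    run "$IPT" -A FORWARD -o "$LAN_IF" -p tcp --sport "$WEB_PORT" -m layer7 --l7proto unset -j ACCEPT
    # 3. Anything else that reaches the end of the chain is dropped.
    run "$IPT" -A FORWARD -j DROP
}

# Check, without touching the kernel, that every http rule precedes the first
# unset rule (the ordering the post reports as required). Returns 0 if so.
http_before_unset() {
    ( DRY_RUN=1; l7_http_rules ) | awk '
        /l7proto http/  { last_http = NR }
        /l7proto unset/ && !first_unset { first_unset = NR }
        END { exit !(last_http && first_unset && last_http < first_unset) }'
}
```

Run the script with DRY_RUN=1 first to review the emitted rule order before applying it.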