
Example

Let's say I'm using iptables or nftables.

I want to allow certain traffic, like the following:

iptables -A OUTPUT -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -s 192.168.1.1 -p udp --sport 53 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Can the first rule be expanded to also include inspection of the packet containing the DNS query, so that only packets whose query is for *.wetransfer.com are allowed and everything else is dropped?

I think this falls under what is called Deep Packet Inspection, but how can it be done in terms of iptables/nftables?

1 Answer


iptables does not understand DNS natively, but it should be possible using string match:

# accept queries whose name ends in wetransfer.com, drop every other DNS query to that resolver
iptables -A OUTPUT -d 192.168.1.1 -p udp --dport 53 -m string --algo kmp --hex-string "|0A|wetransfer|03|com|00|" --icase -j ACCEPT
iptables -A OUTPUT -d 192.168.1.1 -p udp --dport 53 -j DROP

Note that DNS names on the wire do not use dots – they're sent as a series of length-prefixed components; e.g. ".com" is sent as 0x03 c o m.

You must use a case-insensitive match (--icase) because clients might send the query in mixed-case (sometimes deliberately).
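To check what the hex-string above actually matches before loading it into a live chain, here is an added example (not part of the answer or of iptables) that encodes query names in DNS wire format and emulates the byte search that `-m string --hex-string ... --icase` performs over the packet. The query packets, transaction ID and the name list are constructed for the example; the matcher is a plain substring search standing in for the kernel's xt_string module.

```python
"""Added example: DNS wire-format encoding vs. an iptables --hex-string pattern.

Not code from the original answer.  It shows why the length bytes (0x0A, 0x03)
and the terminating 0x00 in "|0A|wetransfer|03|com|00|" anchor the match to the
whole label sequence, so "notwetransfer.com" and "wetransfer.com.evil.example"
do not match while "dl.wetransfer.com" does.  All packets are constructed here.
"""
import struct

RULE_PATTERN = "|0A|wetransfer|03|com|00|"   # the pattern from the answer above


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels: <len><label>...<0x00>, no dots."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal DNS query (UDP payload): 12-byte header, one question, class IN.

    txid is a constructed constant; qtype 1 = A record.
    """
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QDCOUNT=1
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def hex_string_to_bytes(pattern: str) -> bytes:
    """Translate iptables --hex-string syntax into raw bytes.

    Text between '|' pairs is hex (spaces allowed); text outside is literal ASCII.
    """
    out = b""
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("ascii")
    return out


def string_match(payload: bytes, pattern: str, icase: bool = False) -> bool:
    """Emulate `-m string --hex-string PATTERN [--icase]`.

    xt_string searches the whole packet (default --from 0 --to 65535) for the
    byte sequence; --icase folds ASCII letters only, so the length bytes and
    the 0x00 terminator still have to match exactly.
    """
    needle = hex_string_to_bytes(pattern)
    if icase:
        return needle.lower() in payload.lower()
    return needle in payload


def would_accept(qname: str, icase: bool = True) -> bool:
    """True if a query for qname would hit the ACCEPT rule built from RULE_PATTERN."""
    return string_match(build_query(qname), RULE_PATTERN, icase=icase)


if __name__ == "__main__":
    samples = [                       # constructed test names
        "wetransfer.com",
        "dl.wetransfer.com",
        "WeTransfer.COM",             # mixed case, as 0x20-encoding clients send it
        "notwetransfer.com",          # label length is 0x0D, not 0x0A
        "wetransfer.com.evil.example",# 'com' is followed by 0x04, not 0x00
        "wetransfer.co",              # TLD length is 0x02, not 0x03
    ]
    for qname in samples:
        print(f"{qname:30} -> {'ACCEPT' if would_accept(qname) else 'DROP'}")
```

Two caveats that follow from the emulation: the match is a byte search over the entire UDP payload, not a parse of the question section, so the same label sequence appearing anywhere in the datagram matches too; and the rule only sees plaintext UDP/53, so a client that switches to DNS over TCP, DoT or DoH never hits it at all. The trailing DROP rule for port 53 is what turns "match wetransfer.com" into "allow only wetransfer.com".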
