IpTables Rope 20051223

ROPE is a "match module" for Linux IpTables that allows packets to be matched.

  Add it to your Download Basket!

 Add it to your Watch List!


Rate it!
send us
an update
GPL (GNU General Public License) 
Chris Lowth
ROOT \ System \ Monitoring
ROPE is a "match module" for Linux IpTables that allows packets to be matched using highly flexible rules, written in a simple purpose-designed scripting language. It was written initially to provide support for the next phase of the P2PWall project for controlling various styles of peer-to-peer application traffic, but is much broader than this in it's possible uses. See the Basics page for a tutorial-style overview.

The match modules of iptables allow rules to take actions depending on whether packets match certain criteria or not. The standard distribution of netfilter / IpTables provides a range of useful modules of this type. These typically allow protocol types (TCP or UDP), source and destination addresses and ports etc to be checked.

There is also a set of interesting "extras" than can be compiled into the kernel to provide some extended packet matching features. One such example is the "string" module that allows packets to be matched on the basis of the existance (or otherwise) of specified strings anywhere in the data payload portion of the packets. There are a number of other hidden treasures that can be used to significantly extend the features of the system.

In order to use ROPE to build a match rule, you first need to write the ROPE scriptlet that encodes your match criteria. As an example, we could look for the "Content-length" header of an HTTP download and check that the length does not exceed 1000000 bytes using the following script..

This script has the following steps in order to make it work:

1. Searches the data payload of the packet for the string "Content-length: ", but ignores letter case as it searches.
2. If the string is not found, the script stops and returns a "not matched" status to netfilter.
3. If the string is found, the script takes the digits that follow it, and stores them as a string in the register $n.
4. The string in $n is converted to an integer and compared against the number 1000000. If $n is large than 1000000 then the script terminates and returns a "matched" status to IpTables.
5. Otherwise, the script terminates with a "not matched" status.

The language in which scripts like this are written is based on the idea of ReversePolish notation but extended to handle the concept of AnchorBrackets. The language is documented in detail in LanguageReference.

Last updated on July 12th, 2006

#iptables match #matching modules #iptables mangle #mangle #iptables #matching #match

Add your review!