Hi,
I recently installed kamikaze on my WRT54GL for the purpose of being able to do content filtering on packets. I.e. I want to intercept all packets and then decide on whether to let them through based on a static filter list.
Now I can read all packets going through the router via TCPdump, but I can only sniff them as they go by and not block them. I'm rather unsure on where and how to begin to modify the software to do the above.
Any pointers or help of any kind would be much appreciated.
Thank you.
Topic: filtering packets based on content
The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.
actual data content, or just the packet headers?
if headers (ip address, mac address, tcp/udp port, ip protocol type, etc), use iptables firewall rules.
if not:
http://l7-filter.sourceforge.net/ - read the faq, the focus of this is more on classification for qos, rather then outright blocking, and it's hard to identify a protocol before the connection is established and data is being sent.
if you want to filter content for a particular protocol, use a proxy (like squid for http) with it's own rules
Hi grinner,
you've just embarked on a long but exciting journey. There's a lot to learn about what packages to let into your homely network and how to find out which is which.
But fear not: you have a wise companion named Google. (On a sidenote: he's not really wise, just an attention whore who adopts the opinion of anyone out there screaming the loudest, but I digress...)
I talked to him just the other minute, only to make sure: the words "linux ip content filtering" were sufficient to provide fun for many long nights (more than 200,000 links).
He kept mumbling about "squidGuard", so pr'aps this is a point to focus on ...
(answer provided in a true "grinning" fashion )
(Last edited by MKunert on 28 Nov 2007, 10:56)
I'm trying to filter actual data content regardless of traffic type. Specifically I'm want to scan packets for specific cleartext and mark these packets. At least for now that's all I need to do, it's a project in a security class in the uni and I'm quite new to all of this stuff.
Level 7 Filter looks pretty good and I'm sure I can steal some ideas from there
I'll check out this mr. google guy everyone keeps rambling on about. Maybe he actually can help me
So far my first problem has been where to start within the router so I can actually control traffic. I mean the basic routing functionality is built in pretty deep and I'm not sure if I can just turn it off, or if I have to replace it completely.
Any pointers or ideas there would be great, as that would get me started and I'm kinda lost right now...
Thanks a lot.
I'm trying to filter actual data content regardless of traffic type. Specifically I'm want to scan packets for specific cleartext and mark these packets. (..)
just install qos-scripts then create file 'example.pat' containing your searching phrase in /etc/l7-protocols. After that edit /etc/config/qos/ and add your match eg:
config classify
option target "Bulk"
option layer7 "example"
and it will mark all connections with your searching phrase and will put it on the lowest (Bulk) qos class.
If you don't want to use qos you can install required packages (just install qos-scripts and remove /etc/init.d/qos) and mark connections manually:
iptables -t mangle -A POSTROUTING -o $WAN -m layer7 --l7proto example -j MARK --set-mark 1
The discussion might have continued from here.