Block TCP/UDP packets by string content using iptables

On Linux, iptables can drop packets based on a string in their cleartext payload using the string match (-m string, kernel module xt_string). It is of no use against encrypted connections, except where a fixed byte sequence recurs in the encrypted stream (a protocol header, for example) that you can match exactly; the application data itself is never visible to the match.

In this example we drop outgoing syslog packets (UDP port 514) whose payload contains the string “closed keepalive connection”. The rule is inserted (-I) at the top of the OUTPUT chain so it is evaluated before any ACCEPT rule:

iptables -I OUTPUT -p udp --dport 514 -m string --string "closed keepalive connection" --algo kmp -j DROP

--algo is mandatory and selects the search algorithm (kmp or bm). To require several strings in the same packet, repeat -m string --string STRING --algo kmp once per string within the same rule; iptables ANDs the clauses, so the packet is dropped only if all of them match (use separate rules to drop on any one of several strings). The match is evaluated per packet: a string that straddles two packets or fragments is not seen, and --from/--to limit the byte range that is searched. After adding the rule, check its packet counter in the verbose listing of the chain to confirm it is actually matching.
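The following script is added here as a worked example; it is not part of the original cheat sheet. It wraps the rule above in helpers that build the rule specification (one -m string clause per pattern, all ANDed), insert it only if it is not already present, show the hit counters, and remove it again. It assumes an iptables with the string match available (kernel module xt_string); the function names and the DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: build, install, verify and
# remove a string-match DROP rule such as the syslog one above.
# Assumes iptables with the string match (kernel module xt_string). Function
# names (build_rule, install_rule, remove_rule, show_hits) are this example's own.

# build_rule CHAIN PROTO DPORT STRING...
# Prints the rule specification. One "-m string" clause is emitted per STRING;
# iptables ANDs them, so every string must appear in the same packet.
build_rule() {
    chain=$1
    proto=$2
    dport=$3
    shift 3
    rule="$chain -p $proto --dport $dport"
    for s in "$@"; do
        # The spec is later passed through eval with single-quoted patterns,
        # so a pattern containing a single quote is refused rather than mangled.
        case $s in
            *\'*) echo "build_rule: single quote in pattern not supported: $s" >&2
                  return 1 ;;
        esac
        rule="$rule -m string --string '$s' --algo kmp"
    done
    printf '%s -j DROP\n' "$rule"
}

# install_rule CHAIN PROTO DPORT STRING...
# Inserts the rule at the top of CHAIN so it runs before any ACCEPT rule.
# "iptables -C" succeeds when an identical rule already exists, which keeps
# re-runs from stacking duplicates. DRY_RUN=1 prints the command instead.
install_rule() {
    rule=$(build_rule "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -I $rule"
        return 0
    fi
    if eval "iptables -C $rule" 2>/dev/null; then
        echo "rule already present: $rule"
    else
        eval "iptables -I $rule"
    fi
}

# remove_rule CHAIN PROTO DPORT STRING...  (deletes the identical rule)
remove_rule() {
    rule=$(build_rule "$@") || return 1
    eval "iptables -D $rule"
}

# show_hits [CHAIN]: per-rule packet/byte counters. A non-zero pkts column on
# the DROP rule confirms the string is really being matched.
show_hits() {
    iptables -L "${1:-OUTPUT}" -v -n --line-numbers
}

# Usage (needs root; running with no arguments executes nothing):
#   sh block_by_string.sh install OUTPUT udp 514 'closed keepalive connection'
#   sh block_by_string.sh show OUTPUT
#   sh block_by_string.sh remove OUTPUT udp 514 'closed keepalive connection'
case ${1:-} in
    install) shift; install_rule "$@" ;;
    remove)  shift; remove_rule "$@" ;;
    show)    shift; show_hits "$@" ;;
esac
```

Run with DRY_RUN=1 first to see the exact iptables command that will be executed. If the rule fails with a "No chain/target/match by that name" style error, the string match module is not available in the running kernel (try modprobe xt_string). To test the rule end to end, send a constructed line with logger -n 127.0.0.1 -P 514 or the syslog tool of your choice and watch the pkts counter in show_hits increase.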

docu/csheet/net/iptables/block_packets_by_content.txt · Last modified: 2021/02/02 11:04 by admin