diff options
author | Felix Fietkau <nbd@openwrt.org> | 2006-10-13 22:51:49 +0200 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2016-03-20 17:29:15 +0100 |
commit | 60c1f0f64d23003a19a07d6b9638542130f6641d (patch) | |
tree | 8fb2787f4c49baded97cd55e0c371fe1cffce2b6 /package/iptables/files | |
parent | d58a09110ccfa95f06c983fe796806f2e035c9d2 (diff) | |
parent | b3ce218b51746d3a576221ea542facf3a1703ab2 (diff) | |
download | mtk-20170518-60c1f0f64d23003a19a07d6b9638542130f6641d.zip mtk-20170518-60c1f0f64d23003a19a07d6b9638542130f6641d.tar.gz mtk-20170518-60c1f0f64d23003a19a07d6b9638542130f6641d.tar.bz2 |
finally move buildroot-ng to trunk
Diffstat (limited to 'package/iptables/files')
21 files changed, 673 insertions, 0 deletions
diff --git a/package/iptables/files/firewall.awk b/package/iptables/files/firewall.awk new file mode 100644 index 0000000..902c7b1 --- /dev/null +++ b/package/iptables/files/firewall.awk @@ -0,0 +1,64 @@ +# Copyright (C) 2006 OpenWrt.org + +BEGIN { + print "ifname=\"$WAN\"" + print "[ -z \"$ifname\" ] && exit" + print "" + print "iptables -X input_$ifname 2>&- >&-" + print "iptables -N input_$ifname" + print "iptables -X forward_$ifname 2>&- >&-" + print "iptables -N forward_$ifname" + print "iptables -t nat -X prerouting_$ifname 2>&- >&-" + print "iptables -t nat -N prerouting_$ifname" + print "" + print "iptables -A input_rule -i \"$ifname\" -j input_$ifname" + print "iptables -A forwarding_rule -i \"$ifname\" -j forward_$ifname" + print "iptables -t nat -A prerouting_rule -i \"$ifname\" -j prerouting_$ifname" + print "" + FS=":" +} + +($1 == "accept") || ($1 == "drop") || ($1 == "forward") { + delete _opt + str2data($2) + if ((_l["proto"] == "") && (_l["sport"] _l["dport"] != "")) { + _opt[0] = " -p tcp" + _opt[1] = " -p udp" + } else { + _opt[0] = "" + } +} + +($1 == "accept") { + target = " -j ACCEPT" + for (o in _opt) { + print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) target + print "iptables -A input_$ifname " _opt[o] str2ipt($2) target + print "" + } +} + +($1 == "drop") { + for (o in _opt) { + print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) " -j DROP" + print "" + } +} + +($1 == "forward") { + target = " -j DNAT --to " $3 + fwopts = "" + if ($4 != "") { + if ((_l["proto"] == "tcp") || (_l["proto"] == "udp") || (_l["proto"] == "")) { + if (_l["proto"] != "") fwopts = " -p " _l["proto"] + fwopts = fwopts " --dport " $4 + target = target ":" $4 + } + else fwopts = "" + } + for (o in _opt) { + print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) target + print "iptables -A forward_$ifname " _opt[o] " -d " $3 fwopts " -j ACCEPT" + print "" + } +} diff --git a/package/iptables/files/firewall.config b/package/iptables/files/firewall.config new file mode 100644 index 0000000..1b92954 --- /dev/null +++ b/package/iptables/files/firewall.config @@ -0,0 +1,48 @@ +# Copyright (C) 2006 OpenWrt.org + +# RULE SYNTAX: +# +# forward:<match>:<target>[:<port>] +# - forwards all packets matched by <match> to <target>, +# optionally changing the port to <port> +# +# accept:<match> +# - accepts all traffic matched by <match> +# +# drop:<match> +# - drops all traffic matched by <match> +# +# +# MATCHING OPTIONS: +# +# src=<ip> +# - match the source ip <ip> +# +# dest=<ip> +# - match the destination ip <ip> +# +# proto=<proto> +# - match the protocol by name or number +# +# sport=<port(s)> +# - match the source port(s), see below for syntax +# +# dport=<port(s)> +# - match the destination port(s), see below for syntax +# +# +# +# PORT SYNTAX: +# +# You can enter an arbitrary list of ports and port ranges in the following format: +# - 22,53,993,1000-1024 +# +# If you don't set the protocol to tcp or udp, it will apply to both +# +# +# +# EXAMPLES: +# +# drop:dport=22 src=1.3.3.7 +# accept:proto=tcp dport=22 +# forward:dport=60168:192.168.1.2:60169 diff --git a/package/iptables/files/firewall.init b/package/iptables/files/firewall.init new file mode 100755 index 0000000..731485b --- /dev/null +++ b/package/iptables/files/firewall.init @@ -0,0 +1,115 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2006 OpenWrt.org + +## Please make changes in /etc/firewall.user + +start() { + include /lib/network + scan_interfaces + + config_get WAN wan ifname + config_get LAN lan ifname + + ## CLEAR TABLES + for T in filter nat; do + iptables -t $T -F + iptables -t $T -X + done + + iptables -N input_rule + iptables -N output_rule + iptables -N forwarding_rule + + iptables -t nat -N prerouting_rule + iptables -t nat -N postrouting_rule + + iptables -N LAN_ACCEPT + [ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN + iptables -A LAN_ACCEPT -j ACCEPT + + ### INPUT + ### (connections with the router as destination) + + # base case + iptables -P INPUT DROP + iptables -A INPUT -m state --state INVALID -j DROP + iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP + + # + # insert accept rule or to jump to new accept-check table here + # + iptables -A INPUT -j input_rule + + # allow + iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces + iptables -A INPUT -p icmp -j ACCEPT # allow ICMP + iptables -A INPUT -p gre -j ACCEPT # allow GRE + + # reject (what to do with anything not allowed earlier) + iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset + iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable + + ### OUTPUT + ### (connections with the router as source) + + # base case + iptables -P OUTPUT DROP + iptables -A OUTPUT -m state --state INVALID -j DROP + iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + + # + # insert accept rule or to jump to new accept-check table here + # + iptables -A OUTPUT -j output_rule + + # allow + iptables -A OUTPUT -j ACCEPT #allow everything out + + # reject (what to do with anything not allowed earlier) + iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset + iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable + + ### FORWARDING + ### (connections routed through the router) + + # base case + iptables -P FORWARD DROP + iptables -A FORWARD -m state --state INVALID -j DROP + iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + + # + # insert accept rule or to jump to new accept-check table here + # + iptables -A FORWARD -j forwarding_rule + + # allow + iptables -A FORWARD -i br0 -o br0 -j ACCEPT + [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT + + # reject (what to do with anything not allowed earlier) + # uses the default -P DROP + + ### MASQ + iptables -t nat -A PREROUTING -j prerouting_rule + iptables -t nat -A POSTROUTING -j postrouting_rule + [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE + + ## USER RULES + [ -f /etc/firewall.user ] && . /etc/firewall.user + [ -n "$WAN" -a -e /etc/config/firewall ] && { + awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash + } +} + +stop() { + iptables -P INPUT ACCEPT + iptables -P OUTPUT ACCEPT + iptables -P FORWARD ACCEPT + iptables -F + iptables -t nat -P PREROUTING ACCEPT + iptables -t nat -P POSTROUTING ACCEPT + iptables -t nat -P OUTPUT ACCEPT + iptables -t nat -F +} diff --git a/package/iptables/files/firewall.user b/package/iptables/files/firewall.user new file mode 100644 index 0000000..5f295ba --- /dev/null +++ b/package/iptables/files/firewall.user @@ -0,0 +1,28 @@ +#!/bin/sh +# Copyright (C) 2006 OpenWrt.org + +iptables -F input_rule +iptables -F output_rule +iptables -F forwarding_rule +iptables -t nat -F prerouting_rule +iptables -t nat -F postrouting_rule + +### BIG FAT DISCLAIMER +## The "-i $WAN" is used to match packets that come in via the $WAN interface. +## it WILL NOT MATCH packets sent from the $WAN ip address -- you won't be able +## to see the effects from within the LAN. + +### Open port to WAN +## -- This allows port 22 to be answered by (dropbear on) the router +# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT +# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT + +### Port forwarding +## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2 +# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80 +# iptables -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT + +### DMZ +## -- Connections to ports not handled above will be forwarded to 192.168.1.2 +# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2 +# iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT diff --git a/package/iptables/files/l7/aim.pat b/package/iptables/files/l7/aim.pat new file mode 100644 index 0000000..9768dbb --- /dev/null +++ b/package/iptables/files/l7/aim.pat @@ -0,0 +1,27 @@ +# AIM - AOL instant messenger (OSCAR and TOC) +# Pattern quality: good notsofast +# Usually runs on port 5190 +# +# This may also match ICQ traffic. +# +# This pattern has been tested and is believed to work well. If it does not +# work for you, or you believe it could be improved, please post to +# l7-filter-developers@lists.sf.net . This list may be subscribed to at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +aim +# See http://gridley.acns.carleton.edu/~straitm/final (and various other places) +# The first bit matches OSCAR signon and data commands, but not sure what +# \x03\x0b matches, but it works apparently. +# The next three bits match various parts of the TOC signon process. +# The third one is the magic number "*", then 0x01 for "signon", then up to four +# bytes ("up to" because l7-filter strips out nulls) which contain a sequence +# number (2 bytes) the data length (2 more) and 3 nulls (which don't count), +# then 0x01 for the version number (not sure if there ever has been another +# version) +# The fourth one is a command string, followed by some stuff, then the +# beginning of the "roasted" password + +# This pattern is too slow! + +^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x diff --git a/package/iptables/files/l7/bittorrent.pat b/package/iptables/files/l7/bittorrent.pat new file mode 100644 index 0000000..c1804ee --- /dev/null +++ b/package/iptables/files/l7/bittorrent.pat @@ -0,0 +1,14 @@ +# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com +# Pattern quality: great veryfast +# +# This pattern has been tested and is believed to work well. If it does not +# work for you, or you believe it could be improved, please post to +# l7-filter-developers@lists.sf.net . This list may be subscribed to at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +bittorrent + +# Does not attempt to match the HTTP download of the tracker +# 0x13 is the length of "bittorrent protocol" +# Second two bits match UDP wierdness, commented out until it's tested +#^(\x13bittorrent protocol|d1:ad2:id20:|\x08'7P\)[RP]) +^\x13bittorrent protocol diff --git a/package/iptables/files/l7/edonkey-dl.pat b/package/iptables/files/l7/edonkey-dl.pat new file mode 100644 index 0000000..d344d16 --- /dev/null +++ b/package/iptables/files/l7/edonkey-dl.pat @@ -0,0 +1,8 @@ +# eDonkey2000 - P2P filesharing (download part) - http://edonkey2000.com +# Pattern quality: good veryfast overmatch usepacket + +edonkey-dl + +^[\xe3\xe4\xc5\xe5\xd4](....)?[\x01\x0a\x0e\x0f\x10\x18\x19\x1b\x1c\x47\x4a\x4f\x51\x53\x54\x58\x60\x81\x90\x96\x9a\x9c\xa2] + + diff --git a/package/iptables/files/l7/edonkey.pat b/package/iptables/files/l7/edonkey.pat new file mode 100644 index 0000000..efbc3f3 --- /dev/null +++ b/package/iptables/files/l7/edonkey.pat @@ -0,0 +1,29 @@ +# eDonkey2000 - P2P filesharing - http://edonkey2000.com +# Pattern quality: good veryfast overmatch +# +# Please post to l7-filter-developers@lists.sf.net as to whether this pattern +# works for you or not. If you believe it could be improved please post your +# suggestions to that list as well. You may subscribe to this list at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +# Thanks to Matt Skidmore <fox AT woozle.org> + +edonkey + +# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6 +# +# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5 +# +# God this is a mess. What an irritating protocol. +# This will match about 1% of streams with random data in them! + +^[\xe3\xc5\xe5\xd4](....)?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x5b\x5c\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$) + +# matches everything and too much +# ^(\xe3|\xc5|\xd4) + +# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me. + +# bandwidtharbitrator uses +# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey +# no comments to explain what all the mush is, of course... diff --git a/package/iptables/files/l7/fasttrack.pat b/package/iptables/files/l7/fasttrack.pat new file mode 100644 index 0000000..46295c6 --- /dev/null +++ b/package/iptables/files/l7/fasttrack.pat @@ -0,0 +1,25 @@ +# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc) +# Pattern quality: good notsofast +# +# Tested with Kazaa Lite Resurrection 0.0.7.6F +# +# This appears to match the download connections well, but not the search +# connections (I think they are encrypted :-( ). +# +# Please post to l7-filter-developers@lists.sf.net as to whether it works +# for you or not. If you believe it could be improved please post your +# suggestions to that list as well. You may subscribe to this list at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +fasttrack +# while this is a valid http request, this will be caught because +# the http pattern matches the response (and therefore the next packet) +# Even so, it's best to put this match earlier in the chain. +# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup + +# This pattern is kinda slow, but not too bad. +^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]? + +# This isn't much faster: +#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]? + diff --git a/package/iptables/files/l7/ftp.pat b/package/iptables/files/l7/ftp.pat new file mode 100644 index 0000000..9593ffd --- /dev/null +++ b/package/iptables/files/l7/ftp.pat @@ -0,0 +1,34 @@ +# FTP - File Transfer Protocol - RFC 959 +# Pattern quality: great fast +# +# Usually runs on port 21. Note that the data stream is on a dynamically +# assigned port, which means that you will need the FTP connection +# tracking module in your kernel to usefully match FTP data transfers. +# +# This pattern is well tested. If it does not +# work for you, or you believe it could be improved, please post to +# l7-filter-developers@lists.sf.net . This list may be subscribed to at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# +# Matches the first two things a server should say. Most servers say +# something after 220, even though they don't have to, and it usually +# includes the string "ftp" (l7-filter is case insensitive). +# This includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof +# FTP Server, and whatever ftp.microsoft.com uses. Just in case, the next +# thing the server sends is a 331. All the above servers also send +# something including "password" after this code. +ftp +# actually, let's just do the first for now, it's faster +^220[\x09-\x0d -~]*ftp + +# This is ~10x faster if the stream starts with "220" +#^220.*ftp + +# This will match more, but much slower +#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password + +# This pattern is more precise, but takes longer to match. (3 packets vs. 1) +#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331 + +# same as above, but slightly less precise and only takes 2 packets. +#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a diff --git a/package/iptables/files/l7/gnutella.pat b/package/iptables/files/l7/gnutella.pat new file mode 100644 index 0000000..ebbd5c6 --- /dev/null +++ b/package/iptables/files/l7/gnutella.pat @@ -0,0 +1,36 @@ +# Gnutella - P2P filesharing +# Pattern quality: good fast +# +# This should match both Gnutella and "Gnutella2" ("Mike's protocol") +# +# Various clients use this protocol including Mactella, Shareaza, +# GTK-gnutella, Gnucleus, Gnotella, LimeWire, BearShare, and iMesh. +# +# This is tested with gtk-gnutella and Shareaza. +# +# Please report on how this pattern works for you at +# l7-filter-developers@lists.sf.net . If you can improve on this +# pattern, please also post to that list. You may subscribe at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver +# http://rfc-gnutella.sf.net/ +# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification +# http://en.wikipedia.org/wiki/Shareaza + +gnutella + +# The first part matches UDP messages - All start with "GND", then have +# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes +# that can be anything, then a fragment number, which must start at 1. +# The rest matches TCP first client message or first server message (in case +# we can't see client messages). Some parts of this are empirical rather than +# document based. Assumes version is between 0.0 and 2.9. (usually is +# 0.4 or 0.6). I'm guessing at many of the user-agents. +# The last bit is emprical and probably only matches Limewire. +^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|..................lime) + +# Needlessly precise, at the expense of time +#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime) + + diff --git a/package/iptables/files/l7/http.pat b/package/iptables/files/l7/http.pat new file mode 100644 index 0000000..520e7fe --- /dev/null +++ b/package/iptables/files/l7/http.pat @@ -0,0 +1,28 @@ +# HTTP - HyperText Transfer Protocol - RFC 2616 +# Pattern quality: great notsofast +# Usually runs on port 80 +# +# This pattern has been tested and is believed to work well. If it does not +# work for you, or you believe it could be improved, please post to +# l7-filter-developers@lists.sf.net . This list may be subscribed to at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# +# this intentionally catches the response from the server +# rather than the request so that other protocols which use +# http (like kazaa) can be caught based on specific http requests +# regardless of the ordering of filters... +# also matches posts + +# Sites that serve really long cookies may break this by pushing the +# server response too far away from the beginning of the connection. To +# fix this, increase the kernel's data buffer length. + +http +# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616) +# As specified in rfc 2616 a status code is preceeded and followed by a +# space. +http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019] +# A slightly faster version that might be good enough: +#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019] +# old pattern(s): +#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/) diff --git a/package/iptables/files/l7/ident.pat b/package/iptables/files/l7/ident.pat new file mode 100644 index 0000000..672b075 --- /dev/null +++ b/package/iptables/files/l7/ident.pat @@ -0,0 +1,14 @@ +# Ident - Identification Protocol - RFC 1413 +# Pattern quality: good veryfast +# Usually runs on port 113 +# +# This pattern is believed to work. If it does not +# work for you, or you believe it could be improved, please post to +# l7-filter-developers@lists.sf.net . This list may be subscribed to at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +ident +# "number , numberCRLF" possibly without the CR and/or LF. +# ^$ is appropriate because the first packet should never have anything +# else in it. +^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$ diff --git a/package/iptables/files/l7/irc.pat b/package/iptables/files/l7/irc.pat new file mode 100644 index 0000000..6643f6c --- /dev/null +++ b/package/iptables/files/l7/irc.pat @@ -0,0 +1,20 @@ +# IRC - Internet Relay Chat - RFC 1459 +# Pattern quality: good veryfast +# +# Usually runs on port 6666 or 6667 +# Note that chat traffic runs on these ports, but IRC-DCC traffic (which +# can use much more bandwidth) uses a dynamically assigned port, so you +# must have the IRC connection tracking module in your kernel to classify +# this. +# +# This pattern has been tested and is believed to work well. If it does not +# work for you, or you believe it could be improved, please post to +# l7-filter-developers@lists.sf.net . This list may be subscribed to at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +irc +# First thing that happens is that the client sends NICK and USER, in +# either order. This allows MIRC color codes (\x02-\x0d instead of +# \x09-\x0d). +^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a) + diff --git a/package/iptables/files/l7/jabber.pat b/package/iptables/files/l7/jabber.pat new file mode 100644 index 0000000..7a0c684 --- /dev/null +++ b/package/iptables/files/l7/jabber.pat @@ -0,0 +1,24 @@ +# Jabber (XMPP) - an open instant messenger protocol - http://jabber.org +# Pattern quality: good fast +# +# This pattern has been tested with Gaim and Gabber. It is only tested +# with non-SSL mode Jabber with no proxies. If it does not +# work for you, or you believe it could be improved, please post to +# l7-filter-developers@lists.sf.net . This list may be subscribed to at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +# Thanks to Jan Hudec for some improvements. + +# Jabber seems to take a long time to set up a connection. I'm +# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets +# is this: +# <stream:stream to='12jabber.com' xmlns='jabber:client' +# xmlns:stream='http://etherx.jabber.org/streams'><?xml +# version='1.0'?><stream:stream +# xmlns:stream='http://etherx.jabber.org/streams' id='3f73e951' +# xmlns='jabber:client' from='12jabber.com'> +# +# No mention of my username or password yet, you'll note. + +jabber +<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber diff --git a/package/iptables/files/l7/msnmessenger.pat b/package/iptables/files/l7/msnmessenger.pat new file mode 100644 index 0000000..e07f71f --- /dev/null +++ b/package/iptables/files/l7/msnmessenger.pat @@ -0,0 +1,15 @@ +# MSN Messenger - Microsoft Network chat client +# Pattern quality: good veryfast +# +# Usually uses port 1863 +# http://www.hypothetic.org/docs/msn/index.php +# +# This pattern has been tested and is believed to work well. If it does not +# work for you, or you believe it could be improved, please post to +# l7-filter-developers@lists.sf.net . This list may be subscribed to at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +msnmessenger +# ver: allow versions up to 99. +# usr (in case ver didn't work): +^(ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]* cvr|usr md5 i [ -~]*) diff --git a/package/iptables/files/l7/ntp.pat b/package/iptables/files/l7/ntp.pat new file mode 100644 index 0000000..b7e443e --- /dev/null +++ b/package/iptables/files/l7/ntp.pat @@ -0,0 +1,17 @@ +# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030 +# Pattern quality: good veryfast overmatch +# +# This pattern is tested and is believed to work. If this does not work +# for you, or you believe it could be improved, please post to +# l7-filter-developers@lists.sf.net . Subscribe at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +# client|server +# Requires the server's timestamp to be in the present or future (of 2005). +# Tested with ntpdate on Linux. +# Assumes version 2, 3 or 4. + +# Note that ntp packets are always 48 bytes, so you should match on that too. + +ntp +^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff]) diff --git a/package/iptables/files/l7/pop3.pat b/package/iptables/files/l7/pop3.pat new file mode 100644 index 0000000..f6bb630 --- /dev/null +++ b/package/iptables/files/l7/pop3.pat @@ -0,0 +1,50 @@ +# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939 +# Pattern quality: good veryfast +# +# This pattern has been tested somewhat. If it does not +# work for you, or you believe it could be improved, please post to +# l7-filter-developers@lists.sf.net . This list may be subscribed to at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +# this is a difficult protocol to match because of the relative lack of +# distinguishing information. Read on. +pop3 + +# this the most conservative pattern. It should definitely work. +#^(\+ok|-err) + +# this pattern assumes that the server says _something_ after +ok or -err +# I think this is probably the way to go. +^(\+ok |-err ) + +# more that 90% of servers seem to say "pop" after "+ok", but not all. +#^(\+ok .*pop) + +# Here's another tack. I think this is my second favorite. +#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command)) + +# this matches the server saying "you have N messages that are M bytes", +# which the client probably asks for early in the session (not tested) +#\+ok [0-9]+ [0-9]+ + +# some sample servers: +# RFC example: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us> +# mail.dreamhost.com: +OK Hello there. +# pop.carleton.edu: +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled) +# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon> +# *.email.umn.edu: +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu> +# mail.yale.edu: +OK POP3 pantheon-po01 v2002.81 server ready +# mail.gustavus.edu: +OK POP3 solen v2001.78 server ready +# mail.reed.edu: +OK POP3 letra.reed.edu v2002.81 server ready +# mail.bowdoin.edu: +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003)) +# pop.colby.edu: +OK Qpopper (version 4.0.5) at basalt starting. +# mail.mac.com: +OK Netscape Messaging Multiplexor ready + +# various error strings: +#-ERR Invalid command. +#-ERR invalid command +#-ERR unimplemented +#-ERR Invalid command, try one of: USER name, PASS string, QUIT +#-ERR Unknown AUTHORIZATION state command +#-ERR Unrecognized command +#-ERR Unknown command: "sadf'". diff --git a/package/iptables/files/l7/smtp.pat b/package/iptables/files/l7/smtp.pat new file mode 100644 index 0000000..1bab7a1 --- /dev/null +++ b/package/iptables/files/l7/smtp.pat @@ -0,0 +1,39 @@ +# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869) +# Pattern quality: great fast +# usually runs on port 25 +# +# This pattern has been tested and is believed to work well. If it does not +# work for you, or you believe it could be improved, please post to +# l7-filter-developers@lists.sf.net . This list may be subscribed to at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +smtp +# As usual, no text is required after "220", but all known servers have some +# there. It (almost?) always has string "smtp" in it. The RFC examples +# does not, so we match those too, just in case anyone has copied them +# literally. +^220[\x09-\x0d -~]* (e?smtp|simple mail) + +# This is ~3x faster if the stream starts with "220" +#^220.* (e?smtp|simple mail) + +# Some examples: +# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3 +# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400 +# 220 mail.ut.caldera.com ESMTP +# 220 persephone.pmail.gen.nz ESMTP server ready. +# 220 smtp1.superb.net ESMTP +# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready +# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4 +# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500 +# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3) +# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200 +# 220-mail.email-scan.com ESMTP +# 220 smaug.dreamhost.com ESMTP +# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648) +# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT) +# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700 +# +# RFC examples: +# 220 xyz.com Simple Mail Transfer Service Ready (RFC example) +# 220 dbc.mtview.ca.us SMTP service ready diff --git a/package/iptables/files/l7/ssl.pat b/package/iptables/files/l7/ssl.pat new file mode 100644 index 0000000..ab5f62c --- /dev/null +++ b/package/iptables/files/l7/ssl.pat @@ -0,0 +1,15 @@ +# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246 +# Pattern quality: good fast +# Usually runs on port 443 +# +# This is a superset validcertssl. For it to match, it must be first. +# +# This pattern has been tested and is believed to work well. If it does not +# work for you, or you believe it could be improved, please post to +# l7-filter-developers@lists.sf.net . This list may be subscribed to at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +ssl +# Client Hello | Server Hello with certificate +# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1 +^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b) diff --git a/package/iptables/files/l7/vnc.pat b/package/iptables/files/l7/vnc.pat new file mode 100644 index 0000000..35bfbd4 --- /dev/null +++ b/package/iptables/files/l7/vnc.pat @@ -0,0 +1,23 @@ +# VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer +# Pattern quality: good fast +# http://www.realvnc.com/documentation.html +# +# This pattern has been verified with vnc v3.3.7 on WinXP and Linux +# Please report on how this pattern works for you at +# l7-filter-developers@lists.sf.net . If you can improve on this pattern, +# please also post to that list. You may subscribe at +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# +# Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern. + +vnc +# Assumes single digit major and minor version numbers +# This message should be all alone in the first packet, so ^$ is appropriate +^rfb 00[1-9]\.00[0-9]\x0a$ + +# This is a more restrictive version which assumes the version numbers +# are ones actually in existance at the time of this writing, i.e. 3.3, +# 3.7 and 3.8 (with some clients wrongly reporting 3.5). It should be +# slightly faster, but probably not worth the extra maintenance. +# ^rfb 003\.00[3578]\x0a$ + |