I log and drop packets sent to a specific IP/domain name. I would like to be able to log the URL parameters of these dropped packets.
This is an example URL:
http://somedomain.com/test.php?param1=test1&param2=test2
This is what I'm doing, e.g.:
iptables -A OUTPUT -p tcp -d somedomain.com --dport 80 -m string --string 'param1=' --algo bm -j LOGGING
In the LOGGING chain:
iptables -A LOGGING -j LOG --log-prefix "somedomain.com Packet Dropped: " --log-level 7
I tried these options without any success:
--log-ip-options
--log-tcp-options
Basically, I'd like to be able to get the same relevant info as from tcpdump,
but because I drop packets, you know the story, I cannot use tcpdump here (as I understand it)…
Is it possible using the iptables LOG target (to a text file?!) to get the URL query string of a dropped packet? In this example, it would be:
param1=test1&param2=test2
My knowledge about all of this is near zero, so excuse me if it's a silly question.
Thanks
Best Answer
You won't be able to achieve that correctly with iptables alone, if only because the request URL might be fragmented across several packets.
Since you are filtering on OUTPUT, a more robust and easier way would probably be to install a local HTTP proxy, such as Squid, and add your filtering rules to Squid.
For the sake of completeness, you can then use iptables to block everything but the Squid proxy from connecting to this forbidden host.
According to the following Config example, you should have in your squid.conf:

and then intercept requests with:

The first rule is required so that Squid itself can proxy the request to the original host, if you want to let some through.
You can observe the URLs of the requests by consulting the default access.log file produced by Squid. For actually blocking URLs you should set up some ACLs in squid.conf:
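An added example (not from the original question or answer) that puts the Squid approach described in the answer together end to end: the squid.conf fragment with an ACL denying the host, the iptables OUTPUT rules that redirect every process except Squid into the proxy and drop whatever slips past, and an awk filter that pulls the query string out of TCP_DENIED lines in Squid's native access.log. The Squid user (proxy), listening port (3128) and the three access.log lines are assumptions and constructed sample data; the rule-printing functions only print, so the script runs without root and nothing is applied until you feed the output to a shell yourself.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed values: Squid runs
# as user "proxy" (the Debian default) and listens on 127.0.0.1:3128 in
# intercept mode; the host to block is somedomain.com.

BLOCKED_HOST="somedomain.com"
SQUID_USER="proxy"
SQUID_PORT="3128"

# squid.conf fragment: ".somedomain.com" matches the host and any subdomain.
# The deny must come before any "http_access allow" line. Denied requests are
# still written to access.log as TCP_DENIED with the full URL, query included.
squid_conf_fragment() {
    cat <<EOF
http_port 127.0.0.1:${SQUID_PORT} intercept
acl blocked_host dstdomain .${BLOCKED_HOST}
http_access deny blocked_host
EOF
}

# iptables OUTPUT rules, printed rather than applied. The owner match only
# exists for locally generated packets, which is why this works on OUTPUT:
# everything except the Squid user is redirected into the proxy, and anything
# that still reaches the host directly without being Squid is dropped. Squid's
# own outbound connection is excluded, so there is no redirect loop.
iptables_rules() {
    cat <<EOF
iptables -t nat -A OUTPUT -p tcp -d ${BLOCKED_HOST} --dport 80 -m owner ! --uid-owner ${SQUID_USER} -j REDIRECT --to-ports ${SQUID_PORT}
iptables -A OUTPUT -p tcp -d ${BLOCKED_HOST} --dport 80 -m owner ! --uid-owner ${SQUID_USER} -j DROP
EOF
}

# Read Squid native access.log lines on stdin and print "<action/code> <query>"
# for denied requests. Field 4 is action/code and field 7 is the URL; the query
# string is everything after the first "?", or "-" when there is none.
denied_query_strings() {
    awk '$4 ~ /^TCP_DENIED/ {
        url = $7
        q = index(url, "?")
        printf "%s %s\n", $4, (q ? substr(url, q + 1) : "-")
    }'
}

# Constructed sample log lines (not real traffic) in Squid's native format.
SAMPLE_LOG='1698765432.123    245 127.0.0.1 TCP_DENIED/403 3900 GET http://somedomain.com/test.php?param1=test1&param2=test2 - HIER_NONE/- text/html
1698765433.456     12 127.0.0.1 TCP_MISS/200 1200 GET http://example.org/ok?x=1 - HIER_DIRECT/93.184.216.34 text/html
1698765434.789    230 127.0.0.1 TCP_DENIED/403 3900 GET http://somedomain.com/index.html - HIER_NONE/- text/html'

# Usage: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    squid_conf_fragment
    iptables_rules
    printf '%s\n' "$SAMPLE_LOG" | denied_query_strings
fi
```

Two caveats worth keeping in mind: `-d somedomain.com` is resolved once when the rule is inserted, so a host whose address changes escapes the rule, and a TLS site on port 443 cannot be inspected this way because the URL path and query are inside the encrypted stream; the DROP still works there, but only by destination.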