A Mind-Blowing Use For IPTables

A coworker was investigating why HTTPS requests using a specific user agent would throw immediate 503 errors. After some troubleshooting, we found something very interesting in the iptables ruleset and in bash history.

iptables -t raw -A PREROUTING -m string --algo bm --string "User Agent String" -j DROP

I guess I haven’t been keeping up on the latest features of IPTables. I can block network requests based on a text pattern? This is pretty awesome!

Warning: this type of deep packet inspection is really expensive on the CPU. Don't use it unless you run out of options.
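As an added example (not part of the original post), here is a small audit helper that finds rules like the one above in an iptables-save dump instead of in bash history: it lists every rule that uses the string match module and jumps to DROP, with the table, chain and matched pattern. The dump it runs on is constructed; the function names are my own.

```shell
#!/bin/sh
# Audit helper (added example): report "-m string ... -j DROP" rules from an
# iptables-save dump read on stdin, as "table chain pattern".

find_string_drops() {
    awk '
        BEGIN { table = "?" }
        /^\*/ { table = substr($0, 2) }          # *raw, *filter, ...
        /^-A / && / -m string / && / -j DROP$/ {
            chain = $2
            # the pattern follows --string; iptables-save quotes it if it has spaces
            if (match($0, /--string "[^"]*"/)) {
                pat = substr($0, RSTART + 10, RLENGTH - 11)
            } else if (match($0, /--string [^ ]+/)) {
                pat = substr($0, RSTART + 9, RLENGTH - 9)
            } else {
                pat = "?"
            }
            printf "%s %s %s\n", table, chain, pat
        }
    '
}

# Constructed sample resembling iptables-save output on the host in the post.
SAMPLE_DUMP='# Generated by iptables-save
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m string --string "User Agent String" --algo bm --to 65535 -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m string --string secret --algo kmp --to 65535 -j ACCEPT
COMMIT'

# Run the audit over the constructed dump (only the raw-table rule is reported).
audit_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | find_string_drops
}

audit_sample
```

On a live host, pipe `iptables-save` through find_string_drops; the pkts/bytes counters from `iptables -t raw -L PREROUTING -v -n` then show whether such a rule is actually dropping traffic.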
