[Firewall] Possible to Block POST Attacks by User Agent String?

Alex Aune lists at aewne.net
Fri Sep 13 11:30:21 CEST 2013

On 13.09.2013 10:17, Wijatmoko U. Prayitno wrote:
> On Fri, 13 Sep 2013 08:10:28 +0200
> Alex Aune <lists at aewne.net> wrote:
>> the moment, but I've used something similar for
>> filtering torrents based on their headers before. That
> What string do you use to block torrent? I'm considering
> blocking torrent traffic since it consumes a lot of bandwidth.

I use a combination of these two:
iptables -t raw -A PREROUTING -m string --algo bm --hex-string 
"|13426974546f7272656e742070726f746f636f6c|" -j CONNMARK --set-mark 
iptables -t mangle -A PREROUTING -m ipp2p --bit -j CONNMARK --set-mark 
(I use the connmark targets to route this traffic over a different 

Mind you, the only reason I still run with this ruleset is because I 
haven't had time to set up proper layer 7 filtering.

See these links for more info:

Also, Gentoo has a working ebuild for the userspace tools.
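To make the first rule above concrete: the `--hex-string` body is the first 20 bytes of the BitTorrent peer-wire handshake, and `-m string` simply looks for those bytes anywhere in the packet payload. The Python below is an added example, not code from the list post or from the iptables/ipp2p projects. It decodes that hex pattern, applies it the way the string match does, and parses the same payloads as a proper handshake, so the two verdicts can be compared on a few constructed sample payloads (the `info_hash` and `peer_id` values and the HTTP and opaque samples are made up for the example). The comparison shows why the rule is a stop-gap rather than layer 7 filtering: a bare substring test fires on any payload that happens to carry the bytes, and stays silent on any torrent connection where they are absent.

```python
"""Emulation of the BitTorrent handshake signature used in the quoted iptables rule.

Added example (not from the list post): decodes the --hex-string pattern, applies
it the way `-m string` does (substring search over the packet payload) and, for
comparison, parses the payload as a real BitTorrent handshake so the two results
can be told apart on constructed sample payloads.
"""
import binascii
import hashlib

# Hex pattern exactly as written in the iptables rule quoted in the post.
RULE_HEX = "13426974546f7272656e742070726f746f636f6c"

# Layout of the BitTorrent peer-wire handshake (BEP 3):
#   1 byte pstrlen (19) | 19 bytes pstr | 8 bytes reserved | 20 bytes info_hash | 20 bytes peer_id
BT_PSTR = b"BitTorrent protocol"
BT_HANDSHAKE_LEN = 1 + len(BT_PSTR) + 8 + 20 + 20  # 68 bytes


def rule_hex_to_bytes(rule_hex: str) -> bytes:
    """Decode an iptables --hex-string body ("|...|" delimiters optional) to raw bytes."""
    return binascii.unhexlify(rule_hex.strip("|"))


SIGNATURE = rule_hex_to_bytes(RULE_HEX)  # b'\x13BitTorrent protocol'


def string_match(payload: bytes, signature: bytes = SIGNATURE) -> bool:
    """What `-m string --algo bm --hex-string` tests: the signature anywhere in the payload."""
    return signature in payload


def parse_bt_handshake(payload: bytes):
    """Strict parse of a peer-wire handshake at offset 0; None if the payload is not one."""
    if len(payload) < BT_HANDSHAKE_LEN:
        return None
    pstrlen = payload[0]
    if pstrlen != len(BT_PSTR) or payload[1:1 + pstrlen] != BT_PSTR:
        return None
    off = 1 + pstrlen
    return {
        "reserved": payload[off:off + 8],
        "info_hash": payload[off + 8:off + 28].hex(),
        "peer_id": payload[off + 28:off + 48],
    }


def classify(payload: bytes) -> str:
    """Three outcomes: a real handshake, a bare string hit (the rule would still mark it), or nothing."""
    if parse_bt_handshake(payload) is not None:
        return "bt-handshake"
    if string_match(payload):
        return "string-only"
    return "no-match"


def build_handshake(info_hash: bytes, peer_id: bytes, reserved: bytes = bytes(8)) -> bytes:
    """Assemble a handshake from its fields (used here only to construct sample input)."""
    return bytes([len(BT_PSTR)]) + BT_PSTR + reserved + info_hash + peer_id


# Constructed sample payloads; the info_hash and peer_id values are made up for the example.
SAMPLE_PAYLOADS = {
    "bt_handshake": build_handshake(hashlib.sha1(b"example torrent").digest(), b"-XX0001-" + b"0" * 12),
    "http_get": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # An HTTP upload whose body happens to carry the signature: the rule marks it, a parser would not.
    "http_body_with_sig": b"POST /upload HTTP/1.1\r\nHost: example.com\r\n\r\n" + SIGNATURE + b"\x00" * 8,
    # Opaque bytes standing in for an obfuscated peer connection: the signature never appears.
    "opaque_stream": bytes(range(0x20, 0x64)) + bytes(range(0xA0, 0xE4)),
}


def classify_all(payloads=SAMPLE_PAYLOADS) -> dict:
    """Run classify() over every sample and return {name: verdict}."""
    return {name: classify(p) for name, p in payloads.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:20s} -> {verdict}")
```

`classify_all()` returns `bt-handshake` for the real handshake, `string-only` for the HTTP body that merely contains the bytes, and `no-match` for both the plain GET and the opaque stream; the iptables rule, which only implements `string_match`, marks the first two and ignores the last two.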

