I'm running into an odd problem where a particular TCP flow is not being dropped by iptables. Instead, it is as if iptables drops only that specific packet.
We get traffic like the following:
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_wCsFbzYvU4RoBXK6fFpOyk7gT3cCl8 HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_orvy148BFILOSVYbeilptwz2BEHLOR HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_uqIxPsKm2UxPs7Z2UjCeuM2HjzRg9O HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_HKMPRTWYadfhkmpsuxz1368ADFIKMP HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_JKKKKKKKKLLLLLLLLLLLLLMMMMMMMM HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_8CJMQTXaehkoswz37AEHKOSVZchlpt HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_KRYfmu18FMSZgov29FMTahpw39GNUb HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_y26AEIMQUYcgkptx159DHLPTXbfjos HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_HHHHIIIIIIIIIIIIIJJJJJJJJJJJJJ HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_CCDDDDDDDDDDDDDDDDDDDDDEEEEEEE HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
We try to prevent this with:
# --algo bm is a literal substring search, so the regex-style ".*CtrlFunc_.*" used originally could never match; the bare marker is the pattern
iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 80 -m string --string "CtrlFunc_" --algo bm -j DROP
and:
iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 80 -m conntrack --ctstate INVALID,NEW,ESTABLISHED,RELATED --ctstatus EXPECTED,ASSURED,CONFIRMED,NONE -m string --string "CtrlFunc_" --algo bm -j DROP
But what actually happens is this:
x.x.x.x - - [27/Jul/2013:11:52:34 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:34 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:34 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:34 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Is it possible to block a TCP-based flow using iptables?
Answer 1
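Added example, not part of the question or the answer: a small Python checker over access-log lines constructed from the two listings above (host kept as the page's x.x.x.x placeholder). It flags requests carrying the CtrlFunc_ marker and, because the second listing shows the same source continuing with bare "POST /" requests once the string rule is in place, also flags per-source bursts of POSTs within a single second, so the flood can still be spotted in the log when the marker is no longer visible.

```python
import re
from collections import Counter

# Combined log format as in the question; the host is the page's x.x.x.x placeholder.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SIGNATURE = "CtrlFunc_"

# Constructed sample excerpted from the question's two log listings.
UA = '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
BEFORE = [
    'x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_wCsFbzYvU4RoBXK6fFpOyk7gT3cCl8 HTTP/1.1" 403 380 ' + UA,
    'x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_orvy148BFILOSVYbeilptwz2BEHLOR HTTP/1.1" 403 380 ' + UA,
    'x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_JKKKKKKKKLLLLLLLLLLLLLMMMMMMMM HTTP/1.1" 403 380 ' + UA,
]
AFTER = (
    ['x.x.x.x - - [27/Jul/2013:11:52:34 -0400] "POST / HTTP/1.1" 403 380 ' + UA] * 2
    + ['x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 ' + UA] * 5
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["second"] = rec["ts"][:20]  # drop the timezone: one-second buckets
    return rec

def analyse(lines, burst_threshold=5):
    """Return (signature_hits, bursts).
    signature_hits: request paths carrying the CtrlFunc_ marker.
    bursts: {(host, second): count} for sources sending >= burst_threshold POSTs
    within one second, a shape that survives even when the marker is gone."""
    hits, per_second = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than fail the whole run
        if SIGNATURE in rec["path"]:
            hits.append(rec["path"])
        if rec["method"] == "POST":
            per_second[(rec["host"], rec["second"])] += 1
    bursts = {k: n for k, n in per_second.items() if n >= burst_threshold}
    return hits, bursts

if __name__ == "__main__":
    for label, lines in (("before string rule", BEFORE), ("after string rule", AFTER)):
        hits, bursts = analyse(lines)
        print(f"{label}: {len(hits)} marker hits, bursts={bursts}")
```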
This is one of the subtleties of using a flow-based packet filter.
If you use the -j REJECT target, an RST is sent back and the connection is terminated.