我面临一个不寻常的问题,即特定的 TCP 流没有被 iptables 丢弃;相反,它就像 iptables 只是删除那些特定的数据包。
我们得到以下流量:
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_wCsFbzYvU4RoBXK6fFpOyk7gT3cCl8 HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_orvy148BFILOSVYbeilptwz2BEHLOR HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_uqIxPsKm2UxPs7Z2UjCeuM2HjzRg9O HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_HKMPRTWYadfhkmpsuxz1368ADFIKMP HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_JKKKKKKKKLLLLLLLLLLLLLMMMMMMMM HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_8CJMQTXaehkoswz37AEHKOSVZchlpt HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_KRYfmu18FMSZgov29FMTahpw39GNUb HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_y26AEIMQUYcgkptx159DHLPTXbfjos HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_HHHHIIIIIIIIIIIIIJJJJJJJJJJJJJ HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_CCDDDDDDDDDDDDDDDDDDDDDEEEEEEE HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
我们尝试用以下方法阻止它:
iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 80 -m string --string ".*CtrlFunc_.*" --algo bm -j DROP
和:
iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 80 -m conntrack --ctstate INVALID,NEW,ESTABLISHED,RELATED --ctstatus EXPECTED,ASSURED,CONFIRMED,NONE -m string --string "CtrlFunc_" --algo bm -j DROP
然而,发生的情况如下:
x.x.x.x - - [27/Jul/2013:11:52:34 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:34 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:34 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:34 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
是否可以使用 iptables 阻止基于 TCP 的流?
答案1
这是使用基于流的数据包过滤器的微妙之处之一。
如果您使用目标-j REJECT,则会发回一个RST数据包,从而终止连接。