特定のTCPフローがiptablesによって削除されないという珍しい問題に直面しています。代わりに、iptablesがその特定のパケットをドロップするのと同じです。
次のトラフィックが発生します。
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_wCsFbzYvU4RoBXK6fFpOyk7gT3cCl8 HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_orvy148BFILOSVYbeilptwz2BEHLOR HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_uqIxPsKm2UxPs7Z2UjCeuM2HjzRg9O HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_HKMPRTWYadfhkmpsuxz1368ADFIKMP HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_JKKKKKKKKLLLLLLLLLLLLLMMMMMMMM HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_8CJMQTXaehkoswz37AEHKOSVZchlpt HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_KRYfmu18FMSZgov29FMTahpw39GNUb HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_y26AEIMQUYcgkptx159DHLPTXbfjos HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_HHHHIIIIIIIIIIIIIJJJJJJJJJJJJJ HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:16 -0400] "POST /?CtrlFunc_CCDDDDDDDDDDDDDDDDDDDDDEEEEEEE HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
私たちは次のことを避けようとします。
iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 80 -m string --string ".*CtrlFunc_.*" --algo bm -j DROP
そして:
iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 80 -m conntrack --ctstate INVALID,NEW,ESTABLISHED,RELATED --ctstatus EXPECTED,ASSURED,CONFIRMED,NONE -m string --string "CtrlFunc_" --algo bm -j DROP
しかし、起こっていることは次のとおりです。
x.x.x.x - - [27/Jul/2013:11:52:34 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:34 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:34 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:34 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [27/Jul/2013:11:52:35 -0400] "POST / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
iptablesを使用してTCPベースのフローをブロックできますか?
ベストアンサー1
これは、フローベースのパケットフィルタの使用の微妙さの1つです。
宛先を使用している場合は、パケットが-j REJECT再送信され、接続が終了します。RST