ÀÌ Àý¿¡¼, »õ·Î¿î netfilter matchesÀÇ »ç¿ë¹ýÀ» ¼³¸íÇÒ °ÍÀÌ´Ù. ÀÌ ÆÐÄ¡µéÀº ¾ËÆÄºª ¼ø¼·Î ³ªÅ¸³¾ °ÍÀÌ´Ù. ºÎ°¡ÀûÀ¸·Î, ¿µÇâÀ» ¹ÌÄ¡´Â ´Ù¸¥ ÆÐÄ¡¿¡ ´ëÇÑ ¼³¸íÀº ¾ø´Ù. ÀÌ´Â ´ÙÀ½ ¹öÀü ¹®¼¿¡ Æ÷Ç﵃ °ÍÀÌ´Ù.
ÀϹÝÀûÀ¸·Î, ´ÙÀ½°ú °°ÀÌ ÇÏ¸é Æ¯º°ÇÑ ¸ðµâ·ÎºÎÅÍ ÈùÆ®¸¦ ¾òÀ» ¼ö ÀÖ´Ù.
# iptables -m the_match_you_want --help |
ÀÌ´Â º¸ÅëÀÇ iptables µµ¿ò¸»À» º¸¿©ÁÖ°í, °Å±â¿¡ ´õÇØ¼ ³¡¿¡ ¸í½ÃµÈ ``¿øÇÏ´Â match''¿¡ ÇØ´çµÇ´Â µµ¿ò¸»À» º¸¿©ÁØ´Ù.
ÀÌ ÆÐÄ¡´Â Yon Uriarte <yon@astaro.de>¿¡ ÀÇÇØ ÀÛ¼ºµÇ¾ú°í ´ÙÀ½ÀÇ 2°¡Áö »õ·Î¿î matches¸¦ ÇÑ °ÍÀÌ´Ù :
``ah'' : Security Parameter Index (SPI)¿¡ ±âÃÊÇÑ AH ÆÐŶÀ» matchÇÒ ¼ö ÀÖµµ·Ï ÇÑ´Ù.
``esp'' : SPI¿¡ ±âÃÊÇÑ ESP ÆÐŶÀ» matchÇÒ ¼ö ÀÖµµ·Ï ÇÑ´Ù.
ÀÌ ÆÐÄ¡´Â SPI¿¡ ±âÃÊÇÑ ¿¬°áµéÀ» ±¸ºÐÁþ°íÀÚ IPSECÀ» »ç¿ëÇÏ´Â »ç¶÷µé¿¡°Ô À¯¿ëÇÒ ¼ö ÀÖ´Ù.
¿¹¸¦ µé¾î, ´ÙÀ½°ú °°ÀÌ Çϸé 500°ú ÀÏÄ¡ÇÏ´Â SPI¸¦ °¡Áö´Â ¸ðµç AH ÆÐŶÀ» µå·Ó½Ãų¼ö ÀÖ´Ù.
# iptables -A INPUT -p 51 -m ah --ahspi 500 -j DROP # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination DROP ipv6-auth-- anywhere anywhere ah spi:500 |
ah match°¡ Áö¿øÇÏ´Â ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù :
--ahspi [!] spi[:spi] -> match spi (range)
esp matchµµ ¶È°°ÀÌ ÀÛ¿ëÇÑ´Ù.
# iptables -A INPUT -p 50 -m esp --espspi 500 -j DROP # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination DROP ipv6-crypt-- anywhere anywhere esp spi:500 |
esp match°¡ Áö¿øÇÏ´Â ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù :
--espspi [!] spi[:spi] -> match spi (range)
ah ¶Ç´Â esp match¸¦ »ç¿ëÇÒ¶§, ¶Ç´Â ¸í¹éÇÑ ÀÌÀ¯·Î ·ê ÷°¡¸¦ Áß´ÜÇϰíÀÚ ÇÒ¶§, ``-p 50'' ¶Ç´Â ``-p 51'' (esp & ah °¢°¢)À» ÅëÇØ ÀûÀýÇÑ ÇÁ·ÎÅäÄÝÀ» ¸í½ÃÇÏ´Â °ÍÀ» ÀØÁö ¸»¾Æ¾ß ÇÑ´Ù.
ÀÌ ÆÐÄ¡´Â Gerd Knorr <kraxel@bytesex.org>¿¡ ÀÇÇØ ÀÛ¼ºµÇ¾úÀ¸¸ç, ƯÁ¤ È£½ºÆ®³ª ³×Æ®¿öÅ©·ÎºÎÅÍÀÇ TCP ¿¬°á °¹¼ö¸¦ ¾î¶»°Ô Á¦ÇÑÇÏ´ÂÁö¿¡ ´ëÇÑ »õ·Î¿î match¸¦ ÇÑ °ÍÀÌ´Ù.
¿¹¸¦ µé¾î, ÇÑ IP ÁÖ¼Ò¿¡ ÀÇÇÑ HTTP ¿¬°á °¹¼ö·Ñ 4°³·Î Á¦ÇÑÇÏ·Á°í Çϸé :
# iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-above 4 -j REJECT # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination REJECT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN #conn/32 > 4 reject-with icmp-port-unreachable |
¶Ç´Â ¿¹¸¦ µé¾î class A ÀüüÀÇ ¿¬°á °¹¼ö¸¦ Á¦ÇÑÇϱ⸦ ¿øÇÑ´Ù¸é :
# iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-mask 8 --iplimit-above 4 -j REJECT # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination REJECT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN #conn/8 > 4 reject-with icmp-port-unreachable |
iplimit patch°¡ Áö¿øÇÏ´Â ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù :
[!] --iplimit-above n -> ÇöÀç tcp ¿¬°á °¹¼ö¸¦ n°³ ÀÌ»óÀ¸·Î ÇÏ·Á¸é (ÇÏÁö ¾ÊÀ¸·Á¸é)
--iplimit-mask n -> subnet mask¸¦ »ç¿ëÇÏ´Â ±×·ì È£½ºÆ®µé
ÀÌ ÆÐÄ¡´Â Fabrice MARIE <fabrice@celestix.com>¿¡ ÀÇÇØ ÀÛ¼ºµÇ¾úÀ¸¸ç, ¼³Á¤µÈ IP ¿É¼Ç¿¡ ÀÇÇØ ÆÐŶÀ» matchÇÒ ¼ö ÀÖ°Ô ÇÒ ¼ö ÀÖµµ·Ï »õ·Î¿î match¸¦ ÇÑ °ÍÀÌ´Ù.
¿¹¸¦ µé¾î, IP ¿É¼Ç¿¡ ¼³Á¤µÈ record-route ¶Ç´Â timestamp¸¦ °¡Áø ¸ðµç ÆÐŶÀ» µå·ÓÇÏ·Á¸é ´ÙÀ½°ú °°ÀÌ ¼³Á¤ÇÑ´Ù :
# iptables -A INPUT -m ipv4options --rr -j DROP # iptables -A INPUT -m ipv4options --ts -j DROP # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- anywhere anywhere IPV4OPTS RR DROP all -- anywhere anywhere IPV4OPTS TS |
ipv4options match°¡ Áö¿øÇÏ´Â ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù :
--ssrr -> strict source routing flag¿¡ matchµÇ´Â.
--lsrr -> loose source routing flag¿¡ matchµÇ´Â.
--no-srr -> source routingÀ» °¡ÁöÁö ¾Ê´Â ÆÐŶ¿¡ matchµÇ´Â.
--rr -> record route flag¿¡ matchµÇ´Â.
[!] --ts -> timestamp flag¿¡ matchµÇ´Â.
[!] --ra -> router-alert option¿¡ matchµÇ´Â.
[!] --any-opt -> Àû¾îµµ ÇϳªÀÇ IP ¿É¼Ç(¶Ç´Â !ÀÌ ¼±ÅõÇÁö ¾ÊÀº ¸ðµç IP ¿É¼Ç) À» °¡Áø ÆÐŶ¿¡ matchµÇ´Â.
ÀÌ ÆÐÄ¡´Â James Morris <jmorris@intercode.com.au>¿¡ ÀÇÇØ ÀÛ¼ºµÇ¾úÀ¸¸ç, ±æÀÌ¿¡ ±âÃÊÇÑ ÆÐŶÀ» matchÇÒ ¼ö ÀÖ°Ô »õ·Î¿î match¸¦ ÇÑ °ÍÀÌ´Ù.
¿¹¸¦ µé¾î, 85 ¹ÙÀÌÆ®º¸´Ù Å« ÆÐŶ Å©±â¸¦ °¡Áø ¸ðµç ping packetÀ» µå·ÓÇÏ·Á¸é ´ÙÀ½°ú °°ÀÌ ÇÑ´Ù :
# iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 85:0xffff -j DROP # ptables --list Chain INPUT (policy ACCEPT) target prot opt source destination DROP icmp -- anywhere anywhere icmp echo-request length 85:65535 |
length match¿¡ ´ëÇÑ ºÎ°¡ÀûÀÎ ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù :
[!] --length length[:length] -> value ¶Ç´Â valueÀÇ ¹üÀ§¿¡ ´ëÇÑ ÆÐŶ ±æÀÌ¿¡ ÇØ´çÇÏ´Â.
Ç¥ÇöµÇÁö ¾ÊÀº valueÀÇ ¹üÀ§´Â ³»Æ÷µÇ¾î ÀÖÀ» °ÍÀÌ´Ù. ³»Æ÷µÈ value´Â ÃÖ¼Ò 0, ÃÖ°í 65535ÀÌ´Ù.
ÀÌ ÆÐÄ¡´Â Andreas Ferber <af@devcon.net>¿¡ ÀÇÇØ ÀÛ¼ºµÇ¾úÀ¸¸ç, TCP, UDP ¿¬°á¿¡ ´ëÇØ ´ÜÀÏÆ÷Æ®¿Í Æ÷Æ®¹üÀ§¸¦ Á¶ÇÕÇØ¼ Æ÷Æ®¸¦ ¸í½ÃÇÒ¼ö ÀÖµµ·Ï »õ·Î¿î match¸¦ ÇÑ °ÍÀÌ´Ù.
¿¹¸¦ µé¾î, ÇÑ ¶óÀο¡¼ ftp, ssh, telnet, http¸¦ ¸·±â¸¦ ¿øÇÑ´Ù¸é, ´ÙÀ½°ú °°ÀÌ ÇÒ ¼ö ÀÖ´Ù :
# iptables -A INPUT -p tcp -m mport --ports 20:23,80 -j DROP # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination DROP tcp -- anywhere anywhere mport ports ftp-data:telnet,http |
mport match¿¡ ´ëÇÑ ºÎ°¡ÀûÀÎ ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù :
--source-ports port[,port:port,port...] -> source port(s)¿¡ matchµÈ´Ù.
--sports port[,port:port,port...] -> source port(s)¿¡ matchµÈ´Ù.
--destination-ports port[,port:port,port...] -> destination port(s)¿¡ matchµÈ´Ù.
--dports port[,port:port,port...] -> destination port(s)¿¡ matchµÈ´Ù.
--ports port[,port:port,port] -> source and destination port(s) ¸ðµÎ¿¡ matchµÈ´Ù.
ÀÌ ÆÐÄ¡´Â Fabrice MARIE <fabrice@celestix.com>¿¡ ÀÇÇØ ÀÛ¼ºµÇ¾úÀ¸¸ç, ·ê¿¡ ÀÇÇØ ¹ÞÀº ƯÁ¤ N¹øÂ° ÆÐŶÀ» matchÇÒ ¼ö ÀÖµµ·Ï »õ·Î¿î match¸¦ ÇÑ °ÍÀÌ´Ù.
¿¹¸¦ µé¾î, ¸Å 2¹øÂ° ÇÎ ÆÐŶÀ» µå·ÓÇÏ±æ ¿øÇÑ´Ù¸é, ´ÙÀ½°ú °°ÀÌ ÇÒ ¼ö ÀÖ´Ù :
# iptables -A INPUT -p icmp --icmp-type echo-request -m nth --every 2 -j DROP # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination DROP icmp -- anywhere anywhere icmp echo-request every 2th |
ÀÌ ÆÐÄ¡´Â Richard Wagner <rwagner@cloudnet.com>¿¡ ÀÇÇØ È®ÀåµÇ¾ú´Âµ¥, ÀÌ´Â inbound¿Í outbound ¿¬°á¿¡ ´ëÇÑ ·Îµå ¹ë·±½ÌÀ» Á¦°øÇÏ´Â ½±°í ºü¸¥ ¹æ¹ýÀ» ¸¸µé ¼ö ÀÖ°Ô ÇØÁØ´Ù.
¿¹¸¦ µé¾î, 10.0.0.5, 10.0.0.6, 10.0.0.7ÀÇ 3°³ ÁÖ¼Ò¿¡ ´ëÇÑ ·Îµå ¹ë·±½ÌÀ» ¿øÇÑ´Ù¸é, ´ÙÀ½°ú °°ÀÌ ÇÒ ¼ö ÀÖ´Ù :
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 0 -j SNAT --to-source 10.0.0.5 # iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 1 -j SNAT --to-source 10.0.0.6 # iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 2 -j SNAT --to-source 10.0.0.7 # iptables -t nat --list Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- anywhere anywhere every 3th packet #0 to:10.0.0.5 SNAT all -- anywhere anywhere every 3th packet #1 to:10.0.0.6 SNAT all -- anywhere anywhere every 3th packet #2 to:10.0.0.7 |
nth match°¡ Áö¿øÇÏ´Â ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù :
--every Nth -> ¸ðµç N¹øÂ° ÆÐŶ°ú ÀÏÄ¡
[--counter] num -> Ä«¿îÅÍ 0-15 (µðÆúÆ®°©:0) »ç¿ë.
[--start] num -> 0 ´ë½Å `num'À¸·Î Ä«¿îÅ͸¦ ÃʱâÈ. ÀÌ numÀº 0¿¡¼ (Nth-1) »çÀÌ¿©¾ß ÇÑ´Ù.
[--packet] num -> `num' ÆÐŶ°ú ÀÏÄ¡. 0 ~ (Nth-1) »çÀÌ¿©¾ß ÇÑ´Ù. `--packet'ÀÌ Ä«¿îÅÍ·Î »ç¿ëµÈ´Ù¸é 0¿¡¼ (Nth-1)»çÀÌÀÇ ¸ðµç value¸¦ ó¸®Çϱâ À§ÇØ --packet ·ê¿¡ N¹øÂ° number°¡ ÀÖ¾î¾ß ÇÑ´Ù.
ÀÌ ÆÐÄ¡´Â Michal Ludvig <michal@logix.cz>¿¡ ÀÇÇØ ÀÛ¼ºµÇ¾úÀ¸¸ç, È£½ºÆ®/ºê·Îµåij½ºÆ®/¸ÖƼij½ºÆ® µî ±× ŸÀÔ¿¡ ±âÃÊÇÑ ÆÐŶÀ» matchÇÒ ¼ö ÀÖµµ·Ï »õ·Î¿î match¸¦ ÇÑ °ÍÀÌ´Ù.
¿¹¸¦ µé¾î, ¸ðµç ºê·Îµåij½ºÆ® ÆÐŶÀ» Á¶¿ëÈ÷ µå·Ó½ÃŰ±æ ¿øÇÑ´Ù¸é :
# iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- anywhere anywhere PKTTYPE = broadcast |
pkttype match°¡ Áö¿øÇÏ´Â ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù :
--pkt-type [!] packettype -> ÆÐŶ ŸÀÔÀÌ ´ÙÀ½Áß ÇϳªÀÏ °æ¿ì ÆÐŶ ŸÀÔÀ» ÀÏÄ¡½ÃŲ´Ù.
host -> ¸ðµÎ
broadcast -> Àüü
multicast -> ±×·ì
Patrick Schaaf <bof@bof.de>.¿¡ ÀÇÇØ ÆÐÄ¡µÇ¾ú°í, Joakim Axelsson and Patrick¿¡ ÀÇÇØ ÀçÀÛ¼ºÁß¿¡ ÀÖ´Ù. ±×·¯¹Ç·Î ÀÌ ºÎºÐÀº °ð ¹Ù²ð °ÍÀÌ´Ù.
ÀÌ ÆÐÄ¡´Â Dennis Koslowski <dkoslowski@astaro.de>¿¡ ÀÇÇØ ÀÛ¼ºµÇ¾úÀ¸¸ç, Æ÷Æ® ½ºÄµÀ» ŽÁöÇϴµ¥ °üÇÑ »õ·Î¿î matchÀÌ´Ù.
°¡Àå °£´ÜÇÑ ÇüÅ·Î, psd match´Â ´ÙÀ½°ú °°ÀÌ »ç¿ëµÉ ¼ö ÀÖ´Ù :
# iptables -A INPUT -m psd -j DROP # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1 |
psd match°¡ Á¦°øÇÏ´Â ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù :
[--psd-weight-threshold threshold] -> Portscan ŽÁö °¡ÁßÄ¡
[--psd-delay-threshold delay] -> Portscan ŽÁö Áö¿¬Ä¡
[--psd-lo-ports-weight lo] -> well-known Æ÷Æ®(privileged port) °¡ÁßÄ¡
[--psd-hi-ports-weight hi] -> user Æ÷Æ®(High ports) °¡ÁßÄ¡
ÀÌ ÆÐÄ¡´Â Fabrice MARIE <fabrice@celestix.com>¿¡ ÀÇÇØ ÀÛ¼ºµÇ¾úÀ¸¸ç, ÁÖ¾îÁø È®·ü¿¡ ±âÃÊÇÑ ÆÐŶÀ» ·£´ýÇÏ°Ô °è»êÇÒ ¼ö ÀÖµµ·Ï ÇÏ´Â »õ·Î¿î matchÀÌ´Ù.
¿¹¸¦ µé¾î, 50%ÀÇ ÇÎ ÆÐŶÀ» ·£´ýÇÏ°Ô µå·ÓÇϱ⸦ ¿øÇÑ´Ù¸é, ´ÙÀ½°ú °°ÀÌ ÇÒ ¼ö ÀÖ´Ù :
# iptables -A INPUT -p icmp --icmp-type echo-request -m random --average 50 -j DROP # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination DROP icmp -- anywhere anywhere icmp echo-request random 50% |
random patch°¡ Áö¿øÇÏ´Â ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù :
[--average] percent -> match %¿¡ ´ëÇÑ È®·ü »ý·«µÈ´Ù¸é, 50%ÀÇ È®·üÀÌ ¼¼ÆÃµÈ´Ù. ÆÛ¼¾Æ®´Â 1°ú 99»çÀÌÀÇ ¼ýÀÚ¿©¾ß ÇÑ´Ù.
ÀÌ ÆÐÄ¡´Â Sampsa Ranta <sampsa@netsonic.fi>¿¡ ÀÇÇØ ÀÛ¼ºµÇ¾úÀ¸¸ç, ÆÐŶ ºÐ·ùÀÚ¿¡ ³ªÅ¸³ª´Â Ű¿Í À¯»çÇÑ ±âÁذú ÀÏÄ¡ÇÏ´Â °ÍÀ¸·Î½á ¶ó¿ìÆÃ ¿µ¿ª ۸¦ »ç¿ëÇÒ ¼ö ÀÖµµ·Ï ÇÏ´Â »õ·Î¿î matchÀÌ´Ù.
¿¹¸¦ µé¾î, 10°³ÀÇ ¿µ¿ª¿¡¼ ¿ÜºÎ·Î ÇâÇÏ´Â ÆÐŶÀ» ¸ðµÎ ·Î±×¿¡ ±â·ÏÇÏ·Á¸é, ´ÙÀ½°ú °°ÀÌ ÇÒ ¼ö ÀÖ´Ù :
# iptables -A OUTPUT -m realm --realm 10 -j LOG # iptables --list Chain OUTPUT (policy ACCEPT) target prot opt source destination LOG all -- anywhere anywhere REALM match 0xa LOG level warning |
realm match°¡ Áö¿øÇÏ´Â ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù :
--realm [!] value[/mask] -> ¿µ¿ª ÀÏÄ¡
ÀÌ ÆÐÄ¡´Â Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>¿¡ ÀÇÇØ ÀÛ¼ºµÇ¾úÀ¸¸ç, È¿°úÀûÀÎ RPC ÇÊÅ͸µÀ» Çã¿ëÇϱâ À§ÇØ ÆÐŶ ¼Ò½º°¡ ÀÌÀü¿¡ portmapper¸¦ ÅëÇØ Æ÷Æ®¸¦ ¿äûÇßÀ» °æ¿ì, ¶Ç´Â portmapper¿¡ ´ëÇÑ »õ·Î¿î GET ¿äûÀÏ °æ¿ì matchÇÏ´Â µ¥ ´ëÇÑ »õ·Î¿î matchÀÌ´Ù.
RPC ¿¬°á ÃßÀû Á¤º¸¸¦ matchÇϱâ À§ÇØ, °£´ÜÈ÷ ´ÙÀ½°ú °°ÀÌ ÇÒ ¼ö ÀÖ´Ù :
# iptables -A INPUT -m record_rpc -j ACCEPT # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere |
record_rpc match´Â ¾î¶°ÇÑ ¿É¼Çµµ °¡ÁöÁö ¾Ê´Â´Ù.
match Á¤º¸°¡ ¾ø´Ù°í ¿°·ÁÇÒ °ÍÀº ¾ø´Ù. ÀÌ match¿¡ ´ëÇÑ print() functionÀÌ ºñ¾îÀֱ⠶§¹®¿¡ ÀÌ´Â °£´ÜÇÏ´Ù.
/* Prints out the union ipt_matchinfo. */ static void print(const struct ipt_ip *ip, const struct ipt_entry_match *match, int numeric) { } |
ÀÌ ÆÐÄ¡´Â Emmanuel Roger <winfield@freegates.be>¿¡ ÀÇÇØ ÀÛ¼ºµÇ¾úÀ¸¸ç, ÆÐŶÀÇ ÇÑ ¹®ÀÚ¿À» matchÇÏ´Â °Í¿¡ ´ëÇÑ »õ·Î¿î matchÀÌ´Ù.
¿¹¸¦ µé¾î, ``cmd.exe'' ¹®ÀÚ¿À» Æ÷ÇÔÇϰí ÀÖ´Â ÆÐŶÀ» matchÇϰí userland IDS·Î º¸³»·Á¸é, ´ÙÀ½°ú °°ÀÌ ÇÒ ¼ö ÀÖ´Ù :
# iptables -A INPUT -m string --string 'cmd.exe' -j QUEUE # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination QUEUE all -- anywhere anywhere STRING match cmd.exe |
Á¶½É½º·´°Ô ÀÌ match¸¦ »ç¿ëÇØ¾ß ÇÑ´Ù. ¸¹Àº »ç¶÷µéÀÌ DROP taget¿¡ µû¶ó¼ ¿ú ¹ÙÀÌ·¯½º¸¦ ¸ØÃß±â À§ÇØ ÀÌ match¸¦ »ç¿ëÇÏ±æ ¿øÇÑ´Ù. ÀÌ´Â Áß¿äÇÑ ½Ç¼öÀÌ´Ù. ƯÁ¤ IDS ħÀÔ ¹æ¹ýÀº À̸¦ ¹«·ÂÈÇÒ¼ö ÀÖ´Ù.
À¯»çÇÑ °æÇâÀ¸·Î, ¸¹Àº »ç¶÷µéÀº POST ¹®ÀÚ¿À» Æ÷ÇÔÇÏ´Â HTTP ÆÐŶÀ» µå·ÓÇÔÀ¸·Î½á POST³ª GET°°Àº HTTPÀÇ Æ¯Á¤ ±â´ÉÀ» ¸ØÃß±â À§ÇÑ ¼ö´ÜÀ¸·Î ÀÌ match¸¦ »ç¿ëÇϱ⸦ ¿øÇß¾ú´Ù. ÀÌ·¯ÇÑ ÀÛ¾÷Àº proxy¸¦ ÇÊÅ͸µÇÏ´Â °ÍÀÌ ´õ ÁÁÀº ¹æ¹ýÀÓÀ» ÀÌÇØÇ϶ó. ºÎ°¡ÀûÀ¸·Î POST¶õ ´Ü¾î¸¦ °¡Áö°í ÀÖ´Â HTML content´Â ÀÌÀü ¹æ¹ý(¼³Á¤)¿¡ ÀÇÇØ µå·ÓµÉ °ÍÀÌ´Ù. ÀÌ match´Â ´õ ÁÁÀº ºÐ¼®À» À§ÇØ À¯Àú¿µ¿ªÀÇ °ü½ÉÀÖ´Â ÆÐŶÀ» Å¥À×ÇÒ¼ö ÀÖ°Ô Çϱâ À§ÇØ ¼³°èµÇ¾ú´Ù. À̰ÍÀÌ ÀüºÎÀÌ´Ù. ÀÌ ¹æ¹ý¿¡ ÀÇÇØ ÆÐŶÀ» µå·ÓÇÏ´Â °ÍÀº ƯÁ¤ IDS ħÀÔ ¹æ¹ý¿¡ ÀÇÇØ ¹«·Â鵃 ¼ö ÀÖ´Ù.
string match°¡ Áö¿øÇÏ´Â ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù :
--string [!] string -> ÆÐŶÀÇ ¹®ÀÚ¿À» ÀÏÄ¡½ÃŲ´Ù.
ÀÌ ÆÐÄ¡´Â Fabrice MARIE <fabrice@celestix.com>¿¡ ÀÇÇØ ÀÛ¼ºµÇ¾úÀ¸¸ç, Ãâ¹ß ȤÀº µµÂø (·ÎÄÿ¡¼ »ý¼ºµÈ ÆÐŶ) ½Ã°£¿¡ ±âÃÊÇÑ ÆÐŶÀ» matchÇÒ ¼ö ÀÖµµ·Ï ÇÏ´Â »õ·Î¿î matchÀÌ´Ù.
¿¹¸¦ µé¾î, ¿ù¿äÀϺÎÅÍ ±Ý¿äÀϱîÁö 8:00ºÎÅÍ 18:00±îÁö µµÂø ½Ã°£À» °¡Áø ÆÐŶÀ» Çã¿ëÇÏ·Á¸é ´ÙÀ½°ú °°ÀÌ ÇÒ ¼ö ÀÖ´Ù :
# iptables -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere TIME from 8:0 to 18:0 on Mon,Tue,Wed,Thu,Fri |
time match°¡ Áö¿øÇÏ´Â ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù :
--timestart value -> ÃÖ¼Ò HH:MM
--timestop value -> ÃÖ´ë HH:MM
--days listofdays -> Àû¿ëµÇ´Â ¿äÀÏ ¸®½ºÆ®, (´ë¼Ò¹®ÀÚ ±¸ºÐ)
Mon
Tue
Wed
Thu
Fri
Sat
Sun
ÀÌ ÆÐÄ¡´Â Harald Welte <laforge@gnumonks.org>¿¡ ÀÇÇØ ÀÛ¼ºµÇ¾úÀ¸¸ç, TTL¿¡ ±âÃÊÇÑ ÆÐŶÀ» matchÇÒ ¼ö ÀÖµµ·Ï ÇÏ´Â »õ·Î¿î matchÀÌ´Ù.
¿¹¸¦ µé¾î, TTLÀÌ 5º¸´Ù ÀûÀº ÆÐŶÀ» ·Î±×¿¡ ±â·ÏÇÏ·Á¸é, ´ç½ÅÀº ´ÙÀ½°ú °°ÀÌ ÇÒ ¼ö ÀÖ´Ù :
# iptables -A INPUT -m ttl --ttl-lt 5 -j LOG # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination LOG all -- anywhere anywhere TTL match TTL < 5 LOG level warning |
ttl match°¡ Áö¿øÇÏ´Â ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù.
--ttl-eq value -> time to live °ª°ú ÀÏÄ¡
--ttl-lt value -> TTL < value ÇÑ °Í°ú ÀÏÄ¡
--ttl-gt value -> TTL > value ÇÑ °Í°ú ÀÏÄ¡