Ben's

for i in `cat LIST2` do iptables -t nat -A PREROUTING -d $i -p tcp --dport 3389 -j DNAT --to-destination $i:4989 done

-j, --jump target This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule (and -g is not used), then matching the rule will have no eff..

* 일반 iptables 의 STRING match 모듈은 웹로그에 찍히는 패턴만 등록이 가능하기 때문에 방어가 제한적입니다. 그러나 아래와 같은 경우에서 hex-string 모듈을 이용하면 방어가 가능합니다. 61.98.219.208 - - [23/Jun/2009:11:55:26 +0900] "GET /images/700.exe HTTP/1.1" 403 300 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" T 61.98.219.208:38333 -> xxx.xxx.xxx.xx:80 [AP] GET /images/700.exe HTTP/1.1..Accept: */*..Cache-Control: no-cache..Ryeol-Magic: My Magic..