From Power Up to Bash Prompt
[..in a nutshell..
loading vmlinuz
loading initrd.gz
booting kernel
]
1. POST
2. LILO
- This reads the configuration file /etc/lilo.conf. The main thing in lilo.conf is one entry for each thing that lilo is set up to boot. For a Linux entry, this includes where the kernel is, and what disk partition to mount as the root filesystem.
3. Kernel -
Config:
--------
Most of the configuration of the kernel is done when you build it, using make menuconfig, or make xconfig in /usr/src/linux/ (or wherever your Linux kernel source is). You can reset the default video mode, root filesystem, swap device and RAM disk size using rdev. These parameters and more can also be passed to the kernel from lilo. You can give lilo parameters to pass to the kernel either in lilo.conf, or at the lilo prompt. For example if you wanted to use hda3 as your root file system instead of hda2, you might type
LILO: linux root=/dev/hda3
4. init
The next thing that happens as your computer starts up is that init is loaded and run. However, init, like almost all programs, uses functions from libraries.
In fact, you can put any program you like in /sbin/init, and the kernel will run it when it has finished loading.
It is init's job to get everthing running the way it should be. It checks that the file systems are ok and mounts them. It starts up 'daemons' to log system messages, do networking, serve web pages, listen to your mouse and so on. It also starts the getty processes that put the login prompts on your virtual terminals.
Init reads the file /etc/inittab, which tells it what to do. Typically, the first thing it is told to do is to run an initialisation script. The program that executes (or interprets) this script is bash, the same program that gives you a command prompt. In Debian systems, the initialisation script is /etc/init.d/rcS, on Red Hat, /etc/rc.d/rc.sysinit. This is where the filesystems get checked and mounted, the clock set, swap space enabled, hostname gets set etc.
Next, another script is called to take us into the default run-level. This just means a set of subsystems to start up. There is a set of directories /etc/rc.d/rc0.d, /etc/rc.d/rc1.d, ..., /etc/rc.d/rc6.d in Red Hat, or /etc/rc0.d, /etc/rc1.d, ..., /etc/rc6.d in Debian, which correspond to the run-levels. If we are going into runlevel 3 on a Debian system, then the script runs all the scripts in /etc/rc3.d that start with `S' (for start). These scripts are really just links to scripts in another directory usually called init.d.
So our run-level script was called by init, and it is looking in a directory for scripts starting with `S'. It might find S10syslog first. The numbers tell the run-level script which order to run them in. So in this case S10syslog gets run first, since there were no scripts starting with S00 ... S09. But S10syslog is really a link to /etc/init.d/syslog which is a script to start and stop the system logger. Because the link starts with an `S', the run-level script knows to execute the syslog script with a ``start'' parameter. There are corresponding links starting with `K' (for kill), which specify what to shut down and in what order when leaving the run-level.
To change what subsystems start up by default, you must set up these links in the rcN.d directory, where N is the default runlevel set in your inittab.
/etc/inittab is the top level configuration file for init.
The rcN.d directories, where N = 0, 1, ..., 6 determine what subsystems are started.
Somewhere in one of the scripts invoked by init, the mount -a command will be issued. This means mount all the file systems that are supposed to be mounted. The file /etc/fstab defines what is supposed to be mounted. If you want to change what gets mounted where when your system starts up, this is the file you will need to edit. There is a man page for fstab.
5. File system
In Linux, you 'mount' a disk filesystem onto the system's filesystem.
In the previous section I mentioned that init scripts check and mount the filesystems. The commands that do this are fsck and mount respectively.
6. Kernel Daemons
The information for ps aux (or top) command comes from the /proc filesystem that I mentioned in the previous section. Note that init is process number one. Processes 2, 3, 4 and 5 are kflushd, kupdate, kpiod and kswapd.
The kernel daemons are started after init, so they get process numbers like normal processes do. But their code and data lives in the kernel's part of the memory.
There are brackets around the entries in the command column because the /proc filesystem does not contain command line information for these processes.
7. System Logger
Init starts the syslogd and klogd daemons. They write messages to logs. The kernel's messages are handled by klogd, while syslogd handles log messages from other processes. The main log is /var/log/messages. This is a good place to look if something is going wrong with your system.
The file /etc/syslog.conf tells the loggers what messages to put where. Messages are identified by which service they come from, and what priority level they are. This configuration file consists of lines that say messages from service x with priority y go to z, where z is a file, tty, printer, remote host or whatever.
NOTE: Syslog requires the /etc/services file to be present. The services file allocates ports
8. Getty and Login
Getty is the program that enables you to log in through a serial device such as a virtual terminal, a text terminal, or a modem. It displays the login prompt. Once you enter your username, getty hands this over to login which asks for a password, checks it out and gives you a shell.
There are many getty's available. Some distributions, including Red Hat use a very small one called mingetty that only works with virtual terminals.
The login program is part of the util-linux package, which also contains a getty called agetty, which works fine. This package also contains mkswap, fdisk, passwd, kill, setterm, mount, swapon, rdev, renice, more (the program) and more (ie more programs).
9. Bash
If you give login a valid username and password combination, it will check in /etc/passwd to see which shell to give you. In most cases on a Linux system this will be bash. It is bash's job to read your commands and see that they are acted on. It is simultaneously a user interface, and a programming language interpreter.
The file /etc/profile controls the system-wide behaviour of bash. What you put in here will affect everybody who uses bash on your system. It will do things like add directories to the PATH, set your MAIL directory variable.
Once bash has read the system-wide configuration file, it looks for your personal configuration file. It checks in your home directory for .bash_profile, .bash_login and .profile. It runs the first one of these it finds. If you want to change the way bash behaves for you, without changing the way it works for others, do it here.
Monday, July 6, 2009
IPTables Intro
Six pre-defined "chain" rules are available:
* INPUT
* OUTPUT
* FORWARD
* PREROUTING
* POSTROUTING
* User defined chains (give it a new name)
General /sbin/iptables format to add rules:
---------------------------------------------------
iptables [-t|--table table] -command [chain] [-i interface] [-p protocol] [-s address [port[:port]]] [-d address [port[:port]]] -j policy
Options:
----------
1. --table [-t]
filter - the default table
nat - NAT table
mangle - used for QoS and preferential treatment
raw - enables optimization
2. Command (use only one - mutualy exclusive)
--append [-A] - append rule to chain
--delete [-D] - delete rule from chain
--insert [-I] - insert at the begining or at specified position in chain
--replace [-R] - replace rule
--flush [-F] - flush all rules
--zero [-Z] - Zero byte counters in all chains ????
--list [-L] - list all rules. use option --line-numbers for rule number
--new-chain [-N] - create new
--delete-chain [-X] - delete user defined chain
--policy [-P] - set default policy for chain
--rename-chain [-E] - rename
3. Command Option(s)
--source [-s] - source address of packet
--destination [-d] - destination address
--in-interface [-i] - interface packet is arriving from
--out-interface [-o] - interface packet is going to
--jump [-j] - target to send packet to
--fragment [-f] - fragment matching
--set-counters [-c] - set packet/byte counter
--protocol [-p] - protocol:
*udp
*icmp
*mac
*tcp
--sport port [:port]
--dport port [:port]
--syn
--match tcp[-m tcp]
*--source-port port[:port](port # or range #:#)
*--destination-port port[:port]
*--tcp-flags
--match state [-m state]
--state
*ESTABLISHED
*RELATED
*NEW
*INVALID
(push content, not expected to recieve this packet)
4. Defined Policies
ACCEPT - accept
DROP - deny packet with no reply
REJECT - deny packet and notify sender
RETURN - handled by default targets
MARK - used for error response.
MASQUERADE - used with NAT table and DHCP
ULOG - Log to file and specify userspace logging messages
SNAT -valid in PREROUTING chain. used by nat
REDIRECT - used with nat table. output
DNAT - valid in POSTROUTING chain. output
QUEUE - pass packet to userspace
LOG - Log to file and specify message:
*--log-level #
*--log-prefix "prefix"
*--log-tcp-sequence
*--log-tcp-options
*--log-ip-options
* INPUT
* OUTPUT
* FORWARD
* PREROUTING
* POSTROUTING
* User defined chains (give it a new name)
General /sbin/iptables format to add rules:
---------------------------------------------------
iptables [-t|--table table] -command [chain] [-i interface] [-p protocol] [-s address [port[:port]]] [-d address [port[:port]]] -j policy
Options:
----------
1. --table [-t]
filter - the default table
nat - NAT table
mangle - used for QoS and preferential treatment
raw - enables optimization
2. Command (use only one - mutualy exclusive)
--append [-A] - append rule to chain
--delete [-D] - delete rule from chain
--insert [-I] - insert at the begining or at specified position in chain
--replace [-R] - replace rule
--flush [-F] - flush all rules
--zero [-Z] - Zero byte counters in all chains ????
--list [-L] - list all rules. use option --line-numbers for rule number
--new-chain [-N] - create new
--delete-chain [-X] - delete user defined chain
--policy [-P] - set default policy for chain
--rename-chain [-E] - rename
3. Command Option(s)
--source [-s] - source address of packet
--destination [-d] - destination address
--in-interface [-i] - interface packet is arriving from
--out-interface [-o] - interface packet is going to
--jump [-j] - target to send packet to
--fragment [-f] - fragment matching
--set-counters [-c] - set packet/byte counter
--protocol [-p] - protocol:
*udp
*icmp
*mac
*tcp
--sport port [:port]
--dport port [:port]
--syn
--match tcp[-m tcp]
*--source-port port[:port](port # or range #:#)
*--destination-port port[:port]
*--tcp-flags
--match state [-m state]
--state
*ESTABLISHED
*RELATED
*NEW
*INVALID
(push content, not expected to recieve this packet)
4. Defined Policies
ACCEPT - accept
DROP - deny packet with no reply
REJECT - deny packet and notify sender
RETURN - handled by default targets
MARK - used for error response.
MASQUERADE - used with NAT table and DHCP
ULOG - Log to file and specify userspace logging messages
SNAT -valid in PREROUTING chain. used by nat
REDIRECT - used with nat table. output
DNAT - valid in POSTROUTING chain. output
QUEUE - pass packet to userspace
LOG - Log to file and specify message:
*--log-level #
*--log-prefix "prefix"
*--log-tcp-sequence
*--log-tcp-options
*--log-ip-options
IPChains Intro
=====
1. Multiple Machines, A single connection
2. NAT 101
3. IPCHAINS 101
4. IP_MASQ 101
5. Setting up the router
6. Caveats
The program
========
General format:
ipchains []
Commands:
-F flushes a chain so that it starts fresh
-P sets up the default handling
-A adds conditions or rules to a chain
With ipchains, three chains are predefined: input, output, and forward. The following two commands are normally used to set up a chain:
ipchains -F input //flush input chain
ipchains -P input REJECT //default mode
This causes any rules for the input chain to be discarded and sets up the default condition so incoming packets are rejected.
The output chain controls what packets can be sent. A packet may be accepted by the input chain but rejected by the output chain. Likewise, the forward chain controls what packets will be routed.
In general, the input chain controls incoming packet filtering. The packet is either destined for the router or for another computer. In the latter case, the packet is processed by the forward chain. Packets that make it through this chain will then be processed by the output chain.
Examples:
1. ipchains -A input -i eth0 -s 10.1.0.0/16 -d 0.0.0.0/0 -j ACCEPT
2. ipchains -A input -i eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT
No 2 above will reject packets with a source address like 10.2.x.x to any destination. This is actually redundant for the current set of rules since anything that does not match the first example rule for 10.1.x.x will be rejected.
NB:
Note that rules are order dependent in a first-come-first-used basis
Other argument values for the -j option when used with the forward chain. These include DENY and MASQ. DENY is similar to REJECT in that it terminates checking of the chain. MASQ indicates that a packet should be masqueraded using the built-in NAT support. In this case, the accepted packet will be modified so its IP address and port address are changed as described with NAT earlier. The reverse translation for response packets is done automatically. Selective use of MASQ allows a Linux router to forward some packets NAT-fashion and others with no translation. This is handy for small companies that have been assigned more than one IP address and use them for PCs on the local network.
For simple router support when an ISP provides a single IP address, MASQ is typically used. User-defined chains are usually unnecessary.
======
Commands
======
1. chkconfig --del ipchains
Remove ipchains from system boot/initialization process
2. chkconfig --add iptables
Add iptables to system boot/initialization process
3 ipchains -F
Flush ipchains rules
4. service ipchains stop
Stop ipchains. Also: /etc/init.d/ipchains stop
5. rmmod ipchains
Unload ipchains kernel module. Iptables kernel module can not be loaded if the ipchains module is loaded
6. service iptables start
Load iptables kernel module. Also: /etc/init.d/iptables stop
1. Multiple Machines, A single connection
2. NAT 101
3. IPCHAINS 101
4. IP_MASQ 101
5. Setting up the router
6. Caveats
The program
========
General format:
ipchains
Commands:
-F flushes a chain so that it starts fresh
-P sets up the default handling
-A adds conditions or rules to a chain
With ipchains, three chains are predefined: input, output, and forward. The following two commands are normally used to set up a chain:
ipchains -F input //flush input chain
ipchains -P input REJECT //default mode
This causes any rules for the input chain to be discarded and sets up the default condition so incoming packets are rejected.
The output chain controls what packets can be sent. A packet may be accepted by the input chain but rejected by the output chain. Likewise, the forward chain controls what packets will be routed.
In general, the input chain controls incoming packet filtering. The packet is either destined for the router or for another computer. In the latter case, the packet is processed by the forward chain. Packets that make it through this chain will then be processed by the output chain.
Examples:
1. ipchains -A input -i eth0 -s 10.1.0.0/16 -d 0.0.0.0/0 -j ACCEPT
2. ipchains -A input -i eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT
No 2 above will reject packets with a source address like 10.2.x.x to any destination. This is actually redundant for the current set of rules since anything that does not match the first example rule for 10.1.x.x will be rejected.
NB:
Note that rules are order dependent in a first-come-first-used basis
Other argument values for the -j option when used with the forward chain. These include DENY and MASQ. DENY is similar to REJECT in that it terminates checking of the chain. MASQ indicates that a packet should be masqueraded using the built-in NAT support. In this case, the accepted packet will be modified so its IP address and port address are changed as described with NAT earlier. The reverse translation for response packets is done automatically. Selective use of MASQ allows a Linux router to forward some packets NAT-fashion and others with no translation. This is handy for small companies that have been assigned more than one IP address and use them for PCs on the local network.
For simple router support when an ISP provides a single IP address, MASQ is typically used. User-defined chains are usually unnecessary.
======
Commands
======
1. chkconfig --del ipchains
Remove ipchains from system boot/initialization process
2. chkconfig --add iptables
Add iptables to system boot/initialization process
3 ipchains -F
Flush ipchains rules
4. service ipchains stop
Stop ipchains. Also: /etc/init.d/ipchains stop
5. rmmod ipchains
Unload ipchains kernel module. Iptables kernel module can not be loaded if the ipchains module is loaded
6. service iptables start
Load iptables kernel module. Also: /etc/init.d/iptables stop
Basic Commands
1. Find:
find / -perm -4000 -print
find / -atime +10 -print
2. Changing file permissions:
4=read, 2=write, 1=execute
permissions are always in the order; user, group, other
$ chmod 755 file
means 7 (rwx-user) , 5 (rx-group), 5 (rx-others)
3. add default gateway
route add default gw 10.0.0.1
4. adding many routes + gateways
route add -net 10.1.0.0 gw 10.0.0.10
route add -net 10.2.0.0 gw 10.0.0.20
5. Accessing remote file systems
mount [-tnfs] 1.2.3.4:/usr/files /mnt/files
6. Allowing users to mount drives
With a special command in the etc/fstab file.....
Typical eg for fd0(A:) drive in etc/fstab:
/dev/fdo /mnt auto noauto,user 1 1
noauto: tells mount not to mount drive A on boot
user: allows any user to mount the drive into /mnt
auto: tells mount to try to find out the FS on the drive
7. Allowing users to run root programs
You can set a cmd to be suid root with chmod command
chmod _s mybin : sets mybin suid root
8. Change locales (keyboad)
loadkeys cf (others fr,us,etc)
9. Default file permissions ?
A. Linux
The default is 755
To change the default from 755 to 700, use this cmd:
umask 077 (base 8)
10. Default boot mode (3 in total)
They are defined in /etc/inittab
>Runlevel 1 is a single user mode (with no networking?)
>Runlevel 3 is the default. loads net servers + login txt
>Runlevel 5 displays the graphical login prompt
Modify the initdefault line in /etc/inittab to:
id:3:initdefault:
11. Change password:
passwd
12. File Permissions in Unix
Change group access on the file shrc in ur home dir
chmod g=rw- ~/.shrc
Make group and others have read permission only
chmod go=r-- ~/.shrc
Direclty:
chmod u=rwx,go=r-x foo
13. List directory contents
ls -l /lib/l* :long
ls -r /lib/l* :recursively down the dir tree
ls -l -r
14.
netstat -an ! more
15. See user and process owning a port
fuser -v -n tcp 6000
16.To make a symbolic link:
$ ln -s
Eg: $ ln -s /usr/doc/g77/DOC g77manual.txt
17. Make a file executable
chmod +x
Now u can refer to g77manual.txt instead of /usr/doc/g77/DOC
18. Setting Enviroment Variables
PATH : export PATH=$JAVA_HOME/bin:$PATH
JAVA_HOME: export JAVA_HOME=/usr/local/blackdown/jdk1.2.2
========
DOs Vs Linux
========
DOS Linux Notes
--------------------------------------------------
ATTRIB (+-)attr file chmod file
BACKUP tar -Mcvf device dir/
CD dirname\ cd dirname/
COPY file1 file2 cp file1 file2
DEL file rm file
DELTREE dirname rm -R dirname/
DIR ls
DIR file /S find . -name file
EDIT file vi file
jstar file
EDLIN file ed file
FORMAT fdformat,
mount, umount
HELP command man command,
info command
MD dirname mkdir dirname/
MORE < file less file
MOVE file1 file2 mv file1 file2
NUL /dev/null
PRINT file lpr file
PRN /dev/lp0,
/dev/lp1
RD dirname rmdir dirname/
REN file1 file2 mv file1 file2
RESTORE tar -Mxpvf device
TYPE file less file
WIN startx
find / -perm -4000 -print
find / -atime +10 -print
2. Changing file permissions:
4=read, 2=write, 1=execute
permissions are always in the order; user, group, other
$ chmod 755 file
means 7 (rwx-user) , 5 (rx-group), 5 (rx-others)
3. add default gateway
route add default gw 10.0.0.1
4. adding many routes + gateways
route add -net 10.1.0.0 gw 10.0.0.10
route add -net 10.2.0.0 gw 10.0.0.20
5. Accessing remote file systems
mount [-tnfs] 1.2.3.4:/usr/files /mnt/files
6. Allowing users to mount drives
With a special command in the etc/fstab file.....
Typical eg for fd0(A:) drive in etc/fstab:
/dev/fdo /mnt auto noauto,user 1 1
noauto: tells mount not to mount drive A on boot
user: allows any user to mount the drive into /mnt
auto: tells mount to try to find out the FS on the drive
7. Allowing users to run root programs
You can set a cmd to be suid root with chmod command
chmod _s mybin : sets mybin suid root
8. Change locales (keyboad)
loadkeys cf (others fr,us,etc)
9. Default file permissions ?
A. Linux
The default is 755
To change the default from 755 to 700, use this cmd:
umask 077 (base 8)
10. Default boot mode (3 in total)
They are defined in /etc/inittab
>Runlevel 1 is a single user mode (with no networking?)
>Runlevel 3 is the default. loads net servers + login txt
>Runlevel 5 displays the graphical login prompt
Modify the initdefault line in /etc/inittab to:
id:3:initdefault:
11. Change password:
passwd
12. File Permissions in Unix
Change group access on the file shrc in ur home dir
chmod g=rw- ~/.shrc
Make group and others have read permission only
chmod go=r-- ~/.shrc
Direclty:
chmod u=rwx,go=r-x foo
13. List directory contents
ls -l /lib/l* :long
ls -r /lib/l* :recursively down the dir tree
ls -l -r
14.
netstat -an ! more
15. See user and process owning a port
fuser -v -n tcp 6000
16.To make a symbolic link:
$ ln -s
Eg: $ ln -s /usr/doc/g77/DOC g77manual.txt
17. Make a file executable
chmod +x
Now u can refer to g77manual.txt instead of /usr/doc/g77/DOC
18. Setting Enviroment Variables
PATH : export PATH=$JAVA_HOME/bin:$PATH
JAVA_HOME: export JAVA_HOME=/usr/local/blackdown/jdk1.2.2
========
DOs Vs Linux
========
DOS Linux Notes
--------------------------------------------------
ATTRIB (+-)attr file chmod
BACKUP tar -Mcvf device dir/
CD dirname\ cd dirname/
COPY file1 file2 cp file1 file2
DEL file rm file
DELTREE dirname rm -R dirname/
DIR ls
DIR file /S find . -name file
EDIT file vi file
jstar file
EDLIN file ed file
FORMAT fdformat,
mount, umount
HELP command man command,
info command
MD dirname mkdir dirname/
MORE < file less file
MOVE file1 file2 mv file1 file2
NUL /dev/null
PRINT file lpr file
PRN /dev/lp0,
/dev/lp1
RD dirname rmdir dirname/
REN file1 file2 mv file1 file2
RESTORE tar -Mxpvf device
TYPE file less file
WIN startx
Advanced Firewall - ipchains
Scenario One:
=========
Internet external network interface: eth0
Internal private network interface: eth1
Local loopback virtual interface: lo
Gateway script for ipchains firewall and NAT:
#!/bin/sh
# Flush Rules
ipchains -F forward
ipchains -F output
ipchains -F input
# Set default to deny all
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
# Add Rules
# Accept packets from itself (localhost) (s)ource to itself (d)estination
# Keeps system logging, X-Windows or any socket based service working.
ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo
ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo
# Deny and log (option -l) spoofed packets from external network (eth0) which mimic internal IP addresses
ipchains -A input -j REJECT -p all -s 192.168.10.0/24 -i eth0 -l
# Accept requests/responses from/to your own firewall machine
ipchains -A input -j ACCEPT -p all -d XXX.XXX.XXX.XXX -i eth0 ipchains -A output -j ACCEPT -p all -s XXX.XXX.XXX.XXX -i eth0 # Allow outgoing packets source (s) to destination (d) ipchains -A input -j ACCEPT -p all -s 192.168.10.0/24 -i eth1 ipchains -A output -j ACCEPT -p all -s 192.168.10.0/24 -i eth1 # Deny and log (option -l) outside packets from internet which claim to be from your loopback interface ipchains -A input -j REJECT -p all -s localhost -i eth0 -l ipchains -A forward -s 192.168.10.0/24 -j MASQ ipchains -A forward -i eth1 -j MASQ # Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Notes:
For this example it was assumed that your private network is from 192.168.10.0 to 192.168.10.255
The -d 0.0.0.0/0 refers to all or any destination address of packet. (destination in this case is irrelevant and the -d statement may be omitted))
localhost refers to your loopback interface on 127.0.0.1
=========
Internet external network interface: eth0
Internal private network interface: eth1
Local loopback virtual interface: lo
Gateway script for ipchains firewall and NAT:
#!/bin/sh
# Flush Rules
ipchains -F forward
ipchains -F output
ipchains -F input
# Set default to deny all
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
# Add Rules
# Accept packets from itself (localhost) (s)ource to itself (d)estination
# Keeps system logging, X-Windows or any socket based service working.
ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo
ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo
# Deny and log (option -l) spoofed packets from external network (eth0) which mimic internal IP addresses
ipchains -A input -j REJECT -p all -s 192.168.10.0/24 -i eth0 -l
# Accept requests/responses from/to your own firewall machine
ipchains -A input -j ACCEPT -p all -d XXX.XXX.XXX.XXX -i eth0 ipchains -A output -j ACCEPT -p all -s XXX.XXX.XXX.XXX -i eth0 # Allow outgoing packets source (s) to destination (d) ipchains -A input -j ACCEPT -p all -s 192.168.10.0/24 -i eth1 ipchains -A output -j ACCEPT -p all -s 192.168.10.0/24 -i eth1 # Deny and log (option -l) outside packets from internet which claim to be from your loopback interface ipchains -A input -j REJECT -p all -s localhost -i eth0 -l ipchains -A forward -s 192.168.10.0/24 -j MASQ ipchains -A forward -i eth1 -j MASQ # Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Notes:
For this example it was assumed that your private network is from 192.168.10.0 to 192.168.10.255
The -d 0.0.0.0/0 refers to all or any destination address of packet. (destination in this case is irrelevant and the -d statement may be omitted))
localhost refers to your loopback interface on 127.0.0.1
Blocking Ports
1. Block specific host
iptables -I INPUT -s XXX.XXX.XXX.XXX -j DROP
2. Block specific ports
# Allow loopback access. Rule for your computer to be able to access itself via the loopback. This rule must come before the rules denying port access!!
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
# Block X-Windows
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP
# Block X-Windows font server
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP
# Block printer port
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP
# Block Sun rpc/NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP
# Deny packets which claim to be from your loopback interface
iptables -A INPUT -p all -s localhost -i eth0 -j DROP
Debugging and Logging
-----------------------------
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
NB:
Add these (logging) to the end of your rules inorder to monitor dropped connections in /var/log/messages. It generates outrageous volume of messages. Use for debugging or short term monitoring of the network.
iptables -I INPUT -s XXX.XXX.XXX.XXX -j DROP
2. Block specific ports
# Allow loopback access. Rule for your computer to be able to access itself via the loopback. This rule must come before the rules denying port access!!
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
# Block X-Windows
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP
# Block X-Windows font server
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP
# Block printer port
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP
# Block Sun rpc/NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP
# Deny packets which claim to be from your loopback interface
iptables -A INPUT -p all -s localhost -i eth0 -j DROP
Debugging and Logging
-----------------------------
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
NB:
Add these (logging) to the end of your rules inorder to monitor dropped connections in /var/log/messages. It generates outrageous volume of messages. Use for debugging or short term monitoring of the network.
A simple Firewall
======
Firewall 1
======
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
NB:
Allow network connections which have already been established (started by host) and related to your connection. FTP requires this as it may use various ports in support of the file transfer.)
Allow network input/output from self (lo).
======
Firewall 2
======
Another approach to firewalls is to drop everything and then grant access to each port you may need.
iptables -F : Flush
iptables -A INPUT -i lo -p all -j ACCEPT : Allow loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT : Accept established connections
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
# Open ftp port (tcp +/- udp)
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
# Open secure shell port
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
# Open HTTP port
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn -s 192.168.10.0/24 --destination-port 139 -j ACCEPT : Accept local Samba connection
iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT
iptables -P INPUT DROP : Drop all other connection attempts.Only connections defined above are allowed.
Firewall 1
======
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
NB:
Allow network connections which have already been established (started by host) and related to your connection. FTP requires this as it may use various ports in support of the file transfer.)
Allow network input/output from self (lo).
======
Firewall 2
======
Another approach to firewalls is to drop everything and then grant access to each port you may need.
iptables -F : Flush
iptables -A INPUT -i lo -p all -j ACCEPT : Allow loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT : Accept established connections
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
# Open ftp port (tcp +/- udp)
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
# Open secure shell port
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
# Open HTTP port
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn -s 192.168.10.0/24 --destination-port 139 -j ACCEPT : Accept local Samba connection
iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT
iptables -P INPUT DROP : Drop all other connection attempts.Only connections defined above are allowed.
A simple Firewall
======
Firewall 1
======
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
NB:
Allow network connections which have already been established (started by host) and related to your connection. FTP requires this as it may use various ports in support of the file transfer.)
Allow network input/output from self (lo).
======
Firewall 2
======
Another approach to firewalls is to drop everything and then grant access to each port you may need.
iptables -F : Flush
iptables -A INPUT -i lo -p all -j ACCEPT : Allow loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT : Accept established connections
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
# Open ftp port (tcp +/- udp)
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
# Open secure shell port
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
# Open HTTP port
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn -s 192.168.10.0/24 --destination-port 139 -j ACCEPT : Accept local Samba connection
iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT
iptables -P INPUT DROP : Drop all other connection attempts.Only connections defined above are allowed.
Firewall 1
======
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
NB:
Allow network connections which have already been established (started by host) and related to your connection. FTP requires this as it may use various ports in support of the file transfer.)
Allow network input/output from self (lo).
======
Firewall 2
======
Another approach to firewalls is to drop everything and then grant access to each port you may need.
iptables -F : Flush
iptables -A INPUT -i lo -p all -j ACCEPT : Allow loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT : Accept established connections
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
# Open ftp port (tcp +/- udp)
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
# Open secure shell port
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
# Open HTTP port
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn -s 192.168.10.0/24 --destination-port 139 -j ACCEPT : Accept local Samba connection
iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT
iptables -P INPUT DROP : Drop all other connection attempts.Only connections defined above are allowed.
IPTables Vs IPChains
IPTABLES is (or should) replacing IPCHAINS
1. IPCHAINS
-with ipchains you will need to write a rule for the input, forward
and output chains, as each and every packet goes through each of
these chain. This usually leads to a very complex script even for a
simple packet filter.
2. IPTABLES
- with iptables you will need to write rules as follows:
INPUT rules only for packets with the destination IP on the local box
FORWARD rules only for packets passing through the local box
OUTPUT rules only for packets generated on the local box
1. IPCHAINS
-with ipchains you will need to write a rule for the input, forward
and output chains, as each and every packet goes through each of
these chain. This usually leads to a very complex script even for a
simple packet filter.
2. IPTABLES
- with iptables you will need to write rules as follows:
INPUT rules only for packets with the destination IP on the local box
FORWARD rules only for packets passing through the local box
OUTPUT rules only for packets generated on the local box
Subscribe to:
Posts (Atom)