network-and-communication

Differences

This shows you the differences between two versions of the page.

network-and-communication [2019/04/12 13:34]
Miroslav Bernát
network-and-communication [2019/04/12 17:42] (current)
Miroslav Bernát
Line 38: Line 38:
 | **iptables** (**-t** <​table>​) <​option>​ <​chain>​ <​specification>​ <​target>​ | sets up and maintains firewall rules in the network; table „filter“ is used for packets filtering (default) and contains builtin chains „INPUT“ for incoming packets, „OUTPUT“ for outgoing packets and „FORWARD“ for packet forwarding between the networks, table „nat“ is used for IP address translations and port forwarding with chain „PREROUTING“ for incoming packets, „OUTPUT“ for altering locally-generated packets before routing and „POSTROUTING“ for outgoing packets, table „mangle“ is used for specialized packet alterations and contains all the above chains; the correct firewall setup strictly depends on the particular rules order listed in ///​etc/​sysconfig/​iptables//;​ option **-I** (<n>) inserts a rule at the head of the chain or in the selected chain given by the rule number, **-A** appends a rule to the end of the selected chain, **-D** (<n>) deletes a rule from the selected chain, **-L** lists all rules in the selected chain, if no chain is selected, all chains are listed; option **-n** prints IP addresses and ports in a numeric format, **-v** prints the number of packets and bytes for each rule including the protocol and interface, **--line-numbers** numbers the rules of a particular chain (useful for further use with option „-I“ or „-D“), **-F** removes the rules for a particular chain, if no chain is selected, all rules are removed, **-P** sets the default policy for the chain (all is allowed by default), **-N** creates a new user-defined chain by the given name, usually used for more detailed specifications of the rules (a default policy cannot be applied for these chains), **-X** removes a user-defined chain; follows the rule specification **-i** <​interface>​ input interface, **-o** <​interface>​ output interface, **-s** <​address>​ source address, **-d** <​address>​ destination address, **-p** <​protocol>​ type of protocol, **-m** <​module>​ rule extension 
(**state** --state <​connection_type>​ specifies the connection type – NEW new connection, ESTABLISHED existing connection, RELATED new connection related to an already existing communication,​ INVALID invalid connection meaning the packets cannot be identified; **time** specifies the time of connection --timestart <​hh:​mm>,​ --timestop <​hh:​mm>,​ --monthdays <​day_in_month>,​ --weekdays <​day_in_week>;​ **iprange** --src-range / --dst-range <​IP-IP>​ specifies the range of source/​destination addresses; **limit** --limit <​n>/<​**s** / **m** / **h** / **d**> specifies the time value, --limit-burst <n> specifies the number of packets), **--sport** <​port>​ source port, **--dport** <​port>​ destination port; and finally **-j** <​target>​ specifies how to deal with the packets – for table „filter“ ACCEPT = accept, DROP = drop, LOG = log the packets, REJECT = send back an error packet in response to the matched packet, for table „nat“ SNAT --to <​IP_address>​ = change the source address, DNAT --to <​IP_address>​ = change the destination address, REDIRECT --to-ports <​port>​ = redirect the port\\ ''#​ iptables -nvL --line-numbers''​\\ (prints the firewall rules in detailed output)\\ ''#​ iptables -P INPUT DROP''​\\ (drops all incoming packets)\\ ''#​ iptables -I INPUT -s 147.229.28.4 -j DROP''​\\ (drops all packets incoming from the particular IP address)\\ ''#​ iptables -A INPUT -p tcp --dport 22 -j DROP''​\\ (drops all packets incoming to the particular port)\\ ''#​ iptables -A INPUT -p tcp --dport 443 -j REJECT''​\\ (sends information about the service unavailability)\\ ''#​ iptables -I OUTPUT -d '​!'​ 147.229.28.4 -j DROP''​\\ (allows only packets outgoing to the particular IP address)\\ ''#​ iptables -A OUTPUT -o eth0 -d 192.168.0.0/​24 -j ACCEPT''​\\ (allows only packets outgoing from the particular interface to the local network)\\ ''#​ iptables -A OUTPUT -d upc.cz -p tcp --dport 80 -j DROP''​\\ (disallows to display the particular URL)\\ ''#​ iptables -A 
FORWARD -i eth0 -o eth1 -p tcp --dport '​!'​ 80 -j DROP''​\\ (allows packet redirections only to port 80)\\ ''#​ iptables -A INPUT -p tcp –dport 50:55 -m iprange --src-range 192.168.0.1-192.168.0.10 -j ACCEPT''​\\ (allows port range of 50-55 for particular IP addresses)\\ ''#​ iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT''​\\ (limits the number of „ping“ requests to 2 per 1s)\\ ''#​ iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3250''​\\ (redirects the particular port)\\ ''#​ iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.2:​8080''​\\ (alters the destination IP address and port of the service)\\ ''#​ iptables -A INPUT -j LOG''​\\ (logs all packets that do not meet any of the configured rules to ///​var/​log/​messages//​)\\ ''#​ iptables -D INPUT 5''​\\ (drops a rule on the 5th order in the list of „INPUT“ chain) | | **iptables** (**-t** <​table>​) <​option>​ <​chain>​ <​specification>​ <​target>​ | sets up and maintains firewall rules in the network; table „filter“ is used for packets filtering (default) and contains builtin chains „INPUT“ for incoming packets, „OUTPUT“ for outgoing packets and „FORWARD“ for packet forwarding between the networks, table „nat“ is used for IP address translations and port forwarding with chain „PREROUTING“ for incoming packets, „OUTPUT“ for altering locally-generated packets before routing and „POSTROUTING“ for outgoing packets, table „mangle“ is used for specialized packet alterations and contains all the above chains; the correct firewall setup strictly depends on the particular rules order listed in ///​etc/​sysconfig/​iptables//;​ option **-I** (<n>) inserts a rule at the head of the chain or in the selected chain given by the rule number, **-A** appends a rule to the end of the selected chain, **-D** (<n>) deletes a rule from the selected chain, **-L** lists all rules in the selected chain, if no chain is selected, all 
chains are listed; option **-n** prints IP addresses and ports in a numeric format, **-v** prints the number of packets and bytes for each rule including the protocol and interface, **--line-numbers** numbers the rules of a particular chain (useful for further use with option „-I“ or „-D“), **-F** removes the rules for a particular chain, if no chain is selected, all rules are removed, **-P** sets the default policy for the chain (all is allowed by default), **-N** creates a new user-defined chain by the given name, usually used for more detailed specifications of the rules (a default policy cannot be applied for these chains), **-X** removes a user-defined chain; follows the rule specification **-i** <​interface>​ input interface, **-o** <​interface>​ output interface, **-s** <​address>​ source address, **-d** <​address>​ destination address, **-p** <​protocol>​ type of protocol, **-m** <​module>​ rule extension (**state** --state <​connection_type>​ specifies the connection type – NEW new connection, ESTABLISHED existing connection, RELATED new connection related to an already existing communication,​ INVALID invalid connection meaning the packets cannot be identified; **time** specifies the time of connection --timestart <​hh:​mm>,​ --timestop <​hh:​mm>,​ --monthdays <​day_in_month>,​ --weekdays <​day_in_week>;​ **iprange** --src-range / --dst-range <​IP-IP>​ specifies the range of source/​destination addresses; **limit** --limit <​n>/<​**s** / **m** / **h** / **d**> specifies the time value, --limit-burst <n> specifies the number of packets), **--sport** <​port>​ source port, **--dport** <​port>​ destination port; and finally **-j** <​target>​ specifies how to deal with the packets – for table „filter“ ACCEPT = accept, DROP = drop, LOG = log the packets, REJECT = send back an error packet in response to the matched packet, for table „nat“ SNAT --to <​IP_address>​ = change the source address, DNAT --to <​IP_address>​ = change the destination address, REDIRECT 
--to-ports <​port>​ = redirect the port\\ ''#​ iptables -nvL --line-numbers''​\\ (prints the firewall rules in detailed output)\\ ''#​ iptables -P INPUT DROP''​\\ (drops all incoming packets)\\ ''#​ iptables -I INPUT -s 147.229.28.4 -j DROP''​\\ (drops all packets incoming from the particular IP address)\\ ''#​ iptables -A INPUT -p tcp --dport 22 -j DROP''​\\ (drops all packets incoming to the particular port)\\ ''#​ iptables -A INPUT -p tcp --dport 443 -j REJECT''​\\ (sends information about the service unavailability)\\ ''#​ iptables -I OUTPUT -d '​!'​ 147.229.28.4 -j DROP''​\\ (allows only packets outgoing to the particular IP address)\\ ''#​ iptables -A OUTPUT -o eth0 -d 192.168.0.0/​24 -j ACCEPT''​\\ (allows only packets outgoing from the particular interface to the local network)\\ ''#​ iptables -A OUTPUT -d upc.cz -p tcp --dport 80 -j DROP''​\\ (disallows to display the particular URL)\\ ''#​ iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport '​!'​ 80 -j DROP''​\\ (allows packet redirections only to port 80)\\ ''#​ iptables -A INPUT -p tcp –dport 50:55 -m iprange --src-range 192.168.0.1-192.168.0.10 -j ACCEPT''​\\ (allows port range of 50-55 for particular IP addresses)\\ ''#​ iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT''​\\ (limits the number of „ping“ requests to 2 per 1s)\\ ''#​ iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3250''​\\ (redirects the particular port)\\ ''#​ iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.2:​8080''​\\ (alters the destination IP address and port of the service)\\ ''#​ iptables -A INPUT -j LOG''​\\ (logs all packets that do not meet any of the configured rules to ///​var/​log/​messages//​)\\ ''#​ iptables -D INPUT 5''​\\ (drops a rule on the 5th order in the list of „INPUT“ chain) |
 | **ssh** <​host>​ / <​user>​@<​host>​ (<​command>​) | initializes an encrypted logging in to an existing account on the remote host using the same user name on both systems / using different user names; ssh is also used for executing commands on a remote host whose outputs are displayed on STDOUT of the local computer, **-l** <​user>​ logs on under a specified user, **-p** <​port>​ uses a nonstandard port, **-v** detailed output\\ ''​$ ssh 192.168.0.20''​\\ ''​$ ssh norton@mx.webs.cz''​ / ''​ssh -l norton mx.webs.cz''​\\ ''​$ ssh 192.168.0.20 uname -a''​ | | **ssh** <​host>​ / <​user>​@<​host>​ (<​command>​) | initializes an encrypted logging in to an existing account on the remote host using the same user name on both systems / using different user names; ssh is also used for executing commands on a remote host whose outputs are displayed on STDOUT of the local computer, **-l** <​user>​ logs on under a specified user, **-p** <​port>​ uses a nonstandard port, **-v** detailed output\\ ''​$ ssh 192.168.0.20''​\\ ''​$ ssh norton@mx.webs.cz''​ / ''​ssh -l norton mx.webs.cz''​\\ ''​$ ssh 192.168.0.20 uname -a''​ |
-| **ssh-keygen** | generates a pair of authentication keys – private and public which provide a secure user identification during the ssh connection without the necessity to enter the logging name and password; the private key is by default located in //​~/​.ssh/​id_rsa//​ či //​~/​.ssh/​id_dsa//,​ the public key in //​~/​.ssh/​id_rsa.pub//​ or //​~/​.ssh/​id_dsa.pub//​ and its contents need to be put into //​~/​.ssh/​authorized_keys//​ of the remote host; the program also asks the user to enter a „passphrase“ (string of arbitrary characters, including white spaces, protecting the private key against abuse) which, if not empty, is required from the user for identification at the beginning of each connection, **-t** <key> specifies the type of the key – „rsa“ or „dsa“ (by default „rsa“), **-p** alters a „passphrase“,​ **-v** detailed output |+| **ssh-keygen** | generates a pair of authentication keys – private and public which provide a secure user identification during the ssh connection without the necessity to enter the logging name and password; the private key is by default located in //​~/​.ssh/​id_rsa//​ či //​~/​.ssh/​id_dsa//,​ the public key in //​~/​.ssh/​id_rsa.pub//​ or //​~/​.ssh/​id_dsa.pub//​ and its contents need to be put into //​~/​.ssh/​authorized_keys//​ of the remote host; the program also asks the user to enter a „passphrase“ (string of arbitrary characters, including white spaces, protecting the private key against abuse) which, if not empty, is required from the user for identification at the beginning of each connection, **-t** <key> specifies the type of key – „rsa“ or „dsa“ (by default „rsa“), **-p** alters a „passphrase“,​ **-v** detailed output |
 | **ssh-copy-id** (<​user>​@)<​host>​ | copies a public key of the user from the local computer into //​~/​.ssh/​authorized_keys//​ of the host, **-i** <​file>​ specifies the file with the keys (otherwise //​~/​.ssh/​id_rsa.pub//​ is used)\\ ''​$ ssh-copy-id -i ~/​.ssh/​id_dsa.pub dookie@94.112.152.47''​ | | **ssh-copy-id** (<​user>​@)<​host>​ | copies a public key of the user from the local computer into //​~/​.ssh/​authorized_keys//​ of the host, **-i** <​file>​ specifies the file with the keys (otherwise //​~/​.ssh/​id_rsa.pub//​ is used)\\ ''​$ ssh-copy-id -i ~/​.ssh/​id_dsa.pub dookie@94.112.152.47''​ |
 | **ssh-add** (<​file>​) | delivers temporarily a private key and „passphrase“ under „ssh-agent“ management | | **ssh-add** (<​file>​) | delivers temporarily a private key and „passphrase“ under „ssh-agent“ management |
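Review bot: the changed **ssh-keygen** row (the `-`/`+` pair) still carries the Czech conjunction „či“ between //~/.ssh/id_rsa// and //~/.ssh/id_dsa// where the sentence means "or"; since this revision only rewords that row ("the type of the key" → "type of key"), the untranslated word should be fixed in the same edit. In the unchanged **iptables** context row, the port-range example `iptables -A INPUT -p tcp –dport 50:55 -m iprange --src-range 192.168.0.1-192.168.0.10 -j ACCEPT` is written with an en-dash (`–dport`) instead of `--dport`, so iptables will not recognise it as the destination-port option and the command fails as typed; every other example in the row uses the correct `--dport`. The two negated examples (`-d '!' 147.229.28.4` and `--dport '!' 80`) use the intrapositioned negation form, which current iptables accepts with a deprecation warning; the documented form is `! -d 147.229.28.4` and `! --dport 80`, and updating the examples would keep the cheat sheet in step with the warning readers will see.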
Last modified: 2019/04/12 17:42 by Miroslav Bernát