network-and-communication

Differences

network-and-communication [2019/10/06 20:51]
Miroslav Bernát
network-and-communication [2019/10/07 12:04] (current)
Miroslav Bernát
Line 39: Line 39:
 | **iptables-restore** | imports firewall rules from STDIN to memory\\ ''#​ iptables-restore < iprules''​\\ (reads the firewall rules from a particular file) | | **iptables-restore** | imports firewall rules from STDIN to memory\\ ''#​ iptables-restore < iprules''​\\ (reads the firewall rules from a particular file) |
 | **iptables** (**-t** <​table>​) <​option>​ <​chain>​ <​specification>​ <​target>​ | sets up and maintains firewall rules in the network; table „filter“ is used for packets filtering (default) and contains builtin chains „INPUT“ for incoming packets, „OUTPUT“ for outgoing packets and „FORWARD“ for packet forwarding between the networks, table „nat“ is used for IP address translations and port forwarding with chain „PREROUTING“ for incoming packets, „OUTPUT“ for altering locally-generated packets before routing and „POSTROUTING“ for outgoing packets, table „mangle“ is used for specialized packet alterations and contains all the above chains; the correct firewall setup strictly depends on the particular rules order listed in ///​etc/​sysconfig/​iptables//;​ option **-I** (<n>) inserts a rule at the head of the chain or in the selected chain specified by the rule number, **-A** appends a rule to the end of the selected chain, **-D** (<n>) deletes a rule from the selected chain, **-L** lists all rules in the selected chain, if no chain is selected, all chains are listed; option **-n** prints IP addresses and ports in a numeric format, **-v** prints the number of packets and bytes for each rule including the protocol and interface, **--line-numbers** numbers the rules of a particular chain (useful for further use with option „-I“ or „-D“), **-F** removes the rules for a particular chain, if no chain is selected, all rules are removed, **-P** sets the default policy for the chain (all is allowed by default), **-N** creates a new user-defined chain by the specified name, usually used for more detailed specifications of the rules (a default policy cannot be applied for these chains), **-X** removes a user-defined chain; follows the rule specification **-i** <​interface>​ input interface, **-o** <​interface>​ output interface, **-s** <​address>​ source address, **-d** <​address>​ destination address, **-p** <​protocol>​ type of protocol, **-m** <​module>​ rule extension 
(**state** --state <​connection_type>​ specifies the connection type – NEW new connection, ESTABLISHED existing connection, RELATED new connection related to an already existing communication,​ INVALID invalid connection meaning the packets cannot be identified; **time** specifies the time of connection --timestart <​hh:​mm>,​ --timestop <​hh:​mm>,​ --monthdays <​day_in_month>,​ --weekdays <​day_in_week>;​ **iprange** --src-range / --dst-range <​IP-IP>​ specifies the range of source/​destination addresses; **limit** --limit <​n>/<​**s** / **m** / **h** / **d**> specifies the time value, --limit-burst <n> specifies the number of packets), **--sport** <​port>​ source port, **--dport** <​port>​ destination port; and finally **-j** <​target>​ specifies how to deal with the packets – for table „filter“ ACCEPT = accept, DROP = drop, LOG = log the packets, REJECT = send back an error packet in response to the matched packet, for table „nat“ SNAT --to <​IP_address>​ = change the source address, DNAT --to <​IP_address>​ = change the destination address, REDIRECT --to-ports <​port>​ = redirect the port\\ ''#​ iptables -nvL --line-numbers''​\\ (prints the firewall rules in detailed output)\\ ''#​ iptables -P INPUT DROP''​\\ (drops all incoming packets)\\ ''#​ iptables -I INPUT -s 147.229.28.4 -j DROP''​\\ (drops all packets incoming from the particular IP address)\\ ''#​ iptables -A INPUT -p tcp --dport 22 -j DROP''​\\ (drops all packets incoming to the particular port)\\ ''#​ iptables -A INPUT -p tcp --dport 443 -j REJECT''​\\ (sends information about the service unavailability)\\ ''#​ iptables -I OUTPUT -d '​!'​ 147.229.28.4 -j DROP''​\\ (allows only packets outgoing to the particular IP address)\\ ''#​ iptables -A OUTPUT -o eth0 -d 192.168.0.0/​24 -j ACCEPT''​\\ (allows only packets outgoing from the particular interface to the local network)\\ ''#​ iptables -A OUTPUT -d upc.cz -p tcp --dport 80 -j DROP''​\\ (disallows to display the particular URL)\\ ''#​ iptables -A 
FORWARD -i eth0 -o eth1 -p tcp --dport '​!'​ 80 -j DROP''​\\ (allows packet redirections only to port 80)\\ ''#​ iptables -A INPUT -p tcp –dport 50:55 -m iprange --src-range 192.168.0.1-192.168.0.10 -j ACCEPT''​\\ (allows port range of 50-55 for particular IP addresses)\\ ''#​ iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT''​\\ (limits the number of „ping“ requests to 2 per 1s)\\ ''#​ iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3250''​\\ (redirects the particular port)\\ ''#​ iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.2:​8080''​\\ (alters the destination IP address and port of the service)\\ ''#​ iptables -A INPUT -j LOG''​\\ (logs all packets that do not meet any of the configured rules to ///​var/​log/​messages//​)\\ ''#​ iptables -D INPUT 5''​\\ (drops a rule on the 5th order in the list of „INPUT“ chain) | | **iptables** (**-t** <​table>​) <​option>​ <​chain>​ <​specification>​ <​target>​ | sets up and maintains firewall rules in the network; table „filter“ is used for packets filtering (default) and contains builtin chains „INPUT“ for incoming packets, „OUTPUT“ for outgoing packets and „FORWARD“ for packet forwarding between the networks, table „nat“ is used for IP address translations and port forwarding with chain „PREROUTING“ for incoming packets, „OUTPUT“ for altering locally-generated packets before routing and „POSTROUTING“ for outgoing packets, table „mangle“ is used for specialized packet alterations and contains all the above chains; the correct firewall setup strictly depends on the particular rules order listed in ///​etc/​sysconfig/​iptables//;​ option **-I** (<n>) inserts a rule at the head of the chain or in the selected chain specified by the rule number, **-A** appends a rule to the end of the selected chain, **-D** (<n>) deletes a rule from the selected chain, **-L** lists all rules in the selected chain, if no chain is selected, 
all chains are listed; option **-n** prints IP addresses and ports in a numeric format, **-v** prints the number of packets and bytes for each rule including the protocol and interface, **--line-numbers** numbers the rules of a particular chain (useful for further use with option „-I“ or „-D“), **-F** removes the rules for a particular chain, if no chain is selected, all rules are removed, **-P** sets the default policy for the chain (all is allowed by default), **-N** creates a new user-defined chain by the specified name, usually used for more detailed specifications of the rules (a default policy cannot be applied for these chains), **-X** removes a user-defined chain; follows the rule specification **-i** <​interface>​ input interface, **-o** <​interface>​ output interface, **-s** <​address>​ source address, **-d** <​address>​ destination address, **-p** <​protocol>​ type of protocol, **-m** <​module>​ rule extension (**state** --state <​connection_type>​ specifies the connection type – NEW new connection, ESTABLISHED existing connection, RELATED new connection related to an already existing communication,​ INVALID invalid connection meaning the packets cannot be identified; **time** specifies the time of connection --timestart <​hh:​mm>,​ --timestop <​hh:​mm>,​ --monthdays <​day_in_month>,​ --weekdays <​day_in_week>;​ **iprange** --src-range / --dst-range <​IP-IP>​ specifies the range of source/​destination addresses; **limit** --limit <​n>/<​**s** / **m** / **h** / **d**> specifies the time value, --limit-burst <n> specifies the number of packets), **--sport** <​port>​ source port, **--dport** <​port>​ destination port; and finally **-j** <​target>​ specifies how to deal with the packets – for table „filter“ ACCEPT = accept, DROP = drop, LOG = log the packets, REJECT = send back an error packet in response to the matched packet, for table „nat“ SNAT --to <​IP_address>​ = change the source address, DNAT --to <​IP_address>​ = change the destination address, 
REDIRECT --to-ports <​port>​ = redirect the port\\ ''#​ iptables -nvL --line-numbers''​\\ (prints the firewall rules in detailed output)\\ ''#​ iptables -P INPUT DROP''​\\ (drops all incoming packets)\\ ''#​ iptables -I INPUT -s 147.229.28.4 -j DROP''​\\ (drops all packets incoming from the particular IP address)\\ ''#​ iptables -A INPUT -p tcp --dport 22 -j DROP''​\\ (drops all packets incoming to the particular port)\\ ''#​ iptables -A INPUT -p tcp --dport 443 -j REJECT''​\\ (sends information about the service unavailability)\\ ''#​ iptables -I OUTPUT -d '​!'​ 147.229.28.4 -j DROP''​\\ (allows only packets outgoing to the particular IP address)\\ ''#​ iptables -A OUTPUT -o eth0 -d 192.168.0.0/​24 -j ACCEPT''​\\ (allows only packets outgoing from the particular interface to the local network)\\ ''#​ iptables -A OUTPUT -d upc.cz -p tcp --dport 80 -j DROP''​\\ (disallows to display the particular URL)\\ ''#​ iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport '​!'​ 80 -j DROP''​\\ (allows packet redirections only to port 80)\\ ''#​ iptables -A INPUT -p tcp –dport 50:55 -m iprange --src-range 192.168.0.1-192.168.0.10 -j ACCEPT''​\\ (allows port range of 50-55 for particular IP addresses)\\ ''#​ iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT''​\\ (limits the number of „ping“ requests to 2 per 1s)\\ ''#​ iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3250''​\\ (redirects the particular port)\\ ''#​ iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.2:​8080''​\\ (alters the destination IP address and port of the service)\\ ''#​ iptables -A INPUT -j LOG''​\\ (logs all packets that do not meet any of the configured rules to ///​var/​log/​messages//​)\\ ''#​ iptables -D INPUT 5''​\\ (drops a rule on the 5th order in the list of „INPUT“ chain) |
-| **firewall-cmd**\\ (implemented from RHEL 7) | manages runtime and permanent firewall configuration,​ **--get-default-zone** prints default zone for connections and interfaces, **--set-default-zone=**<​zone>​ sets default zone for connections and interfaces, **--get-active-zones** prints currently active zones altogether with interfaces and sources used in these zones, **--get-zones** lists all available zones, **--list-all-zones** lists detailed information about all zones, **--zone=**<​zone>​ specifies a zone (if not specified, the default zone is used), **--list-all** lists detailed information about the zone, **--get-services** lists all available services, **--list-services** lists services added to the zone, **--list-ports** lists ports added to the zone, **--add-source=**<​IP_address>/<​network/​netmask>​ routes all traffic coming from the IP address or network/​netmask to the zone, **--remove-source=**<​IP_address>/<​network/​netmask>​ removes the rule routing all traffic from the zone coming from the IP address or network/​netmask network, **--add-interface=**<​interface>​ routes all traffic coming from an interface to the zone, **--change-interface=**<​interface>​ changes an interface for the zone, **--add-service=**<​service>​ adds a service to the zone, **--remove-service=**<​service>​ removes a service from the zone, **--add-port=**<​port>/<​protocol>​ adds a port/​protocol to the zone, **--remove-port=**<​port>/<​protocol>​ removes a port/​protocol from the zone, **--add-rich-rule=**<​rule>​ adds a custom firewall rule to the zone that is not covered by the basic firewalld syntax, **--remove-rich-rule=**<​rule>​ removes a custom firewall rule from the zone, **--query-rich-rule=**<​rule>​ verifies if a custom firewall rule has been added to the zone, **--list-rich-rules** lists all custom firewall rules for the zone, **--permanent** performs a permanent configuration (writes changes to ///​etc/​firewalld///​),​ **--reload** applies the permanent 
configuration,​ **--runtime-to-permanent** saves the current runtime configuration as permanent\\ ''#​ firewall-cmd --add-service=http --permanent''​\\ (permits a permanent access by HTTP clients for the default zone)\\ ''#​ firewall-cmd --add-port=2222/​tcp --permanent''​\\ (opens TCP port 2222 for the default zone)\\ ''#​ firewall-cmd --zone=internal --add-source=192.168.0.0/​24 --permanent''​\\ (routes all traffic coming from the 192.168.0.0/​24 network to the internal zone)\\ ''#​ firewall-cmd --zone=internal --list-all --permanent''​\\ (lists detailed information about the internal zone)\\ ''#​ firewall-cmd --add-rich-rule='​rule family=ipv4 source address=183.131.80.130 reject'​ --permanent''​\\ (blocks all traffic from the specified IP address in the default zone)\\ ''#​ firewall-cmd --add-rich-rule='​rule family=ipv4 source address=192.168.0.15 port port=8080 protocol=tcp accept'​ --permanent''​\\ (allows port 8080 for the specified IP address in the default zone)\\ ''#​ firewall-cmd --reload''​\\ (reloads the changes in the firewall settings) |+| **firewall-cmd**\\ (implemented from RHEL 7) | manages runtime and permanent firewall configuration,​ **--get-default-zone** prints default zone for connections and interfaces, **--set-default-zone=**<​zone>​ sets default zone for connections and interfaces, **--get-active-zones** prints currently active zones altogether with interfaces and sources used in these zones, **--get-zones** lists all available zones, **--list-all-zones** lists detailed information about all zones, **--zone=**<​zone>​ specifies a zone (if not specified, the default zone is used), **--list-all** lists detailed information about the zone, **--get-services** lists all available services, **--list-services** lists services added to the zone, **--list-ports** lists ports added to the zone, **--add-source=**<​IP_address>/<​network/​netmask>​ routes all traffic coming from the IP address or network/​netmask to the zone, 
**--remove-source=**<​IP_address>/<​network/​netmask>​ removes the rule routing all traffic from the zone coming from the IP address or network/​netmask network, **--add-interface=**<​interface>​ routes all traffic coming from an interface to the zone, **--change-interface=**<​interface>​ changes an interface for the zone, **--add-service=**<​service>​ adds a service to the zone, **--remove-service=**<​service>​ removes a service from the zone, **--add-port=**<​port>/<​protocol>​ adds a port/​protocol to the zone, **--remove-port=**<​port>/<​protocol>​ removes a port/​protocol from the zone, **--add-rich-rule=**<​rule>​ adds a custom firewall rule to the zone that is not covered by the basic firewalld syntax, **--remove-rich-rule=**<​rule>​ removes a custom firewall rule from the zone, **--query-rich-rule=**<​rule>​ verifies if a custom firewall rule has been added to the zone, **--list-rich-rules** lists all custom firewall rules for the zone, **--permanent** performs a permanent configuration (writes changes to ///​etc/​firewalld///​),​ **--reload** applies the permanent configuration,​ **--runtime-to-permanent** saves the current runtime configuration as permanent\\ ''#​ firewall-cmd --add-service=http --permanent''​\\ (permits a permanent access by HTTP clients for the default zone)\\ ''#​ firewall-cmd --add-port=2222/​tcp --permanent''​\\ (opens TCP port 2222 for the default zone)\\ ''#​ firewall-cmd --zone=internal --add-source=192.168.0.0/​24 --permanent''​\\ (routes all traffic coming from the 192.168.0.0/​24 network to the internal zone)\\ ''#​ firewall-cmd --zone=internal --list-all --permanent''​\\ (lists detailed information about the internal zone)\\ ''#​ firewall-cmd --add-rich-rule='​rule family=ipv4 source address=183.131.80.130 reject'​ --permanent''​\\ (blocks all traffic from the specified IP address in the default zone)\\ ''#​ firewall-cmd --add-rich-rule='​rule family=ipv4 source address=192.168.0.15 port port=8080 protocol=tcp accept'​ 
--permanent''​\\ (allows port 8080 for the specified IP address in the default ​zone)\\ ''#​ firewall-cmd --permanent --zone=work --add-rich-rule='​rule family=ipv4 source address=192.168.0.0/​26 forward-port port=80 protocol=tcp to-port=8080'''​\\ (forwards 80/TCP to port 8080/TCP for the specified network in the work zone)\\ ''#​ firewall-cmd --reload''​\\ (reloads the changes in the firewall settings) |
 | **ssh** (<​user>​@)<​host>​ (<​command>​) | initializes an encrypted logging in to an existing account on the remote host using the same user name on both systems / using different user names; ssh is also used for executing commands on a remote host whose outputs are displayed on STDOUT of the local computer, **-l** <​user>​ logs on under a specified user, **-i** <​file>​ specifies the file with the keys (otherwise //​~/​.ssh/​id_rsa//​ is used), **-p** <​port>​ uses a nonstandard port, **-o** <​option>​ uses a specified option to override the default configuration,​ **-v** detailed output\\ ''​$ ssh 192.168.0.20''​\\ ''​$ ssh norton@mx.webs.cz''​ / ''​ssh -l norton mx.webs.cz''​\\ ''​$ ssh 192.168.0.20 "uname -a"''​\\ ''​$ ssh -o PubkeyAuthentication=no norton@192.168.0.20''​\\ ''​$ echo "​insert hostname":;​ while read hostname; do ssh $hostname 'echo "​Hostname":​ $(hostname);​ echo "Linux version":​ $(uname -a; cat /​etc/​redhat-release)'>​ ${hostname}_version.log && echo "​insert hostname":;​ done''​ | | **ssh** (<​user>​@)<​host>​ (<​command>​) | initializes an encrypted logging in to an existing account on the remote host using the same user name on both systems / using different user names; ssh is also used for executing commands on a remote host whose outputs are displayed on STDOUT of the local computer, **-l** <​user>​ logs on under a specified user, **-i** <​file>​ specifies the file with the keys (otherwise //​~/​.ssh/​id_rsa//​ is used), **-p** <​port>​ uses a nonstandard port, **-o** <​option>​ uses a specified option to override the default configuration,​ **-v** detailed output\\ ''​$ ssh 192.168.0.20''​\\ ''​$ ssh norton@mx.webs.cz''​ / ''​ssh -l norton mx.webs.cz''​\\ ''​$ ssh 192.168.0.20 "uname -a"''​\\ ''​$ ssh -o PubkeyAuthentication=no norton@192.168.0.20''​\\ ''​$ echo "​insert hostname":;​ while read hostname; do ssh $hostname 'echo "​Hostname":​ $(hostname);​ echo "Linux version":​ $(uname -a; cat /​etc/​redhat-release)'>​ 
${hostname}_version.log && echo "​insert hostname":;​ done''​ |
 | **ssh-keygen** | generates a pair of authentication keys – private and public which provide a secure user identification during the ssh connection without the necessity to enter the logging name and password; the private key is by default located in //​~/​.ssh/​id_rsa//​ či //​~/​.ssh/​id_dsa//,​ the public key in //​~/​.ssh/​id_rsa.pub//​ or //​~/​.ssh/​id_dsa.pub//​ and its contents need to be put into //​~/​.ssh/​authorized_keys//​ of the remote host; the program also asks the user to enter a „passphrase“ (string of arbitrary characters, including white spaces, protecting the private key against abuse) which, if not empty, is required from the user for identification at the beginning of each connection, **-t** <key> specifies the type of key – „rsa“ or „dsa“ (by default „rsa“), **-f** <​file>​ specifies the file with the keys (otherwise //​~/​.ssh/​id_rsa//​ is used), **-p** alters a „passphrase“,​ **-v** detailed output | | **ssh-keygen** | generates a pair of authentication keys – private and public which provide a secure user identification during the ssh connection without the necessity to enter the logging name and password; the private key is by default located in //​~/​.ssh/​id_rsa//​ či //​~/​.ssh/​id_dsa//,​ the public key in //​~/​.ssh/​id_rsa.pub//​ or //​~/​.ssh/​id_dsa.pub//​ and its contents need to be put into //​~/​.ssh/​authorized_keys//​ of the remote host; the program also asks the user to enter a „passphrase“ (string of arbitrary characters, including white spaces, protecting the private key against abuse) which, if not empty, is required from the user for identification at the beginning of each connection, **-t** <key> specifies the type of key – „rsa“ or „dsa“ (by default „rsa“), **-f** <​file>​ specifies the file with the keys (otherwise //​~/​.ssh/​id_rsa//​ is used), **-p** alters a „passphrase“,​ **-v** detailed output |
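Review bot: the new forward-port rich rule in the firewall-cmd row is added with `--permanent` only, so by the row's own description (`--permanent` writes to /etc/firewalld/, `--reload` applies the permanent configuration) it does nothing until the `firewall-cmd --reload` shown at the end of the row; the description "(forwards 80/TCP to port 8080/TCP for the specified network in the work zone)" should say that, and should say that `forward-port port=80 protocol=tcp to-port=8080` without a `to-addr=` is a local redirect of 80/TCP arriving from 192.168.0.0/26 in the work zone, i.e. the firewalld counterpart of the `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3250` example in the iptables row, whereas forwarding to another host needs `to-addr=` and masquerading enabled on the zone. Style: every other example in the row puts `--permanent` last, the new one puts it first; keep one order so the examples read as a set. The `'''` closing the command is the rich rule's closing quote followed by the wiki monospace terminator `''` and renders correctly, but is easy to misread as a typo.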
Last modified: 2019/10/07 12:04 by Miroslav Bernát