Daily management of Linux systems 2: tcpdump, iptables
1. Linux packet capture tools
tcpdump: the packet capture tool that ships with the system.
If it is not installed, install it first.
Installation:
[root@localhost ~]# yum install -y tcpdump
tcpdump -nn
The two n's mean: do not resolve IP addresses to host names and do not convert port numbers to service names; show both as numbers.
tcpdump -nn -i eth0 tcp and host 192.168.0.1 and port 80
Capture TCP packets to or from port 80 of the host 192.168.0.1, without resolving names.
-i: specify the NIC
tcp: capture only TCP packets
host 192.168.0.1: the specified IP address
port 80: capture only packets whose source or destination port is 80
tcpdump -nn -i eth0 tcp and host 192.168.0.1 and port 80 -w 1.txt
Writes the captured packets to the file 1.txt
-w: write the raw packets to a file (the file is binary, despite the .txt name)
tcpdump -nn -i eth0 tcp and host 192.168.0.1 and port 80 -c 10 -w 1.txt
Capture 10 packets and write them to 1.txt
-c: specifies how many packets to capture before exiting
-s0: capture the whole packet instead of only the first bytes of each one
[root@localhost ~]# tcpdump -nn -i eth0 tcp and not port 80
Filter out port 80 (capture everything except port 80)
tcpdump -nn -v -s0 tcp and port not 22 -c 100 -w 1.cap
-v: verbose output; -s0: full packets; -w: write to the file 1.cap
strings: prints the readable text inside a binary capture file, e.g. strings 1.cap
wireshark
Not installed by default; it has to be installed:
[root@localhost ~]# yum install -y wireshark
Capture and parse HTTP requests, to see what is being requested on port 80:
tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
(On current tshark versions the display filter option is -Y; -R is the older form.)
When to use this:
1. Access logs are not being written
2. You do not know where the configuration file is and do not want to configure a log file
3. You just want a quick look at the content
4. If the capture shows nothing at all, specify the network card with -i:
tshark -i eth0 -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
Both tcpdump and tshark need to be run as root.
2. SELinux
getenforce: shows the current SELinux state
Configuration file: /etc/selinux/config
Three states:
Enforcing: on, and the policy is enforced
Permissive: on but not enforced; a rule violation only produces a warning (it is logged)
Disabled: off
To turn it off permanently, change the configuration file:
[root@localhost ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing      # change this to SELINUX=disabled and it stays off permanently
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
setenforce 0: temporary shutdown; it no longer applies after a reboot
setenforce 1: temporarily enable; this does not work if the system was booted with SELINUX=disabled
If you do not have the getenforce command, the package needs to be installed.
Use rpm to find the package name:
rpm -qf `which getenforce`
Installation:
[root@localhost ~]# yum install -y libselinux-utils
You can also install everything SELinux-related with yum:
[root@localhost ~]# yum install '*selinux*'
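The file setting and the running mode drift apart after setenforce 0 or after editing SELINUX= without a reboot. The following check, an added example that is not part of the original post, parses the config file and compares it with what getenforce reports; the sample config is constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: report when the SELinux mode stored in
# /etc/selinux/config differs from the mode currently running (what getenforce prints).
# The two drift apart after "setenforce 0" (temporary) or after editing SELINUX= without
# rebooting, and a host booted with Disabled cannot be re-enabled with setenforce 1.

# Read config text on stdin and print the SELINUX= value in lower case, ignoring
# comment lines, whitespace around '=' and the separate SELINUXTYPE= key.
# Prints an empty line if the key is missing.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' |
        tr 'A-Z' 'a-z' | tail -n 1
}

# $1 is the running mode as printed by getenforce; config text comes on stdin.
# Prints "ok" when they agree, otherwise a one-line drift report.
selinux_check() {
    running=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    configured=$(selinux_config_mode)
    [ -n "$configured" ] || configured="missing"
    if [ "$running" = "$configured" ]; then
        echo ok
    else
        echo "drift: running=$running configured=$configured"
    fi
}

# Constructed sample config (same layout as the file shown above, with SELINUX changed).
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX = disabled
SELINUXTYPE=targeted'

# On a real host:  selinux_check "$(getenforce)" < /etc/selinux/config
# Here the file says disabled but the kernel is still Enforcing (no reboot yet), so this
# prints: drift: running=enforcing configured=disabled
printf '%s\n' "$SAMPLE_CONFIG" | selinux_check Enforcing
```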
3. NetFilter / iptables
iptables -nvL: view rules
iptables -F: clears the current rules. This is only temporary: at the next start the service reloads the saved rule file.
iptables -Z: zero the counters
service iptables save writes the rules to the file /etc/sysconfig/iptables
service iptables stop can pause the firewall, but after a reboot /etc/sysconfig/iptables is read again and the firewall starts; and even while it is stopped, it comes back as soon as we add any rule.
iptables -t specifies the table name; without -t the filter table is used by default.
The filter table is mainly used to filter packets. It is the system's default table and has three built-in chains: INPUT, OUTPUT and FORWARD. INPUT applies to packets entering this machine; OUTPUT applies to packets sent by this machine; FORWARD applies to packets that pass through this machine without being addressed to it.
iptables -nvL -t nat
Specifies the nat table
The nat table is mainly used for network address translation and port mapping; it also has three chains. The PREROUTING chain changes the destination address of a packet as soon as it arrives at the firewall, if necessary. The OUTPUT chain changes the destination address of locally generated packets. The POSTROUTING chain changes the source address just before the packet leaves the firewall.
The mangle table is mainly used to modify the TOS (type of service) and TTL (time to live) values of a packet and to set a mark on the packet, for QoS (quality of service) tuning and policy routing. Because these need support from the routing equipment, they are not widely used. Five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD.
The raw table sets a flag on the packet that decides whether it is handled by the connection-tracking mechanism. It has only two chains: OUTPUT and PREROUTING.
iptables rules:
View rules: iptables -t nat -nvL
Clear rules: iptables -t nat -F
Add/remove rules:
iptables -A/-D INPUT -s 10.72.11.12 -p tcp --sport 1234 -d 10.72.137.159 --dport 80 -j DROP
Drop packets from host 10.72.11.12, source port 1234, going to host 10.72.137.159 port 80.
-A/-D: add (append) / delete a rule
-I: insert a rule; the effect is similar to -A
-p: protocol, which can be tcp, udp or icmp
--dport: destination port, used together with -p
--sport: source port, used together with -p
-s: source IP, which can also be a network segment
-d: destination IP or network segment
-j: followed by the action; there are three options: ACCEPT (allow), DROP (drop the packet), REJECT (reject)
-i: specifies the network card; not used often, only occasionally
Insert rule: with -I, the inserted rule is placed in front of the existing rules
iptables -I INPUT -s 1.1.1.1 -j DROP/ACCEPT/REJECT
The rule nearer the front is matched first; in other words, rules in front have higher priority.
Drop packets from host 192.168.21.99:
[root@localhost ~]# iptables -I INPUT -s 192.168.21.99 -j DROP
Remove the rule for host 192.168.21.99:
[root@localhost ~]# iptables -D INPUT -s 192.168.21.99 -j DROP
Drop packets from host 192.168.21.99 that use TCP and access this machine on port 80:
[root@localhost ~]# iptables -I INPUT -s 192.168.21.99 -p tcp --dport 80 -j DROP
Drop packets that access port 22 on host 192.168.21.99:
[root@localhost ~]# iptables -I INPUT -p tcp --dport 22 -d 192.168.21.99 -j DROP
Allow the network segment 192.168.21.0/24 to communicate on the eth0 NIC:
[root@localhost ~]# iptables -A INPUT -s 192.168.21.0/24 -i eth0 -j ACCEPT
View rules with line numbers:
iptables -nvL --line-numbers
[root@localhost ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1964  145K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5     3177  311K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
6        0     0 ACCEPT     tcp  --  *      *       1.1.1.1              0.0.0.0/0           tcp dpt:80
Delete a rule by its line number. Note that rule 6 sits behind the catch-all REJECT in rule 5, so it can never match (its counters stay at 0); this is the ordering point made above.
iptables -D INPUT 6
[root@localhost ~]# iptables -D INPUT 6
[root@localhost ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1981  146K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5     3177  311K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Iptables-p INPUT [Accept] is used to set the default rule, the default is accept, once set to drop, can only use iptables-p ACCEPT to revert to the original state, and cannot use the-f parameter
Open protocol for all 192.168.21.254 hosts, i.e. no port filtering and throttling
[Email protected] ~]# iptables-a input-s 192.168.21.254-j ACCEPT
Iptables-save > 1.ipt
Redirect the rule to a 1.ipt file, or it can be said to be a backup
Iptables-restore < 1.ipt
Restore previously backed-up rules, using reverse redirection to Iptables
Forbid others to ping you, but you can ping others
[[email protected] ~]# iptables-i input-p ICMP--icmp-type 8-j DROP
Instance:
For the filter table, the default policy input chain drop, the other two chain accept, then open 22 for 192.168.0.0/24, 80 ports for all network segments, open 21 ports for all network segments. The script is as follows:
#! /bin/bash ipt= "/sbin/iptables" $ipt-F; $ipt-P INPUT DROP; $ipt-P OUTPUT ACCEPT; $ipt-P FORWARD ACCEPT; $ipt-a input-s 192.168.0.0/24-p tcp--dport 22-j accept$ipt-a input-p tcp--dport 80-j ACCEPT $ipt-a Input-p TCP --dport 21-j ACCEPT
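With INPUT defaulting to DROP, the script above also drops loopback traffic and the replies to connections the host itself opens (yum, DNS), because those replies arrive on INPUT. The version below is an added example, not the script from the original post: it implements the same policy, adds the loopback and ESTABLISHED,RELATED rules, and prints the rules instead of applying them unless run with --apply, so it can be checked without root.

```shell
#!/bin/bash
# Added example, not the script from the original post. It applies the same policy
# (INPUT default DROP; 22 open to 192.168.0.0/24; 80 and 21 open to everyone) and adds
# the two rules the original script omits: without them a default-DROP INPUT chain also
# drops loopback traffic and the replies to connections this host itself opened.
# Default run is a dry run that prints the rules; pass --apply (as root) to load them.
IPT="${IPT:-/sbin/iptables}"

apply_firewall() {
    $IPT -F
    $IPT -Z
    # Policies first: from the moment INPUT is DROP until the port-22 rule below is
    # added, new SSH connections are dropped, so run this from the console or from
    # a network that the port-22 rule will allow again.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    # Loopback, and replies to connections this host initiated (yum, DNS, ...).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The services from the post's example.
    $IPT -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 21 -j ACCEPT
}

# Dry run: print the iptables arguments that would be executed, one rule per line.
dry_run() {
    (IPT=echo; apply_firewall)
}

# Sanity checks usable before touching a live host: number of -A INPUT rules, and
# whether the ESTABLISHED,RELATED rule comes before the first port rule.
count_input_rules() {
    dry_run | grep -c -- '-A INPUT'
}
established_before_ports() {
    dry_run | awk '/ESTABLISHED/ {seen=1} /--dport/ && !seen {bad=1} END {print (bad ? "no" : "yes")}'
}

if [ "${1:-}" = "--apply" ]; then
    apply_firewall
else
    dry_run
fi
```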
A common use of an ICMP rule: the host can ping out, but outside hosts cannot ping it:
iptables -I INPUT -p icmp --icmp-type 8 -j DROP
NAT table application:
Routers are implemented with the iptables NAT principle.
Suppose your machine has two NICs, eth0 and eth1, where eth0 has IP 192.168.10.11 and eth1 has IP 172.16.10.11. eth0 is connected to the Internet but eth1 is not. Another machine (172.16.10.12) can reach eth1. How do you set things up so that the machine on the eth1 side can reach the Internet?
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o eth0 -j MASQUERADE
(The other machine must also use 172.16.10.11 as its default gateway, and the ip_forward setting is lost on reboot unless it is made persistent in /etc/sysctl.conf.)
Rule backup and recovery:
service iptables save saves the rules to /etc/sysconfig/iptables
iptables-save > myipt.rule saves the firewall rules to the specified file
iptables-restore < myipt.rule restores the rules from the specified file
This article is from the IT Exchange Learning blog; please keep this source when reproducing it: http://sxct168.blog.51cto.com/824373/1659424