First, packet capture tools and analysis tools
Packet capture tool:
tcpdump
Format:
tcpdump [-AennqX] [-i interface] [-w savefile] [-c count] [-r file] [filter expression]
Common options:
-A: Show the packet contents as ASCII; commonly used to capture WWW (HTTP) traffic.
-e: Also show the data-link-layer (OSI layer 2) MAC header.
-nn: Show IP addresses and port numbers directly, rather than host names and service names.
-q: List only brief packet information, so each line carries less detail.
-X: List the packet contents in both hex and ASCII; useful for inspecting what a packet carries.
-i: The interface to "listen" on, such as eth0, lo, ppp0, and so on.
-w: Store the captured packet data in the file named after this option instead of printing it.
-r: Read packet data from the file that follows. That "file" must already exist,
and is one produced with -w.
-c: The number of packets to capture. Without this parameter tcpdump keeps listening
until the user presses [Ctrl]-c.
We can restrict the capture to particular protocols or IP sources, which simplifies the output and leaves the most useful information. Common filter expressions are:
'host foo', 'host 127.0.0.1': capture packets to or from a single host
'net 192.168': capture packets for a whole network
'src host 127.0.0.1', 'dst net 192.168': add a source (src) or destination (dst) restriction
'tcp port 21': can also filter by protocol, such as tcp, udp, arp, ether, etc.
Expressions can also be combined with "and" and "or" to narrow down what is displayed!
1) Example: monitor packet information on the NIC eth0
# tcpdump -i eth0 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:15:43.969449 IP 192.168.0.120.22 > 192.168.0.116.50039: Flags [P.], seq 4182134245:4182134453, ack 2359223205, win 292, length 208
09:15:43.969809 IP 192.168.0.116.50039 > 192.168.0.120.22: Flags [.], ack 208, win 251, length 0
09:15:43.972277 IP 192.168.0.120.22 > 192.168.0.116.50039: Flags [P.], seq 208:496, ack 1, win 292, length 288
...(output omitted in the middle)...
^C                              <== press [Ctrl]-c to end the capture
952 packets captured            <== the number of packets intercepted
952 packets received by filter  <== the total number of packets received by the filter
0 packets dropped by kernel     <== packets discarded by the kernel
Take one of the captured lines for analysis:
09:15:43.972277 IP 192.168.0.120.22 > 192.168.0.116.50039: Flags [P.], seq 208:496, ack 1, win 292, length 288
09:15:43.972277: the time the packet was captured, in hours:minutes:seconds format
IP: the protocol used is IP
192.168.0.120.22 >: the source IP is 192.168.0.120 and the source port is 22; the ">" shows the direction of transmission
192.168.0.116.50039: the destination IP is 192.168.0.116 and the receiving port is 50039
[P.], seq 208:496: the packet carries the PUSH flag, and the data transmitted is bytes 196~472 of the overall stream
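As an added example (not code from the original post), the following POSIX shell script pulls those same fields out of tcpdump -nn summary lines with awk and then totals the payload bytes carried in each direction of the connection. The three input lines are constructed from the capture shown above; the function names are the script's own.

```shell
#!/bin/sh
# Constructed sample: three `tcpdump -i eth0 -nn` summary lines modelled on the
# capture above (not a real capture).
SAMPLE='09:15:43.969449 IP 192.168.0.120.22 > 192.168.0.116.50039: Flags [P.], seq 4182134245:4182134453, ack 2359223205, win 292, length 208
09:15:43.969809 IP 192.168.0.116.50039 > 192.168.0.120.22: Flags [.], ack 208, win 251, length 0
09:15:43.972277 IP 192.168.0.120.22 > 192.168.0.116.50039: Flags [P.], seq 208:496, ack 1, win 292, length 288'

# parse_line LINE: print "time src_ip src_port dst_ip dst_port flags length".
# tcpdump writes the port as a fifth dotted component, so the address is
# split at its last dot.
parse_line() {
  printf '%s\n' "$1" | awk '{
    ts = $1; src = $3; dst = $5; sub(/:$/, "", dst)
    split(src, s, "."); sip = s[1] "." s[2] "." s[3] "." s[4]; sport = s[5]
    split(dst, d, "."); dip = d[1] "." d[2] "." d[3] "." d[4]; dport = d[5]
    flags = "-"; len = 0
    for (i = 6; i <= NF; i++) {
      if ($i == "Flags") { flags = $(i + 1); sub(/,$/, "", flags) }
      if ($i == "length") len = $(i + 1)
    }
    print ts, sip, sport, dip, dport, flags, len
  }'
}

# summarize_flows: read summary lines on stdin and print the total payload
# bytes sent in each direction as "src:port>dst:port bytes", sorted.
summarize_flows() {
  while IFS= read -r line; do
    parse_line "$line"
  done | awk '{ key = $2 ":" $3 ">" $4 ":" $5; sum[key] += $7 }
              END { for (k in sum) print k, sum[k] }' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE" | summarize_flows
```

Run with a saved capture by piping tcpdump -r savefile -nn into summarize_flows; the per-direction totals make it easy to spot which side of a connection is actually moving data.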
2) Example: monitor a port
# tcpdump -i eth0 -nn port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:49:43.323168 IP 192.168.0.120.22 > 192.168.0.116.50039: Flags [P.], seq 4182816229:4182816437, ack 2359228693, win 292, length 208
09:49:43.323587 IP 192.168.0.116.50039 > 192.168.0.120.22: Flags [.], ack 208, win, length 0
09:49:43.326386 IP 192.168.0.120.22 > 192.168.0.116.50039: Flags [P.], seq 208:496, ack 1, win 292, length 288
3) Example: display the captured data in hexadecimal
# tcpdump -i eth0 -nn port 22 -X -c 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:55:47.264963 IP 192.168.0.120.22 > 192.168.0.116.50039: Flags [P.], seq 4188295253:4188295461, ack 2359246885, win 292, length 208
        0x0000:  4510 00f8 c2b9 4000 4006 f4f9 c0a8 0078  E.....@.@......x
        0x0010:  c0a8 0074 0016 c377 f9a4 5055 8c9f 4025  ...t...w..PU..@%
        0x0020:  5018 0124 8327 0000 8578 31ae e713 1540  P..$.'...x1....@
        0x0030:  63d5 51cb 41e9 a67b 6ecd ab3b a8b3 3df7  c.Q.A..{n..;..=.
        0x0040:  999a 4d66 abc8 9100 f000 4763 3851 fe84  ..Mf......Gc8Q..
        0x0050:  5d71 eb81 918b 0161 cc44 b9e7 5994 9fd7  ]q.....a.D..Y...
        0x0060:  bb3d e795 666e 277e c840 4500 ff1f 525b  .=..fn'~.@E...R[
        0x0070:  2a11 46a0 8bb9 b10d dc69 6110 4658 b926  *.F......ia.FX.&
        0x0080:  5246 f375 c8a8 b5d4 4161 e688 bcb5 4740  RF.u....Aa....G@
        0x0090:  386b 01b1 874f 6432 5b02 59f3 ce70 20ce  8k...Od2[.Y..p..
        0x00a0:  5604 7bc9 0a7e b593 bb66 8be9 3edc a047  V.{..~...f..>..G
        0x00b0:  62bd fb58 1613 6458 80bd b632 00bc 4472  b..X..dX...2..Dr
        0x00c0:  542e a051 7716 6ef8 d37a 6187 322e 23d5  T..Qw.n..za.2.#.
        0x00d0:  9d80 4fb0 009a 1383 3313 3d74 e20a f263  ..O.....3.=t...c
        0x00e0:  fc2d 6c49 4305 509d 280b a54c 6059 4745  .-lIC.P.(..L`YGE
        0x00f0:  a8f5 6932 a5a0 aa24                      ..i2...$
1 packets captured
4 packets received by filter
0 packets dropped by kernel
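Added example, not part of the original post: the hex lines of that dump are the raw IPv4 and TCP headers, and the shell script below decodes them to show where the values in the summary line (the addresses, ports 22 and 50039, the P and . flags, and length 208) come from. Only the first three hex lines are needed; they are copied from the output above, and the helper names are the script's own.

```shell
#!/bin/sh
# The first 48 bytes of the packet, taken from the `tcpdump -X` output above.
HEXDUMP='0x0000:  4510 00f8 c2b9 4000 4006 f4f9 c0a8 0078
0x0010:  c0a8 0074 0016 c377 f9a4 5055 8c9f 4025
0x0020:  5018 0124 8327 0000 8578 31ae e713 1540'

# hex_of DUMP: drop the offsets and whitespace, leaving one string of hex digits
hex_of() { printf '%s\n' "$1" | sed 's/^0x[0-9a-fA-F]*: *//' | tr -d ' \n' | tr 'A-F' 'a-f'; }
# byte HEX N: decimal value of byte N (0-based) of the packet
byte() {
  h=$(printf '%s' "$1" | cut -c$(($2 * 2 + 1))-$(($2 * 2 + 2)))
  echo $((0x$h))
}
# word HEX N: 16-bit big-endian value starting at byte N
word() { echo $(( $(byte "$1" $2) * 256 + $(byte "$1" $(($2 + 1))) )); }
# ipv4 HEX N: dotted-quad address starting at byte N
ipv4() { echo "$(byte "$1" $2).$(byte "$1" $(($2 + 1))).$(byte "$1" $(($2 + 2))).$(byte "$1" $(($2 + 3)))"; }

# decode_ip_tcp DUMP: print the header fields that explain the summary line
decode_ip_tcp() {
  hex=$(hex_of "$1")
  first=$(byte "$hex" 0)
  ihl=$(( (first % 16) * 4 ))              # IP header length in bytes (IHL * 4)
  total=$(word "$hex" 2)                   # IP total length (0x00f8 = 248)
  proto=$(byte "$hex" 9)                   # 6 = TCP
  src=$(ipv4 "$hex" 12); dst=$(ipv4 "$hex" 16)
  t=$ihl                                   # TCP header starts right after the IP header
  sport=$(word "$hex" $t); dport=$(word "$hex" $((t + 2)))
  doff=$(( ($(byte "$hex" $((t + 12))) / 16) * 4 ))   # TCP data offset in bytes
  flags=$(byte "$hex" $((t + 13)))         # 0x18 = PSH (0x08) + ACK (0x10), shown as [P.]
  payload=$(( total - ihl - doff ))        # what tcpdump reports as "length"
  printf 'version=%d ihl=%d total=%d proto=%d\n' $((first / 16)) "$ihl" "$total" "$proto"
  printf 'src=%s:%d dst=%s:%d\n' "$src" "$sport" "$dst" "$dport"
  printf 'flags=0x%02x psh=%d ack=%d payload=%d\n' "$flags" $(( (flags / 8) % 2 )) $(( (flags / 16) % 2 )) "$payload"
}

decode_ip_tcp "$HEXDUMP"
```

Comparing the decoded payload (248 - 20 - 20 = 208) with the "length 208" in the summary line is a quick way to confirm that a dump and its one-line summary describe the same packet.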
Analysis Tools:
Wireshark
Second, iptables
1) View rules and policies
Options:
-t: followed by the table, such as nat or filter; if omitted, the default filter table is used
-L: list the rules of the current table
-n: do not resolve IPs and hostnames, which makes the output appear much faster!
-v: list more information, including the total number of packets that matched each rule, the associated network interfaces, etc.
Example:
# iptables -nvL
Chain INPUT (policy ACCEPT 42 packets, 3866 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 25 packets, 3048 bytes)
 pkts bytes target     prot opt in     out     source               destination
Explanation of the main columns
target: the action; ACCEPT lets the packet through, REJECT rejects it, and there is also DROP (discard)!
prot: the protocol of the packet, mainly the three formats tcp, udp and icmp;
opt: additional option descriptions
source: what "source IP" restriction does this rule have?
destination: what destination IP restriction does this rule have?
2) Modifying the policy
Options and parameters:
-P: define the policy. Note that this P is uppercase!
ACCEPT: the packet is accepted
DROP: the packet is discarded directly, and the client is not told why it was discarded.
Example:
# iptables -P INPUT DROP
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
3) Add a rule
[-AI chain]: "insert" or "append" a rule into a chain
-A: append a new rule after the existing rules. For example, if there are already four rules,
using -A adds the fifth rule!
-I: insert a rule. If no position is given for this rule, it is inserted as the first rule by default.
For example, if there are four rules, using -I makes the new rule the first one and the original four become numbers 2~5
chain: INPUT, OUTPUT, FORWARD and so on; the chain name is tied to the -i/-o options below
[-io network interface]: set the interface on which packets enter or leave
-i: the network interface on which the packet arrives, such as eth0, lo and other interfaces. Must be used with the INPUT chain;
-o: the network interface through which the packet is sent out; must be used with the OUTPUT chain;
[-p protocol]: set which packet format this rule applies to; the main packet formats are tcp, udp, icmp and all
[-s source ip/network]: set the source of the packets this rule matches; you can give a single IP or a whole network, for example IP: 192.168.0.100; network: 192.168.0.0/24 or 192.168.0.0/255.255.255.0 are both accepted.
To specify "not allowed", add "!", for example: -s ! 192.168.100.0/24 means packets whose source is 192.168.100.0/24 are not allowed;
[-d target ip/network]: the same as -s, but this refers to the destination IP or network
-j [ACCEPT|DROP|REJECT|LOG]: followed by the action; the main actions are accept (ACCEPT), discard (DROP), reject (REJECT) and log (LOG)
[-s source ip/network] [--sport port range]
[-d target ip/network] [--dport port range] -j [ACCEPT|DROP|REJECT]
Options and parameters:
--sport port range: restrict the source port number; the ports can be given as a range, for example 1024:65535
--dport port range: restrict the destination port number.
Example:
# iptables -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp -j ACCEPT
4) Delete a rule
-D: delete action
--line-numbers: show the rule numbers
Example:
# iptables -nL --line-numbers      <== view the rules and display their numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0
2    DROP       tcp  --  192.168.1.70         0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
# iptables -D INPUT 2              <== delete rule 2 in the INPUT chain
5) Rule cleanup
Options and parameters:
-F: clear all the rules that have been set;
-X: delete all user-defined ("custom") chains
-Z: zero the packet and byte counters of all chains
6) Save, back up and restore iptables
① # /etc/init.d/iptables save   <== save the current rules and make them take effect;
② # iptables-save > ipt.rule    <== back up the current rules; restore them with the reverse redirect "<"
③ # iptables -F                 <== empty the rule table; note: the policies are not cleared
④ # /etc/init.d/iptables stop   <== stop all policies and rules
Note:
Host rule-setting process:
Rule zeroing: clear all existing rules (iptables -F ...), or at least stop the service first
Default policy: the INPUT chain is set to DROP; the other chains keep the default ACCEPT;
Trust the local host: lo must be set as a trusted device, because lo is very important to the machine;
Response packets: packets that respond to requests the host itself sent out may enter the host (ESTABLISHED,RELATED)
Trusted users: optional; used when you want to let certain source networks use your host's resources
ICMP packet rules: designed to respond to ping
# iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -j ACCEPT
NAT table application:
Route forwarding
Suppose your machine has two NICs, eth0 and eth1, where eth0 has IP 192.168.10.11 and eth1 has IP 172.16.10.11. eth0 is connected to the Internet but eth1 is not; another machine (172.16.10.12) can reach eth1. How do you set things up so that the machine on the eth1 side can reach the Internet?
# echo "1" > /proc/sys/net/ipv4/ip_forward                                    <== turn on route forwarding
# iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o eth0 -j MASQUERADE      <== add the masquerade (forwarding) rule
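Added example, not part of the original post: the host rule-setting process above and this NAT masquerade rule can be expressed as one iptables-restore file instead of a series of separate iptables commands, which is also the format that iptables-save produces for backups. The shell function below generates that file. The interface name, the internal network and the optional trusted network are parameters with assumed values (not from the page); loading the file as root and enabling ip_forward are shown only in comments, since nothing here touches the live firewall.

```shell
#!/bin/sh
# gen_ruleset WAN_IF [LAN_NET] [TRUSTED_NET]
#   WAN_IF      interface facing the Internet (assumed: eth0)
#   LAN_NET     internal network to masquerade; empty = no nat table at all
#   TRUSTED_NET optional source network allowed unconditionally; empty = none
# Prints an iptables-restore file. Loading it flushes the listed tables, which
# covers the "rule zeroing" step, and the :CHAIN lines set the default policies.
gen_ruleset() {
  wan_if=${1:-eth0}
  lan_net=${2:-}
  trusted=${3:-}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wan_if -p icmp --icmp-type 8 -j ACCEPT
EOF
  # trusted users step: only emitted when a trusted network was given
  if [ -n "$trusted" ]; then
    printf '%s\n' "-A INPUT -s $trusted -j ACCEPT"
  fi
  echo COMMIT
  # NAT step for the two-NIC case: masquerade the internal network out of WAN_IF
  if [ -n "$lan_net" ]; then
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
EOF
  fi
}

# To apply on the host (as root), after enabling forwarding:
#   echo 1 > /proc/sys/net/ipv4/ip_forward
#   gen_ruleset eth0 172.16.10.0/24 > ipt.rule && iptables-restore < ipt.rule
gen_ruleset eth0 172.16.10.0/24
```

Keeping the ruleset as a generated file means the whole policy is reviewed and loaded atomically, and the same file can be diffed against the output of iptables-save to check that the running firewall still matches what was intended.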
This article is from the "Mylinux" blog; please keep this source when reposting: http://mylinuxlife.blog.51cto.com/4706737/1635937
Linux Learning Notes-15th lesson-Daily Management (II)