From f9add1a23b1061ebc3206a32206af388f2ec97ed Mon Sep 17 00:00:00 2001
From: FreeArtMan <dos21h@gmail.com>
Date: Sun, 12 Feb 2017 22:05:41 +0000
Subject: Update iptables and chromebook notes

---
 md/writeup/devices/samsung_xe303c12.md |  5 ++
 md/writeup/using_iptables.md           | 85 ++++++++++++++++++++++++++++++----
 2 files changed, 82 insertions(+), 8 deletions(-)

diff --git a/md/writeup/devices/samsung_xe303c12.md b/md/writeup/devices/samsung_xe303c12.md
index 0879518..12d260e 100644
--- a/md/writeup/devices/samsung_xe303c12.md
+++ b/md/writeup/devices/samsung_xe303c12.md
@@ -133,6 +133,11 @@ to disable update service.
 ```
 initctl stop update-engine
 ```
+
+### Recovery mode
+
+Press __ESC__ + __Refresh buttom__ and then press __Power button__
+
 ## Links
 
 1. https://archlinuxarm.org/platforms/armv7/samsung/samsung-chromebook
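Review bot: typo in the added recovery-mode line: `Refresh buttom` should be `Refresh button`, and the sentence needs a full stop. It is also worth clarifying whether ESC and Refresh are held down while Power is pressed, since `+` followed by `then` reads ambiguously.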
diff --git a/md/writeup/using_iptables.md b/md/writeup/using_iptables.md
index 4ef342d..3ba3337 100644
--- a/md/writeup/using_iptables.md
+++ b/md/writeup/using_iptables.md
@@ -6,12 +6,44 @@ keywords:linux,iptables,networking,icmp,ping
 
 iptables is linux firewall that uses linux kernel netfilters to expose in kernel
 stuff to userland. Here is notes how to fulfill various tasks block, forward 
-or prank this silly network packets. 
+or prank this silly network packets. This is not manual it just research notes
+how to get most of your linux box.
+
+### netfiler modules
+#### conntrack
+Module that allows more specific connection tracking for TCP,UDP,ICMP or others.
+The information that conntrack gathers is then used to tell conntrack in which 
+state the stream is currently in.
+
+## Protocols
+### TCP connection states
+| state | timeout |
+|---|---|
+| NONE 	| 30 minutes |
+| ESTABLISHED | 5 days |
+| SYN_SENT    | 2 minutes |
+| SYN_RECV    | 60 seconds |
+| FIN_WAIT    | 2 minutes |
+| TIME_WAIT   | 2 minutes |
+| CLOSE       | 10 seconds |
+| CLOSE_WAIT  | 12 hours |
+| LAST_ACK    | 30 seconds |
+| LISTEN      | 2 minutes |
+
+Not constant values could change from version to version.
+
+### TCP connection establishment
+| handshake | desc |
+|---|---|
+| SYN     | The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A. |
+| SYN-ACK | In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B. |
+| ACK     | Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A+1, and the acknowledgement number is set to one more than the received sequence number i.e. B+1. |
+
+Once it has seen one packet(the SYN), it considers the connection as NEW. 
+Once it sees the return packet(SYN/ACK), it considers the connection as ESTABLISHED.
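Review bot: `### netfiler modules` should read `netfilter`, and the heading levels jump from `###` to `####` and then back to `##` for `Protocols`, which breaks the outline; the modules section should sit under its own `##` heading. In the added intro, `This is not manual it just research notes how to get most of your linux box` needs rewording, e.g. `This is not a manual, just research notes on how to get the most out of your Linux box.` The line `Not constant values could change from version to version.` under the timeout table should say what it means, e.g. `These timeouts are not constants; they change from version to version.`, and the table heading `TCP connection states` would be clearer as `conntrack TCP state timeouts`, since the values are conntrack's, not TCP's. Minor: `packet(the SYN)` and `packet(SYN/ACK)` need a space before the parenthesis.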
 
 ## Examples
 
-SIP - Server IP, your machine ip address
-
 __General cmd flag description__
 
 | Flag | Desc |
@@ -31,6 +63,7 @@ __General cmd flag description__
 | -t | command matching table |
 | -j | jump target |
 | -i | interface name |
+| -m | extra matching rulles |
 
 __Command matching table names__
 
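Review bot: `extra matching rulles` in the new `-m` row is misspelled and vague; `-m` loads a match extension module, as the page's own `-m owner` and `-m state` examples show, so `load a match extension (e.g. state, owner)` describes the flag better.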
@@ -44,7 +77,7 @@ __Command matching table names__
 
 __Adding rulle targets__
 
-| adding | desc |
+| rulle table | desc |
 | --- | --- |
 | INPUT       | for packets destined to local sockets |
 | OUTPUT      | for locally-generated packet |
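Review bot: the renamed header `rulle table` is still wrong: INPUT, OUTPUT, PREROUTING and POSTROUTING are chains, not tables (the tables are listed separately under `Command matching table names`), so the column should be `chain`. `rulle` is also a typo for `rule`, here and in the `Adding rulle targets` heading above.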
@@ -52,6 +85,30 @@ __Adding rulle targets__
 | PREROUTING  | for altering incoming packets before routing |
 | POSTROUTING | for altering packets as they are about to go out |
 
+__Connection state__
+
+There is possible to match specific states of connections here is a list of 
+some of them.
+
+|state | desc |
+|---|---|
+| NEW         | The NEW state tells us that the packet is the first packet that we see.  |
+| ESTABLISHED | The ESTABLISHED state has seen traffic in both directions and will then continuously match those packets. |
+| RELATED     | The RELATED state is one of the more tricky states. A connection is considered RELATED when it is related to another already ESTABLISHED connection.  |
+| INVALID     | The INVALID state means that the packet can't be identified or that it does not. |
+| UNTRACKED   | This is the UNTRACKED state. |
+
+All connection tracking is handled in the __PREROUTING__ chain, except locally 
+generated packets which are handled in the __OUTPUT__ chain. What this means is that
+iptables will do all recalculation of states and so on within 
+the __PREROUTING__ chain. If we send the initial packet in a stream, 
+the state gets set to __NEW__ within the __OUTPUT__ chain, and when we receive 
+a return packet, the state gets changed in the __PREROUTING__ chain to 
+__ESTABLISHED__,  and so on. If the first packet is not originated by 
+ourself, the __NEW__ state  is set within the __PREROUTING__ chain of course. 
+So, all state changes and calculations are done within 
+the __PREROUTING__ and __OUTPUT__ chains of the nat table. 
+
 ### List all rulles
 
 ```
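Review bot: the INVALID row is cut off mid-sentence (`or that it does not.`), and the UNTRACKED row (`This is the UNTRACKED state.`) describes nothing; both need a real description or should be dropped. The intro sentence `There is possible to match specific states of connections here is a list of some of them.` needs punctuation, e.g. `It is possible to match specific connection states; here is a list of some of them.` The closing paragraph says state is calculated in the PREROUTING and OUTPUT chains `of the nat table`, while the page's state-matching example below uses the INPUT chain; one sentence distinguishing where state is tracked from where `-m state` rules are placed would stop readers looking for their state rules in the nat table.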
@@ -222,7 +279,7 @@ Lets block just incoming ip
 iptables -A INPUT -s 8.8.8.8 -j DROP
 ```
 
-#### By port
+#### Blov by port
 
 Block ip to access specific port
 
@@ -230,7 +287,7 @@ Block ip to access specific port
 iptables -A INPUT -s 8.8.8.8 -p tcp --destination-port 25 -j DROP
 ```
 
-### Block UID
+### Block by UID
 
 There is possble to make iptables basing on user id
 
@@ -238,7 +295,16 @@ There is possble to make iptables basing on user id
 iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j DROP
 ```
 
-### Loging
+### Block by state
+You can block some ports, but if you whant that ESTABLISHED connections are still
+there. Then there is possible to match specific connection state
+```
+iptables -A INPUT -m state --state NEW -j DROP -s 86.159.18.180
+```
+
+### Connection state
+
+### Logging
 
 Log droppend packages
 
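Review bot: `### Connection state` is added as an empty section immediately followed by `### Logging`; either fill it or remove it. In `Block by state`, `whant` is a typo and the two sentences read as a fragment; suggested: `To block new connections from a host while leaving its ESTABLISHED connections alive, match the connection state:`. The rule places `-s 86.159.18.180` after `-j DROP`; it works, but every other example on this page puts matches before the target and uses `8.8.8.8` as the placeholder address, so this hard-coded address looks copied from a live ruleset rather than chosen as an example and should be replaced with the same placeholder.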
@@ -271,4 +337,7 @@ the system admins could be not happy with this jokes ;].
 11. http://ipset.netfilter.org/iptables.man.html
 12. http://gr8idea.info/os/tutorials/security/iptables5.html
 13. http://linuxpoison.blogspot.co.uk/2010/11/how-to-limit-network-access-by-user.html
-14. http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
\ No newline at end of file
+14. http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
+15. http://www.iptables.info/en/connection-state.html
+16. https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Protocol_operation
+17. https://tools.ietf.org/html/rfc675
\ No newline at end of file
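Review bot: the file still ends without a trailing newline (`\ No newline at end of file` appears on both sides of the hunk), which is why link 14 shows as removed and re-added although it did not change; adding a final newline would keep future diffs of the link list to the lines that actually changed.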
-- 
cgit v1.2.3