From f9add1a23b1061ebc3206a32206af388f2ec97ed Mon Sep 17 00:00:00 2001 From: FreeArtMan Date: Sun, 12 Feb 2017 22:05:41 +0000 Subject: Update iptables and chromebook notes --- md/writeup/devices/samsung_xe303c12.md | 5 ++ md/writeup/using_iptables.md | 85 ++++++++++++++++++++++++++++++---- 2 files changed, 82 insertions(+), 8 deletions(-) (limited to 'md') diff --git a/md/writeup/devices/samsung_xe303c12.md b/md/writeup/devices/samsung_xe303c12.md index 0879518..12d260e 100644 --- a/md/writeup/devices/samsung_xe303c12.md +++ b/md/writeup/devices/samsung_xe303c12.md @@ -133,6 +133,11 @@ to disable update service. ``` initctl stop update-engine ``` + +### Recovery mode + +Press __ESC__ + __Refresh buttom__ and then press __Power button__ + ## Links 1. https://archlinuxarm.org/platforms/armv7/samsung/samsung-chromebook diff --git a/md/writeup/using_iptables.md b/md/writeup/using_iptables.md index 4ef342d..3ba3337 100644 --- a/md/writeup/using_iptables.md +++ b/md/writeup/using_iptables.md @@ -6,12 +6,44 @@ keywords:linux,iptables,networking,icmp,ping iptables is linux firewall that uses linux kernel netfilters to expose in kernel stuff to userland. Here is notes how to fulfill various tasks block, forward -or prank this silly network packets. +or prank this silly network packets. This is not manual it just research notes +how to get most of your linux box. + +### netfiler modules +#### conntrack +Module that allows more specific connection tracking for TCP,UDP,ICMP or others. +The information that conntrack gathers is then used to tell conntrack in which +state the stream is currently in. + +## Protocols +### TCP connection states +| state | timeout | +|---|---| +| NONE | 30 minutes | +| ESTABLISHED | 5 days | +| SYN_SENT | 2 minutes | +| SYN_RECV | 60 seconds | +| FIN_WAIT | 2 minutes | +| TIME_WAIT | 2 minutes | +| CLOSE | 10 seconds | +| CLOSE_WAIT | 12 hours | +| LAST_ACK | 30 seconds | +| LISTEN | 2 minutes | + +Not constant values could change from version to version. + +### TCP connection establishment +| handshake | desc | +|---|---| +| SYN | The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A. | +| SYN-ACK | In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B. | +| ACK | Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A+1, and the acknowledgement number is set to one more than the received sequence number i.e. B+1. | + +Once it has seen one packet(the SYN), it considers the connection as NEW. +Once it sees the return packet(SYN/ACK), it considers the connection as ESTABLISHED. ## Examples -SIP - Server IP, your machine ip address - __General cmd flag description__ | Flag | Desc | @@ -31,6 +63,7 @@ __General cmd flag description__ | -t | command matching table | | -j | jump target | | -i | interface name | +| -m | extra matching rulles | __Command matching table names__ @@ -44,7 +77,7 @@ __Command matching table names__ __Adding rulle targets__ -| adding | desc | +| rulle table | desc | | --- | --- | | INPUT | for packets destined to local sockets | | OUTPUT | for locally-generated packet | @@ -52,6 +85,30 @@ __Adding rulle targets__ | PREROUTING | for altering incoming packets before routing | | POSTROUTING | for altering packets as they are about to go out | +__Connection state__ + +There is possible to match specific states of connections here is a list of +some of them. + +|state | desc | +|---|---| +| NEW | The NEW state tells us that the packet is the first packet that we see. | +| ESTABLISHED | The ESTABLISHED state has seen traffic in both directions and will then continuously match those packets. | +| RELATED | The RELATED state is one of the more tricky states. A connection is considered RELATED when it is related to another already ESTABLISHED connection. | +| INVALID | The INVALID state means that the packet can't be identified or that it does not. | +| UNTRACKED | This is the UNTRACKED state. | + +All connection tracking is handled in the __PREROUTING__ chain, except locally +generated packets which are handled in the __OUTPUT__ chain. What this means is that +iptables will do all recalculation of states and so on within +the __PREROUTING__ chain. If we send the initial packet in a stream, +the state gets set to __NEW__ within the __OUTPUT__ chain, and when we receive +a return packet, the state gets changed in the __PREROUTING__ chain to +__ESTABLISHED__, and so on. If the first packet is not originated by +ourself, the __NEW__ state is set within the __PREROUTING__ chain of course. +So, all state changes and calculations are done within +the __PREROUTING__ and __OUTPUT__ chains of the nat table. + ### List all rulles ``` @@ -222,7 +279,7 @@ Lets block just incoming ip iptables -A INPUT -s 8.8.8.8 -j DROP ``` -#### By port +#### Blov by port Block ip to access specific port @@ -230,7 +287,7 @@ Block ip to access specific port iptables -A INPUT -s 8.8.8.8 -p tcp --destination-port 25 -j DROP ``` -### Block UID +### Block by UID There is possble to make iptables basing on user id @@ -238,7 +295,16 @@ There is possble to make iptables basing on user id iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j DROP ``` -### Loging +### Block by state +You can block some ports, but if you whant that ESTABLISHED connections are still +there. Then there is possible to match specific connection state +``` +iptables -A INPUT -m state --state NEW -j DROP -s 86.159.18.180 +``` + +### Connection state + +### Logging Log droppend packages @@ -271,4 +337,7 @@ the system admins could be not happy with this jokes ;]. 11. http://ipset.netfilter.org/iptables.man.html 12. http://gr8idea.info/os/tutorials/security/iptables5.html 13. http://linuxpoison.blogspot.co.uk/2010/11/how-to-limit-network-access-by-user.html -14. http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html \ No newline at end of file +14. http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html +15. http://www.iptables.info/en/connection-state.html +16. https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Protocol_operation +17. https://tools.ietf.org/html/rfc675 \ No newline at end of file -- cgit v1.2.3