Showing posts with label Linux. Show all posts

Friday, November 4, 2016

IPTABLES Commands

IPTables
- Iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list that matches it. If it doesn't find one, it falls back to the chain's default policy.

Types of Chains
Iptables uses three different chains: INPUT, FORWARD, and OUTPUT.
a> Input – This chain controls the behavior of incoming connections. For example, if a user attempts to SSH into your PC/server, iptables will try to match the IP address and port against a rule in the INPUT chain.
b> Forward – This chain is used for incoming connections that aren't actually being delivered locally. Think of a router: data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you're doing some kind of routing, NAT, or something else on your system that requires forwarding, you won't even use this chain.
· There's one sure-fire way to check whether or not your system uses/needs the FORWARD chain: list the rules with their packet counters and see whether anything has hit FORWARD.
      # iptables -L -v

c> Output – This chain is used for outgoing connections. For example, if you try to ping howtogeek.com, iptables will check its OUTPUT chain to see what the rules are regarding ping and howtogeek.com before deciding whether to allow or deny the connection attempt.
      # iptables -L | grep policy
· The above command shows the default policy of each chain, i.e. what happens to traffic that no rule in the chain covers.
# iptables --policy INPUT ACCEPT
# iptables --policy OUTPUT ACCEPT
# iptables --policy FORWARD ACCEPT

If the policies are set as above, iptables accepts any connection that no rule defines.
If they are set as follows, iptables drops every connection that no rule defines:
# iptables --policy INPUT DROP
# iptables --policy OUTPUT DROP
# iptables --policy FORWARD DROP


Connection-specific Responses

With your default chain policies configured, you can start adding rules to iptables so it knows what to do when it encounters a connection from or to a particular IP address or port. In this guide, we’re going to go over the three most basic and commonly used “responses”.

Accept – Allow the connection.
Drop – Drop the connection, act like it never happened. This is best if you don’t want the source to realize your system exists.
Reject – Don’t allow the connection, but send back an error. This is best if you don’t want a particular source to connect to your system, but you want them to know that your firewall blocked them.

Allowing or Blocking Specific Connections

-A = Append the rule to the end of an existing chain. Iptables starts at the top of the chain and goes through each rule until it finds one that matches.
-I = Insert the rule into a chain at a given position (the top, position 1, by default), ahead of the existing rules.


As we mentioned earlier, a lot of protocols are going to require two-way communication. For example, if you want to allow SSH connections to your system, the input and output chains are going to need a rule added to them. But, what if you only want SSH coming into your system to be allowed? Won’t adding a rule to the output chain also allow outgoing SSH attempts?
That's where connection states come in: they give you the capability to allow two-way communication while letting connections be established in only one direction. Take a look at this example, where SSH connections FROM 10.10.10.10 are permitted, but SSH connections TO 10.10.10.10 are not. However, the system is permitted to send back information over SSH as long as the session has already been established, which makes SSH communication possible between these two hosts.
# iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT


Saving Changes

The changes that you make to your iptables rules will be lost the next time the iptables service restarts unless you run a command to save them. This command differs by distribution:
Ubuntu:
sudo /sbin/iptables-save
Red Hat / CentOS:
/sbin/service iptables save
Or
/etc/init.d/iptables save


List the currently configured iptables rules:
# iptables -L

Delete Firewall Rules


To display line numbers along with the other information for the existing rules, enter:
# iptables -L INPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers | less
# iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1
You will get the list of rules with their numbers. Note the number on the left, then use it to delete that rule. For example, to delete rule number 4 from INPUT, enter:
# iptables -D INPUT 4
Or match the rule by its source IP 202.54.1.1 and delete it by its specification:
# iptables -D INPUT -s 202.54.1.1 -j DROP
Adding the -v option will give you packet and byte information, and adding -n will list everything numerically. In other words – hostnames, protocols, and networks are listed as numbers.
To clear all the currently configured rules, you can issue the flush command.
# iptables -F
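The `iptables -L INPUT -n --line-numbers` listing described above, parsed by an example script added here (not from the original post) that finds every rule for a given source address and emits the matching `iptables -D` commands; it assumes the listing was taken without -v (no packet/byte columns) and runs on a constructed sample rather than a live firewall. One detail the post does not mention: when several rules must be deleted by number, delete the highest number first, because each deletion renumbers the rules below it.

```python
import re

# Constructed sample of `iptables -L INPUT -n --line-numbers` output (not taken from a real host)
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  10.10.10.10          0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
3    DROP       all  --  202.54.1.1           0.0.0.0/0
4    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
5    DROP       tcp  --  202.54.1.1           0.0.0.0/0            tcp dpt:80
"""

# num, target, prot, opt, source, destination, then whatever match text follows
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_listing(text):
    """Parse one chain listing into its name, default policy and numbered rules."""
    lines = text.strip().splitlines()
    header = re.match(r"Chain (\S+) \(policy (\S+)\)", lines[0])
    if not header:
        raise ValueError("first line should read 'Chain NAME (policy POLICY)'")
    rules = []
    for line in lines[2:]:  # lines[1] is the column-title row
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        num, target, prot, _opt, src, dst, extra = m.groups()
        rules.append({"num": int(num), "target": target, "prot": prot,
                      "source": src, "destination": dst, "extra": extra})
    return {"chain": header.group(1), "policy": header.group(2), "rules": rules}


def rules_for_source(text, source_ip):
    """Rules whose source column is exactly the given address (what the grep above eyeballs)."""
    return [r for r in parse_listing(text)["rules"] if r["source"] == source_ip]


def delete_commands(text, source_ip):
    """Build `iptables -D CHAIN NUM` for every rule with that source, highest number first.

    Deleting rule 3 renumbers rule 5 to 4, so deleting in ascending order would remove
    the wrong rule on the second step; descending order keeps the remaining numbers valid.
    """
    listing = parse_listing(text)
    nums = sorted((r["num"] for r in rules_for_source(text, source_ip)), reverse=True)
    return [f"iptables -D {listing['chain']} {n}" for n in nums]
```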

Crontab in Linux

Crontab:

Description: crontab stands for "cron table," because it uses the job scheduler cron to execute tasks; cron itself is named after "chronos," the Greek word for time.

 

Example of crontab format with commented fields is as follows:

# Minute   Hour   Day of Month       Month          Day of Week        Command
# (0-59)  (0-23)     (1-31)    (1-12 or Jan-Dec)  (0-6 or Sun-Sat)
    0        2          12             *               0,6           /usr/bin/find


Some crontab commands

# crontab -l     View crontab file, if any
# crontab -r     Remove crontab file, if any
# crontab -e     Edit (or create) user's crontab file (starts the editor automatically)
# crontab file   Replace existing crontab file (if any) with file


Field Descriptions:

Minute   hour    dayOfMonth    month    dayOfWeek    command
where:

minute values range from 0 to 59,

hour values range from 0 to 23,

dayOfMonth values range from 1 to 31,

month values range from 1 to 12,

dayOfWeek values range from 0 to 6, with 0 meaning Sunday
  

Field Values:

NUM
A single value
NUM-NUM
A range of values
NUM,NUM-NUM,...
A comma separated list of values or ranges (remember no spaces after commas!)
*
Wildcard, meaning match all possible values 

(Note: Don't use a wildcard for the minute field, and rarely for the hour!)


Examples:

# Example 1:  0,30 8-17 * * 1-5 cmd
Answer: Run cmd on the half-hour from 8:00 AM to 5:30 PM, Monday thru Friday
 
# Example 2:  0 12 1,15 * 5 cmd
Answer: Run cmd at noon each Friday AND the first and fifteenth of every month

# Example 3:  17 3 * * 1 cmd
Answer: Run cmd at 3:17 AM Monday (a backup program perhaps)
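The field syntax and the three examples above, as an added matcher that is not the author's code: it expands each field (NUM, NUM-NUM, comma lists, *, and the Jan-Dec / Sun-Sat names) and applies the cron rule that when both the day-of-month and day-of-week fields are restricted, either one matching is enough, which is why Example 2 fires on every Friday as well as on the 1st and 15th. Step syntax such as */5 is not on this page and is not handled.

```python
from datetime import datetime

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"]
DAYS = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]
# (low, high, names, value of the first name) for minute, hour, day of month, month, day of week
FIELD_SPECS = [(0, 59, [], 0), (0, 23, [], 0), (1, 31, [], 0), (1, 12, MONTHS, 1), (0, 6, DAYS, 0)]


def to_int(token, names, first):
    """Turn a numeric token or a three-letter name (Jan-Dec, Sun-Sat) into an integer."""
    tok = token.lower()
    return names.index(tok) + first if tok in names else int(tok)


def parse_field(field, lo, hi, names, first):
    """Expand one field (NUM, NUM-NUM, a comma list of those, or *) into a set of ints."""
    if field == "*":
        return set(range(lo, hi + 1))
    values = set()
    for part in field.split(","):  # no spaces after commas, as the post says
        a, b = part.split("-", 1) if "-" in part else (part, part)
        start, end = to_int(a, names, first), to_int(b, names, first)
        if not lo <= start <= end <= hi:
            raise ValueError(f"{part!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1))
    return values


def parse_crontab_line(line):
    """Return the five expanded sets, which day fields are restricted, and the command."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("expected five time fields followed by a command")
    fields = [parse_field(f, *spec) for f, spec in zip(parts[:5], FIELD_SPECS)]
    return fields, (parts[2] != "*", parts[4] != "*"), parts[5]


def cron_matches(line, when):
    """True if the entry fires at that minute; `when` is a datetime or 'YYYY-MM-DDTHH:MM'."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    (minute, hour, dom, month, dow), (dom_set, dow_set), _cmd = parse_crontab_line(line)
    if when.minute not in minute or when.hour not in hour or when.month not in month:
        return False
    day_ok = when.day in dom
    weekday_ok = (when.weekday() + 1) % 7 in dow  # cron numbers Sunday as 0
    # Vixie cron rule: with both day fields restricted, either one matching is enough
    return (day_ok or weekday_ok) if (dom_set and dow_set) else (day_ok and weekday_ok)
```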
 


Thursday, October 27, 2016

Password Less SSH Between Centos

Password Less SSH Connection between Two Centos Server


Description

Here I have explained password-less ssh configuration between two CentOS servers. Please find the steps to configure it below. Password-less ssh configuration is required when you want to upload backups using ssh.

Scenario:


Server 1: Source Server
Operating System: Centos 6
IP Address: 10.0.0.1

Server 2: Destination Server
Operating System: Centos 6
IP Address: 20.0.0.1

Procedure


  • Log in to Server1 as the root user
  • Create the public and private key pair with the following command
# ssh-keygen -t rsa

  • It will ask for a passphrase; just press Enter if you do not want to set one
  • After creating the keys, copy the public key to the remote host [Server2] that you want to connect to without a password
  • Log in to Server2, the remote host.
  • Check whether the .ssh directory exists, for example with the locate .ssh command
  • If the .ssh directory is not there, create it with mkdir /root/.ssh
  • Give the .ssh directory the right permissions using the command below
# chmod 700 .ssh

  • Restart the ssh service on Server2 using the command below
# /etc/init.d/sshd restart

  • Go back to Server1 and copy the public key to the remote server [Server2] with the following command
# cat ~/.ssh/id_rsa.pub | ssh -p 2220 root@20.0.0.1 'cat >> .ssh/authorized_keys'

Note: use this form when sshd on Server2 listens on a port other than 22 (2220 in this scenario); otherwise the simpler command is enough:
# ssh-copy-id root@20.0.0.1

  • After that, test the ssh login to the remote server [Server2]
# ssh -p 2220 root@20.0.0.1

  • It will not prompt you for a password; you will get the remote prompt directly.
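A defender-side check to go with the chmod 700 step above, added here and not part of the original post: it inspects a .ssh directory and its authorized_keys file for the group/world-writable modes that make sshd (with its default StrictModes) ignore the keys, and builds a throwaway directory to demonstrate; all paths and the key line are constructed.

```python
import os
import stat
import tempfile

GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def check_ssh_dir(ssh_dir):
    """List problems with a user's .ssh directory and authorized_keys file.

    sshd (StrictModes yes, its default) ignores authorized_keys when the file or a
    directory leading to it is group/world writable, so the post's `chmod 700 .ssh`
    is what keeps key login working; an empty list means nothing was found.
    """
    findings = []
    if not os.path.isdir(ssh_dir):
        return [f"{ssh_dir}: missing (create it with mkdir and chmod 700)"]
    mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if mode & GROUP_OR_WORLD_WRITABLE:
        findings.append(f"{ssh_dir}: mode {mode:o} is group/world writable, expected 700")
    keys = os.path.join(ssh_dir, "authorized_keys")
    if not os.path.isfile(keys):
        return findings + [f"{keys}: missing, no key-based login possible"]
    kmode = stat.S_IMODE(os.stat(keys).st_mode)
    if kmode & GROUP_OR_WORLD_WRITABLE:
        findings.append(f"{keys}: mode {kmode:o} is group/world writable, expected 600")
    with open(keys) as fh:
        for n, line in enumerate(fh, 1):
            line = line.strip()
            # a key line is at least "<type> <base64>", optionally preceded by options
            if line and not line.startswith("#") and len(line.split()) < 2:
                findings.append(f"{keys}:{n}: malformed key line")
    return findings


def demo(dir_mode=0o700, key_mode=0o600):
    """Build a throwaway .ssh directory with the given modes and run the check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        os.mkdir(ssh_dir)
        keys = os.path.join(ssh_dir, "authorized_keys")
        with open(keys, "w") as fh:
            # constructed placeholder, not a real public key
            fh.write("ssh-rsa AAAAEXAMPLEKEYNOTREAL root@server1\n")
        os.chmod(keys, key_mode)
        os.chmod(ssh_dir, dir_mode)
        return check_ssh_dir(ssh_dir)
```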