Scribd Logo
Upload

Welcome to Scribd!

  • Additional Topics

    Uploaded by

    Narendra Babu
    28 views26 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    28 views26 pages

    Additional Topics

    Uploaded by

    Narendra Babu

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 26

    IP Tables

    The Linux Basics Course


    Network Security

    Username & Password


    SSH Keys

    SSH/port 22

    Client/ Laptop Remote Server


    Network Security

    Client/ Laptop
    Web Server DB Server

    SSH/port 22

    Client/ Laptop Remote Server AD Server

    • IPTables
    • FirewallD
    • Cisco ASA
    • Juniper NGFW
    • Barracuda NGFW
    • Fortinet
    Web Server DNS Server

    Client/ Laptop
    IPTABLES
    Application Server Software Repo Server
    172.16.238.10 172.16.238.15

    DEVAPP01 caleston-repo-01
    HTTP/port 80
    SSH/port 22
    HTTP/port 80
    Client/ Laptop
    172.16.238.187

    DB Port 5432
    INTERNET

    DEVDB01

    Database Server
    172.16.238.11
    IPTABLES
    [bob@devapp01 ~]$ sudo apt install iptables

    [bob@devapp01 ~]$ sudo iptables -L

    SSH/port 22
    DEVAPP01 Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Application Server Chain FORWARD (policy ACCEPT)


    Client/ Laptop 172.16.238.10 target prot opt source destination
    172.16.238.187
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    IPTABLES
    IPTABLES

    From:
    client02
    client05
    client01

    Accept Drop Accept Accept Drop


    if if if if if
    src is client01 src is client02 src is client03 src is client04 src is any
    dest is web01
    port is 80
    protocol is http
    IPTABLES
    [bob@devapp01 ~]$ iptables -A INPUT -p tcp -s 172.16.238.187 --dport 22 -j ACCEPT

    [bob@devapp01 ~]$ iptables -L Option Description

    Chain INPUT (policy ACCEPT) -A Add Rule


    target prot opt source destination
    ACCEPT tcp -- 172.16.238.187 anywhere tcp dpt:ssh
    -p Protocol

    -s Source

    -d Destination
    DEVAPP01
    --dport Destination port
    SSH/port 22

    -j Action to take
    Client A Application Server
    172.16.238.187 172.16.238.10

    Client B
    172.16.238.188
    IPTABLES
    [bob@devapp01 ~]$ iptables -A INPUT -p tcp --dport 22 -j DROP

    Option Description

    [bob@devapp01 ~]$ iptables -L


    -A Add Rule
    Chain INPUT (policy ACCEPT)
    target prot opt source destination -p Protocol
    ACCEPT tcp -- 172.16.238.187 anywhere tcp dpt:ssh 1
    DROP tcp -- anywhere anywhere tcp dpt:ssh 2 -s Source

    Chain FORWARD (policy ACCEPT)


    -d Destination
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT) --dport Destination port


    target prot opt source destination
    -j Action to take

    DEVAPP01
    SSH/port 22

    Client B Application Server


    172.16.238.188 172.16.238.10
    IPTABLES
    IPTABLES
    [bob@devapp01 ~]$ iptables -L

    Rule # Description
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- 172.16.238.187 anywhere tcp dpt:ssh 1 Allow SSH from caleston-lp10
    1
    DROP tcp -- anywhere anywhere tcp dpt:ssh 2
    2 Drop SSH from anywhere
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)


    target prot opt source destination
    IPTABLES
    Source/
    Action
    Destination

    devdb01 Allow outgoing connection to port 5432

    Allow outgoing connection to port 80


    caleston-repo-01

    Internet Drop all outgoing connections, port 80/443 (HTTP/HTTPS)

    caleston-lp10 Allow incoming on port 80

    [bob@devapp01 ~]$ iptables -A OUTPUT -p tcp -d 172.16.238.11 --dport 5432 -j ACCEPT

    [bob@devapp01 ~]$ iptables -A OUTPUT -p tcp -d 172.16.238.15 --dport 80 -j ACCEPT

    [bob@devapp01 ~]$ iptables -A OUTPUT -p tcp --dport 443 -j DROP


    [bob@devapp01 ~]$ iptables -A OUTPUT -p tcp --dport 80 -j DROP

    [bob@devapp01 ~]$ iptables -A INPUT -p tcp -s 172.16.238.187 --dport 80 -j ACCEPT


    IPTABLES
    [bob@devapp01 ~]$ iptables -L

    Chain INPUT (policy ACCEPT)


    target prot opt source destination
    ACCEPT tcp -- 172.16.238.187 anywhere tcp dpt:ssh 1
    DROP tcp -- anywhere anywhere tcp dpt:ssh 2
    ACCEPT tcp -- 172.16.238.187 anywhere tcp dpt:http
    3
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)


    target prot opt source destination
    ACCEPT tcp -- anywhere devdb01 tcp dpt:postgresql 1
    ACCEPT tcp -- anywhere 172.16.238.15 tcp dpt:http 2
    DROP tcp -- anywhere anywhere tcp dpt:http 3
    DROP tcp -- anywhere anywhere tcp dpt:https 4
    IPTABLES

    DEVAPP01 caleston-hq.com
    HTTPS/443
    Application Server
    Application Server
    172.16.238.100
    172.16.238.10

    Chain OUTPUT (policy ACCEPT)


    target prot opt source destination
    ACCEPT tcp -- anywhere devdb01 tcp dpt:postgresql 1
    ACCEPT tcp -- anywhere 172.16.238.15 tcp dpt:http 2
    DROP tcp -- anywhere anywhere tcp dpt:http 3
    DROP tcp -- anywhere anywhere tcp dpt:https 4

    [bob@devapp01 ~]$ iptables -I OUTPUT -p tcp -d 172.16.238.100 --dport 443 -j ACCEPT


    IPTABLES

    DEVAPP01 caleston-hq.com
    HTTPS/443
    Application Server
    Application Server
    172.16.238.100
    172.16.238.10

    Chain OUTPUT (policy ACCEPT)


    target prot opt source destination
    ACCEPT tcp -- anywhere caleston-hq tcp dpt:https 1
    ACCEPT tcp -- anywhere devdb01 tcp dpt:postgresql 2
    ACCEPT tcp -- anywhere 172.16.238.15 tcp dpt:http 3
    DROP tcp -- anywhere anywhere tcp dpt:http 4
    DROP tcp -- anywhere anywhere tcp dpt:https 5
    IPTABLES
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- anywhere caleston-hq tcp dpt:https 1
    ACCEPT tcp -- anywhere devdb01 tcp dpt:postgresql 2
    ACCEPT tcp -- anywhere 172.16.238.15 tcp dpt:http 3
    DROP tcp -- anywhere anywhere tcp dpt:http 4
    DROP tcp -- anywhere anywhere tcp dpt:https 5

    [bob@devapp01 ~]$ iptables -D OUTPUT 5


    IPTABLES
    Application Server [bob@devdb01 ~]$ iptables -A INPUT -p tcp -s 172.16.238.10 --dport 5432 -j ACCEPT
    172.16.238.10

    DEVAPP01 [bob@devdb01 ~]$ iptables -A INPUT -p tcp --dport 5432 -j DROP

    [bob@devdb01 ~]$ iptables -L


    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    DB Port 5432 ACCEPT tcp -- 172.16.238.10 anywhere tcp dpt:5432
    DROP tcp -- anywhere anywhere tcp dpt:5432

    Chain FORWARD (policy ACCEPT)


    target prot opt source destination
    DEVDB01
    Chain OUTPUT (policy ACCEPT)
    Database Server target prot opt source destination
    172.16.238.11
    IPTABLES
    Application Server
    172.16.238.10 [bob@devapp01 ~]$ iptables -A OUTPUT -p tcp -d 172.16.238.11 --dport 5432 -j ACCEPT

    DEVAPP01
    [bob@devdb01 ~]$ iptables -A INPUT -p tcp -s 172.16.238.10 --dport 5432 -j ACCEPT

    [bob@devdb01 ~]$ iptables -A INPUT -p tcp --dport 5432 -j DROP

    DB Port 5432

    [bob@devdb01 ~]$ iptables -L


    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    DEVDB01
    ACCEPT tcp -- 172.16.238.10 anywhere tcp dpt:5432
    DROP tcp -- anywhere anywhere tcp dpt:5432
    Database Server
    172.16.238.11
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)


    target prot opt source destination
    IPTABLES
    [bob@devdb01 ~]$ netstat –an | grep 5432
    Application Server tcp 0 0 172.16.238.10:44060 172.16.238.11:5432 ESTABLISHED
    172.16.238.10

    DEVAPP01
    Port 44060 [bob@devapp01 ~]$ iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- 172.16.238.187 anywhere tcp dpt:ssh
    DROP tcp -- anywhere anywhere tcp dpt:ssh
    ACCEPT tcp -- 172.16.238.187 anywhere tcp dpt:http

    Port 5432

    DEVDB01

    Database Server
    172.16.238.11

    Ephemeral Port Range


    32768 - 60999
    HANDS-ON LABS
    Cron Jobs

    The Linux Basics Course


    CRON
    [michael@caleston-lp01 ~]$ uptime >> /tmp/system-report.txt

    uptime >> /tmp/system-report.txt

    Everyday, 9 PM

    crond service
    CRON
    [michael@caleston-lp01 ~]$ crontab -e

    # Notice that tasks will be started based on the cron's system


    # daemon's notion of time and timezones.
    #
    # Output of the crontab jobs (including errors) is sent through
    # email to the user the crontab file belongs to (unless redirected).
    #
    # For example, you can run a backup of all your user accounts
    # at 5 a.m every week with:
    # 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
    #
    # For more information see the manual pages of crontab(5) and cron(8)
    #
    # m h dom mon dow command
    0 21 * * * uptime >> /tmp/system-report.txt
    CRON

    Every
    Every 08:10
    10th2 Minute
    Minute AMHour 9Every
    of Every PM19th
    Day February
    Every Month Monday
    Any weekday

    0010
    */2* 21
    8* 19
    * 2
    * 1
    *
    minute hour day month weekday
    0 21 * * * uptime >> /tmp/system-report.txt
    Requirement Minute Hour Day Month Weekday
    February 19th, 08:10 AM, Only if it’s a Monday 10 8 19 2 1
    February 19th, 08:10 AM, any weekday 10 8 19 2 *
    19th of every month at 08:10 AM, any weekday 10 8 19 * *
    Every day of every month at 08:10 AM, any weekday 10 8 * * *
    Every day of every month at 10 minutes past every hour or 10 * * * *
    any weekday
    Every day of every month at every minute past every hour or * * * * *
    any weekday
    Every day of every month at every other minute past every */2 * * * *
    hour or any weekday. eg: 08:02, 08:04, 08:06… 09:02, 09:04,
    09:06
    Every day of every month at every other minute past every */2 */2 * * *
    other hour or any weekday. eg: 08:02, 08:04, 08:06… 10:02,
    10:04, 10:06… 12:02, 12:04, 12:06
    CRON
    [michael@caleston-lp01 ~]$ crontab -l
    # Notice that tasks will be started based on the cron's system
    # daemon's notion of time and timezones.
    #
    # Output of the crontab jobs (including errors) is sent through
    # email to the user the crontab file belongs to (unless redirected).
    #
    # For example, you can run a backup of all your user accounts
    # at 5 a.m every week with:
    # 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
    #
    # For more information see the manual pages of crontab(5) and cron(8)
    #
    # m h dom mon dow command
    0 21 * * * uptime >> /tmp/system-report.txt

    [michael@caleston-lp01 ~]$ cat /tmp/system-report.txt


    21:00:00 up 20:15, 1 user, load average: 0.47, 0.50, 0.52

    [michael@caleston-lp01 ~]$ tail /var/log/syslog


    Jul 22 21:00:01 caleston-lp10 CRON[1720]: (michael) CMD (uptime >> /tmp/system-report.txt)

    You might also like