AlbanianWizard

VLAN tutorial | How VLAN Works – VLAN Configuration Linux

arditi — Sat, 28 Aug 2010 22:33:01 +0000

VLAN Theory

Before we understand what VLAN (Virtual Local Area Network) is we should understand what an LAN (Local Area Network) is. Here we have an LAN

Lan Diagram

In this case, we have a router 192.168.0.1/24 and 3 switches that are physically separating our network, but at network configuration level they have all 192.168.0.x IP-s. A LAN includes all systems in the broadcast domain. All of the network components on a single LAN receive a broadcast sent by any member of that LAN. By this definition, a LAN is bordered by routers or other devices that operate at OSI Layer 3. Any component of the LAN can communicate with any other component if the machines personal firewalls allow to do so, but this is fine when we are talking about small home networks, but when we are talking about big networks many problems raise. For example, I have different employees and my enterprise network is divided in different sectors:

a)Administration

b)Development

c)Marketing/Sales

d)Help Desk

e)Hotspot – Free Access
and I don’t want that the Hotspot part of my network communicate with Administration, or Development or any other portion of my network cause of security. So the first problem is security.
Another problem is maintenance of all of this switches , and the network configuration and administration is difficult, lets think about an big LAN /16 with many switches. You have to configure any hardware device, when physically moving server computer to another location. Let’s say I want to move my radius server from the Help desk to Administration, then I should physically move this server to the administration RAK and re-configure with the administration network settings. Performance as well raise as a problem.

All of this problems are solved with VLAN

VLAN (Virtual Local Area Network) is a group of hosts that communicate as if they were attached to the same broadcast domain, regardless of their physical location. VLAN offer the combination of different LAN’s network in to a single physical device.
You have to buy an switch with VLAN capabilities. A single VLAN-capable switch is able to participate in multiple LANs at once.

This functionality alone has a variety of uses, but VLANs become far more interesting when combined with trunking. A trunk is a single physical connection that can carry multiple VLANs. Each frame that crosses the trunk has a VLAN identifier attached to it, so it can be identified and kept within the correct VLAN.

Trunks can be used between two switches, between a switch and a router or between a switch and a computer that supports trunking. When connecting to a router or computer, each VLAN appears as a separate virtual interface.

Cool ha? So this means, 1 switch (save allot of money) and different networks, the networks are:

Physically connected but in the same time isolated from each other
They have different subnets and different locations
Administration is easy and centralized , if you have to move now your radius server you have only to unplug the cable from VLAN 5 to VLAN lets say 3
The networks share the same physical link without leakage of information between networks

How VLAN Works

VLAN uses IEEE 802.1Q IEEE standard a.k.a VLAN Tagging that in reality doesn’t encapsulate or change the normal packet but it just add a 32-bit field between the source MAC address and the EtherType/Length fields of the original frame, this for including specific VLAN data as the VLAN ID, TPID (Tag Protocol Identifier) etc.

So this is how the switch knows where to redirect the traffic, if the traffic comes with VLAN ID x he will redirect this packets to the virtual LAN X.

In order to correctly communicate the firewall /router must “understand” the packets received from the switch and also send packets that the switch “understands”. For this, our firewall supports VLAN and have vlan software installed in order to generate VLAN traffic. The switch from his side is just recognising the traffic and redirecting it but indeed this packets are generated by an interface like:

eth1.2 (eth1 vlan id 2)

or eth1.4 (eth1 vlan id 4… etc..

VLAN Configuration

Switch Configuration

so I have an 3Com switch with VLAN support, now I want to create 3 different VLAN-s with 3 different firewalls. I create a new VLAN and change the id to 5 (or whatever except 1 – is reserved/default) now there are 3 type of switch port modality:

a) Tagged => Green

b) Untagged => Blue

c) Not a Member => White

Tagged means for the switch that hi will expect tagged packets on that ports, so if the id is 5 the switch will expect packets with VLAN ID 5 on the tagged port, and this is the port when we should attach the firewall because the VLAN traffic is generated and handled by the firewall.

Untagged means that from that port the firewall should expect normal packets without VLAN ID, but if I set any port to Untaged this port automatically becomes a member of VLAN 5, and when I connect the PC the dhcp request is redirected to the first DHCP server available on his LAN (in reality VLAN) and this is our firewall.

Not a Member means that this port is not a member of this VLAN and the packet that pass through this port are not handled by VLAN 5.

Firewall / Linux configuration

Configuring VLANs under Linux is a process similar to configuring regular Ethernet interfaces. The main difference is you first must attach each VLAN to a physical device. This is accomplished with the vconfig utility. If the trunk device itself is configured, it is treated as native. For example, these commands define VLANs 2-4 on device eth0:

vconfig add eth0 2
vconfig add eth0 3 where 3 is vlan ID

So we use 1 switch instead of 3
here a pic:

VLAN_Configuration

“Anti-Security” | Save a Bug, Save a Life :)

arditi — Sun, 22 Aug 2010 11:52:53 +0000

I could not start this category except with the old and wise anti.security.is home page statement and some Q&A.

This is what it was writ-ed once upon a time….

The purpose of this movement is to encourage a new policy of anti-disclosure among the computer and network security communities. The goal is not to ultimately discourage the publication of all security-related news and developments, but rather, to stop the disclosure of all unknown or non-public exploits and vulnerabilities. In essence, this would put a stop to the publication of all private materials that could allow script kiddies from compromising systems via unknown methods.

The open-source movement has been an invaluable tool in the computer world, and we are all indebted to it. Open-source is a wonderful concept which should and will exist forever, as educational, scientific, and end-user software should be free and available to everybody.

Exploits, on the other hand, do not fall into this broad category. Just like munitions, which span from cryptographic algorithms to hand guns to missiles, and may not be spread without the control of export restrictions, exploits should not be released to a mass public of millions of Internet users. A digital holocaust occurs each time an exploit appears on Bugtraq, and kids across the world download it and target unprepared system administrators. Quite frankly, the integrity of systems world wide will be ensured to a much greater extent when exploits are kept private, and not published.

A common misconception is that if groups or individuals keep exploits and security secrets to themselves, they will become the dominators of the “illegal scene”, as countless insecure systems will be solely at their mercy. This is far from the truth. Forums for information trade, such as Bugtraq, Packetstorm, www.hack.co.za, and vuln-dev have done much more to harm the underground and net than they have done to help them.

What casual browsers of these sites and mailing lists fail to realize is that some of the more prominent groups do not publish their findings immediately, but only as a last resort in the case that their code is leaked or has become obsolete. This is why production dates in header files often precede release dates by a matter of months or even years.

Another false conclusion by the same manner is that if these groups haven’t released anything in a matter of months, it must be because they haven’t found anything new. The regular reader must be made aware of these things.

We are not trying to discourage exploit development or source auditing. We are merely trying to stop the results of these efforts from seeing the light. Please join us if you would like to see a stop to the commercialization, media, and general abuse of infosec.

Thank you.

Quoting from some Q&A :

(this is free-speach copyright, mean like i told that to you freely in personal/public talk, so you can do anything to it)
Q: Why security is bad thing?
A: In short – hell is totally secure. Do we want live in hell?.. If people follow security at first everywhere – probably we will still live in den.

Q: What is nature of security?
A: Nature of security is restriction, destruction and antagonism to freedom. That thing is balance freedom. Wrong is – in current situation – process of security – grow much faster then freedom. And that speed is not accident – that is artifically stimulated by technology of war. We are now stand on fork and choosing between totalitarism or freedom. And governemt always glad to help us choose first.

Q: Technology of war in security? What do you mean?
A: When people improve weapon to beat other people. Other people, of course, improving own weapon too. Keyword is “people vs. people”.

Q: Who profits from the infosec war?
A: Security companies do (this is their line of employment). They need to use scare tactics to motivate more people and companies into thinking their services are not only desirable, but necessary. It’s simple Capitalism. These corporations make security popular and fashionable, and turn it into a consumer pastime. Why can’t they carry out their jobs with less glamour?

Q: How do scriptkiddies help security?
A: This is an easy answer. The term was coined as a whip fashioned by various “security experts” with which to flog the public. They show us depictions of these lawless, rabid, savage kids who are out of control, so they can impress upon us the demographic from which they defend us.

Q: Can I sleep safely at night while Bugtraq is around?
A: Absolutely not.

Q: How does Bugtraq help security?
A: Bugtraq serves as a front for an underground cabal through which electronic weapons of mass destruction disseminate amongst scriptkiddies. It is also an addictive substance which has hooked admins trying to preserve their systems’ security without getting owned by the “early bird” defacer who grabs the exploit before their local ISP has been notified of the vulnerability. However, even Bugtraq publicizes a false concept of “full disclosure,” since information about competitors or friends (like @stake) is tossed in the trash. Full disclosure simply serves to sate the scriptkid’s addiction to power, and this addiction is very hard to break. antiSecurity aims to help stop that addiction.

Q: What’s wrong with full disclosure?
A: Full disclosure attempts to contradict the saying “two wrongs don’t make a right” in the sense that it stimulates criminal activities in order to catalyze security awareness. Take the following example:
An unrestricted maniac runs around the streets, shooting people in the name of improving security because he aims to increase the public use of bullet-proof vests. And who makes these vests? After everybody is protected by vest v1, the public is complacent, and sales of vest v2 must be stimulated by inventing a shotgun which penetrates the first vest. There is competition in the vest manufacturing business, so they all profit from the development of higher powered munitions. Manufacturers get money, and also lobby for pro-homicidal laws in other countries to spread the market, while innocent people suffer at their expense. The cycle still doesn’t end with vest v666, because a newer armor-piercing bullet is in the works. How do you end the rat race? Stop full disclosure!

Q: We should fix all bugs! How could it be otherwise?
A: Imagine terrorist control nuclear bomb from box on internet, and nobody can terminate bomb controlling process to stop countdown. Or your house is absolutely secure but you lost key by accident – how you will return in your own home? In real world security is always limited – nobody make safe doors everywhere and lock them. In case of emergency you will need access w/o keys. Absolute security is nonsense. People forgot about that for computers and trying to reach it..

Q: Isn’t all hackers is a bad people?
A: No! People are different, but probabilty of bad person in 10 or in 1000000 is different… (hint about script-kids). And i tell you if compare hard working person who know cost of own work and idling kid or newbie – who will do shit very likely?

Q: All admins are good/bad people?
A: No! Think! So don’t attack EVERYBODY, and don’t protect EVERYBODY! If you pretect bastards you are on bastard’s side. Do you know BOFH admins are exists?

Q: Why worry about security? Vulnerabilities will always exist and there is no absolute protection against them.
A: Exactly correct. But if problem can’t besolved in dumb way, this is don’t mean it is can’t be solved indirect. This is why many of us have safeguarded ourselves with security measures such as encrypted or steganographized filesystems in the case that our sensitive information is accessed in an unauthorized manner. Security will never be absolute, but technological developments will continue to be made to push possible system security as close to absolute system security as possible.

I can’t disallow people come to my computer, but I can make another restriction so even if them come they can’t access data. I put encrypted disk. Side efect is i need always enter password myself and id slower disk operation.
We can fight spam. But we can disable relaying email thru our system for unknown.
Can’t stop DDOS attack but can make global tracking system over internet.
We can’t restrict access for one, so we restrict for everybody. This is cost of security. More and more progressive restrictions.
Q: I just love finding bugs, though. What’s wrong with that?
A: Air Force pilots loving flying planes, too. Sometimes they even find themselves flying missions over Hiroshima and Nagasaki.

Q: What are “grayhats” and how are they different from whitehats and blackhats?
A: Grayhats are indecisive people who consider themselves to be neither blackhats nor whitehats, or both blackhat and whitehat. However, being a grayhat, is not synonymous to existing in a “healthy medium.” Rather, these individuals do not pledge allegiance to either side of the controversy, and in not doing so, commit blunders that hurt supporters of both viewpoints.

Q: Is antiSecurity motivated in any part by personal profit?
A: Can true freedom be reduced to the sole notion of economy? What seems odd in all of this is that many of Bugtraq and Packetstorm’s followers are aficionados of free, open-sourced operating systems which have been provided as efficient and stable alternatives to highly commercialized and unduly popular OS’es such as Windows. But when it comes to security, they can’t understand that measures they take towards “freeing information”, such as full disclosure actually serves to fuel commercialism in the security market. How can we bring this to popular attention?

Q: Is antiSecurity trying to change the world? Isn’t that a bit radical?
A: Everything is going to sound a bit ambitious at first. But it’s got to start somewhere. So far, we have had manifestos published on the net concerning the ethics of hacking, defacement, and the definition of a “hacker”, but we have yet to see a comprehensive document or set of documents that defines the parameters of anti-disclosure policies. The discussion has, up until this point, been an imbalanced one. Generally, disclosure is discussed on forums such as Bugtraq, which obviously have a predominant pro-disclosure following. Supporters of non-disclosure very rarely make similar postings for obvious reasons: they avoid the glare of the public limelight. The antiSecurity site is the perfect non-threatening environment in which open intellectual discussion relevant to this topic can take place. (So in answering the question, yes, we are

Q: What does antiSecurity suggest we do about people who siphon their reputations off the hard work and creativity of others (ie Aleph1, route) ?
A: This is probably the simplest answer of them all: don’t support them. Don’t subscribe to their mailing lists, don’t read their ‘zines, don’t use their software. Who said boycotts won’t work on the Internet?

Q: Is there anything I can do to help?
A: Yes! We would greatly appreciate any assistance. Please email any proposals or suggestions you might have, including essays or rants to (mail-down). Whatever happens, don’t post to Bugtraq! If you still can’t stop yourself from doing this, try posting fake exploits and advisories, or trojaned code Remember that anybody who consciously decides to fire a loaded gun at somebody has already decided to accept the consequences.

Q: Give me your root password, or i don’t believe you!
A: Obviously, you have failed to either read or comprehend any of the contents of this document. You might want to read this FAQ again, but there’s a chance that won’t do you much good.

End,

now the main concept of this movement, as you (I hope) understand is stop publishing exploit, this could be mis-understead as “don’t find exploits” but this is not the message.
In deed finding exploits, help security, helps quality code writing and improve the technology.
The problem is that with publishing this exploits and make them available online for all with an mini how-to DESTROY attached to the exploit we are just selling weapons of mass-destruction at the corner.

WHY? , lol I’m just asking my self when milw0rm whent down how many web-sites and servers where saved from the rutine defacement, and how many admins was saved?

Until the programmer are humans, in the code will be always a bug, trying to find them improve security and improve technology, publishing them helps destruction and help the Security Industry make his money.

PS, I’m not a hacker, I’m only interested in publishing this information so many people should understand what’s right and what’s wrong.
What is in reality security and what is understood this days with “security”.

How to read Tcpdump Output | Tcpdump Advanced Use

arditi — Fri, 20 Aug 2010 16:04:16 +0000

How to read Tcpdump Output

Continuing our tcpdump series (read this if you are new here) we will present an easy to understand how to about reading tcpdump output and running advanced commands for and advanced tcpdump use.

First we need a packet, I used from the command line hping, for sending just a SYN packet to my web server, and here is the first packet hitting tcpdump.

1 2	19:57:06.748557 IP (tos 0x0, ttl 64, id 33646, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.4.33922 >; 68.178.254.190.80: Flags [S], cksum 0x83ae (correct), seq 4011514848, win 5840, options [mss 1460,sackOK,TS val 612494 ecr 0,nop,wscale 6], length 0

19:57:06.748557 this is the timestamp of the request, I made it on h 19, min 57, sec 06

IP – this are all IP (protocol) related settings

tos 0×0 => type of service field

ttl 64 stands for time to live and is => number of hops that the packet has to reach its destination i.e throw how many routers the packets should pass, this is for not living the packets travel the net for ever. After 64 hops the packet will “die”.

id 33646 this is the packet ID, so in this case this is a SYN request, the reply will be an ACK if the host is online and the packet ID will be the same.
In a case of hijacking , the attacker should be able to hack the packet ID and present as a response a packet with the same ID but with malicious data.

[DF] means don’t fragment, so the packet is entire and not fragmented [F]

proto TCP is the protocol type it will be some times UDP and some times ICMP.

length 60 length of the packet

The mos important part of the packet:

192.168.1.4.33922 192.168.1.4 is the original IP and 33922 is the port used by the client

> (destination)

68.178.254.190.80 the destination is 68.178.254.190 (my poor shared server IP address) and .80 is the port used to contact the web-server (apache).

Flags [S] this is not anymore the IP flag, but is the TCP flag SYN , it could be [S.] in this case is an ack reply from the server, or it could be [R] wich means RESET, and in this case the connection is reset-ed, or could be [F] FIN for finalising a transfer etc, or [P] PUSH which means that the data should be transferred immediately,or URG.

cksum 0x83ae (correct) this is the TCP-header check-sum of the packet (for checking packets integrity)

seq 4011514848 this is the TCP sequence number

win 5840 the amount that I will send before requiring an ACK packet back from the server

options [mss 1460,sackOK,TS val 612494 ecr 0,nop,wscale 6] just TCP options, don’t bother your self finding out the meaning

length 0 this is the length of the packet (hey wait a min, I’m seeing another length just above) yes it’s true but it is the IP packet length and this is the TCP (IP – encapsulated) length , so why is 0 ? Because we sent just a SYN packet, and a SYN packet contain only the header of a TCP packet and doesn’t contain any data.

Ok, the second packet received is an ACK reply from the web server:

20:04:53.213020 IP (tos 0×0, ttl 26, id 48589, offset 0, flags [none], proto TCP (6), length 44)
68.178.254.190.80 > 192.168.1.4.1158: Flags [S.], cksum 0xaaab (correct), seq 2217564751, ack 882823260, win 0, options [mss 1460], length 0

In this case it’s almost the same except the flag [S.] which means SYN . response => ack and the generating IP this time is the server and the response is send to my local nat-ed IP.

Tcpdump Advanced Use

First let’s rock with some protocols

tcpdump protocol

protocol can be: icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp, tcp, ip6, arp, rarp
Note: filters can be applied only to protocols that support them, i.e we ca not use host filter when using arp as protocol because this filter need and IP to track (layer 3), and arp is an layer 2 protocol, so for arp there is no IP address, there is only MAC address.
Check wikipedia if you don’t understand any of this protocols (you should understand at least tcp,udp,icmp,ipv6, arp if you are reading this how-to).
We can also just:

tcpdump -i br0 ip proto \\udp

if we want to specify the protocol, so udp is part of IP like icmp and tcp so we can use proto \\ for specifying the protocol.

Another interesting use of tcpdump is monitoring vlan traffic, we can select packets by their VLAN ID i.e:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

tcpdump -i eth1 -vv vlan 3 -X
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
17:17:44.698741 IP (tos 0x0, ttl 255, id 7394, offset 0, flags [none], proto 17, length: 60) 192.168.1.253.52811 >; 192.168.1.15.domain: [udp sum ok] 3366+ A? www.google.com. (32)
0x0000: 0003 0800 4500 003c 1ce2 0000 ff11 1a72 ....E..<;.......r 0x0010: c0a8 01fd c0a8 010f ce4b 0035 0028 10f3 .........K.5.(.. 0x0020: 0d26 0100 0001 0000 0000 0000 0377 7777 .&;...........www 0x0030: 0667 6f6f 676c 6503 636f 6d00 0001 0001 .google.com..... 17:17:44.718772 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 232) 192.168.1.15.domain >; 192.168.1.253.52811: 3366 q: A? www.google.com. 2/4/4 www.google.com. CNAME[|domain]
0x0000: 0003 0800 4500 00e8 0000 4000 4011 b5a8 ....E.....@.@...
0x0010: c0a8 010f c0a8 01fd 0035 ce4b 00d4 4319 .........5.K..C.
0x0020: 0d26 8180 0001 0002 0004 0004 0377 7777 .&;...........www
0x0030: 0667 6f6f 676c 6503 636f 6d00 0001 0001 .google.com.....
0x0040: c00c 0005 0001 0000 0000 0008 0377 7777 .............www
0x0050: 016c .l
17:17:44.719394 IP (tos 0x0, ttl 64, id 12187, offset 0, flags [none], proto 1, length: 84) 192.168.1.253 >; mil01s07-in-f104.1e100.net: icmp 64: echo request seq 0
0x0000: 0003 0800 4500 0054 2f9b 0000 4001 55f2 ....E..T/...@.U.
0x0010: c0a8 01fd 480e ea68 0800 cfcd 5e02 0000 ....H..h....^...
0x0020: 4c6e 9c98 000a f61b 0809 0a0b 0c0d 0e0f Ln..............
0x0030: 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................
0x0040: 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f .!"#$%&'()*+,-./
0x0050: 3031 01
17:17:44.721422 IP (tos 0x0, ttl 54, id 15156, offset 0, flags [none], proto 1, length: 84) mil01s07-in-f104.1e100.net > 192.168.1.253: icmp 64: echo reply seq 0
0x0000: 0003 0800 4500 0054 3b34 0000 3601 5459 ....E..T;4..6.TY
0x0010: 480e ea68 c0a8 01fd 0000 d7cd 5e02 0000 H..h........^...
0x0020: 4c6e 9c98 000a f61b 0809 0a0b 0c0d 0e0f Ln..............
0x0030: 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................
0x0040: 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f .!"#$%&'()*+,-./
0x0050: 3031 01

4 packets captured
4 packets received by filter
0 packets dropped by kernel

In this case, my firewall monitored an icmp request in hexadecimal from an host in VLAN.

We can monitor broadcast traffic as well

tcpdump -i eth3 broadcast

And we are able to see all packets broadcast to our network, or multicast if we want multicast.

Ok, now we want some TCP, on other tuts you will find unreadable 0þ@#þßøðj→ß commands, here we are more human , this is easy to remember when you are in a real life situation:

tcpdump -nnvv -i eth3 'tcp[tcp-syn] & (tcp-syn)' != 0 and not port 22

So what is this?
I’m saying to tcpdump to monitor using tcp protocol only tcp-syn packets that are not 0 and I don’t want port 22 crap (I’m currently connected with ssh).

Lets detect a SYN scan now

tcpdump -nnvv -i br0 'tcp[tcp-syn]  & (tcp-syn)' != 0 and not port 22 and host 192.168.0.4

Ok, I’m at 192.168.0.4 scanning with nmap, and here is the output on the scanned machine.

1
2
3
4
5
6
7

17:58:40.369468 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 44) 192.168.0.1.80 >; 192.168.0.4.39578: S [tcp sum ok] 481284648:481284648(0) ack 749969547 win 5840
17:58:40.369790 IP (tos 0x0, ttl 38, id 29797, offset 0, flags [none], proto 6, length: 44) 192.168.0.4.39578 >; 192.168.0.1.5900: S [tcp sum ok] 749969546:749969546(0) win 3072
17:58:40.369910 IP (tos 0x0, ttl 39, id 31675, offset 0, flags [none], proto 6, length: 44) 192.168.0.4.39578 >; 192.168.0.1.554: S [tcp sum ok] 749969546:749969546(0) win 4096
17:58:40.372776 IP (tos 0x0, ttl 47, id 29521, offset 0, flags [none], proto 6, length: 44) 192.168.0.4.39578 >; 192.168.0.1.993: S [tcp sum ok] 749969546:749969546(0) win 4096
17:58:40.373049 IP (tos 0x0, ttl 50, id 12150, offset 0, flags [none], proto 6, length: 44) 192.168.0.4.39578 >; 192.168.0.1.8080: S [tcp sum ok] 749969546:749969546(0) win 3072
17:58:40.373245 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 40) 192.168.0.1.8080 >; 192.168.0.4.39578: R [tcp sum ok] 0:0(0) ack 749969547 win 0
17:58:40.376608 IP (tos 0x0, ttl 52, id 8971, offset 0, flags [none], proto 6, length: 44) 192.168.0.4.39578 >; 192.168.0.1.587: S [tcp sum ok] 749969546:749969546(0) win 1024

The “easy” way to detect port-scans is the src port, it is always the same as you can see in this situation nmap is using 3957.

Monitoring ICMP-Traffic with tcpdump

Ok, now I want to monitor ICMP traffic but I don’t want random icmp echo and I want to save this capture to a file.

1
2
3

tcpdump -vvi wlan0 -w icmp.cap 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
Got 0

So this is how we sniff icmp traffic, of course not just echo reply/requests.

Ok, but how to monitor only icmp echo traffic with tcpump ?

1	tcpdump -vvi wlan0 -w icmp.cap icmp and 'icmp[icmptype] == icmp-echo \|\| icmp[icmptype] == icmp-echoreply'

Ok, in this case we have specified to capture only icmp-echo || (OR) icmp-echoreply packets. How about and?
Is impossible that an icmp packet could be echo and echoreply at the same time, don’t you think ?

You should use the above examples with the following ICMP packet types.

Other ICMP types could be:

icmp-echoreply, icmp-unreach,
icmp-sourcequench, icmp-redirect, icmp-echo,
icmp-routeradvert, icmp-routersolicit, icmp-
timxceed, icmp-paramprob, icmp-tstamp, icmp-
tstampreply, icmp-ireq, icmp-ireqreply,
icmp-maskreq, icmp-maskreply.

Ok, now I want to read what I captured before:

1
2
3
4
5
6
7
8

tcpdump -vvAr icmp.cap
reading from file icmp.cap, link-type EN10MB (Ethernet)
11:58:47.244942 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
1.122.143.82 >; p3slh045.shr.phx3.secureserver.net: ICMP echo request, id 15513, seq 1, length 64
E..T..@.@.fl.z.RD......d<;.....pL..... .................. !"#$%&'()*+,-./01234567 11:58:47.423368 IP (tos 0x0, ttl 44, id 42889, offset 0, flags [none], proto ICMP (1), length 84) p3slh045.shr.phx3.secureserver.net > 1.122.143.82: ICMP echo reply, id 15513, seq 1, length 64
E..T....,...D....z.R...d<.....pL..... .................. !"#$%&'()*+,-./01234567 11:58:48.246803 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 1.122.143.82 > p3slh045.shr.phx3.secureserver.net: ICMP echo request, id 15513, seq 2, length 64
E..T..@.@.fl.z.RD......\<.....pL..... .................. !"#$%&;'()*+,-./01234567 11:58:48.426344 IP (tos 0x0, ttl 44, id 42890, offset 0, flags [none], proto ICMP (1), length 84) p3slh045.shr.phx3.secureserver.net >; 1.122.143.82: ICMP echo reply, id 15513, seq 2, length 64
E..T....,...D....z.R...\<;.....pL..... .................. !"#$%&'()*+,-./01234567 11:58:53.436798 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 1.122.143.82 > p3slh045.shr.phx3.secureserver.net: ICMP echo request, id 15513, seq 3, length 64

This is some nice output

In this example you have learned also how to read and write with tcpdump.

Monitoring TCP-Traffic with Tcpdump

tcpdump -vv tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn' and 'tcp[tcpflags] & tcp-ack == tcp-ack'

For monitoring TCP syn/ack packets only.
So this is if we want to monitor only replies received from the Internet, it’s a good command to execute when we want to know with ho our host is communicating in that precise moment.

What about monitoring only specific packet types with tcpdump?

1
2
3
4
5
6
7
8
9
10
11

tcpdump -vv tcp and 'tcp[tcpflags] &; tcp-fin == tcp-fin'

tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:31:53.682928 IP (tos 0x0, ttl 64, id 5985, offset 0, flags [DF], proto TCP (6), length 52)
1.122.143.82.54140 >; mil01s07-in-f104.1e100.net.www: Flags [F.], cksum 0x5c10 (correct), seq 4026359992, ack 2774872111, win 111, options [nop,nop,TS val 44332924 ecr 3098814989], length 0
12:31:53.689434 IP (tos 0x0, ttl 55, id 61029, offset 0, flags [none], proto TCP (6), length 52)
mil01s07-in-f104.1e100.net.www >; 1.122.143.82.54140: Flags [F.], cksum 0x5c0e (correct), seq 1, ack 1, win 106, options [nop,nop,TS val 3098814995 ecr 44332924], length 0
12:31:57.184582 IP (tos 0x0, ttl 64, id 8132, offset 0, flags [DF], proto TCP (6), length 52)
1.122.143.82.54141 >; mil01s07-in-f104.1e100.net.www: Flags [F.], cksum 0xd8af (correct), seq 4067714265, ack 2940968668, win 111, options [nop,nop,TS val 44333975 ecr 3100781064], length 0
12:31:57.194547 IP (tos 0x0, ttl 55, id 37010, offset 0, flags [none], proto TCP (6), length 52)
mil01s07-in-f104.1e100.net.www >; 1.122.143.82.54141: Flags [F.], cksum 0xd8a4 (correct), seq 1, ack 1, win 106, options [nop,nop,TS val 3100781079 ecr 44333975], length 0

If you see, there are only FIN packets, and the following examples should be valid with this packet types also:
tcp-rst,
tcp-push,
tcp-urg

Ok, how to detect an XMAS scan?

An XMAS scan, is a port scan typo with flags set to Fin, Push & Urg at the same packet.
At least, this is what tcpdump says:

1
2
3
4
5

tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:47:30.778407 IP (tos 0x0, ttl 47, id 41535, offset 0, flags [none], proto TCP (6), length 40)
1.122.143.82.53136 >; 1.122.143.1.22: Flags [FPU], cksum 0x77eb (correct), seq 2476122955, win 4096, urg 0, length 0
12:47:30.789526 IP (tos 0x0, ttl 128, id 60248, offset 0, flags [none], proto TCP (6), length 40)
1.122.143.1.22 >; 1.122.143.82.53136: Flags [R.], cksum 0x87ff (correct), seq 0, ack 2476122956, win 0, length 0

So the working tcpdump command should be:

tcpdump -nnvvi wlan0 'tcp[tcpflags] & (tcp-push & tcp-fin & tcp-urg) == (tcp-push & tcp-fin & tcp-urg)'

And this is what tcpdump captured while I was XMAS-ing my router:

1
2
3
4

13:10:21.847432 IP (tos 0x0, ttl 39, id 50647, offset 0, flags [none], proto TCP (6), length 40)
1.122.143.82.52216 >; 1.122.143.1.22: Flags [FPU], cksum 0xce5b (correct), seq 2453623242, win 4096, urg 0, length 0
13:10:21.850590 IP (tos 0x0, ttl 128, id 60248, offset 0, flags [none], proto TCP (6), length 40)
1.122.143.1.22 >; 1.122.143.82.52216: Flags [R.], cksum 0xde6f (correct), seq 0, ack 2453623243, win 0, length 0

Ok, thank you for watching

Open-Source HotSpot Anatomy – ChilliSpot, Radius and Postgres

arditi — Sat, 14 Aug 2010 09:14:34 +0000

Preface

This is the most comprehensive material that you fill find in the “!wild net!” , it will explain in theory how stuff works and how components fit with each-other.
For a techical aproach and “how to make an hostpost” you must wait.

HotSpot

So what is an hotspot first?
Most people know what this is , but for the people that don’t know I will give a simple answer.
If you go to an airport or an hotel you find the “free access point”, you connect to it and you think that now you gona surf the web free of charge.
Well, then you open your browser and an redirect gives you an login/password page with option to buy traffic and access.

This is a hotspot [ :/ ]

A normal open-source Hotspot is made of 3 components:

ChilliSpot (acting as NAS) [Network Access Server]
FreeRadius (acting as AAA) [An AAA Server is a server or servers that provide authentication, authorization and accounting services.]
Postgressql (responsible for the Accounts data)

NAS / ChilliSpot

NAS stands for Network Access Server. The term network access server refer to a server devoted entirely to managing network access, ChilliSpot is meant to act as a gateway to guard access to a protected network. So, ChilliSpot is the initial entry point to the network, it is the first “device” in the network to provide services to an end user. After the client is connected ChilliSpot redirect the user on the authentication page requesting Username & Password credentials, and acts as a gateway for all further services. Typical Chillispot Operation Sequence:

Call arrival on tcp 0 0 192.168.10.15:3990 0.0.0.0:* LISTEN
Prompt for username and password
Request authentication from AAA server
Confirm authentication information with AAA server
If the authentication is OK, proceed to service.

AAA is responsible for handling :

User authentication (first A)
User authorization (second A)
Accounting (last A)

What AAA do?

Freeradius provides:

authentication services; checks passwords (static or dynamic)
provides authorization information to Chillispot

The process of providing a service leads to requests for additional information like date based, time based, variable cost debits ,etc and this requires real-time enforcement session accounting information is tallied by the Chillispot and reported to Freeradius.

All communications regarding RADIUS accounting are done with an Accounting-Request packet. Chillispot that is participating in the RADIUS accounting process will generate an Accounting Start packet, which is a specific kind of Accounting-Request packet. This packet includes information on which service has been provisioned and on the user for which these services are provided. The packet is sent to the RADIUS accounting server, which will then acknowledge receipt of the data. When the client is finished with the network services, it will send to the accounting server an Accounting Stop packet (again, a specialized Accounting-Request packet), which will include the service delivered; usage statistics such as time elapsed, amount transferred, average speed; and other details. The accounting server acknowledges receipt of the stop packet, and all is well.

Packet Types

Access-Request

The Access-Request packet is used by the service consumer when it is requesting a particular service from a network. The client sends a Request packet to the RADIUS server with a list of the requested services

Access-Accept

Packets sent by the RADIUS server to the client to acknowledge that the client’s request is granted.

Access-Reject

The RADIUS server is required to send an Access-Reject packet back to the client if it must deny any of the services requested in the Access-Request packet.

Access-Challenge

If a server receives conflicting information from a user, requires more information, or simply wishes to decrease the risk of a fraudulent authentication, it can issue an Access-Challenge packet to the client. The client, upon receipt of the Access-Challenge packet, must then issue a new Access-Request with the appropriate information included.

Accounting-Request

Accounting-Request packets are sent from the client to the server. When the server receives this request packet, it is required to transmit an acknowledgment to the client unless it cannot handle or process the packet.

Accounting-Response

The Accounting-Response packets are primarily designed as acknowledgment packets to be sent from the accounting server to the client, indicating that the request from the client has been received and logged.

Packet Attributes

This 2 general packets, have many attributes (currently RADIUS can specify 92 different attributes) , able to control the connections made by the clients, here we can find some of them:

User-Name

This attribute carries the distinguished name of the client requesting access to services on the network

User-Password

This attribute is designed to carry authentication information that a user provides in order to gain access to network services. Primarily, the content of this value will be an encrypted password, but sometimes it can be the response from an Access-Challenge packet sent to the client from the RADIUS server.

Chap password

CHAP-Password indicates to the RADIUS client gear that CHAP, instead of PAP, is going to be used for the transaction.

Session-Timeout

It indicates the maximum length of time in seconds that a user may remain connected to the network before the RADIUS client will kick him off.

Acct-Status-Type

This attribute indicates whether the Accounting-Request packet is being sent upon the user first authenticating and connecting to the network or upon the user finishing use of the services and disconnecting.

Idle-Timeout

The user is logged out after this amount of time of inactivity (no traffic).

NAS-IP-Address

This attribute specifies the IP address of the NAS gear that requests service on behalf of the client computer.

Terminate-Action

This is the SIG-Term of Radius, it means that the client should be disconnected.

Acct-Session-ID

This attribute is used to uniquely identify a session so that accounting stop and start records can be collated and recorded accurately.

Acct-Authentic

This optional attribute indicates the method with which the user’s declared identity was verified.

Acct-Session-Time

This attribute, found in Accounting-Request packets and interim records, indicates the time in seconds that a user has been connected.

Acct-Terminate-Cause indicates the reason, if possible and applicable, that a user’s session was ended

PostgreSql

Responsible for data management.
Here is the place where data is stored end this is the end point of the data.

Here we go , let’s see our database.

su - postgres

 psql radius

radius=# \l
       List of databases
  Name    |  Owner   | Encoding
-----------+----------+----------
postgres  | postgres | UTF8
radius    | postgres | UTF8
template0 | postgres | UTF8
template1 | postgres | UTF8

                      List of relations
Schema |               Name               |   Type   | Owner
--------+----------------------------------+----------+--------
public | hotspot_account                  | table    | radius
public | hotspot_account_generator        | table    | radius
public | hotspot_account_generator_id_seq | sequence | radius
public | hotspot_account_id_seq           | sequence | radius
public | hotspot_db_version               | table    | radius
public | hotspot_db_version_id_seq        | sequence | radius
public | hotspot_rate                     | table    | radius
public | hotspot_rate_id_seq              | sequence | radius
public | hotspot_setting                  | table    | radius
public | hotspot_setting_id_seq           | sequence | radius
public | hotspot_ticket                   | table    | radius
public | hotspot_ticket_accounting        | table    | radius
public | hotspot_ticket_accounting_id_seq | sequence | radius
public | hotspot_ticket_id_seq            | sequence | radius
public | nas                              | table    | radius
public | radacct                          | table    | radius
public | radacct_radacctid_seq            | sequence | radius
public | radcheck                         | table    | radius
public | radcheck_id_seq                  | sequence | radius
public | radgroupcheck                    | table    | radius
public | radgroupcheck_id_seq             | sequence | radius
public | radgroupreply                    | table    | radius
public | radgroupreply_id_seq             | sequence | radius
public | radpostauth                      | table    | radius
public | radpostauth_id_seq               | sequence | radius
public | radreply                         | table    | radius
public | radreply_id_seq                  | sequence | radius
public | realmgroup                       | table    | radius
public | realmgroup_id_seq                | sequence | radius
public | realms                           | table    | radius
public | realms_id_seq                    | sequence | radius
public | usergroup                        | table    | radius
public | usergroup_id_seq                 | sequence | radius
(33 rows)

radius-# \c postgres
You are now connected to database "postgres".
postgres-# \d
No relations found.

Work Flow Diagram

Ubuntu 10.04 Lucid Lynx ldap configuration – the working how-to

arditi — Wed, 11 Aug 2010 12:04:47 +0000

Hi there,

Here at work I use Ubuntu 10.04 lts, and I was trying to configure openldap.
Yes, on the internet are many how-to’s but half write-d and not really tested, but the most important is that none of them seems to really work.
I have reed about the argument online (ubuntu doc’s to – not working), and from many how to’s and now here is the final script for the ldap Ubuntu configuration:

First install with :
#apt-get install slapd ldap-utils
Then create a script ie (touch script.sh) and put the following in.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146

#!/bin/sh
passwd=pleaseeditme
dc1=pleaseeditme
dc2=pleaseeditme
hash_pw=`slappasswd -s $passwd`
tmpdir=/tmp
#--------------------------------------------------------------#
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
#——————————————————————-#
# database.ldif
#——————————————————————-#
cat <<EOF > $tmpdir/database.ldif
# Load dynamic backend modules
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=$dc1,dc=$dc2
olcRootDN: cn=admin,dc=$dc1,dc=$dc2
olcRootPW: $hash_pw
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=$dc1,dc=$dc2" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=$dc1,dc=$dc2" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
################################
# Modifications
################################

dn: cn=config
changetype: modify

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $hash_pw

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
EOF
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f $tmpdir/database.ldif
####################################
# Mini DIT
####################################
cat <<EOF> $tmpdir/dit.ldif
# Tree root

dn: dc=$dc1,dc=$dc2
objectClass: dcObject
objectclass: organization
o: $dc1.$dc2
dc: $dc1
description: Tree root

# Populating
dn: cn=admin,dc=$dc1,dc=$dc2
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: $hash_pw
description: LDAP administrator

dn: cn=aw,dc=$dc1,dc=$dc2
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: aw
userPassword: $hash_pw
description: LDAP aw

dn: ou=people,dc=$dc1,dc=$dc2
ou: people
objectClass: organizationalUnit
objectClass: top

dn: ou=groups,dc=$dc1,dc=$dc2
ou: groups
objectClass: organizationalUnit
objectClass: top

dn: ou=addressbook,dc=$dc1,dc=$dc2
ou: addressbook
objectClass: top
objectClass: organizationalUnit

#Adding user
dn: uid=ldap1,ou=people,dc=$dc1,dc=$dc2
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: ldap1
sn: Asdasd
givenName: ldap1
cn: ldap1 Asdasd
displayName: ldap1 asdasd
uidNumber: 1002
gidNumber: 1000
userPassword: $hash_pw
gecos: ldap1 asdasd
loginShell: /bin/bash
homeDirectory: /home/ldap1
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: aw@$dc1.$dc2
postalCode: 31000
l: Mysity
o: $dc1
mobile: +33 (0)6 22 22 22 22 22
homePhone: +33 (0)5 33 22 33 22
title: System Administrator
postalAddress:
initials: LP
EOF

sudo ldapadd -x -D cn=admin,dc=$dc1,dc=$dc2 -W -f $tmpdir/dit.ldif

Execute the script with $sh script.sh
If you have problems, want to edit etc, use the following script, it will fully remove and reinstall ldap.

1
2
3
4
5
6

#!/bin/sh
aptitude purge slapd ldap-utils
cat /dev/null > /var/log/debug
rm /var/lib/ldap/*
rm -rf /etc/ldap
apt-get install slapd ldap-utils

For testing if all is working fine you should try :

ldapsearch -D cn=admin,dc=yourhost,dc=yourdomain -W -x -b dc=yourhost,dc=yourdomain

Last words, for managing you can use phpldapadmin (it is in the repository).
Then visit your localhost :
http://localhost/phpldapadmin and log-in,
Enjoy.

Tcpdump how to – the linux network troubleshooter

arditi — Mon, 09 Aug 2010 22:50:11 +0000

Cool Intro

Some people say that “wireshark” is good, and bla bla bla , & bla bla bla…
Yes , wireshark is a great project but when it comes to firewalls, or to real work stuff nothing is like tcpdump.

When you log in to a remote firewall, and want to check out what the hack is going on, tcpdump is your buddy.
It is old and wise, it is the Adam of sniffers, so lets see what we can do with it.

Worming Up

In this example we use eth0 as the interface of our interest

First, we wan to see what interfaces can use for capturing packets,

tcpdump -D

This will print something like:

1.wlan0
2.any (Pseudo-device that captures on all interfaces)
3.lo

Hey, wait a min, you don’t have an ethernet card?
Yes, I have it but we need to set it up:

ip link set eth0 up

Now see the following output

tcpdump -D
1.eth0
2.wlan0
3.any (Pseudo-device that captures on all interfaces)
4.lo

Ok, lets continue our tcpdump trip ,

More info about your card, and what it supports:

tcpdump -L -i wlan0
Data link types for wlan0 when not in monitor mode (use option -y to set):
DOCSIS (DOCSIS) (printing not supported)
EN10MB (Ethernet)

Ok, lets begin:

tcpdump -nvi eth0

In this case, -n tells to not convert the port numbers in names, and host addresses to names, but treat the output numerically. -v is for “verbose” output, so it prints more stuff out.

And -i is for specifying the desired interface.
Lets make a difficult example,

We have 1 firewall with 4 physical interfaces, eth0, eth1, eth2, eth3 and bridged interfaces, like br0, br1 etc.

If we want to monitor the traffic between DMZ and Blue zone we should monitor eth1 as DMZ and eth2 as Wireless /hotspot, /blue – zone interface, so we need to specify the interface for monitoring.

A common good command to use is:

tcpdump -nnvvi eth0

Protocol Specification

I want only ICMP traffic

tcpdump -nvi eth0 icmp

I want only tcp traffic:

tcpdump -nnvvi eth0 tcp

and the same is for udp, we need only to specify.

What about monitoring only ping requests?

tcpdump -nnvvi br0 icmp[0] = 8 or icmp[0] = 30

Tcpdump Recipes

host, src, dst, net, proto, port

This are the mos common used tcpdump recipes

host – specify the host address like host www.google.com will monitor only packets coming from or to www.google.com

src – specify the source ip that you are monitoring i.e tcpdump -nnvvi eth0 tcp src 192.168.0.15 (local green IP)

dst – specify the destination ip address that you want to monitor

net – capture the entire traffic of a network using CIDR like tcpdump -nnvvi eth0 net 192.168.0.1/24 will capture any packet send from or to IP-s in the /24 range, in this case from 192.168.0.1 min to 192.168.0.254 max.

proto – is the example above for specifying the protocol (icmp, tcp or udp) but don’t type it you just have to type tcpdump -nnvvi eth0 udp

port – with this we can specify the port we want to monitor and the port option have 2 more sub-options , src and dst.

if we use:

tcpdump -nvi eth0 tcp port 80 [this will monitor for one or another destination\source port 80]

So this will capture packets to or from port 80.

Destination port 80

tcpdump -nvi eth0 tcp dst port 80

This will capture only packets that have us destination port 80, this is handy when we want to see what web sites are visiting our clients.

Source port 80

tcpdump -nvi eth0 tcp src port 80

In this case, i have said to tcpdump that I want to monitor traffic passing through eth0 using tcp protocol with source port 80.

Using tcpdump

I want to specify the IP, the port and in the same time I want to see the packets in ASCII

tcpdump -nvi lo host www.host.com and port 9999 -A

Wait buddy, we are going to fare, what is that “and”?

Tcpdump, supports Boolean operations like:

and

not

So it’s cool to use them, especially when we are interested only in some portion of the traffic.
Lets see how we can combine this options:

tcpdump -nnvvi wlan0 udp src port 50 and host www.google.com -X

-X prints the output in hexadecimals + ASCII like -A / I prefer -A

tcpdump -nnvvi wlan0 src net 1.127.64.0/24 and dst host www.google.com or dst host www.yahoo.com -A

this is a curious packet capture dooring this command:

00:24:29.842726 IP (tos 0×0, ttl 64, id 8851, offset 0, flags [DF], proto TCP (6), length 1053)
1.127.64.205.57482 > 72.14.234.104.80: Flags [P.], cksum 0xe693 (correct), seq 0:1001, ack 1, win 92, options [nop,nop,TS val 39390568 ecr 2016401695], length 1001
E…”.@.@…..@.H..h…P../../#B…\…….
hx/..GET /csi?v=3&s=webhp&action=&e=23051,25657&ei=dYBgTOjtO8qv_QbC0MD4AQ&expi=23051,25657&imc=1&imn=1&imp=0&rt= HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.8) Gecko/20100724 Firefox/3.6.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.google.com/
Cookie: PREF=ID=840ee66f4930292e:U=4b582d1d35710b91:LD=en:CR=2:TM=12802341176:LM=12803427747:GM=1:S=zj2wIxxG3Lg_Y8gw; NID=37=WjwrG6yFHasdpeOQMhPD40IOhJlVny7KUqlmoHyVx3R54B-Gv50bzklMcAeTmrq-67U-I5xtmjpJCQWcVNfxJ5aHJTnmf3M-a9haKuS8HdEclDqAe0cKhehME6vlZqChf; rememberme=false; TZ=-120; SID=DQAAAIIAAAA8-XYkoxlfhdksFPtnDHB6XymasdBnl2dDDfJeHx8pC0uup-AbijDoYU2WzrJJVDiFJ2bg6te6EKyOj-g5eAwUYpomEq1hmE-1BgjjbAkISr2vt4f5eKcR2asdJp8-kLfct8Qh58T_f1csmPeW02DEN5bHCHzXhGFxqTC-d9OWl7099WrvUmzgUUtFyiWE3fHHu0; HSID=A-IoVh0m5t-Ijrt-8

Let’s go further..

Show all URG packets:

1
# tcpdump 'tcp[13] & 32 != 0'

Show all ACK packets:

1
# tcpdump 'tcp[13] & 16 != 0'

Show all PSH packets:

1
# tcpdump 'tcp[13] & 8 != 0'

Show all RST packets:

1
# tcpdump 'tcp[13] & 4 != 0'

Show all SYN packets:

1
# tcpdump 'tcp[13] & 2 != 0'

Show all FIN packets:

1
# tcpdump 'tcp[13] & 1 != 0'

Show all SYN-ACK packets:

1
# tcpdump 'tcp[13] = 18'

So in this case, if we want only a SYN-ACK view of a connection we can just type:

tcpdump -nnvvi wlan0 'tcp[13] = 18' and host www.google.com

For more advanced use, we should grep & write data, and we can use | (pipes) > < redirects, or build in commands of tcpdump.

If we have some worse with the output from 1 or more ports, i.e ssh, or http, or any other port we can easily clear the output with:

tcpdump -nnvvi wlan0 not port 22 and not port 80

Linux Network Configuration for home Users

arditi — Sun, 08 Aug 2010 20:59:22 +0000

The Tools – net-tools VS iproute2

There are 2 generic packages that do all-most the same thing’s.

net-tools which include:
ifconfig,
nameif
plipconfig
rarp
route
slattach
ipmaddr
iptunnel
mii-tool
netstat
hostname

It is older compared to iproute2 packages but it is still used.

iproute2 includes:
rtmon
ip
netbug
rtacct
ss
lnstat
nstat
cbq
tc
arpd

Net-tools have been great till 2.4/2.4/2.6 kernel shows up with completely new network design. They work just fine but, for some tasks, they show some strange behavior and are very outdated for complicated tasks / advanced routing. Sow, we are going to use generally iproute2.

Settings things UP {eth0|wlan0}

We just started the PC, and want to be online, we have a router in my case just a linksys-cisco, and we are going to use /24 CIDR with the router at 192.168.1.1 (default).

Dealing with our “links” – interfaces bringing them up and down

This is the easy way, for home networks with 1-2 box’s connected and this is the “plug’n play” way. First we bring the interfaces up :

#ip link set eth0 down   ==> Same as ifconfig eth0 down
#ip link set wlan0 down  ==> Same as ifconfig wlan0 down

Now, the 2 interfaces are down, and we can check this with

#ip link show

1: lo:  mtu 16436 qdisc noqueue state UNKNOWN
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0:  mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
   link/ether 00:11:60:0a:ed:c6 brd ff:ff:ff:ff:ff:ff
3: wlan0:  mtu 1500 qdisc mq state DOWN qlen 1000
   link/ether 00:11:de:bc:ad:e2 brd ff:ff:ff:ff:ff:ff

We can notice that the lo interface (LoopBack is UP) instead of eth0 and wlan0 , there is no UP at the “state DOWN” tells the state of the connection and not the state of the our wireless card or ethernet card.

Now we want them up, because we want to connect to our router.

#ip link set eth0 up; ip link set wlan0 up
OR
#ifconfig eth0 up; ifconfig wlan0 up

We want to see if the interfaces are up and we check with

#ip link show

1: lo:  mtu 16436 qdisc noqueue state UNKNOWN
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0:  mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
   link/ether 00:1d:60:0f:eb:c6 brd ff:ff:ff:ff:ff:ff
3: wlan0:  mtu 1500 qdisc mq state DOWN qlen 1000
   link/ether 00:18:de:c7:a0:6b brd ff:ff:ff:ff:ff:ff

Static DHCP or Dynamic DHCP?

Now that they are up, we have 2 ways of doing things with this interfaces,

Static DHCP — we have to specify the IP, the Netmask, the Default Gateway
Dynamic DHCP — we dont have to specify nothing

Sow, why Static DHCP? – In large network’s it’s all most a default type of configuration, because lets say we have a postgres sql server at 192.168.1.201 and 3 servers A,B,C with different ip address connecting to him for getting reading\writing data. Some – day, we have a problem with him, or just want to restart and we restart him, but now we have a big problem because the DHCP gives him 192.168.1.13 as ip address and the things goes mad. The same happens if we apply for different service that need other service etc. Why Dynamic DHCP ? If we are at home, and friends come to my house, i don’t want to set they ip manually so just plug & play.

Configuring eth0 with Automatic IP (DHCP)

We just connect the cable and we are just fine :) NOTE: If you have no dhcp client running you must run the client for getting your connection setting from the DHCP server running on the server. In my case, befor connecting the cable:

No – ip | No connection UP

WARNING: NO-CARRIER,BROADCAST,MULTICAST,UP ==>> Hardware Interface UP state DOWN ==>> Connection is Down

#ip addr show eth0

2: eth0:  mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
   link/ether 00:1d:60:0f:eb:c6 brd ff:ff:ff:ff:ff:ff
   inet6 fe80::21d:60ff:fe0f:ebc6/64 scope link

Routing table clear, no router:

#ip route show
[root@darkinet arditi]#

Routing table is empty

Or we can use:

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

Now i connect the ethernet cable on my laptop and on the router, the result is the same. Nothing happens, and this is because I’m on arch linux and all is manual , so I have to contact the dhcp server for getting the data and in my case:

# dhcpcd eth0
dhcpcd: version 5.2.2 starting
dhcpcd: eth0: rebinding lease of 192.168.1.100
dhcpcd: eth0: acknowledged 192.168.1.100 from 192.168.1.1
dhcpcd: eth0: checking for 192.168.1.100
dhcpcd: eth0: leased 192.168.1.100 for 86400 seconds
dhcpcd: forking to background

Now for being shore we want to check if we are connected and we ping the router.

# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=3.95 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.492 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.486 ms
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms

rtt min/avg/max/mdev = 0.486/1.645/3.957/1.634 ms

Ctrl+C for stopping.

OK, lets see what happens to our interface and rooting table:

2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 00:1d:60:0f:eb:c6 brd ff:ff:ff:ff:ff:ff
   inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0
   inet6 fe80::21d:60ff:fe0f:ebc6/64 scope link
   valid_lft forever preferred_lft forever

Now we have an ip addres at 129.168.1.100 , this because it is the first free ip on the router. Lets see our rooting table:

# ip route show
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.100  metric 202
default via 192.168.1.1 dev eth0  metric 202

Ok, this is nice now lets deal with wireless.

Configuring wlan0 with Automatic IP (DHCP)

Read eth0 with DHCP for more detailed information

Now, it’s the same story, if you expect finding here WPA2, WEP, WPA2-Enterprise how to, it’s not the section, here we are going to use an OPN (Open) Access Point with essid “linksys”. Now the wlan0 interface is up, if not #ip link set wlan0 up Than we connect our wireless card with the Access Point

#iwconfig wlan0 essid "linksys"

Case 1

We have automatic dhcp client running and this is all and we are connected

Case 2

We don’t have dhcp client running so we need to run it on the interface: In this case:

dhcpcd wlan0
dhcpcd: version 5.2.2 starting
dhcpcd: wlan0: rebinding lease of 192.168.1.100
dhcpcd: wlan0: NAK: from 192.168.1.1
dhcpcd: wlan0: broadcasting for a lease
dhcpcd: wlan0: offered 192.168.1.102 from 192.168.1.1
dhcpcd: wlan0: acknowledged 192.168.1.102 from 192.168.1.1
dhcpcd: wlan0: checking for 192.168.1.102
dhcpcd: wlan0: leased 192.168.1.102 for 86400 seconds
dhcpcd: forking to background

We ping for being shore that we are connected:

ping -c 2 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=4.96 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.770 ms

--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.770/2.869/4.969/2.100 ms

Configuring eth0 with Static IP

Indeed here we must Stop the DHCP server on our Router, so we point our browser to http://192.168.1.1 , log – in and see around about dhcp settings, than stop the dhcp server. Now, we suppose that your computer have never been connected with that router so, I’m going to clear my connection info with:

ip link set wlan0 down

Setting the interface down, automatically clears out connection info. Now, in the Dynamic DHCP we get the IP and Default Gateway from the DHCP server running on the router, but now that it is not running any more on the server how we’r going to get this data?

We are going to supply this data to our interface eth0

Now, we can get any ip that we like, and we now that the router is on 192.168.1.1 But if we don’t know this info? -Check your router quick start guide, or google it. Ok, now we connect the ethernet cable with our ethernet port on laptop and the ethernet port on the router. Ok, here we go, if we run dhcpcd eth0 nothing happens because there is not anymore the dhcp server running to give us the date so now:

For connecting in the correct way with the router we need 3 important data: Ip address Subnet Mask Default Gateway Broadcast Address The only 2 wee need to specify for make this connection work are IP address , and the Default Gateway. The range of the Ip address must be of course 192.168.0.* The ip address lets say we want 192.168.0.200 How to find the subnet mask? (yes I know is 255.255.255.0 but lets suppose that you don’t) We use a tool called ipcalc which is not currently installed on my machine so: $ipcalc 192.168.1.200 And from the output we get netmask 255.255.255.0 Broadcast is : 192.168.1.255 We use ipcalc, very nice tool helping with info about 1 ip. But normally the ip are :

   /8
   /16
   /24

Or, their dotted-quad equivalents:

   255.0.0.0
   255.255.0.0
   255.255.255.0

Adding IP, subnet and broadcast address Sow, we find that our selected ip 192.168.1.200 have a netmask 255.255.255.0 and we all ready know our router ip 192.168.1.1 The broadcast from ipcalc was 192.168.0.255. PS:Anyway we need to now only the router gateway ip (because the IP is of our selection) and we must select an ip in the right range. In this case 192.168.1.* from 2-254

ip addr add 192.168.1.200/24 eth0
or the other way
ifconfig eth0 192.168.1.200 netmask 255.255.255.0

If you are not shore about your subnet mask you just add your ip and than the ip program will calculate automatically your Subnet Mask
Here our nice output:

#ip addr show eth0

2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 00:1d:60:0f:eb:c6 brd ff:ff:ff:ff:ff:ff
   inet 192.168.1.200/24 brd 192.168.0.255 scope global eth0
   inet6 fe80::21d:60ff:fe0f:ebc6/64 scope link
      valid_lft forever preferred_lft forever

After this we add the route

ip route add 192.168.1.1 dev eth0
(this will work btw but if we want to add a default gateway than we just)
ip route add default 192.168.1.1 dev eth0

Now:

#ip addr show eth0
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 00:1d:60:0f:eb:c6 brd ff:ff:ff:ff:ff:ff
   inet 192.168.1.200/24 scope global eth0
   inet6 fe80::21d:60ff:fe0f:ebc6/64 scope link
      valid_lft forever preferred_lft forever

and

# ping -c 3 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.490 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.443 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.492 ms

--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.443/0.475/0.492/0.022 ms

Now we see that we are connected. Lets deal with the wireless connection.

Configuring wlan0 with Static IP

Set all interfaces down and than again up.

Than:

ip link set wlan0 up
ip addr add 192.168.1.200/24 dev wlan0
ip route add 192.168.1.1 dev wlan0

 #ip addr show wlan0

3: wlan0:  mtu 1500 qdisc mq state UP qlen 1000
   link/ether 00:18:de:c7:a0:6b brd ff:ff:ff:ff:ff:ff
   inet 192.168.1.200/24 scope global wlan0
   inet6 fe80::218:deff:fec7:a06b/64 scope link
      valid_lft forever preferred_lft forever

# ping -c 3 192.168.1.1

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.826 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.715 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.752 ms

--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.715/0.764/0.826/0.051 ms

Troubleshooting

Checking for duplicate ip address on your network:

arping  -c5 -D 192.168.1.1 -I wlan0

ARPING 192.168.1.1 from 0.0.0.0 wlan0
Unicast reply from 192.168.1.1 [00:1D:7E:B2:B7:90] for 192.168.1.1 [00:1D:7E:B2:B7:90] 1.752ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)

Minicom How To | How to use minicom when installing firewalls

arditi — Sun, 08 Aug 2010 20:55:55 +0000

The Problem

So we say that we get a brand new hardware with 4-8-16 ethernet cards, 600mhz cpu, a nice RAM and hdd. Now we want to install on it some firewall based distribution and manage the installation process.

Installing the software on our firewall HDD

The best way is to attach the firewall hdd, on our pc – free hdd slot and linux will automatically recognise the hard-disk, or wee can use a CF writer (Compact Flash) First we download the image (.img) with wget, or curl , or your browser. Normally we will find a .img.tar.gz file , first we tar -xzvf the file and than we copy our image to the firewall hdd. We assume that the hard-disk is located at /dev/sdb (/dev/sdb1) Than:

dd if=/home/user/downoads/our_img_distro.img of=/dev/sdb

if stands for input file, and of stands for output file.

Or we directly:

 tar -xzvf /location/our_img_firewall_distro.img.tar.gz | of=/dev/sdb

This requires a boot-able operating system image. You cant just copy files to the Flash card because it needs a boot sector. dd does a byte-by-byte copy, including the boot sector, which most other copy commands cannot do.

Minicom at work

Now we re-attached the hard-disk on our hardware firewall, and want to check the installation. We need:

Minicom (software) installed on our Linux-box
A null-modem serial cable(if you don’t know what I mean, search google images with “null-modem serial cable”

Than we fix the serial cable and start minicom with:

[root@mybox]# minicom -s  [s stands for setup]
------[configuration]-------
| Filenames and paths
| File transfer protocols
| Serial port setup
| Modem and dialing
| Screen and keyboard
| Save setup as dfl
| Save setup as..
| Exit
| Exit from Minicom
----------------------------

Than we go to serial-port-setup and hit [enter]

-------------------------------------------
| A -     Serial Device     : /dev/tty8
| B - Lockfile Location     : /var/lock
| C -    Callin Program     :
| D - Callout Program       :
| E -     Bps/Par/Bits      : 19200 8N1
| F - Hardware Flow Control : No
| G - Software Flow Control : No
|
|     Change which setting?
-------------------------------------------

Now , if the A -option (serial device) is not /dev/ttyS0 (which is normally our normal working port) we hit Shift+A and change it to /dev/ttyS0 Than we change the E /Bps/Par/Bits in the same way. What’s the right setting? This have to do with what are you using as hardware, but normally you get this information form the website of the firewall company.
Now we have attached our minicom and we’r reddy for a fresh new installation. Start up the firewall and if it’s all right we will see the booting information on our terminal. (just like we have a monitor and are booting our software) If we have different firewall box’s and don’t want to repeate configurations we just “Save setup as…” and than chose a name for our configuration like efw, ipcop, etc and than for connecting directly with that we just:

minicom ipcop

On the old times this cable was the “T1″ of today lol.

dnsmasq round-robin how to

arditi — Sun, 08 Aug 2010 20:52:42 +0000

Dnsmasq is currently compiled with round – robin algorithm (or a simple implementation of this algorithm). We make use of this capability for an very simple load balancing technique.
What dnsmasq & round robin do? Basically , we configure 1 host and give for him N° IP addresses , dnsmasq changes the IP order of this IP corresponding to one host after any single DNS request.
Whats the point?
After each new connection the IP responding will be the next in the list , doing so the requests will be balanced on 3 different servers managing 1 domain.
Let’s say we have a very big host called blackbox and for not bombing our host and the load we just add 3-5 or N servers for balancing the load of the server.

We give to our linux router/firewall an configuration like:
cat /etc/hosts
#
# /etc/hosts: static lookup table for host names
#
#
127.0.0.1       localhost.localdomain   localhost darkinet
192.168.0.150 blackbox
192.168.0.151 blackbox
192.168.0.152 blackbox
#NOTE: In real life this should be something like blackbox.com with an public IP address.
#192.168.1.200           www.google.com #I added google before lol
# End of file

Ok, this is good, now lets see our simple configuration at work:
If we just $dig blackbox

;; ANSWER SECTION:
blackbox.		0	IN	A	192.168.0.150
blackbox.		0	IN	A	192.168.0.151
blackbox.		0	IN	A	192.168.0.152

The seccond response

;; ANSWER SECTION:
blackbox.		0	IN	A	192.168.0.151
blackbox.		0	IN	A	192.168.0.152
blackbox.		0	IN	A	192.168.0.150

The third response

;; ANSWER SECTION:
blackbox.		0	IN	A	192.168.0.152
blackbox.		0	IN	A	192.168.0.150
blackbox.		0	IN	A	192.168.0.151

So, we see that the order of the IP changes after each DNS request cyclically.
Then we restart dnsmasq
# /etc/init.d/dnsmasq restart

This is not for serious load balancing (yep it costs up to 4000 bucks or even more)
So in conclusion, if you are not

;; ADDITIONAL SECTION:
ns1.google.com.        329163    IN    A    216.239.32.10
ns2.google.com.        327587    IN    A    216.239.34.10
ns3.google.com.        331744    IN    A    216.239.36.10
ns4.google.com.        331744    IN    A    216.239.38.10

And you don’t have the need to use 4 server farms for a domain, than this may be your case.
Bye.

AW iptables firewall bash script 1.0 personal edition

arditi — Sun, 08 Aug 2010 20:14:37 +0000

Hi there,

Update, now bug fix release 1.1, the firewall was to restrictive and doesn’t allow fast internet browsint, fixed

First of all , from now on this website will be in english language, if some one from the staff wold like to translate, i can add a subdomain with a new installation of wordpress.
So, this is a simple bash script which creates an stateful iptables firewall designed for blocking most common attacks at layer 3 & for on personal box’s.[not for gateways]
Implemented:
# a) Static rule based policies (not to be confused with a “static firewall”)
# b) Connection based stateful policies
# c) Sanity based policies
I have tested it and it blocks most nmap port-scans, syn floods, spoofing attacks and filter all ports , even open ones if the nmap sends more than 1 packet /s (very normal). I wanted to block also IPV6 traffic.
Here is the link ,
Enjoy:

#!/bin/sh
#*****************************************************************
#AlbanianWizard Iptables Firewall Script v 1.1 [connection bug fix]
#Tested against most nmap personalised scans,
#To Do : portbunny/unicornscan/ping3 scanning [next versions]
#Author : Arditi
#License : GPLv3
#Contact : arditi[nospam]hush.ai
#WARNINGS: You must be root to run this,
# This script is designed only for personal pclaptopbox's it is not for Gatewaysrouters
# Dont change the chain/rule-set order
#Technologies for building this mini-firewall:
# a) Static rule based policies (not to be confused with a "static firewall")
# b) Connection based stateful policies
# c) Sanity based policies
#*****************************************************************
#Variables, please check the correct location of iptables
#whereis iptables ; whereis ip6tables
#*****************************************************************
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
MP=/sbin/modprobe
INET=192.168.1.0/8
IF=eth0
echo $USER is setting up AW iptables firewall on $HOSTNAME
#*****************************************************************
#Setting up Connection Tracking Modules
echo * [+] Setting up Connection Tracking Modules
$MP ip_conntrack
$MP iptable_nat
$MP ip_conntrack_ftp
$MP ip_nat_ftp
$MP nfnetlink_log
#*****************************************************************
#Initial Setup
echo * [+] Setting up Chains
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT #Or change to DROP and allow what you want if is not your personal box
$IPT -N FLOOD_CHAIN
$IPT -N BAD_CHAIN
$IPT -N TCP_CHAIN
$IPT -N ICMP_CHAIN
$IPT -N UDP_CHAIN
$IPT -A INPUT -j FLOOD_CHAIN
$IPT -A INPUT -j BAD_CHAIN
$IPT -A INPUT -j TCP_CHAIN
$IPT -A INPUT -j ICMP_CHAIN
$IPT -A INPUT -j UDP_CHAIN
#*****************************************************************
#Blocking IPV6 traffic
echo * [+] Blocking all IPV6 Traffic
$IPT6 -P INPUT DROP
$IPT6 -P FORWARD DROP
$IPT6 -P OUTPUT DROP
#*****************************************************************
#Setting up the Rules
echo * [+] Setting up the rules
#Good things :)
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT #Accept loopback traffic
#Bad things are normal :)
#against -sO IP Protocol Scan (for supported protocols)
$IPT -A INPUT -p sctp -j DROP
$IPT -A INPUT -p gre -j DROP
echo * [+] Setting up the FLOOD_CHAIN
#This will only get better the situation, in real life you should use Reactive Address Blocking (RAB)
#This will work for UDPTCPICMP floods sending more than 1 packet/s and also try to block nmap -sS scan.
$IPT -A FLOOD_CHAIN -i $IF -m limit --limit 6/s --limit-burst 6 -j RETURN #Accept only 6 packet/sec and we match only the first 6 packet.
$IPT -A FLOOD_CHAIN -i $IF -j LOG --log-level 7 --log-prefix "# Syn Flood #"
$IPT -A FLOOD_CHAIN -i $IF -j DROP
#***********THE BAD CHAINS *****************************************
echo * [+] Setting up the BAD_CHAIN
#$IPT -A BAD_CHAIN -p tcp ! --syn -m state --state NEW -j DROP #Force --syn packet check for NEW connections, if not DROP IT!
$IPT -A BAD_CHAIN -m conntrack --ctstate INVALID -j DROP #Enforcing, dropping invalid connections beginning with FIN,PSH,ACK,RST etc..
#Throw away fragmentation attacks
$IPT -A BAD_CHAIN -f -j DROP
#nmap scans not blocked by "INVALID" state
$IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL SYN,PSH -j DROP
$IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL SYN,URG -j DROP
$IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL NONE -j DROP
#Anti-spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter #setting to 0 disable spoofing protection
#******************************************************************
echo * [+] Setting up the TCP_CHAIN
#WEB-SERVER
$IPT -A TCP_CHAIN -p tcp -i $IF --dport 80 --syn -m state --state NEW -j ACCEPT
$IPT -A TCP_CHAIN -p tcp -i $IF --dport 443 --syn -m state --state NEW -j ACCEPT #ssl
$IPT -A TCP_CHAIN -m conntrack -i $IF --ctstate ESTABLISHED,RELATED -j ACCEPT #enforcing
$IPT -A TCP_CHAIN -p tcp -i $IF -j DROP
echo * [+] Setting up the UDP_CHAIN
#UDP_CHAIN
#$IPT -A UDP_CHAIN -p udp --dport 53 -j ACCEPT if you want some DNS server
$IPT -A UDP_CHAIN -p udp -i $IF -j DROP
echo * [+] Setting up the ICMP_CHAIN
#ICMP_CHAIN
#allow ping | Currently you can ping others but others can't ping you :D [uncomment below if you want to be pinged]
$IPT -A ICMP_CHAIN -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ACCEPT
$IPT -A ICMP_CHAIN -p icmp -i $IF -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ACCEPT
$IPT -A ICMP_CHAIN -p icmp -i $IF -j DROP
#Logging dropping things
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROP: " --log-level 7

#°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
#Note, this are all some of the common layer-3 attacks, but the real firewall attacks today are with
#Protocol Tunneling /or firewall piercing so for this you need to use Snort l7-firewall or some other
#application designed for performing layer 7 application checks.
#Yes, iptalbes can do this stuff but it is to mutch resource consuming
#°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
#print the configuration
#$IPT -nvL

Save it as firewall.sh than execute it as root with sh firewall.sh and it will print the rules
GPLv3.