Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: iptables rule sanity check?
Special Forums Cybersecurity iptables rule sanity check? Post 302737215 by unSpawn on Wednesday 28th of November 2012 01:35:39 PM
Old 11-28-2012
Quote:
Originally Posted by unclecameron
why would (..) along with /etc/hosts.deny rule of (..) not stop traffic to/from 180.x.x.x, which I still see by running iftop?
First of all tcp_wrappers may be considered complementary in a multi-layered approach to network access restrictions but there's a fundamental difference between tcp_wrappers and Netfilter. The first works only at the application level (and only if the application was compiled with -libwrap) and the latter works at the network level, meaning no interaction with any application.
In short: Netfilter = "must have", tcp_wrappers = "nice to have".

As for your question you show isolated rules, no rule counters and no evidence of traffic, meaning your rule could be placed below a rule that already accepts traffic or you haven't killed or restarted the network process or didn't reset individual connections so you might be seeing already established connections.


Quote:
Originally Posted by unclecameron
Or could iftop just be showing an artifact and is there a better way to monitor connections real-time?
I doubt that. Iftop uses the libpcap ('man 3 pcap') framework for data handling just like tcpdump, Wireshark or say nmap.
 

8 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

iptables rule to block ping to internet

I want to block ping on a linuxbox to any other address where it would go to the default gateway. vmdebianamd64:/etc/tcng# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 198.9.200.0 * 255.255.255.0 U 0 ... (1 Reply)
Discussion started by: progressdll
1 Replies

2. Debian

./configure is broken - /lib/cpp fails sanity check

Hi, I first wanted to install my NIC drivers but it said: Makefile:62: *** Linux kernel source not found. Stop. So I installed the kernel source: linux-source-2.6.18_2.6.18.dfsg.1-13etch5_all.deb 1) cd /usr/src 2) -xjvf linux-source.2.6.18.extension (forget what it was) 3) ln -s... (12 Replies)
Discussion started by: Virtuality
12 Replies

3. UNIX for Advanced & Expert Users

*** [Gentoo] sanity check failed! ***

I faced the following error while configuring the spine for cacti. Can any one help me to sort out this problem: hecking how to run the C++ preprocessor... g++ -E checking for g77... g77 checking whether we are using the GNU Fortran 77 compiler... yes checking whether g77 accepts -g... yes... (1 Reply)
Discussion started by: praveen_b744
1 Replies

4. Solaris

lib/cpp fails sanity check

I'm trying to install a new library for php but everytime I run configure I got the following error "lib/cpp" fails sanity check. My OS is solaris 10 Any help on how to solve this issue would be highly appreciated (3 Replies)
Discussion started by: dahr
3 Replies

5. Linux

iptables rule problem

Hi, i have 40 client's in my network, that connected to internet via squid server (WebProxy). i want none of these client can't ping my squid server bat squid server can ping them.i wrote these rules but it is'nt work. iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -A INPUT -p... (1 Reply)
Discussion started by: skynet_boy
1 Replies

6. IP Networking

iptables - most easy way to find rule and remove it?

I have situation where I have rules in iptables with comments. Now... I can for example enter rule like "iptables -A FORWARD -s xxx -j ACCEPT" and delete it with "iptables -D FORWARD -s xxx -j ACCEPT".. but if that rule contain some random comment (-m comment) then ... ? I can find with scripting... (2 Replies)
Discussion started by: darkman_hr
2 Replies

7. Cybersecurity

LDAP - sanity check

I have recently changed jobs and where i used to work we had kerberos. Here they have nothing resembling central password management or Network Authentication. I have started looking at LDAP but wonder if that is a good choice. we have a solaris/centos environment (no windows whoo hooo) with 4... (2 Replies)
Discussion started by: oly_r
2 Replies

8. UNIX for Dummies Questions & Answers

iptables rule to block access from VM Browser to Firewall Login Page

(1 Reply)
Discussion started by: senrabdet
1 Replies

LEARN ABOUT DEBIAN

nstreams

nstreams(1)							   Users Manuals						       nstreams(1)

NAME

       network streams - a tcpdump output analyzer

SYNOPSIS

       nstreams [ -v ] [ -c nstreams-services ] [ -n nstreams-networks_file ] [ -N [ -i ] [ -I ]] [ -r ] [ -O output [ -D iface ] [ -Y ]] [ -u ] [
       -U ] [ -B ] [ -f tcpdump_file ] [ -l <iface> ] [ tcpdump output ]

DESCRIPTION

       nstreams is a utility designed to identify the IP streams that are occuring on a network from a non-user friendly tcpdump output of several
       megabytes.

       This  is  especially  useful  when you plan to install a firewall but if you do not know the nstreams that the network users are generating
       (http, real audio, and more...).  nstreams can read the tcpdump output directly from stdin, or from a file. It can even generate  the  con-
       figuration file of your firewall, using the  -O option.

OPTIONS

       -c <nstreams-services-file>
	      The  path to an alternate nstreams service file. This file is used to identify each protocol. See the services file section later in
	      this manual page.

       -n <nstreams-networks-file>
	      The path to an alternate nstreams network file. This file is used to identify which hosts belong to which network. See the  networks
	      file section later in this manual page.

       -f <tcpdump output file>
	      The path to the file to read data from. This file must have been generated using 'tcpdump -w filename'.

       -l <iface>
	      Listen directly on interface <iface>. This avoids the use of tcpdump.

       -N     print  the  networks  names instead of the hosts IP addresses. The intra-network traffic will not be shown. Use this option twice to
	      show the networks IP address instead of their names.

       -i     Also show the intra-network traffic (must be used with -N)

       -I     Only show the intra-network traffic (must be used with -N)

       -r     be redundant. That is, the same streams will be printed each time they appear in the dump.

       -v     print version number and exit.

       -O <type>
	      output type. You can use this option to generate your firewall startup script.  Do nstreams -h to see the supported output types.

       -D <iface>
	      interface to apply to output onto. Must be used with -O.

       -Y     The firewall rules that will be generated will deny all packets coming from the outside  trying  to  establish  connections  to  the
	      inside. If you system is not serving anything, then it's safe to turn on this option.

       -u     Do not print the unknown streams

       -U     Only print the unknown streams

       -B     Show broadcasts and networks

USAGE

       Let tcpdump(1) run some time on your network (like one week), and save its output in a file, by doing :
       tcpdump -l -n > output
       or
       tcpdump -w filename

       Then,  feed nstreams with this output file, and it will turn it into a easily-readable file which will help you to write efficient firewall
       filters.  You may also do :
       tcpdump -l -n | nstreams
       or
       nstreams -f filename (if you used tcpdump -w)

THE SERVICES FILE

       The service file contains the description of each protocol, as well as their name. Its syntax is :
       protocol_name:server_port(s)/{udp,tcp}:client_ports(s)
       or :
       protocol_name:type(s)/icmp:code(s)

       Whereas :

       protocol_name
	      is the name of the protocol described. This name may contain any character, including space, except ':'.

       server_port(s)
	      is the range of ports used by the server. Usually, you will want to define one server port only, but you may  enter  any	range  you
	      want.

       ip_protocol
	      is the IP protocol that this protocol is lying onto. Acceptable values are tcp and udp

       client_port(s)

	      is  the  range  of  ports  that  the  client  may  use. You can set this to any or, for more accurate results, to ports ranges, like
	      '1-1024,2048-4096'.
	      The rules are : 'first match, first taken'.

SERVICE FILE EXAMPLE

       Using this syntax, you would declare the ssh protocol by :
       ssh-unix:22/tcp:1000-1023
       Because the Unix version of the ssh client uses a privileged port to connect onto the ssh server which listens on port 22.

THE NETWORKS FILE

       The networks file is used to define sets and subsets of hosts (also known as networks). This avoids redundancy in the output file. The syn-
       tax format for this file is :
       network name:ip/mask
       Whereas	the network name is whatever you want, the IP is the ip of the network, and the mask is the CIDR netmask of the network.  The rule
       is 'first match, first taken'.

NETWORKS FILE EXAMPLE

       admin:192.168.19.0/29
       whole_subnet:192.168.0.0/16
       internet:0.0.0.0/0

LIMITS

       o nstreams can only parse the output of 'tcpdump -n'

       o Even though the output of nstreams is easier to read than the one of tcpdump, it is still not easily readable. Use sort(1) on the nstream
       output to get a more readable file.

       o This program could have been written in perl

FILES

       /etc/nstreams-services
       /etc/nstreams-networks

SEE ALSO

       tcpdump(1)

AUTHORS

       Concept : Herve Schauer Consultants - http://www.hsc.fr
       Coding : Renaud Deraison <deraison@cvs.nessus.org>

BUG REPORTS

       Please send all your bug reports with the detail of your configuration to Renaud Deraison <deraison@cvs.nessus.org>

nstreams							     July 1999							       nstreams(1)
All times are GMT -4. The time now is 12:15 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy