Show the IP address of a network interface:
    ifconfig eth1 | awk -F ":" '/inet addr/{split($2,a," ");print a[1]}'
See whether anyone is pinging our machine:
    sudo tcpdump -i eth0 'proto \icmp'

Refresh your understanding: 10.1.1.0/24 is a network, but when 10.1.1.10/32 or 10.1.1.10 netmask 255.255.255.255 is given, that IP is a single host.

To change the IP of an interface (eth0, eth1, etc.), first bring the interface down:
    sudo ifconfig eth0 down

================================================================================
ROUTING:
On the network 10.1.1.0/24, if one host (say 10.1.1.20) wants to talk to another host (say 10.1.1.15), the packet is sent directly from 10.1.1.20 to 10.1.1.15. But if the destination of a packet from 10.1.1.20 is a host outside the 10.1.1.0/24 network, a gateway is needed.

================================================================================
IPTABLES:
The version of iptables can be checked with:
    iptables -V

iptables contains 3 tables:
- filter table
- nat table
- mangle table

The filter table (to filter packets) contains 3 chains:
- INPUT chain   : used to filter incoming packets
- OUTPUT chain  : used to filter outgoing packets
- FORWARD chain : used to filter forwarded packets (between network cards), in both directions, in and out.

The nat table contains 3 chains:
- PREROUTING chain  : used to change the IP before forwarding takes place
- POSTROUTING chain : used to change the IP after forwarding takes place
- OUTPUT chain

The mangle table contains 4 chains (kernel 2.4.18 and later):
- INPUT chain
- OUTPUT chain
- PREROUTING chain
- POSTROUTING chain

If no table name is specified (tables are selected with -t, for example -t nat --> nat table, -t mangle --> mangle table), the default table used is the filter table.

Policy --> the default target of a chain. Every packet that matches no rule in the chain is handled by the chain's policy.
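The routing decision from the ROUTING section (deliver directly inside 10.1.1.0/24, otherwise hand the packet to the gateway) and the remark that /32 or netmask 255.255.255.255 denotes a single host, worked through in plain POSIX sh. This is an added example, not part of the original notes; the addresses are the notes' own and the gateway address 10.1.1.1 is an assumption, since the notes do not name one.

```shell
#!/bin/sh
# Added example (not from the original notes): decide whether a destination is
# on-link (delivered directly, as 10.1.1.20 -> 10.1.1.15 inside a /24) or
# off-link (handed to the gateway). The gateway 10.1.1.1 used in the demo below
# is an assumption; the other addresses and prefixes come from the notes.

# Dotted quad to 32-bit integer: ip_to_int 10.1.1.20 -> 167837972
# (subshell body so the IFS change does not leak into the caller)
ip_to_int() (
    IFS=.
    set -- $1                       # octets become $1..$4
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer back to dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask as an integer for a prefix length: prefix_mask 24 -> 4294967040
prefix_mask() {
    [ "$1" -ge 0 ] && [ "$1" -le 32 ] || { echo "bad prefix length: $1" >&2; return 1; }
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# Dotted netmask: prefix_to_netmask 32 -> 255.255.255.255 (the single-host case)
prefix_to_netmask() {
    int_to_ip "$(prefix_mask "$1")"
}

# Network an address belongs to: network_of 10.1.1.20 24 -> 10.1.1.0/24
# With /32 the "network" collapses to the host itself: 10.1.1.10 32 -> 10.1.1.10/32
network_of() {
    echo "$(int_to_ip $(( $(ip_to_int "$1") & $(prefix_mask "$2") )))/$2"
}

# Routing decision for one packet: next_hop <local-ip> <prefix> <dest-ip> <gateway>
# Prints "direct" when the destination shares our network, else "via <gateway>".
next_hop() {
    mask=$(prefix_mask "$2") || return 1
    if [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$3") & $mask )) ]; then
        echo direct
    else
        echo "via $4"
    fi
}

# Demo: host 10.1.1.20 on 10.1.1.0/24 with assumed gateway 10.1.1.1.
for dest in 10.1.1.15 10.1.1.254 192.168.1.5 8.8.8.8; do
    printf '%-15s %s\n' "$dest" "$(next_hop 10.1.1.20 24 "$dest" 10.1.1.1)"
done
```

The same functions cover the /27 LAN used later in the notes: `prefix_to_netmask 27` gives 255.255.255.224, and `network_of 10.1.1.5 27` shows which /27 that client belongs to.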
Each chain has a default policy. The policy can be ACCEPT or DROP; by default all chains have the ACCEPT policy.

Meaning of the --ctstate options:
- NEW         : The connection has not yet been seen.
- RELATED     : The connection is new, but is related to another connection already permitted.
- ESTABLISHED : The connection is already established.
- INVALID     : The traffic couldn't be identified for some reason.

Meaning of some -j (jump) targets:
- ACCEPT     : Accept the packet and stop processing rules in this chain.
- REJECT     : Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
- DROP       : Silently ignore the packet, and stop processing rules in this chain.
- LOG        : Log the packet, and continue processing more rules in this chain. Allows the use of the --log-prefix and --log-level options.
- MASQUERADE : This target is only valid in the nat table, in the POSTROUTING chain.
- DNAT       : This target is needed when, for example, a web server is connected to the internet through a firewall/gateway and has a LAN IP.
  Example:
      iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.5
  15.45.23.67 --> public IP, 192.168.1.5 --> web server on the LAN
- SNAT       : Its use is almost the same as masquerade. Where masquerade does not need --to-source, SNAT requires it.
  Example:
      iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155
  eth0 --> internet connection interface with public IP 194.236.50.155

Some tips:
- When you design firewall rules to allow access to your machine and block everything else, take into consideration that traffic goes both ways. If you allow traffic on the INPUT chain but your OUTPUT chain blocks everything, your rule will not work.
  Usually it is good practice, when you protect your machine, to allow everything on OUTPUT (you want to be able to do anything from your machine) and to block everything on INPUT (incoming) for connections that are not initiated from your machine. If your machine runs public services, for example a web server or a mail server, then you must allow connections from outside on INPUT, only on the ports used by those services (for example allow incoming on port 80 - http, port 25 - smtp, port 110 - pop3 and 143 - imap, mail services). So, as a conclusion, when you design your firewall, set your default policy on INPUT to drop all packets and on OUTPUT leave it at the default (ACCEPT), to allow everything. Then design your firewall.
- If your machine is not only connected to the Internet but is also a router for your LAN clients, then you must also filter connections from the LAN. It is recommended to change the policy on the FORWARD chain to DROP and then allow only the IPs you want from the LAN to be able to access the Internet. --> INPUT: DROP, OUTPUT: ACCEPT, FORWARD: DROP

To understand an iptables rule, ask questions about that rule. For example:
    iptables -A FORWARD -o eth1 -p tcp -j ACCEPT
--> the packets entering this chain are only forwarded packets. The questions are, for example: does the packet leave through eth1 (-o eth1)? Is the packet's protocol tcp? If everything matches, the packet is allowed through.

================================================================================
IP MASQUERADING:
A short note: "The MASQUERADE target is used basically the same as the SNAT target, but it does not require any --to-source option. The reason for this is that the MASQUERADE target was made to work with, for example, dial-up connections, or DHCP connections, which gets dynamic IP addresses when connecting to the network in question.
This means that you should only use the MASQUERADE target with dynamically assigned IP connections, which we don't know the actual address of at all times. If you have a static IP connection, you should instead use the SNAT target."

MASQUERADE: this target is only valid in the nat table, in the POSTROUTING chain.

For example, eth1 for the LAN with network 10.1.1.0/27, and eth0 for the connection to the internet with network 192.168.1.0/24:
    iptables -t nat -A POSTROUTING -j MASQUERADE
--> do not leave it like this, or someone from outside can abuse it; the interface (and the network on that interface) must also be specified to limit the scope of MASQUERADE, so it becomes:
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To let only a particular IP access the internet:
    iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.5/32 -j MASQUERADE

Do NOT make your default policy MASQUERADING. Otherwise, someone can manipulate their routing tables to tunnel straight back through your gateway, using it to masquerade their OWN identity!
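The firewall-design tips (INPUT DROP, OUTPUT ACCEPT, FORWARD DROP, public service ports opened on INPUT, only chosen LAN hosts forwarded) and the scoped MASQUERADE rule from this section, put together as one gateway script. This is an added example and not code from the original notes: eth0/eth1, 10.1.1.0/27, 10.1.1.5 and the service ports are the notes' values; the FW_APPLY switch, the dry-run helper and the lint function are this example's own. By default it only prints the iptables commands so the ruleset can be reviewed before anything is touched.

```shell
#!/bin/sh
# Added example, not part of the original notes: build the ruleset the notes
# describe. Default is a dry run that prints the commands; set FW_APPLY=1 and
# run as root to execute them. Interface names, networks, the allowed client
# and the service ports are the notes' values; FW_APPLY and lint_rules are ours.

WAN_IF=${WAN_IF:-eth0}                   # internet-facing interface
LAN_IF=${LAN_IF:-eth1}                   # LAN interface
LAN_NET=${LAN_NET:-10.1.1.0/27}          # LAN network behind this gateway
LAN_ALLOWED=${LAN_ALLOWED:-10.1.1.5/32}  # LAN hosts permitted to reach the internet
SERVICE_PORTS=${SERVICE_PORTS:-"80 25 110 143"}  # http smtp pop3 imap

# Run a command, or only print it in dry-run mode.
run() {
    if [ "${FW_APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}
rule() { run iptables "$@"; }

fw_rules() {
    # Clean slate in every table, then the policies from the notes.
    rule -F; rule -t nat -F; rule -t mangle -F; rule -X
    rule -P INPUT DROP
    rule -P OUTPUT ACCEPT
    rule -P FORWARD DROP

    # INPUT: loopback, replies to connections we started, nothing unidentifiable.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
    # INPUT: only the public services, and only new connections arriving on the WAN side.
    for p in $SERVICE_PORTS; do
        rule -A INPUT -i "$WAN_IF" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done

    # FORWARD: chosen LAN hosts out to the internet, return traffic back in;
    # anything else is logged (rate-limited) and then falls to the DROP policy.
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_ALLOWED" -j ACCEPT
    rule -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: " --log-level 4

    # NAT: masquerade only LAN sources leaving through the WAN interface, never
    # the bare "-A POSTROUTING -j MASQUERADE" form the notes warn against.
    rule -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}

# Lint a printed ruleset read from stdin: report MASQUERADE rules that are not
# tied to an outgoing interface with -o. Exit status 1 if any is found, else 0.
lint_rules() {
    awk '/-j MASQUERADE/ && !/ -o /{ print "unscoped MASQUERADE rule: " $0; bad=1 } END{ exit bad }'
}

# Dry run: print the ruleset, then check it.
fw_rules
fw_rules | lint_rules && echo "lint: every MASQUERADE rule is scoped to an interface"
```

Review the printed output first; the lint step is a cheap guard against re-introducing the unscoped MASQUERADE rule while editing the script. The `sysctl` line belongs to the gateway role: without net.ipv4.ip_forward=1 the FORWARD chain never sees LAN traffic, with or without rules.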