Show the IP address of a network interface (eth1 here):
ifconfig eth1 | awk -F ":" '/inet addr/{split($2, a," ");print a[1]}'


See whether anyone is pinging our machine:
sudo tcpdump -i eth0 'proto \icmp'
BiOS: internet-cafe (warnet) billing software for Linux
Refresh your understanding:
10.1.1.0/24 is a network, but 10.1.1.10/32, or 10.1.1.10 with netmask 255.255.255.255, denotes a single host.
To change the IP of an interface (eth0, eth1, etc.), first bring the interface down:
sudo ifconfig eth0 down
================================================================================
ROUTING:
Take the network 10.1.1.0/24.
If one host (say 10.1.1.20) wants to communicate with another host (say 10.1.1.15), the packet is sent directly from 10.1.1.20 to 10.1.1.15. But if the destination of a packet from 10.1.1.20 is a host outside the network 10.1.1.0/24, a gateway is required.
================================================================================
IPTABLES:
The version of iptables may be checked with iptables -V
iptables contains 3 tables:
- filter table
- nat table
- mangle table
filter table (to filter packets) contains 3 chains:
- INPUT chain : used to filter incoming packets
- OUTPUT chain : used to filter outgoing packets
- FORWARD chain : used to filter forwarded packets (between network cards), in both directions, in and out.
nat table contains 3 chains:
- PREROUTING chain : used to change IP before forwarding takes place
- POSTROUTING chain : used to change IP after forwarding takes place
- OUTPUT chain
mangle table contains 4 chains (kernel 2.4.18 and later):
- INPUT chain
- OUTPUT chain
- PREROUTING chain
- POSTROUTING chain
If no table name is specified (tables are selected with -t, for example -t nat --> nat table, -t mangle --> mangle table), the filter table is used by default.
Policy --> the default target of a chain. All packets that don't match any rule in the chain are handled according to the chain's policy.
Each chain has a default policy. The policy can be ACCEPT or DROP; by default every chain has an ACCEPT policy.
Meaning of the --ctstate options:
- NEW : The connection has not yet been seen.
- RELATED : The connection is new, but is related to another connection already permitted.
- ESTABLISHED : The connection is already established.
- INVALID : The traffic couldn't be identified for some reason.
Meaning of some -j (jump) targets:
- ACCEPT : Accept the packet and stop processing rules in this chain.
- REJECT : Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
- DROP : Silently ignore the packet, and stop processing rules in this chain.
- LOG : Log the packet, and continue processing more rules in this chain. Allows the use of the --log-prefix and --log-level options.
- MASQUERADE : This target is only valid in the nat table, in the POSTROUTING chain.
- DNAT : This target is needed when, for example, a web server is connected to the Internet through a firewall/gateway and has a LAN IP.
Example: iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.5
15.45.23.67 --> public IP, 192.168.1.5 --> web server on the LAN
- SNAT : Serves almost the same purpose as MASQUERADE. Where MASQUERADE does not need --to-source, SNAT requires it.
Example: iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155
eth0 --> Internet connection interface with public IP 194.236.50.155
Some tips:
- When you design firewall rules to allow access to your machine and block everything else, take into consideration that traffic goes both ways. If you allow traffic on the INPUT chain but your OUTPUT chain blocks everything, your rule will not work. Usually it is good practice, when you protect your machine, to allow everything on OUTPUT (you want to be able to do anything from your machine) and to block everything on INPUT (incoming) for connections that are not initiated from your machine. If your machine runs public services, for example a web server or a mail server, then you must allow connections from outside on INPUT, but only on the ports used by those services (for example allow incoming on port 80 - http; port 25 - smtp, port 110 - pop3 and port 143 - imap for mail services). So, in conclusion, when you design your firewall, set your default policy on INPUT to drop all packets and leave OUTPUT at its default (ACCEPT) to allow everything. Then design your firewall rules.
- If your machine is not only connected to the Internet but is also a router for your LAN clients, then you must also filter connections from the LAN. It is recommended to change the policy on the FORWARD chain to DROP and then allow only the IPs you want from the LAN to be able to access the Internet. --> INPUT: DROP, OUTPUT: ACCEPT, FORWARD: DROP
To understand an iptables rule, ask a series of questions about the rule, for example:
iptables -A FORWARD -o eth1 -p tcp -j ACCEPT --> this means the packets entering this chain are only forwarded packets. The questions are, for example: does the packet pass through eth1? Is the packet's protocol TCP? If all of them are true (all match), the packet is allowed through.
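The "series of questions" reading above can be made concrete. The script below is an added example, not part of the original notes: a toy evaluator that turns each rule option into one yes/no question about a packet and then walks a chain with iptables' own semantics (the first matching terminating target wins, a LOG match continues, and the chain policy decides when nothing matched). The packet descriptions, the sample FORWARD chain and the helper names (pkt_field, in_net, rule_matches, walk_chain, forward_verdict) are constructed for this example; it does not touch the kernel.

```shell
#!/bin/sh
# Added example, not from the original notes: evaluate packets against a chain of
# iptables-style rules by asking the rule's questions one by one. Constructed toy;
# packets are "key=value" strings (in, out, proto, src, dst, dport, state).

# pkt_field "<packet>" key -> prints the value of key=value in the packet description
pkt_field() {
    for kv in $1; do
        case "$kv" in "$2="*) printf '%s\n' "${kv#*=}"; return 0 ;; esac
    done
    return 1
}

# in_net ip network[/prefix] -> 0 if ip lies inside the network (no prefix means /32)
in_net() {
    awk -v ip="$1" -v net="$2" '
        function toint(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        BEGIN {
            n = split(net, c, "/"); bits = (n == 2) ? c[2] : 32
            block = 2 ^ (32 - bits)                  # number of addresses in the network
            if (int(toint(c[1]) / block) == int(toint(ip) / block)) exit 0
            exit 1
        }'
}

# rule_matches "<packet>" "<rule options>" -> 0 when every question answers yes
rule_matches() {
    rpkt=$1
    set -- $2
    while [ $# -gt 0 ]; do
        case "$1" in
            -i) [ "$(pkt_field "$rpkt" in)" = "$2" ] || return 1 ;;       # came in on this interface?
            -o) [ "$(pkt_field "$rpkt" out)" = "$2" ] || return 1 ;;      # going out on this interface?
            -p) [ "$(pkt_field "$rpkt" proto)" = "$2" ] || return 1 ;;    # this protocol?
            -s) v=$(pkt_field "$rpkt" src) && in_net "$v" "$2" || return 1 ;;   # source in this network?
            -d) v=$(pkt_field "$rpkt" dst) && in_net "$v" "$2" || return 1 ;;   # destination in this network?
            --dport) [ "$(pkt_field "$rpkt" dport)" = "$2" ] || return 1 ;; # this destination port?
            --ctstate) v=$(pkt_field "$rpkt" state); case ",$2," in *",$v,"*) ;; *) return 1 ;; esac ;;
            -m|-j|--log-prefix|--log-level) ;;   # extension name, target and LOG options ask nothing
            *) printf 'unsupported option: %s\n' "$1" >&2; return 2 ;;
        esac
        shift 2
    done
    return 0
}

# walk_chain "<packet>" POLICY, rules on stdin (one per line, each ending in "-j TARGET")
# -> prints the verdict for the packet
walk_chain() {
    wpkt=$1; policy=$2
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        target=${rule##*-j }; target=${target%% *}
        if rule_matches "$wpkt" "$rule"; then
            case "$target" in
                LOG) printf 'LOG: %s\n' "$wpkt" >&2 ;;     # non-terminating: keep walking the chain
                *)   printf '%s\n' "$target"; return 0 ;;  # ACCEPT/DROP/REJECT end the walk
            esac
        fi
    done
    printf '%s\n' "$policy"                                # nothing matched: the policy applies
}

# Constructed sample FORWARD chain with policy DROP, built around the notes' rule
# "-o eth1 -p tcp -j ACCEPT".
FORWARD_RULES='-i eth0 -o eth1 -j LOG --log-prefix FWD:
-s 10.1.1.3 -o eth1 -j REJECT
-o eth1 -p tcp -j ACCEPT
-o eth1 -p udp --dport 53 -j ACCEPT'

forward_verdict() {   # forward_verdict "<packet>" -> ACCEPT, REJECT or DROP
    printf '%s\n' "$FORWARD_RULES" | walk_chain "$1" DROP
}

forward_verdict 'in=eth0 out=eth1 proto=tcp src=10.1.1.20 dst=10.1.1.15 dport=80'   # ACCEPT
forward_verdict 'in=eth0 out=eth1 proto=udp src=10.1.1.20 dst=10.1.1.15 dport=123'  # DROP
```

Reading the first sample packet through the chain: the LOG rule matches (in on eth0, out on eth1) and is logged but does not decide; the REJECT rule fails its source question; the notes' rule answers yes to both of its questions, so the verdict is ACCEPT. The UDP packet to port 123 answers no to every terminating rule and falls through to the DROP policy.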
================================================================================
IP MASQUERADING:
A short note: "The MASQUERADE target is used basically the same as the SNAT target, but it does not require any --to-source option. The reason for this is that the MASQUERADE target was made to work with, for example, dial-up connections, or DHCP connections, which get dynamic IP addresses when connecting to the network in question. This means that you should only use the MASQUERADE target with dynamically assigned IP connections, which we don't know the actual address of at all times. If you have a static IP connection, you should instead use the SNAT target."
MASQUERADE, this target is only valid in the nat table, in the POSTROUTING chain.
For example: eth1 for the LAN with network 10.1.1.0/27, eth0 for the Internet connection with network 192.168.1.0/24.
iptables -t nat -A POSTROUTING -j MASQUERADE --> do not leave it like this, or it can be abused by outsiders; the interface, and the network on that interface, must also be specified (to limit the scope of MASQUERADE), so it becomes:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
To allow only specific IPs to access the Internet:
iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.5/32 -j MASQUERADE
Do NOT make your default policy: MASQUERADING. Otherwise, someone can manipulate their routing tables to tunnel straight back through your gateway, using it to masquerade their OWN identity!
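The firewall tips (INPUT: DROP, OUTPUT: ACCEPT, FORWARD: DROP, only service ports open from outside) and the masquerading notes above fit together in one gateway script. The script below is an added example, not part of the original notes: it applies that policy and restricts MASQUERADE to the Internet-facing interface and the LAN network instead of a bare "-A POSTROUTING -j MASQUERADE". The interface names (eth0, eth1), the networks, the allowed LAN host 10.1.1.5/32 and the service ports are assumptions taken from the notes' own examples; by default the iptables commands are only printed so the ruleset can be reviewed, and APPLY=1 (as root) installs them.

```shell
#!/bin/sh
# Added example, not part of the original notes: gateway firewall following the
# notes' policy (INPUT DROP, OUTPUT ACCEPT, FORWARD DROP) with MASQUERADE limited
# to the WAN interface and the LAN network. Names and addresses are assumptions.
# By default the commands are printed (preview); APPLY=1 applies them with iptables.

WAN_IF=${WAN_IF:-eth0}                      # interface with the public / dynamic IP
LAN_IF=${LAN_IF:-eth1}                      # interface facing the LAN
LAN_NET=${LAN_NET:-10.1.1.0/27}             # LAN network behind the gateway
LAN_ALLOWED=${LAN_ALLOWED:-10.1.1.5/32}     # LAN hosts permitted to reach the Internet
SERVICE_PORTS=${SERVICE_PORTS:-"80 25 110 143"}  # public services on the gateway itself

if [ "${APPLY:-0}" = 1 ]; then
    ipt() { iptables "$@"; }
else
    ipt() { printf 'iptables %s\n' "$*"; }   # preview mode: print instead of applying
fi

apply_firewall() {
    # Start from a clean slate, then set the default policies from the notes.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP

    # Loopback, plus replies to connections this machine initiated (ESTABLISHED/RELATED).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Public services: only NEW connections to the listed ports are accepted from outside.
    for port in $SERVICE_PORTS; do
        ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # LOG is non-terminating: whatever reaches here is logged and then hits the DROP policy.
    ipt -A INPUT -j LOG --log-prefix "INPUT-DROP: " --log-level 4

    # FORWARD: only the allowed LAN hosts may go out; only replies to them come back in.
    for host in $LAN_ALLOWED; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$host" -j ACCEPT
    done
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # NAT: masquerade only packets from the LAN network leaving on the WAN interface,
    # never every packet that passes POSTROUTING.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

apply_firewall
```

Running the script without APPLY=1 lists every rule it would install, which is the moment to check that no POSTROUTING rule masquerades without an interface and a source network, and that the only open INPUT ports are the service ports you meant to publish.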
