[IPTABLES][CONNTRACK] Close the door!
Let's say you have a local network with server 192.168.1.1 and client 192.168.1.2, and normally they can ping each other.
--- server to client ---
[srv@telegram ~]# fping 192.168.1.2
192.168.1.2 is alive
[srv@telegram ~]#
--- client to server ---
[clt@telegram ~]# fping 192.168.1.1
192.168.1.1 is alive
[clt@telegram ~]#
This is your precious server and, for some reason, you want to prohibit the communication from client to server.
You may try with:
[srv@telegram ~]# iptables -A INPUT --src 192.168.1.2 -j DROP
If the client tries to ping you now:
[clt@telegram ~]# fping 192.168.1.1
192.168.1.1 is unreachable
But what is the effect on the server?
[srv@telegram ~]# fping 192.168.1.2
192.168.1.2 is unreachable
Why can the server no longer reach the client if we only closed the incoming traffic (INPUT) from client to server? Note that, in contrast with the previous post, you do not get ping: sendmsg: Operation not permitted. What happens here is that the server sends the echo request to the client, and the client receives it (unless, of course, it has firewall rules of its own). But when the client replies, the echo reply is dropped by the firewall rule you inserted above, because it is an incoming packet from 192.168.1.2. To block communication that the client initiates, while still allowing the server to initiate communication to the client, you must use the connection tracking feature of Netfilter. In iptables you do it with the state match module. Flush your firewall rules and try:
[srv@telegram ~]# iptables -F
[srv@telegram ~]# iptables -A INPUT -m state --src 192.168.1.2 --state NEW -j DROP
And now on the client:
[clt@telegram ~]# fping 192.168.1.1
192.168.1.1 is unreachable
And on the server:
[srv@telegram ~]# fping 192.168.1.2
192.168.1.2 is alive
We can read the second iptables rule as: drop incoming traffic from 192.168.1.2 if it is new traffic (that is, a packet that does not belong to any flow the server kernel has already seen). So when you start a ping from the server to the client, the kernel tracks the flow opened by fping and recognises the incoming packet from 192.168.1.2 (an echo reply) as belonging to the echo request you sent.
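As an added example (not part of the original post), here is the same policy written as an iptables-restore file generated by a small shell script, so the whole ruleset can be reviewed and syntax-checked before it is loaded. It uses the post's addresses (192.168.1.2 as the client); the function names, the use of -m conntrack --ctstate (the current spelling of the post's -m state --state, matching the same conntrack states) and the extra ESTABLISHED,RELATED rule are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the LinuxCheatSheet post.
# Generates the two rulesets discussed in the post in iptables-restore
# format so they can be diffed, reviewed and parsed without touching the
# running firewall. CLIENT address comes from the post; everything else
# (function names, the ESTABLISHED,RELATED rule) is an assumption here.

# The first attempt: every packet from the client is dropped, including
# the echo replies to pings the server itself sent.
naive_ruleset() {
    client="$1"
    printf '%s\n' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        "-A INPUT -s $client -j DROP" \
        'COMMIT'
}

# The stateful version. "-m conntrack --ctstate" is the newer spelling
# of the post's "-m state --state"; both consult the same conntrack table.
# Accepting ESTABLISHED,RELATED first keeps replies flowing even if the
# INPUT policy is later changed from ACCEPT to DROP.
stateful_ruleset() {
    client="$1"
    printf '%s\n' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '# packets that belong to a flow this host started (e.g. echo replies)' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '# the first packet of any flow the client tries to open is dropped' \
        "-A INPUT -s $client -m conntrack --ctstate NEW -j DROP" \
        'COMMIT'
}

# Count the rules (-A lines) in a ruleset read from stdin.
rule_count() {
    grep -c '^-A '
}

# Parse a ruleset read from stdin with iptables-restore --test, which only
# checks the syntax and does not commit anything. Returns 2 when
# iptables-restore is not installed on this machine.
check_ruleset() {
    if ! command -v iptables-restore >/dev/null 2>&1; then
        return 2
    fi
    iptables-restore --test
}

# Usage on the server (as root): review, syntax-check, then load.
#   stateful_ruleset 192.168.1.2
#   stateful_ruleset 192.168.1.2 | check_ruleset
#   stateful_ruleset 192.168.1.2 | iptables-restore
# While a ping from the server is running, the tracked ICMP flow can be
# seen with: conntrack -L -p icmp   (from conntrack-tools)
```

With the default INPUT policy still ACCEPT, the post's single NEW/DROP rule is enough, which is why the ESTABLISHED,RELATED line above is optional in this scenario; it becomes mandatory as soon as the policy is switched to DROP, because conntrack only classifies packets, it does not accept them by itself.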

iptables has a lot of match modules that can help you with different tasks; have a look at man iptables-extensions for more information.

If you like it please vote the post and share the channel with your friends: http://t.me/linuxcheatsheet
Bye!
G.