$sudo iptables --help
[sudo] password for user:
Sorry, try again.
[sudo] password for user:
iptables v1.4.3.2

Usage: iptables -[AD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
...
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
$sudo man iptables
|
#iptables -t filter -A -p tcp -s 192.168.102.2 -j REJECT with tcp-reset
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
#iptables -A -p tcp -s 192.168.102.2 -j REJECT with tcp-reset
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
#iptables -A -Ñi eth0.102 - tcp -s 192.168.102.2 -j REJECT with tcp-reset
Bad argument `eth0.102'
Try `iptables -h' or 'iptables --help' for more information.
#iptables -t filter -A -i eth0.102 -p tcp -s 192.168.102.2 -j REJECT with tcp-reset
Bad argument `eth0.102'
Try `iptables -h' or 'iptables --help' for more information.
#iptables -t filter -A -i eth0 -p tcp -s 192.168.102.2 -j REJECT with tcp-reset
Bad argument `eth0'
Try `iptables -h' or 'iptables --help' for more information.
#iptables -t filter -A INPUT -i eth0.102 -p tcp -s 192.168.102.2 -j REJECT
|
#iptables -t filter -D INPUT -i eth0.102 -p tcp -s 192.168.102.2 -j REJECT
|
#iptables -t filter -A FORWARD -i eth0.102 -p tcp -d 192.168.102.2 -j REJECT
|
#iptables -t filter -A FORWARD -i eth0.102 -p tcp -s 192.168.102.2 -j REJECT
|
#iptables -t filter -D FORWARD -i eth0.102 -p tcp -s 192.168.102.2 -j REJECT
|
#iptables-save > /etc/network/iptables
|
#cat /etc/network/iptables
# Generated by iptables-save v1.4.3.2 on Tue Jun 2 14:18:22 2009
*filter
:INPUT ACCEPT [1170:686543]
:FORWARD ACCEPT [18906:9083917]
:OUTPUT ACCEPT [1364:208926]
COMMIT
# Completed on Tue Jun 2 14:18:22 2009
#iptables -t filter -A INPUT -p tcp -j REJECT --reject-with icmp-port-unreachable
|
#nmap -p1-10000 -sS 192.168.102.2
Starting Nmap 4.68 ( http://nmap.org ) at 2009-06-02 14:34 EEST |
#nmap -p1-100 -sS 192.168.102.2
Starting Nmap 4.68 ( http://nmap.org ) at 2009-06-02 14:34 EEST |
#iptables -v --list
Chain INPUT (policy ACCEPT 2363 packets, 1747K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 20693 packets, 9594K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2870 packets, 341K bytes)
 pkts bytes target     prot opt in     out     source               destination
#iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
#!ss
ssh 192.168.102.2
root@192.168.102.2's password:
#mii-tool -F 1000baseTx eth0
Invalid media specification '1000baseTx'. |
#nmap -p1-100 -sS 192.168.102.1
Starting Nmap 4.68 ( http://nmap.org ) at 2009-06-02 14:42 EEST |
#exit
exit
Connection to 192.168.102.2 closed.
$sudo nmap -p1-100 -sF 192.168.102.2
[sudo] password for user:
Starting Nmap 4.68 ( http://nmap.org ) at 2009-06-02 14:44 EEST
All 100 scanned ports on 192.168.102.2 are open|filtered (66) or filtered (34)
MAC Address: 00:04:76:A0:A9:12 (3 Com)

Nmap done: 1 IP address (1 host up) scanned in 28.875 seconds
$sudo mii-
mii-diag mii-tool |
$sudo mii-tool
eth0: negotiated, link ok |
$sudo mii-tool eth0
eth0: negotiated, link ok |
$sudo mii-tool
eth0: negotiated, link ok |
$sudo mii-tool --help
usage: mii-tool [-VvRrwl] [-A media,... | -F media] [interface ...]
       -V, --version               display version information
       -v, --verbose               more verbose output
       -R, --reset                 reset MII to poweron state
       -r, --restart               restart autonegotiation
       -w, --watch                 monitor for link status changes
       -l, --log                   with -w, write events to syslog
       -A, --advertise=media,...   advertise only specified media
       -F, --force=media           force specified media technology

media: 1000baseTx-HD, 1000baseTx-FD,
       100baseT4, 100baseTx-FD, 100baseTx-HD,
       10baseT-FD, 10baseT-HD,
       (to advertise both HD and FD) 1000baseTx, 100baseTx, 10baseT
$sudo mii-tool -A eth0
Invalid media specification 'eth0'. |
$sudo mii-tool -A
mii-tool: option requires an argument -- 'A'
usage: mii-tool [-VvRrwl] [-A media,... | -F media] [interface ...]
       -V, --version               display version information
       -v, --verbose               more verbose output
       -R, --reset                 reset MII to poweron state
       -r, --restart               restart autonegotiation
       -w, --watch                 monitor for link status changes
       -l, --log                   with -w, write events to syslog
       -A, --advertise=media,...   advertise only specified media
       -F, --force=media           force specified media technology

media: 1000baseTx-HD, 1000baseTx-FD,
       100baseT4, 100baseTx-FD, 100baseTx-HD,
       10baseT-FD, 10baseT-HD,
       (to advertise both HD and FD) 1000baseTx, 100baseTx, 10baseT
$sudo mii-tool eth0 -A
mii-tool: option requires an argument -- 'A'
usage: mii-tool [-VvRrwl] [-A media,... | -F media] [interface ...]
       -V, --version               display version information
       -v, --verbose               more verbose output
       -R, --reset                 reset MII to poweron state
       -r, --restart               restart autonegotiation
       -w, --watch                 monitor for link status changes
       -l, --log                   with -w, write events to syslog
       -A, --advertise=media,...   advertise only specified media
       -F, --force=media           force specified media technology

media: 1000baseTx-HD, 1000baseTx-FD,
       100baseT4, 100baseTx-FD, 100baseTx-HD,
       10baseT-FD, 10baseT-HD,
       (to advertise both HD and FD) 1000baseTx, 100baseTx, 10baseT
$sudo mii-tool -F 1000baseTx-FD eth0
Invalid media specification '1000baseTx-FD'. |
$sudo mii-tool -F 1000baseTx eth0
Invalid media specification '1000baseTx'. |
#mii-tool -F 100baseTx eth0
usage: mii-tool [-VvRrwl] [-A media,... | -F media] [interface ...]
       -V, --version               display version information
       -v, --verbose               more verbose output
       -R, --reset                 reset MII to poweron state
       -r, --restart               restart autonegotiation
       -w, --watch                 monitor for link status changes
       -l, --log                   with -w, write events to syslog
       -A, --advertise=media,...   advertise only specified media
       -F, --force=media           force specified media technology

media: 1000baseTx-HD, 1000baseTx-FD,
       100baseT4, 100baseTx-FD, 100baseTx-HD,
       10baseT-FD, 10baseT-HD,
       (to advertise both HD and FD) 1000baseTx, 100baseTx, 10baseT
#mii-tool -R eth0
resetting the transceiver... |
#mii-tool -v eth0
eth0: 10 Mbit, half duplex, link ok
  product info: vendor 00:aa:00, model 56 rev 0
  basic mode:   10 Mbit, half duplex
  basic status: link ok
  capabilities: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
#ethtool -s eth0 speed 100 autoneg on duplex full
|
#mii-tool -v eth0
eth0: negotiated 100baseTx-FD, link ok
  product info: vendor 00:aa:00, model 56 rev 0
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD flow-control
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
#ethtool -s eth0 speed 1000 autoneg on duplex full
|
#mii-tool -v eth0
eth0: negotiated, link ok
  product info: vendor 00:aa:00, model 56 rev 0
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  flow-control
  link partner: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
#mii-tool -v eth0
eth0: negotiated 100baseTx-FD, link ok
  product info: vendor 00:aa:00, model 56 rev 0
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD flow-control
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
#!ss
ssh 192.168.102.2
root@192.168.102.2's password:
Linux linux4 2.6.29-2-686 #1 SMP Sun May 17 17:56:29 UTC 2009 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jun 2 14:41:42 2009 from 192.168.102.1
l3-agent is already running: pid=10426; pidfile=/root/.lilalo/l3-agent.pid
#exit
exit
Connection to 192.168.102.2 closed.
#iptables -v --list
Chain INPUT (policy ACCEPT 2713 packets, 1891K bytes)
 pkts bytes target     prot opt in     out     source               destination
  630  121K ACCEPT     all  --  any    any     anywhere             anywhere            ctstate RELATED,ESTABLISHED
   13   548 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
 7247  299K REJECT     tcp  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 29738 packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4585 packets, 485K bytes)
 pkts bytes target     prot opt in     out     source               destination
#nmap -T4 -p1-1000 -sS 192.168.102.2
Starting Nmap 4.68 ( http://nmap.org ) at 2009-06-02 15:01 EEST
Interesting ports on 192.168.102.2:
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:04:76:A0:A9:12 (3 Com)

Nmap done: 1 IP address (1 host up) scanned in 4.540 seconds
#iptables-save > /etc/network/iptables
|
#vi /etc/network/iptables
|
#~
*filter
:INPUT ACCEPT [2715:1891490]
:FORWARD ACCEPT [35447:12261582]
--tcp-reset --reject-with icmp-port-unreachable
:OUTPUT ACCEPT [7570:979239]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
~
~
...
~
"/etc/network/iptables" 10L, 395C written
|