Iptables and Network Management
Tcpdump

Capturing packet on interface eth1 with capture name and network + CIDR or host IP + port:
tcpdump -i eth1 -c 10000 -s0 -w /tmp/trace_file_name_20110812173738.pcap tcp and net 10.0.1.0/24 or host 10.0.0.12 and port 80 tcpdump -i eth1 -c 10000 -s0 -w /tmp/trace_$(hostname)_$(date +%Y-%m-%d).pcap tcp and host \(10.0.0.22 or 192.168.0.22 etc... \) tcpdump -i eth1 -c 10000 -s0 -w /tmp/trace_$(hostname)_$(date +%Y-%m-%d).pcap tcp and host 10.0.0.20 and \(port 443 or 8080 or etc...\) Capturing packets simple way:
tcpdump -s0 -v -i eth0 -w output-file tcpkill --arg --int --host Remotely tcpdump all traffic except ssh on port 22:
ssh root@ -- "tcpdump -w - -s 65535 'not port 22' > capture.pcap


Network

Setup Default Gateway with route:
route add default gw {IP-ADDRESS} {INTERFACE-NAME} route add default gw 10.0.0.254 Or:
ip route add 192.168.1.0/24 via 192.168.1.254 Delete a default route and default Gateway:
route del 0.0.0.0 gw 10.0.0.254 Show Kernel Routing Table:
route -n

Information on IP and Physical Links, on IP Routes and on ARP Routing Table:
ip link ip route arp -a ip addr show eth0 ifconfig eth0 Query a DNS Server for FQDN Info (dns-tools):
dig @ip_address dig fqdn.tld


Iptables

ip=IP_ADDRESS_TO_BLOCK_1 IP_ADDRESS_TO_BLOCK_2 IP_ADDRESS_TO_BLOCK_3 echo iptables -A INPUT -s $ip -j DROP && iptables -A OUTPUT -d $ip -j DROP iptables -nvL --line-numbers iptables-save > /etc/iptables.conf iptables-restore < /etc/iptables.conf Syntax examples:
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j f2b-nginx-http-auth iptables -A INPUT -p tcp -m multiport --dports 80,443 -j f2b-wordpress iptables -A INPUT -p tcp -m multiport --dports 9922 -j f2b-sshd iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 9922 -j ACCEPT iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT iptables -A INPUT -j DROP iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --dport 9922 -j ACCEPT iptables -A OUTPUT -j DROP Isolate a Web Server from the network:
iptables -A INPUT -p tcp --dport 80 -j REJECT iptables -I INPUT 1 -p tcp --dport 80 -s LOAD_BALANCER_IP -j ACCEPT iptables -I INPUT 1 <== 1 = First Line on every Rules iptables -D INPUT 1 Make rules persistent at reboot:
iptables-save > /etc/iptables.conf Then edit /etc/rc.local as root and add the following:
# Load iptables rules from config file iptables-restore < /etc/iptables.conf

Create a basic Web server firewall, we'll accept established, server initiated connections, legitimate traffic on Web and SSH ports and after we will deny all the other kinds of traffic:
iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT iptables -A INPUT -j DROP Fun and DANGEROUS !: for s in$(cat /logs/main_access.log |grep -i 401 | grep -v pingdom \ grep -v IP_ADDRESS | cut -f 1 -d ''-''); do iptables -A INPUT -s $s -j DROP; done for s in$(cat main_access.log |grep POST |grep -v ciro | grep -v pingdom \ | cut -f 1 -d ''-''); do do iptables -A INPUT -s $s -j DROP; done