@morteza-mori
Created July 3, 2017 07:28
nast
NAST
Find all hosts on the LAN using ARP:
nast -m
Find suitable internet gateway:
nast -i INTERFACE -g
Reset connection:
nast -i INTERFACE -r
See specific traffic:
nast -i INTERFACE -f "src 192.168.1.2"
Check for ARP poisoning on the LAN, then compare against the local ARP cache:
nast -c -B
arp -an
@morteza-mori (Author) commented:
Limit SSH logins (iptables)
iptables -N rate-limit
iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN
iptables -A rate-limit -j DROP
iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit
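The rate-limit chain above fails with "Chain already exists" and stacks duplicate INPUT jumps if the commands are re-run. This added shell function (not the gist author's code) applies the same rules idempotently by checking the chain with `-S` and the jump with `-C` first; the `IPTABLES` variable is an assumption so the logic can be exercised with a stub instead of the real binary.

```shell
#!/bin/sh
# Idempotent version of the SSH rate-limit rules (added example, not from the gist).
# IPTABLES may be overridden with a stub command for a dry run; default is the real binary.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="rate-limit"
SSH_PORT="${SSH_PORT:-22}"

# True if the user-defined chain exists: `iptables -S <chain>` exits non-zero on a missing chain.
chain_exists() {
    "$IPTABLES" -S "$1" >/dev/null 2>&1
}

# True if the INPUT jump into the chain is already present (`-C` checks for a rule).
input_jump_exists() {
    "$IPTABLES" -C INPUT -p tcp --dport "$SSH_PORT" -j "$CHAIN" >/dev/null 2>&1
}

apply_ssh_rate_limit() {
    if ! chain_exists "$CHAIN"; then
        "$IPTABLES" -N "$CHAIN"
        # Let 3 new connections per minute (burst 3) return to INPUT; drop everything beyond that.
        "$IPTABLES" -A "$CHAIN" -p tcp -m conntrack --ctstate NEW \
            -m limit --limit 3/min --limit-burst 3 -j RETURN
        "$IPTABLES" -A "$CHAIN" -j DROP
    fi
    if ! input_jump_exists; then
        "$IPTABLES" -I INPUT 1 -p tcp --dport "$SSH_PORT" -j "$CHAIN"
    fi
}
```

Run `apply_ssh_rate_limit` as root; to preview the commands without touching the firewall, point `IPTABLES` at a shell function that echoes its arguments.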

@morteza-mori (Author) commented:
NAT (iptables)
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
If it succeeds, make it persistent:
nano /etc/sysctl.conf → edit net.ipv4.ip_forward = 0 to 1
Remove all chains:
iptables --delete-chain

@morteza-mori (Author) commented:
Iptables
Ex: sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
-D chain rule → Delete rule
-A chain rule → Append this rule to a rule chain. Valid chains for what we're doing are INPUT, FORWARD and OUTPUT
-j → Jump to the specified target. By default, iptables allows four targets:
  ACCEPT → Accept the packet and stop processing rules in this chain.
  REJECT → Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
  DROP → Silently ignore the packet, and stop processing rules in this chain.
  LOG → Log the packet, and continue processing more rules in this chain. Allows the use of the --log-prefix and --log-level options.
-I chain rule → Insert
-R chain number rule → Replace
-t table → Table
-S → List rules
-X → Delete chain
-L → List all
-N chain → New chain
-P chain target → Policy
Block Ping:
iptables -A OUTPUT -p icmp -j REJECT
iptables -A INPUT -p icmp -j REJECT
Block SSH port:
iptables -A INPUT -s 217.61.158.248 -p tcp --dport 22 -j DROP
LOG:
iptables -A OUTPUT -p icmp -j LOG --log-prefix "PING:> "
Saves the record in /var/log/messages with “PING:>”
Flush:
iptables -F [CHAIN] or --flush [CHAIN]
Accept new connections from inside:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[Options]
-m name → Match
-p protocol → Can use all instead of protocol
--sport port:[range port] → Source port & range
--dport port:[range port] → Destination port & range
-s address[/mask] → Source address
-d address[/mask] → Destination address
-i interface → JUST FOR INPUT
-o interface → JUST FOR OUTPUT
-m state --state state → State can be INVALID, NEW, ESTABLISHED, RELATED
-j target → Jump, tells iptables what to do
-g chain → Go to chain