WEBVTT

00:01.330 --> 00:03.020
Hello and welcome back.

00:03.430 --> 00:11.350
In this lesson, we'll talk about iptables options, flags or switches. These options specify the

00:11.350 --> 00:19.240
desired action to perform, and only one of them can be specified on the command line unless otherwise

00:19.240 --> 00:19.900
stated.

00:20.470 --> 00:25.540
Also note that all of these options are written in uppercase letters.

00:26.960 --> 00:35.030
Let's see what options are available. -A means append the rule to the end of the selected chain.

00:35.750 --> 00:37.550
Let's look at an example.

00:40.480 --> 00:49.420
I'll append a rule to the output chain that drops incoming traffic to port 25, so it's SMTP traffic.

00:51.460 --> 00:59.540
iptables: it's not necessary to specify the table, it's by default the filter table, so I don't

00:59.540 --> 01:01.070
write -t filter.

01:01.510 --> 01:11.530
I could write it if I want. -A, the name of the chain, INPUT, -p tcp, TCP traffic, --dport

01:11.890 --> 01:12.850
25.

01:13.390 --> 01:17.230
The packets are going to port 25. -j DROP.

01:18.630 --> 01:25.110
Before hitting the enter key, I want to test that port 25 is open.

01:26.300 --> 01:35.420
From another Linux machine, I'll scan that port and I'm going to use nmap. nmap -p, the

01:35.430 --> 01:41.480
port 25 and the IP address of the Linux machine that I am scanning.

01:45.010 --> 01:51.280
By the way, you could simply install nmap by writing apt-get install nmap.

01:54.220 --> 01:58.060
And we notice that port 25 is open.

01:59.840 --> 02:05.410
And I'm adding the iptables rule. I'm scanning the port again.

02:06.530 --> 02:14.090
And the port is filtered. This iptables rule has dropped the packets to port 25.

02:16.370 --> 02:26.570
Let's add another rule that blocks incoming traffic to port 80: iptables -A INPUT -p tcp

02:27.890 --> 02:31.880
--dport 80 -j DROP.

02:34.350 --> 02:38.910
And I'm also installing a Web server to test it, right?

02:43.400 --> 02:46.530
It's very easy to install a Web server on Ubuntu.

02:48.610 --> 02:50.650
I'm installing the Apache Web server.

02:57.780 --> 03:02.130
From the other Linux operating system, I'm going to scan Port 80.

03:06.570 --> 03:13.230
The port is filtered, and if I list the firewall, I'll see a lot of matched and dropped packets.

03:17.080 --> 03:19.090
Each one has dropped two packets.

03:21.100 --> 03:30.070
Another important option is -I. -I inserts one or more rules in the selected chain on a specific

03:30.070 --> 03:34.900
position or on top or position one if no position is given.

03:35.290 --> 03:37.300
Let's look at an example.

03:39.240 --> 03:48.120
I want to drop incoming traffic to port UDP 69, which is TFTP, the Trivial File Transfer Protocol.

03:51.370 --> 04:03.460
Instead of -A, I'll use -I. The chain is INPUT, -p, the protocol is UDP, and the destination

04:03.460 --> 04:05.800
port is 69.

04:08.020 --> 04:09.450
-j DROP.

04:12.010 --> 04:14.410
Now I am listing the firewall.

04:18.110 --> 04:23.610
We see that the last rule has been added on top of the input chain.

04:24.710 --> 04:32.240
Now that rule is the first rule in the chain and this is very important because the rules are traversed

04:32.240 --> 04:33.110
in order.

04:34.750 --> 04:42.190
If I want to add it on a specific position, for example, on the second position, I can simply specify

04:42.190 --> 04:44.920
the position after the name of the chain.

04:46.060 --> 04:46.810
Like this.

04:48.930 --> 04:54.060
I'll insert this rule on position three, on the third position,

04:57.270 --> 04:59.770
and the rule is on the third position.

05:01.110 --> 05:06.930
Let's suppose I've changed my mind and I want to accept all traffic to port 80.

05:07.320 --> 05:13.050
Remember that I've already added a rule that drops traffic to port 80.

05:15.100 --> 05:22.870
I'm running the same iptables command, just that instead of -A, I'll use -I.

05:26.720 --> 05:28.100
OK, this is Darren.

05:29.630 --> 05:31.490
I'm using -I.

05:34.590 --> 05:38.910
And instead of DROP, I'm using ACCEPT.

05:41.960 --> 05:49.340
Instead of appending the rule to the end of the chain, the rule will be added on top of the chain on

05:49.340 --> 05:50.300
first position.

05:56.090 --> 05:59.840
We see the rule on the first position on the INPUT chain.

06:01.250 --> 06:08.240
Pause the video for 30 seconds and think about what will happen. Will the traffic to port 80

06:08.240 --> 06:10.010
be dropped or accepted?

06:12.060 --> 06:15.600
Let's test it using the browser from another machine.

06:22.010 --> 06:24.950
I'm writing the IP address of Linux on.

06:30.750 --> 06:38.490
And we see that the port is open. We could connect to port 80 and the page loaded successfully.

06:40.480 --> 06:48.630
When I've added the rule using -I, the rule became the first rule in the chain and the rules are

06:48.630 --> 06:57.100
traversed in order, top to bottom. When a packet is arriving to port 80, the first rule will match the packet

06:57.100 --> 06:58.150
and accepts it.

06:58.720 --> 07:06.910
ACCEPT is a terminating target, and that means that the packet is accepted and no other rule will

07:06.910 --> 07:08.060
check the packet.

07:09.130 --> 07:17.740
So in fact, here, the rule that drops incoming packets to port 80 will never be evaluated.

07:18.160 --> 07:20.860
That's why the packets were accepted.

07:21.070 --> 07:26.620
And this is an example of why the order of the rules is so important.
