WEBVTT

00:01.010 --> 00:08.120
Until this point in the course, we've written all iptables rules directly at the console, and they

00:08.120 --> 00:09.770
were loaded into RAM.

00:10.790 --> 00:17.590
If we have a firewall with many, many rules, it's much easier to write all these rules in a script,

00:17.900 --> 00:21.410
make that script executable and then run it.

00:23.260 --> 00:30.250
But if we just want a simple rule that drops the traffic from a specific IP address or allows a specific

00:30.250 --> 00:37.710
service to communicate with the outside world, we can simply write that rule at the Linux terminal.

00:38.830 --> 00:47.680
Let's see some live examples. If I want to write an iptables rule at the Linux terminal, I simply

00:47.680 --> 00:58.090
write the rule, which is: iptables -A INPUT -p icmp -j DROP, and press Enter.

00:58.450 --> 01:03.050
The rule drops all incoming ICMP traffic to this Linux machine.

01:04.240 --> 01:11.890
It's important to note that iptables rules written at the terminal are not saved after the system

01:11.890 --> 01:12.820
is restarted.

01:13.860 --> 01:17.910
If you reboot the system, you will lose all the rules.

01:19.050 --> 01:24.970
And you say, OK, OK, but do I have to write all the rules each time the computer starts?

01:25.740 --> 01:26.870
Of course you don't.

01:27.300 --> 01:34.080
If you want your iptables rules to persist after the system restarts, you write them in a shell

01:34.140 --> 01:39.980
script, make that script executable and configure the script to be run automatically.

01:40.080 --> 01:41.100
at boot time.

01:42.150 --> 01:48.520
Let's go to work and see how we create a script with iptables rules and then run the script.

01:48.810 --> 01:53.940
Remember that the script is just a text file that contains shell commands.

01:56.030 --> 02:00.860
I'm going to create the script using my preferred text editor, which is vi.

02:02.010 --> 02:10.980
In your case, if you haven't used vi before, try a simple editor like nano, Pico or even Notepad.

02:11.280 --> 02:14.670
vi is a very good and efficient editor,

02:14.850 --> 02:18.420
but it's not the easiest one to use in Linux.

02:19.830 --> 02:28.290
The name of the script will be firewall1.sh, and the first line of the script will look like

02:28.290 --> 02:28.650
this.

02:30.240 --> 02:35.010
Hash sign, an exclamation mark and the path to bash.

02:36.140 --> 02:43.670
This is called the shebang, and it tells the shell what program to interpret the script with when executing

02:43.670 --> 02:43.940
it.

02:44.120 --> 02:49.510
In this example, the script is to be interpreted and run by the bash shell.

02:49.820 --> 02:56.870
If you write another script, let's say a Python script, you write here the path to the Python interpreter.

02:58.120 --> 03:07.200
The most common option is using bash, and inside the file I'll simply write some iptables rules.

03:07.930 --> 03:16.540
For example, I'll write a rule that drops all incoming SSH traffic, so traffic to port 22, and two

03:16.540 --> 03:23.200
other rules that drop outgoing traffic to port 80 and 443.

03:23.320 --> 03:26.530
So HTTP and HTTPS traffic.

03:28.040 --> 03:38.690
And the first rule: iptables -A INPUT -p tcp --dport 22 -j DROP.

03:40.270 --> 03:43.420
It drops incoming traffic to port 22.

03:49.060 --> 03:55.140
And two rules that drop outgoing HTTP and HTTPS traffic.

04:01.640 --> 04:12.110
iptables -A OUTPUT, so outgoing traffic, -p tcp --dport 80 -j DROP.

04:12.590 --> 04:26.480
And another rule for HTTPS: iptables -A OUTPUT -p tcp --dport 443 -j

04:26.510 --> 04:26.880
DROP.

04:29.470 --> 04:31.000
OK, here, OUTPUT.

04:35.670 --> 04:42.360
I'm saving the script, making it executable and then running it.

04:45.450 --> 04:46.460
And we see the rules:

04:50.520 --> 05:00.120
the rule that drops incoming SSH traffic and the rules that drop outgoing HTTP and HTTPS traffic.

05:02.100 --> 05:09.450
One important thing to note is that when running the script using its name, like
 
05:09.450 --> 05:10.080
firewall1.sh,

05:12.990 --> 05:20.460
so without ./, which is the current working directory, and the file name, I get an error: command not

05:20.460 --> 05:20.910
found.

05:22.280 --> 05:29.460
This happens because the current working directory doesn't belong to the Linux PATH, so the shell doesn't

05:29.470 --> 05:37.090
look for the script inside the current directory; it's looking for commands only in these directories.

05:40.770 --> 05:47.550
Here is where the shell is looking for commands, so you have either to add the current working directory

05:47.550 --> 05:53.670
to PATH or run the script using ./ and the name of the script.

05:55.150 --> 06:01.720
In fact, it says: take the script from the current working directory, which is dot, and run it.

06:04.250 --> 06:11.630
Now, suppose we want to change something in our script, for example, I don't want to block outgoing

06:11.630 --> 06:13.540
HTTPS traffic anymore.

06:14.120 --> 06:20.890
The logical thing to do is to open the script, replace that line, save the script and run it again.

06:22.090 --> 06:25.750
In this example, I've executed the script again.

06:27.460 --> 06:37.120
If we type iptables -vnL, we see that there are more rules than we have expected.

06:39.350 --> 06:45.110
There are only three rules in the script, but more rules in RAM.

06:47.980 --> 06:50.980
In fact, each rule seems doubled.

06:51.920 --> 06:56.260
To make this point clearer, I'll execute the script again.

07:01.300 --> 07:07.870
Now there are even more rules in RAM. Something is wrong; what could it be?

07:09.580 --> 07:13.790
Each time I've executed the script, the rules from the script,

07:13.810 --> 07:19.210
so those three rules, have been appended to the table's chains.

07:19.750 --> 07:25.630
I ran the script three times, so I have nine rules, and this is not what we want.

07:25.630 --> 07:33.000
Actually, when I run the firewall script, I expect that only those rules from the script are loaded.

07:33.430 --> 07:34.390
How do we do it?

07:35.080 --> 07:41.620
A good practice is to add at the beginning of the script: iptables -F.

07:43.300 --> 07:49.270
This will flush all the chains of the filter table and start with a new, fresh filter table.

07:50.930 --> 07:58.670
I am opening the file, and at the beginning I am adding iptables -F.

07:59.910 --> 08:02.430
This will flush all the chains.

08:03.940 --> 08:07.330
I'm saving the file and running it again.

08:10.610 --> 08:18.950
And we notice that only the rules from the script have been loaded; all other rules have been flushed.

08:21.770 --> 08:29.150
An important remark is that if you have rules also in other chains and tables, like, say, rules

08:29.150 --> 08:33.940
for doing NAT, you should also flush those tables and chains.

08:34.440 --> 08:35.780
Let's see what it's all about.

08:37.670 --> 08:45.620
I'm adding a rule that will perform SNAT; it will translate the private IP addresses from network

08:45.620 --> 08:55.340
10.0.0.0/8 to the public IP of this Linux machine. In this case, I'll write:

08:56.120 --> 08:59.800
iptables -t nat.

08:59.810 --> 09:12.380
It's mandatory to specify the table. -A POSTROUTING -s, the IP addresses that will be translated.

09:13.760 --> 09:15.320
It's an entire network.

09:24.160 --> 09:27.550
-o, the outgoing interface,

09:30.370 --> 09:31.390
-j

09:31.630 --> 09:40.210
SNAT --to-source, and I'll write a random IP address.

09:41.620 --> 09:51.490
I suppose this is the public IP. Don't focus on the NAT; we'll have an entire section on this. I'm saving

09:51.490 --> 09:55.990
the script and then running it, and I'll run it many times.

09:59.820 --> 10:05.880
When I am listing the nat table, we see there are many rules.

10:07.900 --> 10:16.620
There are four rules, not one like in my script. It appended the rule to the POSTROUTING chain in the

10:16.630 --> 10:17.500
nat table

10:17.740 --> 10:20.500
each time I've executed the script.

10:21.800 --> 10:28.370
This issue will be solved by also flushing the nat table at the beginning of the firewall script.

10:31.200 --> 10:36.150
Here at the beginning, I write iptables -t nat -F.

10:37.730 --> 10:40.720
I'm saving the script and running it again.

10:43.310 --> 10:46.100
I can run it as many times as I want.

10:46.460 --> 10:48.950
There will be a single NAT rule:

10:49.460 --> 10:55.070
the rule from the script. iptables -t nat -vnL.

10:56.810 --> 10:58.280
And there is only one rule.

10:59.750 --> 11:02.120
OK, that's all. Thank you.
