WEBVTT

00:01.470 --> 00:08.910
In this section we'll start a series of lectures about iptables basic matches, which are also the

00:08.910 --> 00:18.000
most used ones. As I've already told you, each iptables rule has a matching component and an action component.

00:18.570 --> 00:27.780
iptables rules can be constructed to match traffic by protocol type, destination or source address, destination

00:27.780 --> 00:36.720
or source network, destination or source port, input or output interface, header fields or connection

00:36.720 --> 00:38.780
state, among other criteria.

00:38.940 --> 00:43.350
And these can be combined to create very complex rules.

00:44.560 --> 00:52.300
In this lecture, we'll take a look at how to filter traffic based on source or destination IP or network

00:52.300 --> 00:52.900
address.

00:54.220 --> 01:03.460
We can make matches by source IP address or by source network address using the minus s or minus minus

01:03.460 --> 01:05.290
source match option.

01:07.360 --> 01:18.900
The address can be either a single IP address like 192.168.0.1, a network IP address

01:19.140 --> 01:30.330
with a mask specification like 10.0.0.0/8, or a domain name like

01:30.510 --> 01:32.280
www.linux.com.

01:33.980 --> 01:42.140
Please note that any name you specify will be resolved with a DNS query, and this is not always a good

01:42.140 --> 01:42.630
idea.

01:43.190 --> 01:45.580
Let's take a look at some examples.

01:46.880 --> 01:57.440
I want to drop all incoming traffic from Linux 2, which has the IP address of 192.168.0.

01:57.440 --> 01:58.050
20.

01:59.090 --> 02:04.040
OK, from this Linux machine to Linux 1, the firewall.

02:06.600 --> 02:16.470
And I type iptables minus A INPUT, I am using the INPUT chain because it's incoming traffic, minus

02:16.470 --> 02:16.850
s.

02:17.130 --> 02:22.260
This means the source IP address, and the IP address of Linux

02:22.260 --> 02:34.950
2, the other machine, 192.168.0.20, minus j and the action DROP.

02:37.360 --> 02:42.400
Before hitting enter, I'll ping Linux 1 from Linux 2.

02:46.910 --> 02:50.900
Ping is working and I am hitting the enter key.

02:52.520 --> 02:53.930
And ping stopped.

02:56.020 --> 03:02.500
If I list the firewall, I see that there are eight matched and dropped packets.

03:11.450 --> 03:19.490
If we want to drop by destination IP address, we use minus d or minus minus destination instead

03:19.490 --> 03:23.450
of minus s when writing the iptables rule.

03:24.080 --> 03:31.700
In the next example, I'll write a rule that drops outgoing traffic to an entire network like

03:31.710 --> 03:35.150
8.0.0.0/8.

03:37.840 --> 03:38.950
To this network.

03:42.520 --> 03:55.300
At this moment, I can communicate with that network, ping is working, and iptables minus A OUTPUT, it's outgoing

03:55.300 --> 04:06.010
traffic, so I am using the OUTPUT chain, minus d and the destination network address 8.0.0.0/8.

04:07.550 --> 04:08.930
Minus j DROP.

04:11.820 --> 04:19.920
Now, ping is not working, and if I list the firewall, I see a lot of matched packets.

04:24.000 --> 04:25.980
There are two dropped packets.

04:29.460 --> 04:37.950
So this rule drops any packets destined to an IP address that starts with eight, or whose first byte

04:37.950 --> 04:38.610
is eight.

04:40.480 --> 04:41.110
Perfect.

04:41.500 --> 04:44.380
Let's continue on and see another example.

04:46.450 --> 04:55.990
I want to completely deny access from this Linux machine to a website like, say, www.youtube.com.

04:57.840 --> 05:00.640
For this task, there are more possibilities.

05:01.020 --> 05:11.400
The first one is to find the IP address, or the IP addresses if there are more, of www.youtube.com and

05:11.400 --> 05:18.630
then drop all the packets that are going to those addresses. You can find the IP address of a

05:18.630 --> 05:28.590
website using either nslookup or dig: nslookup www.youtube.com.

05:31.760 --> 05:37.670
And we see the IP addresses of www.youtube.com.

05:39.580 --> 05:44.620
And dig www.youtube.com.

05:46.480 --> 05:56.620
These are the IP addresses of that website. Keep in mind that nslookup works both on Windows and Linux,

05:56.860 --> 06:01.800
but dig is a Linux-only command and has more options available.

06:03.630 --> 06:07.980
We noticed that there are six IP addresses for this domain.

06:09.070 --> 06:16.990
If we want to deny access to the website, we must write six iptables rules, and each rule will drop

06:16.990 --> 06:18.030
one IP address.

06:18.460 --> 06:25.240
I write just one iptables rule as an example: iptables minus A OUTPUT.

06:25.870 --> 06:33.100
This is outgoing traffic, minus d, and I'll take an IP address from this list.

06:34.240 --> 06:35.440
Let's say the first one.

06:39.270 --> 06:40.740
Minus j DROP.

06:42.080 --> 06:49.880
Of course, at this moment, the access to the website is not denied because there are still five IP

06:49.880 --> 06:51.830
addresses that are permitted.

06:53.370 --> 07:00.690
The second possibility is to use the domain name in the iptables rule. It will automatically query

07:00.690 --> 07:13.680
the system DNS server for the IP addresses and add a rule for each IP address: iptables minus A OUTPUT minus

07:13.680 --> 07:19.140
d www.youtube.com minus j DROP.

07:21.020 --> 07:26.330
And iptables minus v n L, I am listing the firewall.

07:29.600 --> 07:36.860
And we notice that there are six rules, one rule for each IP address that drop the outgoing traffic

07:37.070 --> 07:38.420
to those IPs.

07:40.660 --> 07:49.170
If I open up a browser window and try to connect to www.youtube.com, it won't work.

07:54.950 --> 07:56.960
The website is not loading.

08:00.010 --> 08:07.390
Notice that when dropping traffic based on source or destination IP address, if you use a domain name

08:07.390 --> 08:15.370
instead of an IP address, in the end iptables still uses IP addresses in the rule, not the domain name.

08:16.770 --> 08:22.350
I've used a domain name, but iptables uses IP addresses.

08:23.340 --> 08:32.280
This requires access to a DNS server, and that means other iptables rules that allow DNS traffic. Pay

08:32.280 --> 08:35.560
attention, especially when using the DROP policy.

08:36.030 --> 08:42.780
It may be the case that you cannot permit or deny traffic to or from an IP address because you have

08:42.780 --> 08:44.550
specified the domain name,

08:44.820 --> 08:49.590
but the DNS traffic that resolves the domain name is not permitted.

08:51.230 --> 08:58.550
Also note that it's not a good idea to accept or drop traffic to a very big website like google.com

08:58.550 --> 09:08.150
or facebook.com this way. Domains like google.com have tens or hundreds of IP addresses,

09:08.420 --> 09:13.180
and the DNS response will contain only a few of them.

09:13.820 --> 09:18.730
You should use an application firewall like Squid instead of iptables.

09:20.220 --> 09:28.860
At the end of this lecture, I just want to tell you that if you see the address 0/0, it means

09:28.860 --> 09:31.800
any IP address with any network.

09:31.800 --> 09:32.310
mask.

09:33.450 --> 09:48.750
For example, I accept all outgoing traffic and I write iptables minus A OUTPUT minus p tcp minus minus

09:48.750 --> 09:52.720
dport 443.

09:52.980 --> 10:01.760
This is HTTPS traffic, minus d and now the destination IP address, and I write 0/0.

10:02.040 --> 10:07.410
It means any IP address with any mask, minus j ACCEPT.

10:10.330 --> 10:14.980
OK, this is all about matching by source or destination IP address.

10:15.190 --> 10:15.760
Thank you.
