WEBVTT

00:00.800 --> 00:03.180
Hello, everybody, and welcome back.

00:03.560 --> 00:08.910
In this lecture, I'm going to show you how to filter traffic by TCP or UDP ports.

00:09.680 --> 00:13.460
This is a very common task when developing a firewall.

00:14.690 --> 00:21.950
You can match by a single port using the match option --dport, which comes from destination

00:21.950 --> 00:27.370
port, or --sport, which comes from source port.

00:27.890 --> 00:34.580
It's mandatory to specify the TCP or UDP protocol using the -p option.

00:34.730 --> 00:36.860
Otherwise you'll get an error.

00:37.970 --> 00:46.040
Keep in mind that there are ports in the packet header only if the protocol is TCP or UDP; other

00:46.040 --> 00:51.550
protocols like, for example, ICMP do not use ports at all.

00:53.330 --> 01:00.800
In this example, we are dropping incoming SSH packets. It's incoming traffic because the chain is

01:00.800 --> 01:07.520
INPUT, the protocol is TCP and the destination port is the standard SSH port.

01:07.970 --> 01:13.700
We assume that there is an SSH server that is listening on port 22.

01:15.500 --> 01:23.330
If we want to match by multiple ports, we can write more iptables rules, one rule for each port, or

01:23.330 --> 01:27.650
we can use another option, which is -m multiport.

01:29.110 --> 01:38.220
There are two other options: --sports to match by source ports and --dports

01:38.230 --> 01:40.210
to match by destination ports.

01:40.750 --> 01:43.270
After that, the match option is followed by

01:43.270 --> 01:46.000
the ports, separated by commas.

01:47.470 --> 01:56.230
Let's take a look at this example: we are accepting outgoing traffic on the OUTPUT chain to port 80

01:56.440 --> 01:58.480
or 443.

01:59.930 --> 02:05.900
This means traffic destined to the HTTP or HTTPS service.

02:07.560 --> 02:08.130
Perfect.

02:08.280 --> 02:11.970
Let's go to a terminal and see some live examples.

02:17.870 --> 02:25.760
From Linux 2, I want to see what ports are open on Linux 1. In order to check what ports are open,

02:25.910 --> 02:33.200
I'll use nmap, which is, by the way, a great port scanner: nmap and the IP address of

02:33.290 --> 02:39.530
the other Linux machine, 192.168.0.10.

02:42.300 --> 02:47.850
After a few seconds, nmap will show us what ports are open on Linux 1.

02:49.340 --> 03:02.380
As you can see, there are four ports open: 22 for SSH, 25 for SMTP, 80 for HTTP and 443 for HTTPS.

03:06.210 --> 03:13.270
I flushed all the rules, so at this moment it's an open firewall and all traffic is accepted.

03:13.860 --> 03:16.410
This is the state where I'm starting from.

03:16.530 --> 03:25.500
In each example I'll show you, there is no rule and the default policy is set to ACCEPT.

03:26.870 --> 03:30.420
And I want to drop incoming traffic to port.

03:30.440 --> 03:41.840
25: iptables -A INPUT, for incoming traffic, -p tcp --dport 25 -j

03:41.840 --> 03:42.650
DROP.

03:44.640 --> 03:52.590
And I am listing the firewall again. We can see the rule here and there are no packets matched.

03:54.510 --> 04:02.540
I'm scanning Linux 1 once again from Linux 2 using nmap; I'm executing the same command again.

04:05.120 --> 04:09.890
And we notice that port 25 is now filtered.

04:11.760 --> 04:19.280
By the way, do you know what the difference is between a filtered port and a closed port? A filtered

04:19.280 --> 04:26.820
port is in fact an open port, but there is a firewall that's dropping traffic to that open port,

04:26.970 --> 04:32.070
and we are receiving no traffic back when sending a packet to that port.

04:32.820 --> 04:38.380
In this case, port 25 is open on Linux 1.

04:38.430 --> 04:46.680
So there is a process listening on that port, but it appears filtered to Linux 2 because

04:46.680 --> 04:48.000
packets are dropped.

04:49.400 --> 04:55.830
On the other hand, a closed port is a port on which no application is listening.

04:56.300 --> 05:04.130
If we send a packet to a closed port, we receive a packet back indicating that the port is closed:

05:04.620 --> 05:08.810
a TCP packet with the RST flag set.

05:11.030 --> 05:15.620
For example, port 55 is closed.

05:17.290 --> 05:25.270
So, in conclusion: a filtered port is an open port that doesn't respond back because a firewall is dropping

05:25.270 --> 05:33.520
the packets, and a closed port is a port where no application is listening, and it replies back with

05:33.520 --> 05:37.390
a TCP RST packet indicating that it's closed.

05:38.800 --> 05:43.450
Now, on Linux 1, if I list the firewall, I'll see some matched packets.

05:45.700 --> 05:47.380
There are two matched packets.

05:49.820 --> 05:55.590
Let's try other examples. I want to block all incoming traffic to port 80.

05:56.480 --> 06:01.640
Let's check if port 80 is open, closed or filtered.

06:05.770 --> 06:07.150
And it's open.

06:10.000 --> 06:15.760
I'm going to create a new firewall rule that will block all incoming traffic to port 80.

06:17.490 --> 06:24.810
In fact, it's the same rule, just that instead of port 25 I have port 80.

06:27.240 --> 06:35.700
I am listing the firewall. There are no matched packets yet, and if I scan it again, we see that the port is

06:35.700 --> 06:38.720
filtered and there are matched packets.

06:40.370 --> 06:41.930
There are three matched packets.

06:45.030 --> 06:52.500
Let's move on and see another example, which is a very common and useful one. We suppose there is

06:52.500 --> 06:59.850
a Linux server and a management station and we want to allow only the management station to connect

06:59.850 --> 07:02.650
to the Linux server using SSH.

07:03.180 --> 07:11.370
Or, in other words, we allow a single source IP address to connect to Linux 1 using SSH.

07:13.920 --> 07:21.960
In this example, it will be the IP address of the Windows recording machine; all other source IP addresses

07:22.110 --> 07:23.040
will be denied.

07:23.910 --> 07:28.360
Let's check what the IP address of this Windows machine is.

07:28.920 --> 07:36.540
I'm running ipconfig and we see that the IP address is 192

07:36.540 --> 07:38.250
dot 168

07:38.250 --> 07:39.180
dot 0

07:39.540 --> 07:41.460
dot 112.

07:42.610 --> 07:43.030
OK.

07:44.380 --> 07:50.890
For this task, I'm going to create a bash script, write the rules inside the script and then

07:50.890 --> 07:52.210
execute the script.

07:52.570 --> 07:55.450
It's easier to manage the firewall this way.

07:58.040 --> 08:05.380
The first line of my script is the shebang and indicates that this script will be run by the bash shell

08:05.390 --> 08:06.140
by default.

08:07.640 --> 08:14.960
First, I flush all the rules of the filter table, because maybe I'll run the script many times and

08:14.960 --> 08:18.890
I don't want the rules to be appended each time I run the script.

08:20.210 --> 08:22.340
iptables -F.

08:24.210 --> 08:28.140
We've already discussed this in a previous lecture.

08:29.300 --> 08:35.360
And the first iptables rule will permit SSH traffic from that specific IP address.

08:36.720 --> 08:50.160
iptables -A INPUT -p tcp --dport 22 -s and the IP address of my Windows

08:50.160 --> 08:50.670
machine.

08:54.770 --> 08:56.630
-j ACCEPT.

08:57.860 --> 09:03.140
This rule is accepting the traffic that is coming from the Windows machine.

09:04.450 --> 09:11.800
Now, you can imagine that we still need something that will drop SSH traffic that is coming from other

09:11.800 --> 09:13.240
source IP addresses.

09:14.500 --> 09:16.150
There are two possibilities.

09:16.390 --> 09:24.160
If the default policy for the INPUT chain is set to DROP, it means that the traffic that is not matched

09:24.160 --> 09:26.950
by any rule will be dropped by the policy.

09:27.310 --> 09:36.570
In this case, we don't need to write another iptables rule, but if the policy is set to ACCEPT, then we

09:36.580 --> 09:45.250
mandatorily need a second rule that drops all incoming SSH traffic that was not accepted until that point.

09:46.240 --> 09:55.420
In this example, I said nothing about the policy, so I'll write the second rule: iptables

09:55.420 --> 10:04.530
-A INPUT -p tcp --dport 22 -j DROP.

10:06.190 --> 10:12.100
I don't specify the source IP address and that means any IP address.

10:13.330 --> 10:20.930
If you want to specify an IP address, you can simply write -s 0.0.0.0/0.

10:21.520 --> 10:22.400
It's the same.

10:24.460 --> 10:25.090
Perfect.

10:25.240 --> 10:26.500
That should be enough.

10:27.440 --> 10:31.270
Let's save the script and make it executable.

10:36.190 --> 10:45.550
Before running the script, I want to check that port 22 is open, so I'm scanning it using nmap from

10:45.550 --> 10:46.180
Linux 2.

10:54.290 --> 10:55.100
It's open.

10:56.200 --> 10:57.880
Now I'm running the script.

10:59.080 --> 11:01.000
Let's scan the port again.

11:03.120 --> 11:04.800
And the port is filtered.

11:05.950 --> 11:14.080
The firewall is dropping the packets that are not coming from the allowed IP address; Linux 2 doesn't

11:14.080 --> 11:16.060
have the permitted IP address.

11:17.840 --> 11:21.560
If we list the firewall, we see there are dropped packets.

11:24.990 --> 11:30.420
From Windows, I am opening PuTTY and trying to connect to Linux 1.

11:32.960 --> 11:35.660
I'm writing the IP address of Linux 1.

11:36.950 --> 11:37.970
And open.

11:39.960 --> 11:42.330
And we see that the port is open.

11:48.920 --> 11:51.610
Packets are permitted through the firewall.

11:53.800 --> 11:58.090
There are 18 packets accepted by the first rule.

11:59.810 --> 12:07.010
In the last example of this lecture, I'll show you how to match by multiple ports in a single iptables

12:07.010 --> 12:16.760
rule using the -m multiport match option. I'll try to block the access to ports 80 and 443.

12:19.180 --> 12:30.700
I'll write the iptables rule inside the same script: iptables -A INPUT -p tcp

12:30.700 --> 12:41.350
-m multiport --dports 80,443 -j DROP.

12:42.880 --> 12:49.120
Take care of the S at the end: --dports, not --dport.

12:50.580 --> 12:52.710
And I'm saving the script.

12:55.000 --> 12:59.650
Before running it, I'll check the state of those two ports.

13:03.660 --> 13:08.370
Ports 80 and 443, and they are open.

13:11.440 --> 13:15.250
I'm running the script and then scanning the ports again.

13:27.380 --> 13:34.100
OK, the host is not responding at all, and nmap thinks that it's not up.

13:36.330 --> 13:45.180
I'll add the -Pn option, uppercase P and n, to avoid probing the server using pings.

13:45.990 --> 13:51.750
Now it says that the ports are filtered, exactly what we expected.

13:56.650 --> 13:59.320
There are eight matched packets by the rule.
