diff --git a/README.md b/README.md index c82287d..a5ee90e 100644 --- a/README.md +++ b/README.md @@ -56,6 +56,8 @@ These are notes from the [Linux Basics Course](https://bit.ly/3gGnxm0) hosted on - [04-Access-Control-Files](docs/06-Security-and-File-Permissions/04-Access-Control-Files.md) - [05-File-Permissions](docs/06-Security-and-File-Permissions/05-File-Permissions.md) - [06-SSH-and-SCP](docs/06-Security-and-File-Permissions/06-SSH-and-SCP.md) + - [07-IPtables](docs/06-Security-and-File-Permissions/07-IPtables.md) + - [08-Cronjob](docs/06-Security-and-File-Permissions/08-Cronjob.md) - [07-Networking](docs/07-Networking) diff --git a/docs/06-Security-and-File-Permissions/07-IPtables.md b/docs/06-Security-and-File-Permissions/07-IPtables.md new file mode 100644 index 0000000..a9b43de --- /dev/null +++ b/docs/06-Security-and-File-Permissions/07-IPtables.md @@ -0,0 +1,202 @@ +# IPTABLES + + - Take me to the [Tutorial](https://kodekloud.com/courses/873064/lectures/24032366) + - In this lecture, we will learn about IPtables basic commands. + +**Iptables** uses a set of tables that have chains that contain a set of built-in or user-defined rules. +- The two types of tables/rules: +1. **FILTER** – this is the default table, which contains the built-in chains for: + **`INPUT`** – packages destined for local sockets. + **`FORWARD`** – packets routed through the system. + **`OUTPUT`** – packets generated locally. +2. **NAT** – a table that is consulted when a packet tries to create a new connection. It has the following built-in: +**`PREROUTING`** – used for altering a packet as soon as it’s received. +**`OUTPUT`** – used for altering locally-generated packets. +**`POSTROUTING`** – used for altering packets as they are about to go out. + +- For **installing** IPtables in **Ubuntu** servers, + +``` +bob@devapp01:~$sudo apt install iptables +``` + +- To **list** the iptables rules, + +``` +bob@devapp01:~$sudo iptables -L + +Chain INPUT (policy ACCEPT) +target prot opt source destination + +Chain FORWARD (policy ACCEPT) +target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +target prot opt source destination +``` + +- To allow incoming connection from **IP** **172.16.238.187** to port **22** and **80**, you can run the following command. + +``` +sudo iptables -A INPUT -p TCP -s 172.16.238.187 --dport 22 -j ACCEPT +``` + +``` +sudo iptables -A INPUT -p TCP -s 172.16.238.187 --dport 80 -j ACCEPT +``` + +The -A or --append option appends the rule at the end of the selected chain. +The -s or --source option Source specification. +The -j, --jump option specifies the target of the rule. +The -p, --protocol option defines protocol of the rule or the packet to check +The --dport or --destination-port refers to the destination port. +The --sport or --source-port refers to source port. + +- To list the **iptables rules**, + +``` +bob@devapp01:~$ sudo iptables -L +Chain INPUT (policy ACCEPT) +target prot opt source destination +ACCEPT tcp -- caleston-lp10 anywhere tcp dpt:ssh +ACCEPT tcp -- caleston-lp10 anywhere tcp dpt:http + +Chain FORWARD (policy ACCEPT) +target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +target prot opt source destination +``` + +- To drop **incoming connections** from any **source** on any **destination port** for any **protocol** + +``` +bob@devapp01:~$sudo iptables -A INPUT -j DROP +``` + +``` +bob@devapp01:~$ sudo iptables -L +Chain INPUT (policy ACCEPT) +target prot opt source destination +ACCEPT tcp -- caleston-lp10 anywhere tcp dpt:ssh +ACCEPT tcp -- caleston-lp10 anywhere tcp dpt:ssh +ACCEPT tcp -- caleston-lp10 anywhere tcp dpt:http +DROP all -- anywhere anywhere + +Chain FORWARD (policy ACCEPT) +target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +target prot opt source destination +``` + +Difference between **`DROP`** and **`REJECT`** +Both DROP and REJECT prohibits packets from passing through the firewall. But, the main difference between them is the response message. + +When we use the DROP command, it will not forward the packet or answer it. But, simply drops the packet silently. + +And, no indication is sent to the client or server. + +But, the REJECT command sends an error message back to the source indicating a connection failure. + +- To block outgoing traffic to any destination on **port 80** + +``` +bob@devapp01:~$sudo iptables -A OUTPUT -p tcp --dport 80 -j DROP +``` +This will add rule in the **OUTPUT** chain + +``` +bob@devapp01:~$ sudo iptables -L +Chain INPUT (policy ACCEPT) +target prot opt source destination +ACCEPT tcp -- caleston-lp10 anywhere tcp dpt:ssh +ACCEPT tcp -- caleston-lp10 anywhere tcp dpt:ssh +ACCEPT tcp -- caleston-lp10 anywhere tcp dpt:http +DROP all -- anywhere anywhere + +Chain FORWARD (policy ACCEPT) +target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +target prot opt source destination +DROP tcp -- anywhere anywhere tcp dpt:http +``` + +- To allow https connection from the server to **`google.com`** +``` +bob@devapp01:~$ sudo iptables -I OUTPUT -p tcp -d google.com --dport 443 -j ACCEPT +``` + +- **Unblock IP Address** or to **delete** a rule in IPtables Firewall + +- First find the **line-number** of the rule using the command below + +``` +bob@devapp01:~$ sudo iptables -L --line-numbers +Chain INPUT (policy ACCEPT) +num target prot opt source destination +1 ACCEPT tcp -- caleston-lp10 anywhere tcp dpt:ssh +2 ACCEPT tcp -- caleston-lp10 anywhere tcp dpt:ssh +3 DROP all -- anywhere anywhere + +Chain FORWARD (policy ACCEPT) +num target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +num target prot opt source destination +1 ACCEPT tcp -- anywhere google.com tcp dpt:https +2 ACCEPT tcp -- anywhere devdb01 tcp dpt:postgresql +3 ACCEPT tcp -- anywhere caleston-repo-01 tcp dpt:http +4 DROP tcp -- anywhere anywhere tcp dpt:http +5 DROP tcp -- anywhere anywhere tcp dpt:https +``` + +- Now if you want to delete the **INPUT** rule number 3, run + +``` +sudo iptables -D INPUT 3 +``` +- To display the **line number** for the rules, + +``` +bob@devapp01:~$ sudo iptables -L --line-numbers +Chain INPUT (policy ACCEPT) +num target prot opt source destination +1 ACCEPT tcp -- caleston-lp10 anywhere tcp dpt:ssh +2 ACCEPT tcp -- caleston-lp10 anywhere tcp dpt:ssh + +Chain FORWARD (policy ACCEPT) +num target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +num target prot opt source destination +1 ACCEPT tcp -- anywhere google.com tcp dpt:https +2 ACCEPT tcp -- anywhere devdb01 tcp dpt:postgresql +3 ACCEPT tcp -- anywhere caleston-repo-01 tcp dpt:http +4 DROP tcp -- anywhere anywhere tcp dpt:http +5 DROP tcp -- anywhere anywhere tcp dpt:https +``` + +- Allow Multiple Ports on IPtables using **`Multiport`** + +``` +iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT +iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT +``` + +--sport or --source-port refers to source port. + +- To Block Incoming **`Ping Requests`** on IPtables on an interface say **eth0**, + +``` +iptables -A INPUT -p icmp -i eth0 -j DROP +``` + +- To Block Access to Specific **`MAC Address`** on IPtables + +``` +iptables -A INPUT -m mac --mac-source 0e:Ds:8n:mq:00:de -j DROP + +0e:Ds:8n:mq:00:de refers to mac address to be blocked +``` \ No newline at end of file diff --git a/docs/06-Security-and-File-Permissions/08-cronjob.md b/docs/06-Security-and-File-Permissions/08-cronjob.md new file mode 100644 index 0000000..2a43377 --- /dev/null +++ b/docs/06-Security-and-File-Permissions/08-cronjob.md @@ -0,0 +1,37 @@ +# Cronjob in Linux + + - Take me to the [Tutorial](https://kodekloud.com/courses/873064/lectures/24032686) + - In this lecture we will learn about **Cronjobs** in Linux . + + +The basic usage of **cron** is to execute a job in a specific time. The **`crontab`** is a list of commands that you want to run on a regular schedule, and also the name of the command used to manage that list. **Crontab** stands for **`cron table`** because it uses the job scheduler cron to execute tasks. The schedule is called the crontab, which is also the name of the program used to edit that schedule. + +## Linux Crontab Format + + ![format](../../images//cronformat.png) + +### Expressions used and Description + + ![specialstring](../../images//cronspclstring.png) + + ![specialcharacter](../../images//cronspchar.png) + +#### Crontab commands + + + ![command](../../images//croncmd.png) + + +##### Crontab Examples + +*/30 * * * * Every 30 mins + +0 * * * * Every hour + +0 0 * * 0 At midnight of every Sunday + +0 0 0 15 * * Every 15th of month (monthly) + +0 0 0 1 1 * Every 1st of january (yearly) + +@reboot Every reboot \ No newline at end of file diff --git a/images/croncmd.png b/images/croncmd.png new file mode 100644 index 0000000..a8cbd1a Binary files /dev/null and b/images/croncmd.png differ diff --git a/images/cronformat.png b/images/cronformat.png new file mode 100644 index 0000000..05eed36 Binary files /dev/null and b/images/cronformat.png differ diff --git a/images/cronspchar.png b/images/cronspchar.png new file mode 100644 index 0000000..8919ba7 Binary files /dev/null and b/images/cronspchar.png differ diff --git a/images/cronspclstring.png b/images/cronspclstring.png new file mode 100644 index 0000000..79f8cc1 Binary files /dev/null and b/images/cronspclstring.png differ