tcp connections are limited to a maximum of 10
Sponsored Links
Sponsored Links
Secleted [ 0 ] software to compare
Results 1 - 15 of about 3695
conn-close 1.0
conn-close gives us possibility to get rid of entries in ip_conntrack about ESTABLISHED TCP connections. more>>
conn-close gives us possibility to get rid of entries in ip_conntrack about ESTABLISHED TCP connections that goes through our server.
conn-close script uses hping2 to send spoofed RST packets which will fool conntrack and cause specified connections to be considered by conntrack as closed (now these connections will be in ip_conntrack in CLOSE state), even though RST packets will be more likely discarded by destination host.
Information about connections is read of course from /proc/net/ip_conntrack.
Idea was taken from script seen somewhere on the internet.
<<lessconn-close script uses hping2 to send spoofed RST packets which will fool conntrack and cause specified connections to be considered by conntrack as closed (now these connections will be in ip_conntrack in CLOSE state), even though RST packets will be more likely discarded by destination host.
Information about connections is read of course from /proc/net/ip_conntrack.
Idea was taken from script seen somewhere on the internet.
Download (0.003MB)
Added: 2006-05-08 License: GPL (GNU General Public License) Price:
1264 downloads
Just For Fun Network Management System 0.8.3
Just For Fun Network Management System is a PHP-based network management system. more>>
Just For Fun Network Management System is a PHP-based network management system that features an integrated syslog, Tacacs, TFTP configuration downloading, SNMP polling, SNMP traps, journalling, auto-discovery, performance graphs (RRD), SLAs, and a lot more.
Just For Fun Network Management System uses MySQL or PostgreSQL as the backend and works under Linux and Windows.
Main features:
- Written in PHP4 (works in PHP5 too)
- Fully tested on Linux, FreeBSD and Win2K
- Should work on any other system which supports PHP
- PHP/cron scripts for polling, analizing and consolidating data
- Database Backend MySQL or PostgreSQL
- Configurable Event Types and Severity Levels
- Modular and Extensible
- Advanced Event Filter
- Interface Autodiscovery
- Licensed under the GNU GPL
- Event Console, Shows Events / Tacacs / Syslog / Alarms in the same time-ordered display
- Map & Sub-Map support
- Graphical Interface Traffic, Round Trip Time, Packet Loss Monitoring, and a LOT more
- Variable Time Span in the graphs
- Total Administration via web
- Sound Alerts in your browser
- Events RDF Feed (for newstickers)
- Works with HTTPS
- Traffic Bytes
- Utilization %
- Packets per Second, Errors per Second, Error Rate
- Round Trip Time and Packet Loss (Cisco & Smokeping)
- Drops
- TCP Connections: Incoming, Outgoing, Established, Delay
- Number of Processes, Number of Users
- Used Memory and Disks with Aggregation
- Processor Utilization and Load Average
- Temperature
- Interfaces (Network cards)
- Host (Processor, Load Average)
- Storage (Disks and Memory)
- Applications Running (HostMIB)
- Cisco Ping (RTT & PL on Cisco)
- BGP4 (BGP sessions status)
- TCP (TCP Connections, Delay)
- Cisco MAC Accounting
- Cisco IP Accounting
- Cisco CSS
- Cisco SA Agent
- Cisco Enviormental (Temperature, Voltage, etc)
- Internet Information Server (IIS) MIB
- Livingstone PortMaster3 Serial Line MIB
- Compaq Insight Manager MIB (Disk, Fan and Temperature)
- Apache /server-status monitoring
- TCP Port Content Regexp Checking (or URL)
- Configurable per Circuit SLAs (with RPN logic)
- Internal Authorization Framework
- Per Event Journals and Acknowledge
- Triggers / Actions Framework for email/others alerts.
- Database Abstraction Framework
- CSV Export
- Distributed Polling
- Object Oriented
- Consistent API
Enhancements:
- Better support for PHP 5 and RRDTool 1.2.x, OS/400 integration, Dell Chassis alarm monitoring, and fixes for all reported issues.
<<lessJust For Fun Network Management System uses MySQL or PostgreSQL as the backend and works under Linux and Windows.
Main features:
- Written in PHP4 (works in PHP5 too)
- Fully tested on Linux, FreeBSD and Win2K
- Should work on any other system which supports PHP
- PHP/cron scripts for polling, analizing and consolidating data
- Database Backend MySQL or PostgreSQL
- Configurable Event Types and Severity Levels
- Modular and Extensible
- Advanced Event Filter
- Interface Autodiscovery
- Licensed under the GNU GPL
- Event Console, Shows Events / Tacacs / Syslog / Alarms in the same time-ordered display
- Map & Sub-Map support
- Graphical Interface Traffic, Round Trip Time, Packet Loss Monitoring, and a LOT more
- Variable Time Span in the graphs
- Total Administration via web
- Sound Alerts in your browser
- Events RDF Feed (for newstickers)
- Works with HTTPS
- Traffic Bytes
- Utilization %
- Packets per Second, Errors per Second, Error Rate
- Round Trip Time and Packet Loss (Cisco & Smokeping)
- Drops
- TCP Connections: Incoming, Outgoing, Established, Delay
- Number of Processes, Number of Users
- Used Memory and Disks with Aggregation
- Processor Utilization and Load Average
- Temperature
- Interfaces (Network cards)
- Host (Processor, Load Average)
- Storage (Disks and Memory)
- Applications Running (HostMIB)
- Cisco Ping (RTT & PL on Cisco)
- BGP4 (BGP sessions status)
- TCP (TCP Connections, Delay)
- Cisco MAC Accounting
- Cisco IP Accounting
- Cisco CSS
- Cisco SA Agent
- Cisco Enviormental (Temperature, Voltage, etc)
- Internet Information Server (IIS) MIB
- Livingstone PortMaster3 Serial Line MIB
- Compaq Insight Manager MIB (Disk, Fan and Temperature)
- Apache /server-status monitoring
- TCP Port Content Regexp Checking (or URL)
- Configurable per Circuit SLAs (with RPN logic)
- Internal Authorization Framework
- Per Event Journals and Acknowledge
- Triggers / Actions Framework for email/others alerts.
- Database Abstraction Framework
- CSV Export
- Distributed Polling
- Object Oriented
- Consistent API
Enhancements:
- Better support for PHP 5 and RRDTool 1.2.x, OS/400 integration, Dell Chassis alarm monitoring, and fixes for all reported issues.
Download (0.54MB)
Added: 2006-09-17 License: GPL (GNU General Public License) Price:
1137 downloads
TCP Re-engineering Tool 1.4.3
TCP Re-engineering Tool monitors and analyzes data transmitted between a client and a server via a TCP connection. more>>
TCPreen is a simple tool to monitor and analyze data transmitted between clients and servers through connection-oriented streams data such as a TCP sessions; it supports TCP over either IPv4 or IPv6. This tool focuses on the data stream (software/socket layer), not on the lower level transmission protocol as packet sniffers do.
TCPreen listens on a TCP port and wait for incoming connections to come in. Then, it forwards data sent by the connecting client to another server port (possibly on another computer) and forwards server responses back to the client.
TCPreen can display data on your console in real-time and/or save it to log files for later reference.There are various display formats.
While it was originally meant to help developers reverse-engineer TCP-based protocols, it can also be very useful to debug network server or client software or for a system administrator to monitor a TCP service.
Enhancements:
- libsolve/getaddrinfo.{c,h}, src/winstub.{c,h}:
- dirty kludge to resolve getaddrinfo & co at run-time
- so that tcpreen can still run on Windows 2000 and older.
<<lessTCPreen listens on a TCP port and wait for incoming connections to come in. Then, it forwards data sent by the connecting client to another server port (possibly on another computer) and forwards server responses back to the client.
TCPreen can display data on your console in real-time and/or save it to log files for later reference.There are various display formats.
While it was originally meant to help developers reverse-engineer TCP-based protocols, it can also be very useful to debug network server or client software or for a system administrator to monitor a TCP service.
Enhancements:
- libsolve/getaddrinfo.{c,h}, src/winstub.{c,h}:
- dirty kludge to resolve getaddrinfo & co at run-time
- so that tcpreen can still run on Windows 2000 and older.
Download (0.041MB)
Added: 2006-06-28 License: GPL (GNU General Public License) Price:
1216 downloads
tcptunnel 1.0
tcptunnel is a simple TCP tunnel written in Perl. more>>
tcptunnel is a simple TCP tunnel written in Perl.
Also is a versatile tcp tunnel. The tcptunnel uses:
- tunnelling through a firewall or proxy
- redirecting tcp connections to other ports or machines
- debugging tcp connections in-place
- packet sniffing
The tcptunnel listens on local port < port > and when a connection is made it connects the other end of the tunnel as follows:
a) With no proxy specified, it connects the other end
to < srvport > on < srv >.
b) With a proxy, it connects to < srvport > on < proxy >.
It then directs the proxy to telnet to < srv >, and then it connects the ends of the tunnel.
<<lessAlso is a versatile tcp tunnel. The tcptunnel uses:
- tunnelling through a firewall or proxy
- redirecting tcp connections to other ports or machines
- debugging tcp connections in-place
- packet sniffing
The tcptunnel listens on local port < port > and when a connection is made it connects the other end of the tunnel as follows:
a) With no proxy specified, it connects the other end
to < srvport > on < srv >.
b) With a proxy, it connects to < srvport > on < proxy >.
It then directs the proxy to telnet to < srv >, and then it connects the ends of the tunnel.
Download (0.005MB)
Added: 2006-07-01 License: GPL (GNU General Public License) Price:
1213 downloads
Symbion SSL Proxy 1.0.5
SSL Proxy server listens on a TCP port, accepts SSL connections, and forwards them to another local or remote TCP port. more>>
SSL Proxy server listens on a TCP port, accepts SSL connections, and forwards them to another local or remote TCP port.
For example, it is possible to create an HTTPS server if you have an HTTP server and you run an SSL Proxy server on port 443 which forwards the connections to port 80.
SSL Proxys design makes it as secure as possible and still perform well.
Enhancements:
- Improved certificate handling (chained certificates are now supported), more error information on SSL protocol errors during SSL_accept(), -U and -D options (buffer size), and a "powered by" logo.
<<lessFor example, it is possible to create an HTTPS server if you have an HTTP server and you run an SSL Proxy server on port 443 which forwards the connections to port 80.
SSL Proxys design makes it as secure as possible and still perform well.
Enhancements:
- Improved certificate handling (chained certificates are now supported), more error information on SSL protocol errors during SSL_accept(), -U and -D options (buffer size), and a "powered by" logo.
Download (0.024MB)
Added: 2005-09-30 License: GPL (GNU General Public License) Price:
1493 downloads
Crossroads Load Balancer 1.59
Crossroads is a load balance and failover utility for TCP-based services. more>>
Crossroads is a load balance and failover utility for TCP-based services.
Crossroads Load Balancer is a daemon program running in userspace and features extensive configurability, polling of backends using "wakeup calls", detailed status reporting, "hooks" for special actions when backend calls fail, and more.
It is service-independent; it is usable for HTTP(S), SSH, SMTP, DNS, etc.
Crossroads is a daemon that basically accepts TCP connections at preconfigured ports, and given a list of back ends distributes each incoming connection, so that a client process is served.
Additionally, crossroads maintains an internal administration of the back end connectivity: if a back end isnt usable, then the client request is handled using another back end. Crossroads will then periodically check whether a previously not usable back end has come to life yet. Also, crossroads can select back ends by estimating the load, so that balancing is achieved.
Using this approach, crossroads serves as load balancer and fail over utility. Crossroads will very likely not be as reliable as hardware based balancers, since it always will require a server to run on. This server, in turn, may become a new Single Point of Failure (SPOS). However, in situations where cost efficiency is an issue, crossroads may be a good choice.
Furthermore, crossroads can be deployed in situations where a hardware based balancing already exists and augmenting service reliability is needed. Or, crossroads may be run off a diskless system, which again improves reliability of the underlying hardware.
This document describes how to use crossroads, how to configure it in order to increase the reliability of your systems, and how to compile the program from its sources. This document is also available in PDF format.
Usage:
Crossroads is started from the commandline, and highly depends on /etc/crossroads.conf (the default configuration file). It supports a number of flags (e.g., to overrule the location of the configuration file). The actual usage information is always obtained by typing crossroads without any arguments. Crossroads then displays the allowed arguments.
This section shows the basic usage.
- crossroads start and crossroads stop are typical actions that are run from system startup scripts. The meaning is self-explanatory.
- crossroad status reports on each running service. Per service, the state of each back end is reported.
- crossroads tell service backend state is a command line way of telling crossroads that a given back end, of a given service, is in a given state. Normally crossroads maintains state information itself, but by using crossroads tell, a back end can be e.g. taken off line for servicing.
- crossroads services reports on the configured services. In contrast to crossroads status, this option only shows whats configured -- not whats up and running. Therefore, crossroads services doesnt report on back end states.
- crossroads sampleconf shows a sample configuration on screen. A good way of quicky viewing the configuration file syntax, or of getting a start for your own configuration /etc/crossroads.conf.
<<lessCrossroads Load Balancer is a daemon program running in userspace and features extensive configurability, polling of backends using "wakeup calls", detailed status reporting, "hooks" for special actions when backend calls fail, and more.
It is service-independent; it is usable for HTTP(S), SSH, SMTP, DNS, etc.
Crossroads is a daemon that basically accepts TCP connections at preconfigured ports, and given a list of back ends distributes each incoming connection, so that a client process is served.
Additionally, crossroads maintains an internal administration of the back end connectivity: if a back end isnt usable, then the client request is handled using another back end. Crossroads will then periodically check whether a previously not usable back end has come to life yet. Also, crossroads can select back ends by estimating the load, so that balancing is achieved.
Using this approach, crossroads serves as load balancer and fail over utility. Crossroads will very likely not be as reliable as hardware based balancers, since it always will require a server to run on. This server, in turn, may become a new Single Point of Failure (SPOS). However, in situations where cost efficiency is an issue, crossroads may be a good choice.
Furthermore, crossroads can be deployed in situations where a hardware based balancing already exists and augmenting service reliability is needed. Or, crossroads may be run off a diskless system, which again improves reliability of the underlying hardware.
This document describes how to use crossroads, how to configure it in order to increase the reliability of your systems, and how to compile the program from its sources. This document is also available in PDF format.
Usage:
Crossroads is started from the commandline, and highly depends on /etc/crossroads.conf (the default configuration file). It supports a number of flags (e.g., to overrule the location of the configuration file). The actual usage information is always obtained by typing crossroads without any arguments. Crossroads then displays the allowed arguments.
This section shows the basic usage.
- crossroads start and crossroads stop are typical actions that are run from system startup scripts. The meaning is self-explanatory.
- crossroad status reports on each running service. Per service, the state of each back end is reported.
- crossroads tell service backend state is a command line way of telling crossroads that a given back end, of a given service, is in a given state. Normally crossroads maintains state information itself, but by using crossroads tell, a back end can be e.g. taken off line for servicing.
- crossroads services reports on the configured services. In contrast to crossroads status, this option only shows whats configured -- not whats up and running. Therefore, crossroads services doesnt report on back end states.
- crossroads sampleconf shows a sample configuration on screen. A good way of quicky viewing the configuration file syntax, or of getting a start for your own configuration /etc/crossroads.conf.
Download (0.18MB)
Added: 2007-08-21 License: GPL v3 Price:
801 downloads
HTTP Proxy Client 0.8.5
HTTP Proxy Client is a set of libraries and scripts that provide transparent access to Internet. more>>
HTTP Proxy Client is the small set of libraries and scripts, which provides transparent access to Internet via HTTP proxy for programs, which uses TCP/IP for communication.
The list of programs includes: telnet, ftp, licq, cvs, smth else? Project implements dynamic library, that can be preloaded before program run.
The library substitutes some system calls (connect(), gethostbyaddr(), gethostbyname()), with calls, which makes TCP/IP connection through HTTP proxy. This allows client programs behind HTTP proxy work with Internet without limitations.
At the moment tested on i386 Linux, i386/sparc Solaris.
Enhancements:
- While using dotted address, applications will attempt to connect regardless DNS lookup result.
<<lessThe list of programs includes: telnet, ftp, licq, cvs, smth else? Project implements dynamic library, that can be preloaded before program run.
The library substitutes some system calls (connect(), gethostbyaddr(), gethostbyname()), with calls, which makes TCP/IP connection through HTTP proxy. This allows client programs behind HTTP proxy work with Internet without limitations.
At the moment tested on i386 Linux, i386/sparc Solaris.
Enhancements:
- While using dotted address, applications will attempt to connect regardless DNS lookup result.
Download (0.21MB)
Added: 2005-09-13 License: GPL (GNU General Public License) Price:
1510 downloads
tcptrack 1.2.0
tcptrack provides a packet sniffer that displays TCP connections similarly to top. more>>
tcptrack provides a packet sniffer that displays TCP connections similarly to top.
tcptrack is a packet sniffer, which passively watches for connections on a specified network interface, tracks their states, and lists them in a manner similar to the Unix top command.
It displays source and destination addresses and ports, connection state, idle time, and bandwidth usage.
<<lesstcptrack is a packet sniffer, which passively watches for connections on a specified network interface, tracks their states, and lists them in a manner similar to the Unix top command.
It displays source and destination addresses and ports, connection state, idle time, and bandwidth usage.
Download (0.11MB)
Added: 2007-02-21 License: GPL (GNU General Public License) Price:
584 downloads
Configuration with no services supported
Configuration with no services supported script is for a single host firewall configuration with no services supported. more>>
Configuration with no services supported script is for a single host firewall configuration with no services supported by the firewall machine itself.
Sample:
# USER CONFIGURABLE SECTION
# The name and location of the ipchains utility.
IPTABLES=iptables
# The path to the ipchains executable.
PATH="/usr/local/sbin"
# Our internal network address space and its supporting network device.
OURNET="10.5.0.0/24"
OURBCAST="10.5.0.255"
OURDEV="eth0"
# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="ppp0"
# The TCP services we wish to allow to pass - "" empty means all ports
# note: comma separated
TCPIN="ssh,ftp,ftp-data"
TCPOUT="smtp,www,ssh,telnet,ftp,ftp-data,irc,http"
# The UDP services we wish to allow to pass - "" empty means all ports
# note: comma separated
UDPIN="domain"
UDPOUT="domain"
# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: comma separated
ICMPIN="0,3,11"
ICMPOUT="8,3,11"
# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1
# END USER CONFIGURABLE SECTION
####################################
# Flush the Input table rules
echo -n Flushing forward... && {
$IPTABLES -F FORWARD
} && echo done
# We want to deny incoming access by default.
# echo -n Denying incoming access... && {
# $IPTABLES -P FORWARD drop
# } && echo done
# Drop all datagrams destined for this host received from outside.
echo -n Dropping incoming datagrams... && {
$IPTABLES -A INPUT -i $ANYDEV -j DROP
} && echo done
# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
echo -n Preventing spoofing... && {
$IPTABLES -A FORWARD -s $OURNET -i $ANYDEV -j DROP
} && echo done
# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
echo -n Preventing SMURFs... && {
$IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET -j DROP
} && echo done
# We should accept fragments, in iptables we must do this explicitly.
echo -n Accepting fragments... && {
$IPTABLES -A FORWARD -f -j ACCEPT
} && echo done
# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports were allowing through.
# This should catch more than 95 % of all valid TCP packets.
echo -n Accepting valid incoming tcp datagrams on existing connections... && {
$IPTABLES -A FORWARD -m multiport -p tcp -d $OURNET --dports $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
} && echo done
echo -n Accepting valid outgoing tcp datagrams on existing connections... && {
$IPTABLES -A FORWARD -m multiport -p tcp -s $OURNET --sports $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
} && echo done
# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
echo -n Accepting incoming tcp connections on allowed ports... && {
$IPTABLES -A FORWARD -m multiport -p tcp -i $ANYDEV -d $OURNET --dports $TCPIN --syn -j ACCEPT
} && echo done
# TCP - OUTGOING CONNECTIONS
# We will accept all outgoing tcp connection requests on the allowed TCP ports.
echo -n Accepting outgoing traffic on allowed tcp ports... && {
$IPTABLES -A FORWARD -m multiport -p tcp -i $OURDEV -d $ANYADDR --dports $TCPOUT --syn -j ACCEPT
} && echo done
# UDP - INCOMING
# allow UDP datagrams in on the allowed ports and back.
echo -n Allowing UDP datagrams in on the allowed ports and back... && {
$IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -d $OURNET --dports $UDPIN -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -s $OURNET --sports $UDPIN -j ACCEPT
} && echo done
# UDP - OUTGOING
# We will allow UDP datagrams out to the allowed ports and back.
echo -n Allowing UDP datagrams out on the allowed ports and back... && {
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -d $ANYADDR --dports $UDPOUT -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -s $ANYADDR --sports $UDPOUT -j ACCEPT
} && echo done
# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
# echo -n Allowing ICMP datagrams in of the allowed types... && {
# $IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET --icmp-type $ICMPIN -j ACCEPT
# } && echo done
# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
# echo -n Allowing ICMP datagrams out of the allowed types... && {
# $IPTABLES -A FORWARD -p icmp -i $OURDEV -d $ANYADDR --icmp-type $ICMPOUT -j ACCEPT
# } && echo done
# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if youve
# configured the LOGGING variable above.
#
# DoS
# enabling Syn-flood protection
echo -n Enabling Syn-flood protection... && {
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
} && echo done
# Enabling Furtive port scanner protection
echo -n Enabling Furtive port scanner protection... && {
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
} && echo done
# Enabling ping of death protection
echo -n Enabling ping of death protection... && {
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
} && echo done
if [ "$LOGGING" ]
then
# Log barred TCP
$IPTABLES -A FORWARD -m tcp -p tcp -j LOG
# Log barred UDP
$IPTABLES -A FORWARD -m udp -p udp -j LOG
# Log barred ICMP
$IPTABLES -A FORWARD -m udp -p icmp -j LOG
fi
#
# end.
<<lessSample:
# USER CONFIGURABLE SECTION
# The name and location of the ipchains utility.
IPTABLES=iptables
# The path to the ipchains executable.
PATH="/usr/local/sbin"
# Our internal network address space and its supporting network device.
OURNET="10.5.0.0/24"
OURBCAST="10.5.0.255"
OURDEV="eth0"
# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="ppp0"
# The TCP services we wish to allow to pass - "" empty means all ports
# note: comma separated
TCPIN="ssh,ftp,ftp-data"
TCPOUT="smtp,www,ssh,telnet,ftp,ftp-data,irc,http"
# The UDP services we wish to allow to pass - "" empty means all ports
# note: comma separated
UDPIN="domain"
UDPOUT="domain"
# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: comma separated
ICMPIN="0,3,11"
ICMPOUT="8,3,11"
# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1
# END USER CONFIGURABLE SECTION
####################################
# Flush the Input table rules
echo -n Flushing forward... && {
$IPTABLES -F FORWARD
} && echo done
# We want to deny incoming access by default.
# echo -n Denying incoming access... && {
# $IPTABLES -P FORWARD drop
# } && echo done
# Drop all datagrams destined for this host received from outside.
echo -n Dropping incoming datagrams... && {
$IPTABLES -A INPUT -i $ANYDEV -j DROP
} && echo done
# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
echo -n Preventing spoofing... && {
$IPTABLES -A FORWARD -s $OURNET -i $ANYDEV -j DROP
} && echo done
# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
echo -n Preventing SMURFs... && {
$IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET -j DROP
} && echo done
# We should accept fragments, in iptables we must do this explicitly.
echo -n Accepting fragments... && {
$IPTABLES -A FORWARD -f -j ACCEPT
} && echo done
# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports were allowing through.
# This should catch more than 95 % of all valid TCP packets.
echo -n Accepting valid incoming tcp datagrams on existing connections... && {
$IPTABLES -A FORWARD -m multiport -p tcp -d $OURNET --dports $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
} && echo done
echo -n Accepting valid outgoing tcp datagrams on existing connections... && {
$IPTABLES -A FORWARD -m multiport -p tcp -s $OURNET --sports $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
} && echo done
# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
echo -n Accepting incoming tcp connections on allowed ports... && {
$IPTABLES -A FORWARD -m multiport -p tcp -i $ANYDEV -d $OURNET --dports $TCPIN --syn -j ACCEPT
} && echo done
# TCP - OUTGOING CONNECTIONS
# We will accept all outgoing tcp connection requests on the allowed TCP ports.
echo -n Accepting outgoing traffic on allowed tcp ports... && {
$IPTABLES -A FORWARD -m multiport -p tcp -i $OURDEV -d $ANYADDR --dports $TCPOUT --syn -j ACCEPT
} && echo done
# UDP - INCOMING
# allow UDP datagrams in on the allowed ports and back.
echo -n Allowing UDP datagrams in on the allowed ports and back... && {
$IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -d $OURNET --dports $UDPIN -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -s $OURNET --sports $UDPIN -j ACCEPT
} && echo done
# UDP - OUTGOING
# We will allow UDP datagrams out to the allowed ports and back.
echo -n Allowing UDP datagrams out on the allowed ports and back... && {
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -d $ANYADDR --dports $UDPOUT -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -s $ANYADDR --sports $UDPOUT -j ACCEPT
} && echo done
# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
# echo -n Allowing ICMP datagrams in of the allowed types... && {
# $IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET --icmp-type $ICMPIN -j ACCEPT
# } && echo done
# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
# echo -n Allowing ICMP datagrams out of the allowed types... && {
# $IPTABLES -A FORWARD -p icmp -i $OURDEV -d $ANYADDR --icmp-type $ICMPOUT -j ACCEPT
# } && echo done
# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if youve
# configured the LOGGING variable above.
#
# DoS
# enabling Syn-flood protection
echo -n Enabling Syn-flood protection... && {
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
} && echo done
# Enabling Furtive port scanner protection
echo -n Enabling Furtive port scanner protection... && {
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
} && echo done
# Enabling ping of death protection
echo -n Enabling ping of death protection... && {
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
} && echo done
if [ "$LOGGING" ]
then
# Log barred TCP
$IPTABLES -A FORWARD -m tcp -p tcp -j LOG
# Log barred UDP
$IPTABLES -A FORWARD -m udp -p udp -j LOG
# Log barred ICMP
$IPTABLES -A FORWARD -m udp -p icmp -j LOG
fi
#
# end.
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
982 downloads
NetSplitter 20021204
NetSplitter is a ( user-level ) network load-balance. more>>
NetSplitter is a ( user-level ) network load-balance. It is like a transparent-proxy and will balance ( output ) TCP connections on multiples links.
Linux NAT add/remove code is incomplete. NetSplitter will use the system() function to run the iptables to handle this.
Step 1) IPTABLES
Tell Iptables redirect packets. netfilter will intercept the data.
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.2.0/24 -j DNAT --to-destination 192.168.2.1:5122
Or use any rule you want. just like a transparent proxy to proxy 5122.
eth0 is the LAN interface
192.168.2.0/24 is the LAN address
192.168.2.1:5122 is the netsplitter address and port.
!! DONT FORGET TO ADD UDP AND ICMP NAT CONFIGURATION !!
- OPTIONAL
LOCAL-NAT
In your iptables rulez:
iptables -t nat -A OUTPUT -p tcp --sport 1024:4999 -j DNAT --to-destination 192.168.1.1:5122
where 1024-4999 are the values in /proc/sys/net/ipv4/ip_local_port_range.
and 192.168.1.1 is the netsplitter address.
Step 2) File Configuration
Config File: /etc/netsplitter.conf
INTERFACE eth0 200.161.76.110 256
INTERFACE eth1 200.212.76.185 256
INTERFACE eth2 200.200.200.200 256
PING 1.1.1.1
PING 2.2.2.2
where:
[eth0] is a internet network link
[200.161.76.110] Is the eth0 network address.
[256] link speed, in kbps.
[1.1.1.1]
[2.2.2.2] A IP address that response to ping. NetSplitter will use this to check if a link is up or down.
Enhancements:
- 20021115 - Linux and BSD working
<<lessLinux NAT add/remove code is incomplete. NetSplitter will use the system() function to run the iptables to handle this.
Step 1) IPTABLES
Tell Iptables redirect packets. netfilter will intercept the data.
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.2.0/24 -j DNAT --to-destination 192.168.2.1:5122
Or use any rule you want. just like a transparent proxy to proxy 5122.
eth0 is the LAN interface
192.168.2.0/24 is the LAN address
192.168.2.1:5122 is the netsplitter address and port.
!! DONT FORGET TO ADD UDP AND ICMP NAT CONFIGURATION !!
- OPTIONAL
LOCAL-NAT
In your iptables rulez:
iptables -t nat -A OUTPUT -p tcp --sport 1024:4999 -j DNAT --to-destination 192.168.1.1:5122
where 1024-4999 are the values in /proc/sys/net/ipv4/ip_local_port_range.
and 192.168.1.1 is the netsplitter address.
Step 2) File Configuration
Config File: /etc/netsplitter.conf
INTERFACE eth0 200.161.76.110 256
INTERFACE eth1 200.212.76.185 256
INTERFACE eth2 200.200.200.200 256
PING 1.1.1.1
PING 2.2.2.2
where:
[eth0] is a internet network link
[200.161.76.110] Is the eth0 network address.
[256] link speed, in kbps.
[1.1.1.1]
[2.2.2.2] A IP address that response to ping. NetSplitter will use this to check if a link is up or down.
Enhancements:
- 20021115 - Linux and BSD working
Download (0.012MB)
Added: 2006-06-28 License: GPL (GNU General Public License) Price:
1214 downloads
The Doorman 0.81
The doorman guards the door of a server, manipulating firewall rules to admit only recognized parties. more>>
The doorman guards the door of a server, manipulating firewall rules to admit only recognized parties.
The doorman is intended to run on systems which have their firewall rules turned down tightly enough as to be effectively invisible to the outside world. The doorman adds and removes extra rules in a very controlled manner.
Using metaphor 1...
The doorman daemon "guards the door" of a host, admitting only recognized parties. It allows a server which is not intended for general public access to run with all of its TCP ports closed to the outside world. A matching "knocker" is provided, with which to persuade the doorman to open the door a crack, just wide enough for a single TCP connection from a single IP address.
And now, switching to metaphor 2... :)
A private server thus rigged for silent running has greatly enhanced security. Port scans cannot reveal its existence. Even if its existence is known by other means (or the firewall isnt all that tight), possible bugs in server code cannot be exploited; packets from unknown sources simply never get to the bug.
The current implementation of the doorman, "doormand", is suitable for protecting only TCP services on Unix-type systems. The door-knocker, "knock", can be run under Unix, GNU/Linux, or Microsoft Windows.
The doorman is based on an original idea of Martin Krzywinski, who proposed watching firewall logs for a sequence of packets directed to closed ports, which method he described in Sysadmin magazine and linuxjournal.com.
You might also visit his pages at www.portknocking.org.
This particular implementation deviates a bit from his original proposal, in that the doorman watches for only a single UDP packet. To get the doorman to open up, the packet must contain an MD5 hash which correctly hashes a shared secret, salted with a 32-bit random number, the identifying user or group-name, and the requested service port-number.
Enhancements:
- Added support for linux cooked socket header len; thanks to Markus Hoffmann.
- Fixed guestlist hostname-parsing bug; also thanks to Markus.
- Changed method of remembering old knock hashes, without use of Berkeley DB.
- Kinda-fixed a bug handling pcapnext-returns-null condition. I hope.
- Included lexer.c (flex output from lexer.l) in distribution. Duh.
- Fixed doorman bug when creating new new hashfile; thanks to Robert Koropcak
- No changes made to knock.c; however, it will report being V0.81
<<lessThe doorman is intended to run on systems which have their firewall rules turned down tightly enough as to be effectively invisible to the outside world. The doorman adds and removes extra rules in a very controlled manner.
Using metaphor 1...
The doorman daemon "guards the door" of a host, admitting only recognized parties. It allows a server which is not intended for general public access to run with all of its TCP ports closed to the outside world. A matching "knocker" is provided, with which to persuade the doorman to open the door a crack, just wide enough for a single TCP connection from a single IP address.
And now, switching to metaphor 2... :)
A private server thus rigged for silent running has greatly enhanced security. Port scans cannot reveal its existence. Even if its existence is known by other means (or the firewall isnt all that tight), possible bugs in server code cannot be exploited; packets from unknown sources simply never get to the bug.
The current implementation of the doorman, "doormand", is suitable for protecting only TCP services on Unix-type systems. The door-knocker, "knock", can be run under Unix, GNU/Linux, or Microsoft Windows.
The doorman is based on an original idea of Martin Krzywinski, who proposed watching firewall logs for a sequence of packets directed to closed ports, which method he described in Sysadmin magazine and linuxjournal.com.
You might also visit his pages at www.portknocking.org.
This particular implementation deviates a bit from his original proposal, in that the doorman watches for only a single UDP packet. To get the doorman to open up, the packet must contain an MD5 hash which correctly hashes a shared secret, salted with a 32-bit random number, the identifying user or group-name, and the requested service port-number.
Enhancements:
- Added support for linux cooked socket header len; thanks to Markus Hoffmann.
- Fixed guestlist hostname-parsing bug; also thanks to Markus.
- Changed method of remembering old knock hashes, without use of Berkeley DB.
- Kinda-fixed a bug handling pcapnext-returns-null condition. I hope.
- Included lexer.c (flex output from lexer.l) in distribution. Duh.
- Fixed doorman bug when creating new new hashfile; thanks to Robert Koropcak
- No changes made to knock.c; however, it will report being V0.81
Download (0.13MB)
Added: 2006-07-12 License: GPL (GNU General Public License) Price:
1202 downloads
Cubehub Tunnel 1.0
Cubehub is a simple UDP over TCP tunnel application written in Java. more>>
Cubehub is a simple UDP over TCP tunnel application written in Java. It is designed to help people behind a firewall to connect through a TCP connection and play Quake and other UDP-based games.
SOCKS 4 and 5 are protocols that are supposed to allow users to send data through a firewall. However, they only work like this if the SOCKS server is on the firewall itself. Whilst TCP/IP traffic is frequently permitted through firewalls, UDP/IP (required by most online games) is often blocked. When a SOCKS 5 server relays UDP data (SOCKS 4 does not support UDP), the packets are simply relayed, there is no tunnelling involved.
This application provides a solution, tunnelling the data being relayed by a SOCKS server over one or (for better gaming performance) multiple TCP connections to help applications and games to work from behind a restrictive firewall.
Main features:
- Socks 4/5 server
- TCP and UDP tunnelling over single or multiple TCP connections
- Resilience against individual connection dropping
<<lessSOCKS 4 and 5 are protocols that are supposed to allow users to send data through a firewall. However, they only work like this if the SOCKS server is on the firewall itself. Whilst TCP/IP traffic is frequently permitted through firewalls, UDP/IP (required by most online games) is often blocked. When a SOCKS 5 server relays UDP data (SOCKS 4 does not support UDP), the packets are simply relayed, there is no tunnelling involved.
This application provides a solution, tunnelling the data being relayed by a SOCKS server over one or (for better gaming performance) multiple TCP connections to help applications and games to work from behind a restrictive firewall.
Main features:
- Socks 4/5 server
- TCP and UDP tunnelling over single or multiple TCP connections
- Resilience against individual connection dropping
Download (0.19MB)
Added: 2006-06-30 License: Freeware Price:
1216 downloads
Network Communicator 2.0.0
Network Communicator is a simple script for sending and receiving data over TCP/UDP connections. more>>
Network Communicator is a simple script for sending and receiving data over TCP/UDP connections.
It can be useful for testing firewall configurations, routing tables, and similar things.
I had originally written two scripts for testing TCP only: a talker and a listener. Upon failure to properly modify them to support UDP only, I made Netcom. It allows the sending and receiving of TCP or UDP data to arbitrary IPs/Ports and optional from/to files.
Im sure there are already tools like this out there like netcat, but wasnt able to get netcat working properly for UDP also. Either way, here you go and enjoy!
Launch Netcom with no options to view the usage.
Enhancements:
- A complete re-write to support arbitrary source/destination and port forwarding (not tunneling).
<<lessIt can be useful for testing firewall configurations, routing tables, and similar things.
I had originally written two scripts for testing TCP only: a talker and a listener. Upon failure to properly modify them to support UDP only, I made Netcom. It allows the sending and receiving of TCP or UDP data to arbitrary IPs/Ports and optional from/to files.
Im sure there are already tools like this out there like netcat, but wasnt able to get netcat working properly for UDP also. Either way, here you go and enjoy!
Launch Netcom with no options to view the usage.
Enhancements:
- A complete re-write to support arbitrary source/destination and port forwarding (not tunneling).
Download (0.009MB)
Added: 2006-04-27 License: GPL (GNU General Public License) Price:
1283 downloads
Firewall Tester 1.0
The Firewall Tester (FTester) is a tool designed for testing firewalls filtering policies and Intrusion Detection System (IDS) c more>>
The Firewall Tester (FTester) is a tool designed for testing firewalls filtering policies and Intrusion Detection System (IDS) capabilities.The tool consists of two perl scripts, a packet injector (ftest) and the listening sniffer (ftestd). The first script injects custom packets, defined in ftest.conf, with a signature in the data part while the sniffer listens for such marked packets. The scripts both write a log file which is in the same form for both scripts. A diff of the two produced files (ftest.log and ftestd.log) shows the packets that were unable to reach the sniffer due to filtering rules if these two scripts are ran on hosts placed on two different sides of a firewall. Stateful inspection firewalls are handled with the connection spoofing option. A script called freport is also available for automatically write to log files.
Of course this is not an automated process, ftest.conf must be crafted for every different situation. Examples and rules are included in the attached configuration file.
The IDS (Intrusion Detection System) testing feature can be used either with ftest only or with the additional support of ftestd for handling stateful inspection IDS, ftest can also use common IDS evasion techniques. Instead of using the configuration syntax currently the script can also process snort rule definition file.
These two scripts were written because I was tired of doing this by hand (with packet-crafting tools and tcpdump), I know that there are at least two dozens of other methods to do this but another reason was to learn some perl ;). I hope that you enjoy them.
Main features:
- firewall testing
- IDS testing
- simulation of real tcp connections for stateful inspection firewalls and IDS
- connection spoofing
- IP fragmentation / TCP segmentation
- IDS evasion techniques
<<lessOf course this is not an automated process, ftest.conf must be crafted for every different situation. Examples and rules are included in the attached configuration file.
The IDS (Intrusion Detection System) testing feature can be used either with ftest only or with the additional support of ftestd for handling stateful inspection IDS, ftest can also use common IDS evasion techniques. Instead of using the configuration syntax currently the script can also process snort rule definition file.
These two scripts were written because I was tired of doing this by hand (with packet-crafting tools and tcpdump), I know that there are at least two dozens of other methods to do this but another reason was to learn some perl ;). I hope that you enjoy them.
Main features:
- firewall testing
- IDS testing
- simulation of real tcp connections for stateful inspection firewalls and IDS
- connection spoofing
- IP fragmentation / TCP segmentation
- IDS evasion techniques
Download (0.030MB)
Added: 2006-07-07 License: GPL (GNU General Public License) Price:
1206 downloads
TCPCam Beta1
TCPCam is a video and audio point to point conference program for Linux that is very easy to use and modify. more>>
TCPCam is a video and audio point to point conference program for Linux that is very easy to use and modify. The connection uses a single TCP port that needs to be open on only one of the two ends.
TCPCam is possible to change the video compression and resolution at run-time to match the available bandwidth.
It uses the Speex encoder for audio compression (in both narrowband and wideband), JPEG compression for video, and works with most video4linux devices and audio boards supporting the OSS API.
Main features:
- It works using a single TCP port (port 7766). In order for TCPCam to work between two users, one of the users can be completly firewalled, while the other one must have port TCP 7766 open to the outside.
- Audio frames are encoded using the Speex encoder/algorithm.
- Video frames are encoded using JPEG at high compression level.
- The user can switch between ten different video quality levels at runtime using keys from 1 to 0.
- Support for multiple video resolution (up to 640x480), the user can switch at runtime using the right keys (see usage)
- Full screen mode (just press f to toggle).
- Capture screenshots in JPEG format (just press enter).
- Audio works in narrowband (8Khz) and wideband (16Khz).
- The protocol is very simple to implement in most operating systems and programming languages. It is based on frames with a simple header containing audio or video and transimtted over a TCP channel.
<<lessTCPCam is possible to change the video compression and resolution at run-time to match the available bandwidth.
It uses the Speex encoder for audio compression (in both narrowband and wideband), JPEG compression for video, and works with most video4linux devices and audio boards supporting the OSS API.
Main features:
- It works using a single TCP port (port 7766). In order for TCPCam to work between two users, one of the users can be completly firewalled, while the other one must have port TCP 7766 open to the outside.
- Audio frames are encoded using the Speex encoder/algorithm.
- Video frames are encoded using JPEG at high compression level.
- The user can switch between ten different video quality levels at runtime using keys from 1 to 0.
- Support for multiple video resolution (up to 640x480), the user can switch at runtime using the right keys (see usage)
- Full screen mode (just press f to toggle).
- Capture screenshots in JPEG format (just press enter).
- Audio works in narrowband (8Khz) and wideband (16Khz).
- The protocol is very simple to implement in most operating systems and programming languages. It is based on frames with a simple header containing audio or video and transimtted over a TCP channel.
Download (0.90MB)
Added: 2006-06-30 License: GPL (GNU General Public License) Price:
1214 downloads
Secleted [ 0 ] software to compare
Copyright Notice:
Software piracy is theft, Using crack, password, serial numbers, registration codes, key generators is illegal and prevent future software development. The above tcp connections are limited to a maximum of 10 search only lists software in full, demo and trial versions for free download. Download links are directly from our mirror sites or publisher sites, torrent files or links from rapidshare.com, yousendit.com or megaupload.com are not allowed
