tcp connections for ibgp
Sponsored Links
Sponsored Links
Secleted [ 0 ] software to compare
Results 1 - 15 of about 2438
conn-close 1.0
conn-close gives us possibility to get rid of entries in ip_conntrack about ESTABLISHED TCP connections. more>>
conn-close gives us possibility to get rid of entries in ip_conntrack about ESTABLISHED TCP connections that goes through our server.
conn-close script uses hping2 to send spoofed RST packets which will fool conntrack and cause specified connections to be considered by conntrack as closed (now these connections will be in ip_conntrack in CLOSE state), even though RST packets will be more likely discarded by destination host.
Information about connections is read of course from /proc/net/ip_conntrack.
Idea was taken from script seen somewhere on the internet.
<<lessconn-close script uses hping2 to send spoofed RST packets which will fool conntrack and cause specified connections to be considered by conntrack as closed (now these connections will be in ip_conntrack in CLOSE state), even though RST packets will be more likely discarded by destination host.
Information about connections is read of course from /proc/net/ip_conntrack.
Idea was taken from script seen somewhere on the internet.
Download (0.003MB)
Added: 2006-05-08 License: GPL (GNU General Public License) Price:
1264 downloads
tcptunnel 1.0
tcptunnel is a simple TCP tunnel written in Perl. more>>
tcptunnel is a simple TCP tunnel written in Perl.
Also is a versatile tcp tunnel. The tcptunnel uses:
- tunnelling through a firewall or proxy
- redirecting tcp connections to other ports or machines
- debugging tcp connections in-place
- packet sniffing
The tcptunnel listens on local port < port > and when a connection is made it connects the other end of the tunnel as follows:
a) With no proxy specified, it connects the other end
to < srvport > on < srv >.
b) With a proxy, it connects to < srvport > on < proxy >.
It then directs the proxy to telnet to < srv >, and then it connects the ends of the tunnel.
<<lessAlso is a versatile tcp tunnel. The tcptunnel uses:
- tunnelling through a firewall or proxy
- redirecting tcp connections to other ports or machines
- debugging tcp connections in-place
- packet sniffing
The tcptunnel listens on local port < port > and when a connection is made it connects the other end of the tunnel as follows:
a) With no proxy specified, it connects the other end
to < srvport > on < srv >.
b) With a proxy, it connects to < srvport > on < proxy >.
It then directs the proxy to telnet to < srv >, and then it connects the ends of the tunnel.
Download (0.005MB)
Added: 2006-07-01 License: GPL (GNU General Public License) Price:
1213 downloads
TCP Re-engineering Tool 1.4.3
TCP Re-engineering Tool monitors and analyzes data transmitted between a client and a server via a TCP connection. more>>
TCPreen is a simple tool to monitor and analyze data transmitted between clients and servers through connection-oriented streams data such as a TCP sessions; it supports TCP over either IPv4 or IPv6. This tool focuses on the data stream (software/socket layer), not on the lower level transmission protocol as packet sniffers do.
TCPreen listens on a TCP port and wait for incoming connections to come in. Then, it forwards data sent by the connecting client to another server port (possibly on another computer) and forwards server responses back to the client.
TCPreen can display data on your console in real-time and/or save it to log files for later reference.There are various display formats.
While it was originally meant to help developers reverse-engineer TCP-based protocols, it can also be very useful to debug network server or client software or for a system administrator to monitor a TCP service.
Enhancements:
- libsolve/getaddrinfo.{c,h}, src/winstub.{c,h}:
- dirty kludge to resolve getaddrinfo & co at run-time
- so that tcpreen can still run on Windows 2000 and older.
<<lessTCPreen listens on a TCP port and wait for incoming connections to come in. Then, it forwards data sent by the connecting client to another server port (possibly on another computer) and forwards server responses back to the client.
TCPreen can display data on your console in real-time and/or save it to log files for later reference.There are various display formats.
While it was originally meant to help developers reverse-engineer TCP-based protocols, it can also be very useful to debug network server or client software or for a system administrator to monitor a TCP service.
Enhancements:
- libsolve/getaddrinfo.{c,h}, src/winstub.{c,h}:
- dirty kludge to resolve getaddrinfo & co at run-time
- so that tcpreen can still run on Windows 2000 and older.
Download (0.041MB)
Added: 2006-06-28 License: GPL (GNU General Public License) Price:
1216 downloads
Network Communicator 2.0.0
Network Communicator is a simple script for sending and receiving data over TCP/UDP connections. more>>
Network Communicator is a simple script for sending and receiving data over TCP/UDP connections.
It can be useful for testing firewall configurations, routing tables, and similar things.
I had originally written two scripts for testing TCP only: a talker and a listener. Upon failure to properly modify them to support UDP only, I made Netcom. It allows the sending and receiving of TCP or UDP data to arbitrary IPs/Ports and optional from/to files.
Im sure there are already tools like this out there like netcat, but wasnt able to get netcat working properly for UDP also. Either way, here you go and enjoy!
Launch Netcom with no options to view the usage.
Enhancements:
- A complete re-write to support arbitrary source/destination and port forwarding (not tunneling).
<<lessIt can be useful for testing firewall configurations, routing tables, and similar things.
I had originally written two scripts for testing TCP only: a talker and a listener. Upon failure to properly modify them to support UDP only, I made Netcom. It allows the sending and receiving of TCP or UDP data to arbitrary IPs/Ports and optional from/to files.
Im sure there are already tools like this out there like netcat, but wasnt able to get netcat working properly for UDP also. Either way, here you go and enjoy!
Launch Netcom with no options to view the usage.
Enhancements:
- A complete re-write to support arbitrary source/destination and port forwarding (not tunneling).
Download (0.009MB)
Added: 2006-04-27 License: GPL (GNU General Public License) Price:
1283 downloads
Configuration with no services supported
Configuration with no services supported script is for a single host firewall configuration with no services supported. more>>
Configuration with no services supported script is for a single host firewall configuration with no services supported by the firewall machine itself.
Sample:
# USER CONFIGURABLE SECTION
# The name and location of the ipchains utility.
IPTABLES=iptables
# The path to the ipchains executable.
PATH="/usr/local/sbin"
# Our internal network address space and its supporting network device.
OURNET="10.5.0.0/24"
OURBCAST="10.5.0.255"
OURDEV="eth0"
# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="ppp0"
# The TCP services we wish to allow to pass - "" empty means all ports
# note: comma separated
TCPIN="ssh,ftp,ftp-data"
TCPOUT="smtp,www,ssh,telnet,ftp,ftp-data,irc,http"
# The UDP services we wish to allow to pass - "" empty means all ports
# note: comma separated
UDPIN="domain"
UDPOUT="domain"
# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: comma separated
ICMPIN="0,3,11"
ICMPOUT="8,3,11"
# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1
# END USER CONFIGURABLE SECTION
####################################
# Flush the Input table rules
echo -n Flushing forward... && {
$IPTABLES -F FORWARD
} && echo done
# We want to deny incoming access by default.
# echo -n Denying incoming access... && {
# $IPTABLES -P FORWARD drop
# } && echo done
# Drop all datagrams destined for this host received from outside.
echo -n Dropping incoming datagrams... && {
$IPTABLES -A INPUT -i $ANYDEV -j DROP
} && echo done
# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
echo -n Preventing spoofing... && {
$IPTABLES -A FORWARD -s $OURNET -i $ANYDEV -j DROP
} && echo done
# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
echo -n Preventing SMURFs... && {
$IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET -j DROP
} && echo done
# We should accept fragments, in iptables we must do this explicitly.
echo -n Accepting fragments... && {
$IPTABLES -A FORWARD -f -j ACCEPT
} && echo done
# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports were allowing through.
# This should catch more than 95 % of all valid TCP packets.
echo -n Accepting valid incoming tcp datagrams on existing connections... && {
$IPTABLES -A FORWARD -m multiport -p tcp -d $OURNET --dports $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
} && echo done
echo -n Accepting valid outgoing tcp datagrams on existing connections... && {
$IPTABLES -A FORWARD -m multiport -p tcp -s $OURNET --sports $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
} && echo done
# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
echo -n Accepting incoming tcp connections on allowed ports... && {
$IPTABLES -A FORWARD -m multiport -p tcp -i $ANYDEV -d $OURNET --dports $TCPIN --syn -j ACCEPT
} && echo done
# TCP - OUTGOING CONNECTIONS
# We will accept all outgoing tcp connection requests on the allowed TCP ports.
echo -n Accepting outgoing traffic on allowed tcp ports... && {
$IPTABLES -A FORWARD -m multiport -p tcp -i $OURDEV -d $ANYADDR --dports $TCPOUT --syn -j ACCEPT
} && echo done
# UDP - INCOMING
# allow UDP datagrams in on the allowed ports and back.
echo -n Allowing UDP datagrams in on the allowed ports and back... && {
$IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -d $OURNET --dports $UDPIN -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -s $OURNET --sports $UDPIN -j ACCEPT
} && echo done
# UDP - OUTGOING
# We will allow UDP datagrams out to the allowed ports and back.
echo -n Allowing UDP datagrams out on the allowed ports and back... && {
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -d $ANYADDR --dports $UDPOUT -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -s $ANYADDR --sports $UDPOUT -j ACCEPT
} && echo done
# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
# echo -n Allowing ICMP datagrams in of the allowed types... && {
# $IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET --icmp-type $ICMPIN -j ACCEPT
# } && echo done
# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
# echo -n Allowing ICMP datagrams out of the allowed types... && {
# $IPTABLES -A FORWARD -p icmp -i $OURDEV -d $ANYADDR --icmp-type $ICMPOUT -j ACCEPT
# } && echo done
# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if youve
# configured the LOGGING variable above.
#
# DoS
# enabling Syn-flood protection
echo -n Enabling Syn-flood protection... && {
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
} && echo done
# Enabling Furtive port scanner protection
echo -n Enabling Furtive port scanner protection... && {
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
} && echo done
# Enabling ping of death protection
echo -n Enabling ping of death protection... && {
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
} && echo done
if [ "$LOGGING" ]
then
# Log barred TCP
$IPTABLES -A FORWARD -m tcp -p tcp -j LOG
# Log barred UDP
$IPTABLES -A FORWARD -m udp -p udp -j LOG
# Log barred ICMP
$IPTABLES -A FORWARD -m udp -p icmp -j LOG
fi
#
# end.
<<lessSample:
# USER CONFIGURABLE SECTION
# The name and location of the ipchains utility.
IPTABLES=iptables
# The path to the ipchains executable.
PATH="/usr/local/sbin"
# Our internal network address space and its supporting network device.
OURNET="10.5.0.0/24"
OURBCAST="10.5.0.255"
OURDEV="eth0"
# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="ppp0"
# The TCP services we wish to allow to pass - "" empty means all ports
# note: comma separated
TCPIN="ssh,ftp,ftp-data"
TCPOUT="smtp,www,ssh,telnet,ftp,ftp-data,irc,http"
# The UDP services we wish to allow to pass - "" empty means all ports
# note: comma separated
UDPIN="domain"
UDPOUT="domain"
# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: comma separated
ICMPIN="0,3,11"
ICMPOUT="8,3,11"
# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1
# END USER CONFIGURABLE SECTION
####################################
# Flush the Input table rules
echo -n Flushing forward... && {
$IPTABLES -F FORWARD
} && echo done
# We want to deny incoming access by default.
# echo -n Denying incoming access... && {
# $IPTABLES -P FORWARD drop
# } && echo done
# Drop all datagrams destined for this host received from outside.
echo -n Dropping incoming datagrams... && {
$IPTABLES -A INPUT -i $ANYDEV -j DROP
} && echo done
# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
echo -n Preventing spoofing... && {
$IPTABLES -A FORWARD -s $OURNET -i $ANYDEV -j DROP
} && echo done
# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
echo -n Preventing SMURFs... && {
$IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET -j DROP
} && echo done
# We should accept fragments, in iptables we must do this explicitly.
echo -n Accepting fragments... && {
$IPTABLES -A FORWARD -f -j ACCEPT
} && echo done
# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports were allowing through.
# This should catch more than 95 % of all valid TCP packets.
echo -n Accepting valid incoming tcp datagrams on existing connections... && {
$IPTABLES -A FORWARD -m multiport -p tcp -d $OURNET --dports $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
} && echo done
echo -n Accepting valid outgoing tcp datagrams on existing connections... && {
$IPTABLES -A FORWARD -m multiport -p tcp -s $OURNET --sports $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
} && echo done
# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
echo -n Accepting incoming tcp connections on allowed ports... && {
$IPTABLES -A FORWARD -m multiport -p tcp -i $ANYDEV -d $OURNET --dports $TCPIN --syn -j ACCEPT
} && echo done
# TCP - OUTGOING CONNECTIONS
# We will accept all outgoing tcp connection requests on the allowed TCP ports.
echo -n Accepting outgoing traffic on allowed tcp ports... && {
$IPTABLES -A FORWARD -m multiport -p tcp -i $OURDEV -d $ANYADDR --dports $TCPOUT --syn -j ACCEPT
} && echo done
# UDP - INCOMING
# allow UDP datagrams in on the allowed ports and back.
echo -n Allowing UDP datagrams in on the allowed ports and back... && {
$IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -d $OURNET --dports $UDPIN -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -s $OURNET --sports $UDPIN -j ACCEPT
} && echo done
# UDP - OUTGOING
# We will allow UDP datagrams out to the allowed ports and back.
echo -n Allowing UDP datagrams out on the allowed ports and back... && {
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -d $ANYADDR --dports $UDPOUT -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -s $ANYADDR --sports $UDPOUT -j ACCEPT
} && echo done
# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
# echo -n Allowing ICMP datagrams in of the allowed types... && {
# $IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET --icmp-type $ICMPIN -j ACCEPT
# } && echo done
# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
# echo -n Allowing ICMP datagrams out of the allowed types... && {
# $IPTABLES -A FORWARD -p icmp -i $OURDEV -d $ANYADDR --icmp-type $ICMPOUT -j ACCEPT
# } && echo done
# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if youve
# configured the LOGGING variable above.
#
# DoS
# enabling Syn-flood protection
echo -n Enabling Syn-flood protection... && {
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
} && echo done
# Enabling Furtive port scanner protection
echo -n Enabling Furtive port scanner protection... && {
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
} && echo done
# Enabling ping of death protection
echo -n Enabling ping of death protection... && {
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
} && echo done
if [ "$LOGGING" ]
then
# Log barred TCP
$IPTABLES -A FORWARD -m tcp -p tcp -j LOG
# Log barred UDP
$IPTABLES -A FORWARD -m udp -p udp -j LOG
# Log barred ICMP
$IPTABLES -A FORWARD -m udp -p icmp -j LOG
fi
#
# end.
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
982 downloads
Remote Monitoring Agent 1.25
Remote Monitoring Agent (RMA) is an auxiliary application for HostMonitor. more>>
Remote Monitoring Agent (RMA in short) is an auxiliary application for HostMonitor. Enterprise license for Advanced Host Monitor already includes license for 10 installations of the agent. Holders of a Lite, Standard or Professional licenses may buy an additional license for Remote Monitoring Agent separately.
HostMonitor 4.0+ can monitor remote networks using Remote Monitoring Agents (RMA). RMA is small application that accepts requests from HostMonitor, performs test and provides information about test result back to HostMonitor.
Why you may need RMA? Here are just several reasons:
RMA increases security of the network. When you have to run the tests such as CPU Usage test or Performance Counters tests on a remote Windows system, HostMonitor must be able to log in to that system with administrators privileges. Instead you may now use an agent installed on that remote system. In this case HostMonitor will not have to log on to that system at all. HostMonitor needs just one TCP port to communicate with the RMA agent (by default it uses #1055 port, however you may set an agent to use any other port).
Remote Monitoring Agent is also a very useful tool when you have to monitor two (or many) separated networks (connected through Internet). In this case installing just one instance of RMA behind the firewall in network "A" will allow to monitor entire network "A" using the HostMonitor located in the network "B" with just one open TCP port.
RMA decreases the network traffic. E.g. frequent use of "File Integrity" or "Compare Files" tests in an array of remote systems may apply significant load on the network. The more and the bigger files you test the more traffic increase you get. RMA runs locally and sends only the test results to the HostMonitor thus decreasing the amount of network traffic.
Remote Monitoring Agent simplifies network administration. You no longer need to share local drives/folders to perform tests such as File Integrity, Folder/File Size, File Availability, Count Files, etc
RMA for Linux / BSD / Solaris allows you to perform tests that HostMonitor cannot perform. For example HostMonitor cannot monitor processes that are running on Linux systems. RMA can do that.
Main features:
- All traffic between Remote Monitoring Agents and HostMonitor is encrypted.
- It is possible to customize the list of enabled tests for each of the agents (e.g. living only Count Files and UNC tests only).
- You can restrict incoming TCP connections with the list of acceptable addresses.
- With RMA Manager you may configure, restart and even upgrade agent(s) remotely.
<<lessHostMonitor 4.0+ can monitor remote networks using Remote Monitoring Agents (RMA). RMA is small application that accepts requests from HostMonitor, performs test and provides information about test result back to HostMonitor.
Why you may need RMA? Here are just several reasons:
RMA increases security of the network. When you have to run the tests such as CPU Usage test or Performance Counters tests on a remote Windows system, HostMonitor must be able to log in to that system with administrators privileges. Instead you may now use an agent installed on that remote system. In this case HostMonitor will not have to log on to that system at all. HostMonitor needs just one TCP port to communicate with the RMA agent (by default it uses #1055 port, however you may set an agent to use any other port).
Remote Monitoring Agent is also a very useful tool when you have to monitor two (or many) separated networks (connected through Internet). In this case installing just one instance of RMA behind the firewall in network "A" will allow to monitor entire network "A" using the HostMonitor located in the network "B" with just one open TCP port.
RMA decreases the network traffic. E.g. frequent use of "File Integrity" or "Compare Files" tests in an array of remote systems may apply significant load on the network. The more and the bigger files you test the more traffic increase you get. RMA runs locally and sends only the test results to the HostMonitor thus decreasing the amount of network traffic.
Remote Monitoring Agent simplifies network administration. You no longer need to share local drives/folders to perform tests such as File Integrity, Folder/File Size, File Availability, Count Files, etc
RMA for Linux / BSD / Solaris allows you to perform tests that HostMonitor cannot perform. For example HostMonitor cannot monitor processes that are running on Linux systems. RMA can do that.
Main features:
- All traffic between Remote Monitoring Agents and HostMonitor is encrypted.
- It is possible to customize the list of enabled tests for each of the agents (e.g. living only Count Files and UNC tests only).
- You can restrict incoming TCP connections with the list of acceptable addresses.
- With RMA Manager you may configure, restart and even upgrade agent(s) remotely.
Download (0.088MB)
Added: 2007-05-09 License: Freeware Price:
904 downloads
Packet filtering setup script
Packet filtering setup script by Anthony C. Zboralski. more>>
Packet filtering setup script by Anthony C. Zboralski. Adapted by Didi Damian for iptables version 1.0.0
Sample:
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Set up variables
EXT_IF="eth0"
INT_IF="eth1"
EXT_IP=24.x.x.x/32
INT_IP=192.168.0.1/32
EXT_NET=24.x.x.0/24
INT_NET=192.168.0.0/24
MASQ_NETS="192.168.0.0/24"
LOCAL_ADDRS="127.0.0.0/8 192.168.0.1/32 24.x.x.x/32"
MAIL_RELAY=24.x.x.x/32
SMB_ACCESS="192.168.0.2/32"
SMB_BCAST="192.168.0.255/32"
# Turn on IP forwarding
echo Turning on IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Load the ip_tables module
echo Loading ip_tables module.
/sbin/modprobe ip_tables || exit 1
# I let the kernel dynamically load the other modules
echo Flush standard tables.
iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD
echo Deny everything until firewall setup is completed.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
CHAINS=`iptables -n -L |perl -n -e /Chains+(S+)/ && !($1 =~ /^(INPUT|FORWARD|OUTPUT)$/) && print "$1 "`
echo Remove remaining chains:
echo $CHAINS
for chain in $CHAINS; do
iptables --flush $chain
done
# 2nd step cause of dependencies
for chain in $CHAINS; do
iptables --delete-chain $chain
done
for net in $MASQ_NETS; do
# I delete all the rules so you can rerun the scripts without bloating
# your nat entries.
iptables -D POSTROUTING -t nat -s $MASQ_NETS -j MASQUERADE 2>/dev/null
iptables -A POSTROUTING -t nat -s $MASQ_NETS -j MASQUERADE || exit 1
done
iptables --policy FORWARD ACCEPT
# Create a target for logging and dropping packets
iptables --new LDROP 2>/dev/null
iptables -A LDROP --proto tcp -j LOG --log-level info
--log-prefix "TCP Drop "
iptables -A LDROP --proto udp -j LOG --log-level info
--log-prefix "UDP Drop "
iptables -A LDROP --proto icmp -j LOG --log-level info
--log-prefix "ICMP Drop "
iptables -A LDROP --proto gre -j LOG --log-level info
--log-prefix "GRE Drop "
iptables -A LDROP -f -j LOG --log-level emerg
--log-prefix "FRAG Drop "
iptables -A LDROP -j DROP
# Create a table for watching some accepting rules
iptables --new WATCH 2>/dev/null
iptables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
iptables -A WATCH -j ACCEPT
echo Special target for local addresses:
iptables --new LOCAL 2>/dev/null
echo $LOCAL_ADDRS
for ip in $LOCAL_ADDRS; do
iptables -A INPUT --dst $ip -j LOCAL
# iptables -A INPUT --src $ip -i ! lo -j LDROP # lame spoof protect
done
echo Authorize mail from mail relay.
iptables -A LOCAL --proto tcp --syn --src $MAIL_RELAY --dst $EXT_IP --dport 25 -j ACCEPT
echo Authorizing samba access to:
echo $SMB_ACCESS
iptables --new SMB 2>/dev/null
for ip in $SMB_ACCESS; do
iptables -A SMB -s $ip -j ACCEPT
done
iptables -A LOCAL --proto udp -i ! $EXT_IF --dport 135:139 -j SMB
iptables -A LOCAL --proto tcp -i ! $EXT_IF --dport 135:139 -j SMB
iptables -A LOCAL --proto tcp -i ! $EXT_IF --dport 445 -j SMB
iptables -A INPUT -i ! $EXT_IF --dst $SMB_BCAST -j ACCEPT #lame samba broadcast
echo Drop and log every other incoming tcp connection attempts.
iptables -A LOCAL -i ! lo --proto tcp --syn --j LDROP
echo Authorize dns access for local nets.
for net in $MASQ_NETS 127.0.0.0/8; do
iptables -A INPUT --proto udp --src $net --dport 53 -j ACCEPT
done
echo Enforcing up ICMP policies, use iptables -L ICMP to check.
# If you deny all ICMP messages you head for trouble since it would
# break lots of tcp/ip algorythm (acz)
iptables --new ICMP 2>/dev/null
iptables -A INPUT --proto icmp -j ICMP
iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ICMP -p icmp --icmp-type destination-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type network-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type host-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type protocol-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type port-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type fragmentation-needed -j LDROP
iptables -A ICMP -p icmp --icmp-type source-route-failed -j WATCH
iptables -A ICMP -p icmp --icmp-type network-unknown -j WATCH
iptables -A ICMP -p icmp --icmp-type host-unknown -j WATCH
iptables -A ICMP -p icmp --icmp-type network-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type host-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type TOS-network-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type TOS-host-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type communication-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type host-precedence-violation -j LDROP
iptables -A ICMP -p icmp --icmp-type precedence-cutoff -j LDROP
iptables -A ICMP -p icmp --icmp-type source-quench -j LDROP
iptables -A ICMP -p icmp --icmp-type redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type network-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type host-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type TOS-network-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type TOS-host-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type echo-request -j WATCH
iptables -A ICMP -p icmp --icmp-type router-advertisement -j LDROP
iptables -A ICMP -p icmp --icmp-type router-solicitation -j LDROP
iptables -A ICMP -p icmp --icmp-type time-exceeded -j WATCH
iptables -A ICMP -p icmp --icmp-type ttl-zero-during-transit -j WATCH
iptables -A ICMP -p icmp --icmp-type ttl-zero-during-reassembly -j WATCH
iptables -A ICMP -p icmp --icmp-type parameter-problem -j WATCH
iptables -A ICMP -p icmp --icmp-type ip-header-bad -j WATCH
iptables -A ICMP -p icmp --icmp-type required-option-missing -j WATCH
iptables -A ICMP -p icmp --icmp-type timestamp-request -j LDROP
iptables -A ICMP -p icmp --icmp-type timestamp-reply -j LDROP
iptables -A ICMP -p icmp --icmp-type address-mask-request -j LDROP
iptables -A ICMP -p icmp --icmp-type address-mask-reply -j LDROP
iptables -A ICMP -p icmp -j LDROP
echo Authorize tcp traffic.
iptables -A INPUT --proto tcp -j ACCEPT
echo Authorize packet output.
iptables --policy OUTPUT ACCEPT
#echo reject ident if you drop em you gotta wait for timeout
#iptables -I LOCAL --proto tcp --syn --dst $EXT_IP --dport 113 -j REJECT
echo Drop and log all udp below 1024.
iptables -A INPUT -i ! lo --proto udp --dport :1023 -j LDROP
echo Drop rpc dynamic udp port:
RPC_UDP=`rpcinfo -p localhost|perl -n -e /.*udps+(d+)s+/ && print $1,"n"|sort -u`
echo $RPC_UDP
for port in $RPC_UDP; do
iptables -A LOCAL -i ! lo --proto udp --dport $port -j LDROP
done
echo Authorize udp above 1024.
iptables -A INPUT --proto udp --dport 1024: -j ACCEPT
<<lessSample:
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Set up variables
EXT_IF="eth0"
INT_IF="eth1"
EXT_IP=24.x.x.x/32
INT_IP=192.168.0.1/32
EXT_NET=24.x.x.0/24
INT_NET=192.168.0.0/24
MASQ_NETS="192.168.0.0/24"
LOCAL_ADDRS="127.0.0.0/8 192.168.0.1/32 24.x.x.x/32"
MAIL_RELAY=24.x.x.x/32
SMB_ACCESS="192.168.0.2/32"
SMB_BCAST="192.168.0.255/32"
# Turn on IP forwarding
echo Turning on IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Load the ip_tables module
echo Loading ip_tables module.
/sbin/modprobe ip_tables || exit 1
# I let the kernel dynamically load the other modules
echo Flush standard tables.
iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD
echo Deny everything until firewall setup is completed.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
CHAINS=`iptables -n -L |perl -n -e /Chains+(S+)/ && !($1 =~ /^(INPUT|FORWARD|OUTPUT)$/) && print "$1 "`
echo Remove remaining chains:
echo $CHAINS
for chain in $CHAINS; do
iptables --flush $chain
done
# 2nd step cause of dependencies
for chain in $CHAINS; do
iptables --delete-chain $chain
done
for net in $MASQ_NETS; do
# I delete all the rules so you can rerun the scripts without bloating
# your nat entries.
iptables -D POSTROUTING -t nat -s $MASQ_NETS -j MASQUERADE 2>/dev/null
iptables -A POSTROUTING -t nat -s $MASQ_NETS -j MASQUERADE || exit 1
done
iptables --policy FORWARD ACCEPT
# Create a target for logging and dropping packets
iptables --new LDROP 2>/dev/null
iptables -A LDROP --proto tcp -j LOG --log-level info
--log-prefix "TCP Drop "
iptables -A LDROP --proto udp -j LOG --log-level info
--log-prefix "UDP Drop "
iptables -A LDROP --proto icmp -j LOG --log-level info
--log-prefix "ICMP Drop "
iptables -A LDROP --proto gre -j LOG --log-level info
--log-prefix "GRE Drop "
iptables -A LDROP -f -j LOG --log-level emerg
--log-prefix "FRAG Drop "
iptables -A LDROP -j DROP
# Create a table for watching some accepting rules
iptables --new WATCH 2>/dev/null
iptables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
iptables -A WATCH -j ACCEPT
echo Special target for local addresses:
iptables --new LOCAL 2>/dev/null
echo $LOCAL_ADDRS
for ip in $LOCAL_ADDRS; do
iptables -A INPUT --dst $ip -j LOCAL
# iptables -A INPUT --src $ip -i ! lo -j LDROP # lame spoof protect
done
echo Authorize mail from mail relay.
iptables -A LOCAL --proto tcp --syn --src $MAIL_RELAY --dst $EXT_IP --dport 25 -j ACCEPT
echo Authorizing samba access to:
echo $SMB_ACCESS
iptables --new SMB 2>/dev/null
for ip in $SMB_ACCESS; do
iptables -A SMB -s $ip -j ACCEPT
done
iptables -A LOCAL --proto udp -i ! $EXT_IF --dport 135:139 -j SMB
iptables -A LOCAL --proto tcp -i ! $EXT_IF --dport 135:139 -j SMB
iptables -A LOCAL --proto tcp -i ! $EXT_IF --dport 445 -j SMB
iptables -A INPUT -i ! $EXT_IF --dst $SMB_BCAST -j ACCEPT #lame samba broadcast
echo Drop and log every other incoming tcp connection attempts.
iptables -A LOCAL -i ! lo --proto tcp --syn --j LDROP
echo Authorize dns access for local nets.
for net in $MASQ_NETS 127.0.0.0/8; do
iptables -A INPUT --proto udp --src $net --dport 53 -j ACCEPT
done
echo Enforcing up ICMP policies, use iptables -L ICMP to check.
# If you deny all ICMP messages you head for trouble since it would
# break lots of tcp/ip algorythm (acz)
iptables --new ICMP 2>/dev/null
iptables -A INPUT --proto icmp -j ICMP
iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ICMP -p icmp --icmp-type destination-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type network-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type host-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type protocol-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type port-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type fragmentation-needed -j LDROP
iptables -A ICMP -p icmp --icmp-type source-route-failed -j WATCH
iptables -A ICMP -p icmp --icmp-type network-unknown -j WATCH
iptables -A ICMP -p icmp --icmp-type host-unknown -j WATCH
iptables -A ICMP -p icmp --icmp-type network-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type host-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type TOS-network-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type TOS-host-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type communication-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type host-precedence-violation -j LDROP
iptables -A ICMP -p icmp --icmp-type precedence-cutoff -j LDROP
iptables -A ICMP -p icmp --icmp-type source-quench -j LDROP
iptables -A ICMP -p icmp --icmp-type redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type network-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type host-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type TOS-network-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type TOS-host-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type echo-request -j WATCH
iptables -A ICMP -p icmp --icmp-type router-advertisement -j LDROP
iptables -A ICMP -p icmp --icmp-type router-solicitation -j LDROP
iptables -A ICMP -p icmp --icmp-type time-exceeded -j WATCH
iptables -A ICMP -p icmp --icmp-type ttl-zero-during-transit -j WATCH
iptables -A ICMP -p icmp --icmp-type ttl-zero-during-reassembly -j WATCH
iptables -A ICMP -p icmp --icmp-type parameter-problem -j WATCH
iptables -A ICMP -p icmp --icmp-type ip-header-bad -j WATCH
iptables -A ICMP -p icmp --icmp-type required-option-missing -j WATCH
iptables -A ICMP -p icmp --icmp-type timestamp-request -j LDROP
iptables -A ICMP -p icmp --icmp-type timestamp-reply -j LDROP
iptables -A ICMP -p icmp --icmp-type address-mask-request -j LDROP
iptables -A ICMP -p icmp --icmp-type address-mask-reply -j LDROP
iptables -A ICMP -p icmp -j LDROP
echo Authorize tcp traffic.
iptables -A INPUT --proto tcp -j ACCEPT
echo Authorize packet output.
iptables --policy OUTPUT ACCEPT
#echo reject ident if you drop em you gotta wait for timeout
#iptables -I LOCAL --proto tcp --syn --dst $EXT_IP --dport 113 -j REJECT
echo Drop and log all udp below 1024.
iptables -A INPUT -i ! lo --proto udp --dport :1023 -j LDROP
echo Drop rpc dynamic udp port:
RPC_UDP=`rpcinfo -p localhost|perl -n -e /.*udps+(d+)s+/ && print $1,"n"|sort -u`
echo $RPC_UDP
for port in $RPC_UDP; do
iptables -A LOCAL -i ! lo --proto udp --dport $port -j LDROP
done
echo Authorize udp above 1024.
iptables -A INPUT --proto udp --dport 1024: -j ACCEPT
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
984 downloads
asciireflector 1.2
asciireflector is a simple, unix based reflector program that allows sharing of data between clients through a TCP stream-socket more>>
asciireflector is a simple, unix based reflector program that allows sharing of data between clients through a TCP stream-socket connection. The reflector reads ASCII lines from each connected client, buffers them in a shared pool (ringbuffer) and sends all lines back to each client.
Usage and protocol:
Client reception is initiated by sending a textline to the reflector. This will usually be the data that is to be shared between clients. This line gets stored in the reflectors buffer unless it is the text "POLL". All lines send to the reflector have to end with a newline character. If the line is preceded by the keyword "PUSH", the line gets distributed by the reflector with the PUSH removed, but no lines get send back to the client. Otherwise immediately after the reception from the client, all textlines that have
been received since the last sending of text will be written back to the client. This sequence is finished when the text "OVER" is send from the reflector. This means no new textlines are in the ringbuffer. To close the socket connection with the reflector, send the word "LOGOUT".
Note that the reflector sends the last textline that was received from the client back to the client during the next iteration. This can be used to test if the speed of the network connection is sufficient to maintain complete reception of the ringbuffer. If the first line
received is not equal to the last line send, the ringbuffer has been overwritten by another client in the mean time, indicating that reception is too slow. Reflector use should be stopped in such a case.
Thus the client should run the following sequence repeatedly:
1. Connect to reflector
2.) Send data
2.1.) Send data as "textline", store as "last_textline"
OR
2.2) Send "POLL"
OR
2.3) Send "PUSH__and__some_text" to send text without having to receive anything (i.e. proceed to 4.)
3.) Read data
3.1.) Read "textline" unless PUSH was send
3.1.2) If first "textline" is not "last_textline" abort with an error
3.2.) Repeat from 3.1 until "textline" is the "OVER"
4.) ... do other stuff ...
5.) Goto 2. or send "LOGOUT"
The use of ASCII and stream-sockets was used for its easy of use and transparency - its not very efficient though for realtime applications that have to transport a lot of data.
Compilation and test:
To compile the source type
make
Then run
asciireflector
To test, connect to the reflector in (a few) different terminal(s) with telnet localhost 1522 and type a few lines.
The program was developed on a RedHat Linux system but should work with any unix system that provides a pthread implementation.
Limits and settings:
The current (compiled-in defaults) are:
Port number 1522
Connections 20
Line Length 128 chars (including newline)
Size of Ringbuffer 1024 lines
Change the defines in the .h files to adjust to your application.
Enhancements:
- Fixed connection count
- Added a few messages
- Fixed PUSH behaviour
<<lessUsage and protocol:
Client reception is initiated by sending a textline to the reflector. This will usually be the data that is to be shared between clients. This line gets stored in the reflectors buffer unless it is the text "POLL". All lines send to the reflector have to end with a newline character. If the line is preceded by the keyword "PUSH", the line gets distributed by the reflector with the PUSH removed, but no lines get send back to the client. Otherwise immediately after the reception from the client, all textlines that have
been received since the last sending of text will be written back to the client. This sequence is finished when the text "OVER" is send from the reflector. This means no new textlines are in the ringbuffer. To close the socket connection with the reflector, send the word "LOGOUT".
Note that the reflector sends the last textline that was received from the client back to the client during the next iteration. This can be used to test if the speed of the network connection is sufficient to maintain complete reception of the ringbuffer. If the first line
received is not equal to the last line send, the ringbuffer has been overwritten by another client in the mean time, indicating that reception is too slow. Reflector use should be stopped in such a case.
Thus the client should run the following sequence repeatedly:
1. Connect to reflector
2.) Send data
2.1.) Send data as "textline", store as "last_textline"
OR
2.2) Send "POLL"
OR
2.3) Send "PUSH__and__some_text" to send text without having to receive anything (i.e. proceed to 4.)
3.) Read data
3.1.) Read "textline" unless PUSH was send
3.1.2) If first "textline" is not "last_textline" abort with an error
3.2.) Repeat from 3.1 until "textline" is the "OVER"
4.) ... do other stuff ...
5.) Goto 2. or send "LOGOUT"
The use of ASCII and stream-sockets was used for its easy of use and transparency - its not very efficient though for realtime applications that have to transport a lot of data.
Compilation and test:
To compile the source type
make
Then run
asciireflector
To test, connect to the reflector in (a few) different terminal(s) with telnet localhost 1522 and type a few lines.
The program was developed on a RedHat Linux system but should work with any unix system that provides a pthread implementation.
Limits and settings:
The current (compiled-in defaults) are:
Port number 1522
Connections 20
Line Length 128 chars (including newline)
Size of Ringbuffer 1024 lines
Change the defines in the .h files to adjust to your application.
Enhancements:
- Fixed connection count
- Added a few messages
- Fixed PUSH behaviour
Download (0.010MB)
Added: 2006-06-05 License: GPL (GNU General Public License) Price:
1236 downloads
TCPCam Beta1
TCPCam is a video and audio point to point conference program for Linux that is very easy to use and modify. more>>
TCPCam is a video and audio point to point conference program for Linux that is very easy to use and modify. The connection uses a single TCP port that needs to be open on only one of the two ends.
TCPCam is possible to change the video compression and resolution at run-time to match the available bandwidth.
It uses the Speex encoder for audio compression (in both narrowband and wideband), JPEG compression for video, and works with most video4linux devices and audio boards supporting the OSS API.
Main features:
- It works using a single TCP port (port 7766). In order for TCPCam to work between two users, one of the users can be completly firewalled, while the other one must have port TCP 7766 open to the outside.
- Audio frames are encoded using the Speex encoder/algorithm.
- Video frames are encoded using JPEG at high compression level.
- The user can switch between ten different video quality levels at runtime using keys from 1 to 0.
- Support for multiple video resolution (up to 640x480), the user can switch at runtime using the right keys (see usage)
- Full screen mode (just press f to toggle).
- Capture screenshots in JPEG format (just press enter).
- Audio works in narrowband (8Khz) and wideband (16Khz).
- The protocol is very simple to implement in most operating systems and programming languages. It is based on frames with a simple header containing audio or video and transimtted over a TCP channel.
<<lessTCPCam is possible to change the video compression and resolution at run-time to match the available bandwidth.
It uses the Speex encoder for audio compression (in both narrowband and wideband), JPEG compression for video, and works with most video4linux devices and audio boards supporting the OSS API.
Main features:
- It works using a single TCP port (port 7766). In order for TCPCam to work between two users, one of the users can be completly firewalled, while the other one must have port TCP 7766 open to the outside.
- Audio frames are encoded using the Speex encoder/algorithm.
- Video frames are encoded using JPEG at high compression level.
- The user can switch between ten different video quality levels at runtime using keys from 1 to 0.
- Support for multiple video resolution (up to 640x480), the user can switch at runtime using the right keys (see usage)
- Full screen mode (just press f to toggle).
- Capture screenshots in JPEG format (just press enter).
- Audio works in narrowband (8Khz) and wideband (16Khz).
- The protocol is very simple to implement in most operating systems and programming languages. It is based on frames with a simple header containing audio or video and transimtted over a TCP channel.
Download (0.90MB)
Added: 2006-06-30 License: GPL (GNU General Public License) Price:
1214 downloads
tcpflow 0.21
tcpflow is a program that captures data transmitted as part of TCP connections. more>>
tcpflow is a program that captures data transmitted as part of TCP connections, and stores the data in a way that is convenient for protocol analysis or debugging.
A program like tcpdump shows a summary of packets seen on the wire, but usually doesnt store the data thats actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. However, it currently does not understand IP fragments; flows containing IP fragments will not be recorded properly.
tcpflow is based on the LBL Packet Capture Library (available from LBL) and therefore supports the same rich filtering expressions that programs like tcpdump support.
tcpflow stores all captured data in files that have names of the form
128.129.130.131.02345-010.011.012.013.45103
where the contents of the above file would be data transmitted from host 128.129.131.131 port 2345, to host 10.11.12.13 port 45103.
I originally wrote this program to capture the data being sent by various programs that use undocumented network protocols in an attempt to reverse engineer them. RealPlayer (and most other streaming media players), ICQ, and AOL IM are good examples of this type of application. It should be compiled under most popular versions of UNIX; see the INSTALL file for details.
In tinkering with it, I later also found tcpflow to be useful for checking to see what cookies my browser was sending to various sites, looking at the MIME headers of HTTP requests people are sending to my web server, and verifying that various connections to my machine that were supposed to be encrypted actually were encrypted.
<<lessA program like tcpdump shows a summary of packets seen on the wire, but usually doesnt store the data thats actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. However, it currently does not understand IP fragments; flows containing IP fragments will not be recorded properly.
tcpflow is based on the LBL Packet Capture Library (available from LBL) and therefore supports the same rich filtering expressions that programs like tcpdump support.
tcpflow stores all captured data in files that have names of the form
128.129.130.131.02345-010.011.012.013.45103
where the contents of the above file would be data transmitted from host 128.129.131.131 port 2345, to host 10.11.12.13 port 45103.
I originally wrote this program to capture the data being sent by various programs that use undocumented network protocols in an attempt to reverse engineer them. RealPlayer (and most other streaming media players), ICQ, and AOL IM are good examples of this type of application. It should be compiled under most popular versions of UNIX; see the INSTALL file for details.
In tinkering with it, I later also found tcpflow to be useful for checking to see what cookies my browser was sending to various sites, looking at the MIME headers of HTTP requests people are sending to my web server, and verifying that various connections to my machine that were supposed to be encrypted actually were encrypted.
Download (0.029MB)
Added: 2006-06-30 License: GPL (GNU General Public License) Price:
1211 downloads
tcptrack 1.2.0
tcptrack provides a packet sniffer that displays TCP connections similarly to top. more>>
tcptrack provides a packet sniffer that displays TCP connections similarly to top.
tcptrack is a packet sniffer, which passively watches for connections on a specified network interface, tracks their states, and lists them in a manner similar to the Unix top command.
It displays source and destination addresses and ports, connection state, idle time, and bandwidth usage.
<<lesstcptrack is a packet sniffer, which passively watches for connections on a specified network interface, tracks their states, and lists them in a manner similar to the Unix top command.
It displays source and destination addresses and ports, connection state, idle time, and bandwidth usage.
Download (0.11MB)
Added: 2007-02-21 License: GPL (GNU General Public License) Price:
584 downloads
UTIN Firewall script
UTIN Firewall script project is a script for Linux 2.4.x and iptables. more>>
UTIN Firewall script project is a script for Linux 2.4.x and iptables.
###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# your LANs IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# INET_IP is used by me to allow myself to do anything to myself, might
# be a security risc but sometimes I want this. If you dont have a static
# IP, I suggest not using this option at all for now but its still
# enabled per default and will add some really nifty security bugs for all
# those who skips reading the documentation=)
LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IP="194.236.50.155"
INET_IFACE="eth0"
IPTABLES="/usr/local/sbin/iptables"
#########
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
# Enable ip_forward, this is critical since it is turned off as defaul in
# Linux.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we dont want.
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# Do some checks for obviously spoofed IPs
#
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -A bad_tcp_packets -i $LAN_IFACE ! -s 192.168.0.0/16 -j DROP
#
# Bad TCP packets we dont want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward between interfaces.
#
$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
#
# INPUT chain
#
# Bad TCP packets we dont want
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for incoming packets from anywhere
#
$IPTABLES -A INPUT -p ICMP -j icmp_packets
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
#
# Bad TCP packets we dont want
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
<<less###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# your LANs IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# INET_IP is used by me to allow myself to do anything to myself, might
# be a security risc but sometimes I want this. If you dont have a static
# IP, I suggest not using this option at all for now but its still
# enabled per default and will add some really nifty security bugs for all
# those who skips reading the documentation=)
LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IP="194.236.50.155"
INET_IFACE="eth0"
IPTABLES="/usr/local/sbin/iptables"
#########
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
# Enable ip_forward, this is critical since it is turned off as defaul in
# Linux.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we dont want.
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# Do some checks for obviously spoofed IPs
#
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -A bad_tcp_packets -i $LAN_IFACE ! -s 192.168.0.0/16 -j DROP
#
# Bad TCP packets we dont want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward between interfaces.
#
$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
#
# INPUT chain
#
# Bad TCP packets we dont want
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for incoming packets from anywhere
#
$IPTABLES -A INPUT -p ICMP -j icmp_packets
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
#
# Bad TCP packets we dont want
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
Download (MB)
Added: 2007-02-13 License: GPL (GNU General Public License) Price:
985 downloads
Nanoserv 1.0.2
Nanoserv is a sockets daemon toolkit for PHP 5.1+. more>>
Nanoserv is a sockets daemon toolkit for PHP 5.1+. Nanoserv is object oriented and features native support for TCP with SSL/TLS and UDP connections, multiplexing and forking listeners, handlers for raw connections, line input, HTTP, SMTP, XML-RPC, Syslog, transparent inter-process communications with forked handlers, and more.
Main features:
- 100% object oriented
- native support for TCP with SSL/TLS and UDP connections
- multiplexing and forking listeners
- handlers for raw connections, line input, HTTP, SMTP, XML-RPC, Syslog, ...
- transparent inter process communications with forked handlers
- and probably more ...
<<lessMain features:
- 100% object oriented
- native support for TCP with SSL/TLS and UDP connections
- multiplexing and forking listeners
- handlers for raw connections, line input, HTTP, SMTP, XML-RPC, Syslog, ...
- transparent inter process communications with forked handlers
- and probably more ...
Download (0.020MB)
Added: 2006-08-23 License: LGPL (GNU Lesser General Public License) Price:
1161 downloads
TinyMUSH 3.1p4
TinyMUSH 3 is a descendant of the TinyMUD server, and thus supports multi-user communication. more>>
TinyMUSH 3 project is a descendant of the TinyMUD server, and thus supports multi-user communication in a text-based "virtual world" format, via TCP/IP connections (presumably, but not necessarily, Internet connections).
The end result looks much like text adventures games of the mid-1980s. Though its simplest application is as a chat server, TinyMUSH 3 is intended to have the flexibility and power to support highly complex roleplaying environments.
TinyMUSH 3 is a derivative of TinyMUSH 2.0, originally created through the fusion of the TinyMUSH 2.2 and TinyMUX 1.6 code branches. The server is under active development and support.
Enhancements:
- Fixed Always clear @prog data on logout
- Fixed tools (src/tools). Add an install tag to the tools makefile.
- Update LibTools to version 1.5.22.
- Update AutoConf to version 2.59.
- Fixed function logf() in udb_* conflict with build-in function logf(), rename the function to warning().
- Remove unused port-concentrator code.
- Automated build of TinyGDBM within ./configure.
- Updated the build process a bit to keep in line with autoconf standards.
<<lessThe end result looks much like text adventures games of the mid-1980s. Though its simplest application is as a chat server, TinyMUSH 3 is intended to have the flexibility and power to support highly complex roleplaying environments.
TinyMUSH 3 is a derivative of TinyMUSH 2.0, originally created through the fusion of the TinyMUSH 2.2 and TinyMUX 1.6 code branches. The server is under active development and support.
Enhancements:
- Fixed Always clear @prog data on logout
- Fixed tools (src/tools). Add an install tag to the tools makefile.
- Update LibTools to version 1.5.22.
- Update AutoConf to version 2.59.
- Fixed function logf() in udb_* conflict with build-in function logf(), rename the function to warning().
- Remove unused port-concentrator code.
- Automated build of TinyGDBM within ./configure.
- Updated the build process a bit to keep in line with autoconf standards.
Download (1.2MB)
Added: 2006-12-20 License: Artistic License Price:
1039 downloads
StdioTunnel 0.2
StdioTunnel project allows you to tunnel arbitrary TCP connections through any shell access connection. more>>
StdioTunnel project allows you to tunnel arbitrary TCP connections through any shell access connection.
If the connection provides a clear 8-bit data path and allows you to start programs, you can use it with StdioTunnel.
It tunnels TCP connections in much the same way SSH does, but is useful in particular cases where SSH port forwarding is disabled, and it does not require running or changing the configuration of any server processes on either side of the connection.
Once StdioTunnel handshakes, the connection you used to initiate it is no longer available. The local StdioTunnel process will ignore further input. The connection is shut down when you kill the StdioTunnel process at either end.
All that is required for StdioTunnel to make a connection is that the standard input and output of the remote side appear to be connected through an 8-bit clear channel to the standard input and output of the process started by the local side. ssh with the -e none option to turn off the escape character works quite nicely as the connecting process.
Please note that using ANY software, StdioTunnel included, to work-around firewall restrictions may make systems on either side of the firewall more vulnerable to any number of attacks. StdioTunnel may have bugs that make such vulnerabilities even worse. The user takes sole responsibility for any adverse consequences of using this software.
<<lessIf the connection provides a clear 8-bit data path and allows you to start programs, you can use it with StdioTunnel.
It tunnels TCP connections in much the same way SSH does, but is useful in particular cases where SSH port forwarding is disabled, and it does not require running or changing the configuration of any server processes on either side of the connection.
Once StdioTunnel handshakes, the connection you used to initiate it is no longer available. The local StdioTunnel process will ignore further input. The connection is shut down when you kill the StdioTunnel process at either end.
All that is required for StdioTunnel to make a connection is that the standard input and output of the remote side appear to be connected through an 8-bit clear channel to the standard input and output of the process started by the local side. ssh with the -e none option to turn off the escape character works quite nicely as the connecting process.
Please note that using ANY software, StdioTunnel included, to work-around firewall restrictions may make systems on either side of the firewall more vulnerable to any number of attacks. StdioTunnel may have bugs that make such vulnerabilities even worse. The user takes sole responsibility for any adverse consequences of using this software.
Download (0.085MB)
Added: 2006-09-11 License: GPL (GNU General Public License) Price:
1138 downloads
Secleted [ 0 ] software to compare
Copyright Notice:
Software piracy is theft, Using crack, password, serial numbers, registration codes, key generators is illegal and prevent future software development. The above tcp connections for ibgp search only lists software in full, demo and trial versions for free download. Download links are directly from our mirror sites or publisher sites, torrent files or links from rapidshare.com, yousendit.com or megaupload.com are not allowed
