# saving iptable config
1
iptables-save > /etc/iptables.conf
echo 'iptables-restore < /etc/iptables.conf' >> /etc/rc.local
2
yum install iptables-services
#
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Misconfiguring reth on the firewall and ae on the switch results in an unstable connection (it flaps on and off often).
package before Mark era
root@raspberrypi:~# iptables-apply
Applying new iptables rules from '/etc/network/iptables.up.rules'... done.
root@raspberrypi:~# iptables-save > /etc/network/iptables.up.rules
-A adds the rule at the end.
Typically the last rule will be to drop all packets.
-p is for protocol
Possible values are tcp, udp, icmp
Use “all” to allow all protocols. When you don’t specify -p, by default “all” protocols will be used.
Use either the name (for example: tcp), or the number (for example: 6 for tcp) for protocol.
The /etc/protocols file contains all allowed protocol names and numbers.
-s is for source
This can be an IP address, a network address, or a hostname.
-s 192.168.1.101
“-s 192.168.1.0/24” represents a network mask of 255.255.255.0 for that network. This matches 192.168.1.x network.
-d is for destination
"-j" specifies what needs to happen. Possible values are ACCEPT, DROP, QUEUE, RETURN
-i for input interface and -o for output interface.
If you don’t specify -o option, all available interfaces on the system will be considered for output packets.
To use the “--sport” option, you must have specified the “-p tcp” (or “-p udp”) parameter in your firewall rule.
--sport is for source port (for -p tcp, or -p udp)
To match a range of ports, use a colon. For example, 22:100 matches port numbers from 22 through 100.
You can also use --source-port. --dport is for destination port (for -p tcp, or -p udp)
--tcp-flags is for TCP flags (for -p tcp). This can contain multiple values separated by commas.
Possible values are: SYN, ACK, FIN, RST, URG, PSH. You can also use ALL or NONE
--icmp-type is for ICMP Type (for -p icmp)
When you use the icmp protocol “-p icmp”, you can also specify the ICMP type using the “--icmp-type” parameter.
For example: use “--icmp-type 0” for “Echo Reply”, and “--icmp-type 8” for “Echo”.
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
The above iptables command has the following 4 components.
“-A INPUT” – This indicates that we are appending a new rule (or adding) to the INPUT chain. So, this rule is for incoming traffic.
“-i eth0” – Incoming packets through the interface eth0 will be checked against this rule.
“-p tcp --dport 22” – This rule is for TCP packets. It has one tcp option, “--dport 22”, which indicates that the destination port for this rule on the server is 22 (which is ssh).
“-j ACCEPT” – Jump to accept, which just ACCEPTS the packet.
iptables -A INPUT -j DROP
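The two notes above (the catch-all DROP should be the last rule, and port options only work with -p tcp/udp) are easy to get wrong when hand-editing the file that `iptables-save` writes and `iptables-restore` loads from rc.local. This added example (not from the original post) parses a dump in iptables-save format and reports both mistakes; the sample dump is constructed to match the rules on this page.

```python
import shlex

# Constructed sample in the format `iptables-save > /etc/iptables.conf` writes (not a real dump).
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""
PORT_OPTS = {"--dport", "--sport", "--source-port", "--destination-port"}
CATCH_ALL_TARGETS = {"DROP", "REJECT"}

def parse_dump(text):
    """Parse iptables-save text into {table: {"policy": {chain: policy}, "rules": [(chain, argv)]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # *filter / *nat / *mangle starts a table
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):          # :INPUT ACCEPT [pkts:bytes] sets a chain policy
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):        # -A CHAIN <matches> -j TARGET appends a rule
            argv = shlex.split(line)
            table["rules"].append((argv[1], argv[2:]))
    return tables

def audit(text):
    """Return a list of findings; an empty list means the filter table passes both checks."""
    findings = []
    filt = parse_dump(text).get("filter", {"policy": {}, "rules": []})
    for chain, argv in filt["rules"]:
        # --dport/--sport are only valid together with -p tcp or -p udp
        if PORT_OPTS & set(argv) and "-p" not in argv and "--protocol" not in argv:
            findings.append(f"{chain}: port match without -p tcp/udp: {' '.join(argv)}")
    inbound = [argv for chain, argv in filt["rules"] if chain == "INPUT"]
    # the catch-all "-A INPUT -j DROP" must be the last INPUT rule; anything after it never matches
    catch_all = [i for i, a in enumerate(inbound) if len(a) == 2 and a[0] == "-j" and a[1] in CATCH_ALL_TARGETS]
    if catch_all and catch_all[0] != len(inbound) - 1:
        findings.append(f"INPUT: {len(inbound) - 1 - catch_all[0]} rule(s) after the catch-all drop are unreachable")
    if not catch_all and filt["policy"].get("INPUT") != "DROP":
        findings.append("INPUT: policy ACCEPT and no final catch-all DROP, so unmatched traffic is allowed")
    return findings
```

Run `audit(open("/etc/iptables.conf").read())` before restoring a saved file; an empty list means both checks passed.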
SRX VPN setup:
main mode: public IP needed
aggressive mode: for dynamic IP; a single public IP is needed. Authentication: 1st by hostname, 2nd by key.
Two main elements:
key
interface (both sides) st: secure tunnel
st: connects the private IPs
? How do I decide what salt-like I'll use?