69 lines
2.3 KiB
Markdown
69 lines
2.3 KiB
Markdown
|
# Suricata & Iptables cheatsheet
|
|||
|
|
|
|||
|
|
## Iptables
|
|||
|
|
|
|||
|
|
### Chains
|
|||
|
|
|
|||
|
|
Iptables chains are just lists of rules, processed in order. You will always find the following 3, but others such as NAT might also be supported.
|
|||
|
|
|
|||
|
|
* **Input** – This chain is used to control the behavior for incoming connections.
|
|||
|
|
* **Forward** – This chain is used for incoming connections that aren’t actually being delivered locally. Think of a router – data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you’re doing some kind of routing, NATing, or something else on your system that requires forwarding, you won’t even use this chain.
|
|||
|
|
* **Output** – This chain is used for outgoing connections.
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
# Delete all rules
|
|||
|
|
iptables -F
|
|||
|
|
|
|||
|
|
# List all rules
|
|||
|
|
iptables -L
|
|||
|
|
iptables -S
|
|||
|
|
|
|||
|
|
# Block IP addresses & ports
|
|||
|
|
iptables -A INPUT -s ip1,ip2,ip3 -j DROP
|
|||
|
|
iptables -A INPUT -p tcp --dport 443 -j DROP
|
|||
|
|
iptables -A INPUT -s ip1,ip2 -p tcp --dport 443 -j DROP
|
|||
|
|
|
|||
|
|
# String based drop
|
|||
|
|
## Strings are case sansitive (pretty easy to bypass if you want to check a SQLi for example)
|
|||
|
|
iptables -I INPUT -p tcp --dport <port_listening> -m string --algo bm --string '<payload>' -j DROP
|
|||
|
|
iptables -I OUTPUT -p tcp --sport <port_listening> -m string --algo bm --string 'CTF{' -j DROP
|
|||
|
|
## You can also check for the hex, base64 and double base64 of the expected CTF flag chars
|
|||
|
|
|
|||
|
|
# Drop every input port except some
|
|||
|
|
iptables -P INPUT DROP # Default to drop
|
|||
|
|
iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
|
|||
|
|
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
|
|||
|
|
|
|||
|
|
|
|||
|
|
# Persist Iptables
|
|||
|
|
## Debian/Ubuntu:
|
|||
|
|
apt-get install iptables-persistent
|
|||
|
|
iptables-save > /etc/iptables/rules.v4
|
|||
|
|
ip6tables-save > /etc/iptables/rules.v6
|
|||
|
|
iptables-restore < /etc/iptables/rules.v4
|
|||
|
|
##RHEL/CentOS:
|
|||
|
|
iptables-save > /etc/sysconfig/iptables
|
|||
|
|
ip6tables-save > /etc/sysconfig/ip6tables
|
|||
|
|
iptables-restore < /etc/sysconfig/iptables
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## Suricata
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
# Install details from: https://suricata.readthedocs.io/en/suricata-6.0.0/install.html#install-binary-packages
|
|||
|
|
# Ubuntu
|
|||
|
|
sudo add-apt-repository ppa:oisf/suricata-stable
|
|||
|
|
sudo apt-get update
|
|||
|
|
sudo apt-get install suricata
|
|||
|
|
|
|||
|
|
# Debian
|
|||
|
|
echo "deb http://http.debian.net/debian buster-backports main" > \
|
|||
|
|
/etc/apt/sources.list.d/backports.list
|
|||
|
|
apt-get update
|
|||
|
|
apt-get install suricata -t buster-backports
|
|||
|
|
|
|||
|
|
# CentOS
|
|||
|
|
yum install epel-release
|
|||
|
|
yum install suricata
|
|||
|
|
```
|