How to RESET, FLUSH, DELETE all iptables in Linux

Take a backup first

iptables-save > ~/iptables-`date +%Y%m%d_%H%M%S`.bak

Flush now

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

To restore from the backup later (replace bak.file with the file written above):

iptables-restore < bak.file
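The same procedure as one script, added here as an example rather than taken from the original post. It differs from the command list above in two respects a practitioner cares about: it sets the default policies to ACCEPT before flushing (if the INPUT policy is DROP, flushing first removes the rule that admits your SSH session and every packet is dropped until the -P lines run) and it also clears the raw table. Function names (backup_rules, flush_all_tables, restore_rules, dry_run) are this example's own; set IPT=dry_run to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not part of the original post: back up, flush and restore
# iptables in one script. IPT=dry_run prints the commands it would issue
# without touching the kernel, so the sequence can be reviewed before running
# it as root.
set -eu

IPT="${IPT:-iptables}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"

# Prints its arguments instead of executing them; selected with IPT=dry_run.
dry_run() { printf '%s\n' "$*"; }

# Write the complete current ruleset (all tables) to the file named in $1.
backup_rules() {
  "$IPT_SAVE" > "$1"
  echo "saved ruleset to $1"
}

flush_all_tables() {
  # Open the default policies BEFORE flushing. With a DROP policy, flushing
  # first would leave nothing but the policy, which drops the SSH session
  # until the policy is changed.
  for chain in INPUT FORWARD OUTPUT; do
    "$IPT" -P "$chain" ACCEPT
  done
  # Flush rules (-F), delete user-defined chains (-X) and zero counters (-Z)
  # in each table, the raw table included.
  for table in filter nat mangle raw; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
    "$IPT" -t "$table" -Z
  done
}

# Reload a file written by iptables-save; the live ruleset is replaced atomically.
restore_rules() {
  "$IPT_RESTORE" < "$1"
  echo "restored ruleset from $1"
}

case "${1:-}" in
  flush)   backup_rules "${HOME:-/root}/iptables-$(date +%Y%m%d_%H%M%S).bak"; flush_all_tables ;;
  restore) restore_rules "${2:?usage: $0 restore <backup-file>}" ;;
esac
```

Run as `sh flush.sh flush` to back up and flush, `sh flush.sh restore <file>` to reload, or `IPT=dry_run sh -c '. ./flush.sh; flush_all_tables'` to see the exact order of commands first.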

Setting up Reverse Proxy in Apache/httpd

Enable the Apache proxy modules and restart the server

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_balancer
sudo a2enmod lbmethod_byrequests
sudo systemctl restart apache2

The simplest configuration proxies all requests ("/") to a single backend:

ProxyPass "/"  "http://www.example.com/"

To ensure that Location headers generated by the backend are rewritten to point at the reverse proxy instead of back at the backend itself, the ProxyPassReverse directive is usually required as well:

ProxyPass "/"  "http://www.example.com/"
ProxyPassReverse "/"  "http://www.example.com/"

Only a specific URI prefix can be proxied, leaving the rest of the site served locally:

ProxyPass "/images"  "http://www.example.com/"
ProxyPassReverse "/images"  "http://www.example.com/"

Example

<VirtualHost *:80>

ServerName example.net
DocumentRoot /var/www/html/

ProxyPass "/"  "http://www.example.com/"
ProxyPassReverse "/"  "http://www.example.com/"

</VirtualHost>
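A fuller virtual host, added here as an example and not taken from the original post, showing the settings a practitioner adds around ProxyPass: ProxyRequests Off so the host cannot be used as an open forward proxy (ProxyPass does not need it On), ProxyPreserveHost so the backend sees the client's Host header, an explicit path exclusion, and a <Proxy> block that controls who may reach the proxied URL. The backend name backend.internal:8080 and the /app prefix are assumptions.

```apache
<VirtualHost *:80>
    ServerName example.net
    DocumentRoot /var/www/html/

    # Never act as a forward proxy. With ProxyRequests On, any client could
    # relay arbitrary requests through this server; ProxyPass works with it Off.
    ProxyRequests Off

    # Pass the client's Host header through instead of rewriting it to the
    # backend name, so the backend can build correct absolute URLs.
    ProxyPreserveHost On

    # Who may reach the proxied backend; "Require ip" would restrict it further.
    <Proxy "http://backend.internal:8080/*">
        Require all granted
    </Proxy>

    # Exclusions must precede the broader ProxyPass they carve out of.
    ProxyPass        "/app/static" "!"
    ProxyPass        "/app" "http://backend.internal:8080/app"
    ProxyPassReverse "/app" "http://backend.internal:8080/app"

    # Everything outside /app is served from DocumentRoot as usual.
</VirtualHost>
```

After editing, `apachectl configtest` reports syntax errors before a restart takes the site down.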

How To Redirect www to non-www OR non-www to www with Apache

1. Configure DNS Records

In order to set up the desired redirect, www.example.com to example.com or vice versa, you must have an A record for each name.

2. Enable the mod_rewrite module

a2enmod rewrite

3.1 Update site.conf or .htaccess file (www to non-www)

RewriteEngine on
# Dots are escaped so they match literally; [NC] ignores case in the Host header.
# %{REQUEST_URI} carries the original path (with its leading slash) in both
# vhost and .htaccess context, avoiding a doubled slash in the redirect target.
RewriteCond %{HTTP_HOST} ^www\.yoursite\.com [NC]
RewriteRule ^ http://yoursite.com%{REQUEST_URI} [R=301,L]

3.2 Update site.conf or .htaccess file (non-www to www)

RewriteEngine on
# Same pattern in the other direction: escaped dots, case-insensitive match,
# and %{REQUEST_URI} so the path is carried over intact.
RewriteCond %{HTTP_HOST} ^yoursite\.com [NC]
RewriteRule ^ http://www.yoursite.com%{REQUEST_URI} [R=301,L]

Example

<VirtualHost *:80>

ServerName example.net
DocumentRoot /var/www/html/

RewriteEngine on
# Escaped dots, case-insensitive Host match, and %{REQUEST_URI} so the
# original path is preserved without a doubled slash in vhost context.
RewriteCond %{HTTP_HOST} ^www\.yoursite\.com [NC]
RewriteRule ^ http://yoursite.com%{REQUEST_URI} [R=301,L]

</VirtualHost>

How to set up an SPF record for your domain?

What are the SPF records?

A Sender Policy Framework (SPF) record is a type of Domain Name System (DNS) TXT record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to detect and prevent spammers from sending messages with forged From addresses on your domain.

Overview

Sender Policy Framework (SPF) is a method of fighting spam. As more time passes, this protocol will be used as one of the standard methods of fighting spam on the Internet. An SPF record is a TXT record that is part of a domain’s DNS zone file. The TXT record specifies a list of authorized hostnames/IP addresses that mail can originate from for a given domain name. Once this entry is placed within the DNS zone, no further configuration is necessary to take advantage of servers that incorporate SPF checking into their anti-spam systems. This SPF record is added the same way as a regular A, MX, or CNAME record.

Collect all IP addresses that are used to send email

The Sender Policy Framework (SPF) gives you the ability to authenticate your email and to specify which IP addresses are allowed to send email on behalf of a specific domain.

In order to implement SPF successfully, you first need to identify every mail server that sends email for your domain. These can belong to any sending organization: think of your email service provider, your office mail server and any other third-party mail servers that may send email on your behalf.

Create your SPF record

v=spf1 ip4:34.243.61.237 ~all

Example

named (BIND DNS server) zone-file entry

@                       IN       TXT   "v=spf1 a mx ~all"

Testing

Test online

https://www.kitterman.com/spf/validate.html
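Alongside the online validator, a record can be linted locally before it is published. The script below is an added example, not part of the original post; it checks the points receivers actually enforce: the v=spf1 prefix, a terminating all mechanism, the dangerous +all, and the RFC 7208 limit of ten DNS-querying terms (include, a, mx, ptr, exists, redirect), beyond which receivers return permerror and the record protects nothing. Function names (spf_lookup_count, spf_check, spf_fetch) are this example's own and the records it is tested with are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: lint an SPF record before
# publishing it, and optionally fetch the live record with dig.
set -eu

# Count the terms that cost a DNS query when a receiver evaluates the record:
# include, a, mx, ptr, exists and the redirect modifier (ip4/ip6/all do not).
# RFC 7208 caps these at 10 per evaluation.
spf_lookup_count() {
  n=0
  for term in $1; do
    t="${term#[-+~?]}"   # drop the +, -, ~ or ? qualifier, if present
    case "$t" in
      include:*|a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*|exists:*|redirect=*) n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# Returns 0 when the record passes, 1 after printing a FAIL line otherwise.
spf_check() {
  record="$1"
  case "$record" in
    "v=spf1"|"v=spf1 "*) ;;
    *) echo "FAIL: record must begin with 'v=spf1'"; return 1 ;;
  esac
  last="${record##* }"
  case "$last" in
    *all|redirect=*) ;;
    *) echo "FAIL: last term should be an 'all' mechanism (~all or -all), got '$last'"; return 1 ;;
  esac
  case " $record " in
    *" +all "*|*" all "*) echo "FAIL: '+all' lets every host on the Internet send as this domain"; return 1 ;;
  esac
  lookups=$(spf_lookup_count "$record")
  if [ "$lookups" -gt 10 ]; then
    echo "FAIL: $lookups DNS-lookup terms exceed the RFC 7208 limit of 10 (receivers return permerror)"
    return 1
  fi
  echo "OK: $lookups lookup term(s), final term '$last'"
}

# Fetch the published record for a domain (needs dig); prints nothing if absent.
spf_fetch() {
  dig +short TXT "$1" | tr -d '"' | grep '^v=spf1' || true
}

# Usage: sh spf-lint.sh fetch example.com
if [ "${1:-}" = "fetch" ] && [ -n "${2:-}" ]; then
  rec=$(spf_fetch "$2")
  [ -n "$rec" ] || { echo "no SPF record published for $2"; exit 1; }
  spf_check "$rec"
fi
```

The lookup counter only sees the top-level record; every include: pulls in another record whose own lookups also count against the same budget of ten, so a record that passes here can still fail once its includes are expanded.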

Shell context menus for Windows 10


Open Command Prompt here, Open PowerShell here and Open Bash Shell here, each with an elevated-privileges variant.

Save each block below as a .reg file and open it to merge it into the registry.

1. Open Command Prompt and PowerShell here – registry file

Windows Registry Editor Version 5.00

; Command Prompt

[HKEY_CLASSES_ROOT\Directory\shell\01MenuCmd]
"MUIVerb"="Command Prompts"
"Icon"="cmd.exe"
"ExtendedSubCommandsKey"="Directory\\ContextMenus\\MenuCmd"

[HKEY_CLASSES_ROOT\Directory\background\shell\01MenuCmd]
"MUIVerb"="Command Prompts"
"Icon"="cmd.exe"
"ExtendedSubCommandsKey"="Directory\\ContextMenus\\MenuCmd"

[HKEY_CLASSES_ROOT\Directory\ContextMenus\MenuCmd\shell\open]
"MUIVerb"="Command Prompt"
"Icon"="cmd.exe"

[HKEY_CLASSES_ROOT\Directory\ContextMenus\MenuCmd\shell\open\command]
@="cmd.exe /s /k pushd \"%V\""

[HKEY_CLASSES_ROOT\Directory\ContextMenus\MenuCmd\shell\runas]
"MUIVerb"="Command Prompt Elevated"
"Icon"="cmd.exe"
"HasLUAShield"=""

[HKEY_CLASSES_ROOT\Directory\ContextMenus\MenuCmd\shell\runas\command]
@="cmd.exe /s /k pushd \"%V\""


; PowerShell

[HKEY_CLASSES_ROOT\Directory\shell\02MenuPowerShell]
"MUIVerb"="PowerShell Prompts"
"Icon"="powershell.exe"
"ExtendedSubCommandsKey"="Directory\\ContextMenus\\MenuPowerShell"

[HKEY_CLASSES_ROOT\Directory\background\shell\02MenuPowerShell]
"MUIVerb"="PowerShell Prompts"
"Icon"="powershell.exe"
"ExtendedSubCommandsKey"="Directory\\ContextMenus\\MenuPowerShell"

[HKEY_CLASSES_ROOT\Directory\ContextMenus\MenuPowerShell\shell\open]
"MUIVerb"="PowerShell"
"Icon"="powershell.exe"

[HKEY_CLASSES_ROOT\Directory\ContextMenus\MenuPowerShell\shell\open\command]
@="powershell.exe -noexit -command Set-Location '%V'"

[HKEY_CLASSES_ROOT\Directory\ContextMenus\MenuPowerShell\shell\runas]
"MUIVerb"="PowerShell Elevated"
"Icon"="powershell.exe"
"HasLUAShield"=""

[HKEY_CLASSES_ROOT\Directory\ContextMenus\MenuPowerShell\shell\runas\command]
@="powershell.exe -noexit -command Set-Location '%V'"


; Ensure OS Entries are on the Extended Menu (Shift-Right Click)

[HKEY_CLASSES_ROOT\Directory\shell\cmd]
"Extended"=""

[HKEY_CLASSES_ROOT\Directory\background\shell\cmd]
"Extended"=""

[HKEY_CLASSES_ROOT\Directory\shell\Powershell]
"Extended"=""

[HKEY_CLASSES_ROOT\Directory\background\shell\Powershell]
"Extended"=""

2. Open bash here – registry file

Windows Registry Editor Version 5.00

; Bash Prompt

[HKEY_CLASSES_ROOT\Directory\shell\MenuBash]
"MUIVerb"="Bash Prompts"
"ExtendedSubCommandsKey"="Directory\\ContextMenus\\MenuBash"

[HKEY_CLASSES_ROOT\Directory\background\shell\MenuBash]
"MUIVerb"="Bash Prompts"
"ExtendedSubCommandsKey"="Directory\\ContextMenus\\MenuBash"

[HKEY_CLASSES_ROOT\Directory\ContextMenus\MenuBash\shell\open]
"MUIVerb"="Bash Prompt"

[HKEY_CLASSES_ROOT\Directory\ContextMenus\MenuBash\shell\open\command]
@="cmd.exe /c pushd \"%V\" && bash.exe"

[HKEY_CLASSES_ROOT\Directory\ContextMenus\MenuBash\shell\runas]
"MUIVerb"="Bash Prompt Elevated"
"HasLUAShield"=""

[HKEY_CLASSES_ROOT\Directory\ContextMenus\MenuBash\shell\runas\command]
@="cmd.exe /c pushd \"%V\" && bash.exe"

Testing IPSEC VPN Systems with ike-scan

ike-scan is a command-line tool for discovering, fingerprinting and testing IPsec VPN systems. It constructs and sends IKE Phase-1 packets to the specified hosts, and displays any responses that are received.

ike-scan does two things:

  1. Discovery: Determine which hosts are running IKE. This is done by displaying those hosts which respond to the IKE requests sent by ike-scan.
  2. Fingerprinting: Determine which IKE implementation the hosts are using. There are several ways to do this: (a) Backoff fingerprinting – recording the times of the IKE response packets from the target hosts and comparing the observed retransmission backoff pattern against known patterns; (b) vendor id fingerprinting – matching the vendor-specific vendor IDs against known vendor ID patterns; and (c) proprietary notify message codes.

Basic scan

# ike-scan x.x.x.x
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
65.111.172.164 Main Mode Handshake returned HDR=(CKY-R=e6e1202cb8c44f2d) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800) VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03) VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n) VID=cd60464335df21f87cfdb2fc68b6a448 (draft-ietf-ipsec-nat-t-ike-02) VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 0.512 seconds (1.95 hosts/sec).  1 returned handshake; 0 returned notify

Aggressive mode with user-id

# ike-scan --aggressive --multiline --id akhil x.x.x.x
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
65.111.172.164 Aggressive Mode Handshake returned
 HDR=(CKY-R=4fb76b5165da9e05)
 SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
 KeyExchange(128 bytes)
 Nonce(16 bytes)
 ID(Type=ID_IPV4_ADDR, Value=65.111.172.164)
 Hash(20 bytes)
 VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
 VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
 VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
 VID=cd60464335df21f87cfdb2fc68b6a448 (draft-ietf-ipsec-nat-t-ike-02)
 VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
 VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 0.512 seconds (1.95 hosts/sec).  1 returned handshake; 0 returned notify
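When ike-scan output like the above is saved from an authorised assessment, the interesting part for the VPN owner is the transform the responder accepted. The script below is an added example, not part of the original post or of ike-scan: it extracts the SA=(...) block from a saved output file (single-line or --multiline form) and flags parameters that should be retired: DES/3DES, MD5/SHA1, Diffie-Hellman groups 1, 2 and 5 (768 to 1536-bit MODP), and a responder that completes Aggressive Mode with PSK authentication, which transmits the PSK-derived hash in the clear. The function name ike_triage is this example's own; the clean sample in the test is constructed and does not reproduce ike-scan's exact field names for those algorithms.

```shell
#!/bin/sh
# Added example, not part of the original post: triage a saved ike-scan
# output file (one responding host per file) and count legacy IKE settings.
# Exit status is the number of findings, so it can gate a CI or audit job.
set -eu

ike_triage() {
  file="$1"
  findings=0
  # Both the one-line and the --multiline layouts contain SA=( ... ) once;
  # join the lines and pull out the transform.
  sa=$(tr '\n' ' ' < "$file" | sed -n 's/.*SA=(\([^)]*\)).*/\1/p')
  if [ -z "$sa" ]; then
    echo "no SA transform in $file (host did not answer, or output format differs)"
    return 0
  fi
  echo "Transform accepted by responder: $sa"
  case "$sa" in
    *Enc=DES*|*Enc=3DES*)
      echo "FINDING: 64-bit block cipher (DES/3DES); move to AES"
      findings=$((findings + 1)) ;;
  esac
  case "$sa" in
    *Hash=MD5*|*Hash=SHA1*)
      echo "FINDING: legacy hash (MD5/SHA1); prefer SHA-256 or stronger"
      findings=$((findings + 1)) ;;
  esac
  case "$sa" in
    *Group=1:*|*Group=2:*|*Group=5:*)
      echo "FINDING: Diffie-Hellman group below 2048 bits; use group 14 or higher, or an ECP group"
      findings=$((findings + 1)) ;;
  esac
  if grep -q 'Aggressive Mode Handshake returned' "$file"; then
    case "$sa" in
      *Auth=PSK*)
        echo "FINDING: Aggressive Mode completes with PSK; the PSK-derived hash travels unencrypted, so disable Aggressive Mode (use Main Mode or IKEv2)"
        findings=$((findings + 1)) ;;
    esac
  fi
  echo "$findings finding(s)"
  return "$findings"
}

# Usage: sh ike-triage.sh saved-output.txt
if [ -n "${1:-}" ]; then
  ike_triage "$1"
fi
```

The page's own Main Mode output yields three findings (3DES, SHA1, modp1024) and the Aggressive Mode output four; a responder offering AES, SHA-256, group 14 and certificate authentication yields none.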

iptables explained

iptables

Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a ‘target’, which may be a jump to a user-defined chain in the same table.

Tables

  • The filter table: This is the default and perhaps the most widely used table. It is used to make decisions about whether a packet should be allowed to reach its destination.
  • The mangle table: This table allows you to alter packet headers in various ways, such as changing TTL values.
  • The nat table: This table allows you to route packets to different hosts on NAT (Network Address Translation) networks by changing the source and destination addresses of packets. It is often used to allow access to services that can’t be accessed directly because they’re on a NAT network.
  • The raw table: iptables is a stateful firewall, which means that packets are inspected with respect to their “state”. (For example, a packet could be part of a new connection, or it could be part of an existing connection.) The raw table allows you to work with packets before the kernel starts tracking their state. In addition, you can also exempt certain packets from the state-tracking machinery.

Chains

  • The PREROUTING chain: Rules in this chain apply to packets as they just arrive on the network interface. This chain is present in the nat, mangle and raw tables.
  • The INPUT chain: Rules in this chain apply to packets just before they’re given to a local process. This chain is present in the mangle and filter tables.
  • The OUTPUT chain: The rules here apply to packets just after they’ve been produced by a process. This chain is present in the raw, mangle, nat and filter tables.
  • The FORWARD chain: The rules here apply to any packets that are routed through the current host. This chain is only present in the mangle and filter tables.
  • The POSTROUTING chain: The rules in this chain apply to packets as they just leave the network interface. This chain is present in the nat and mangle tables.

Targets

  • ACCEPT: This causes iptables to accept the packet.
  • DROP: iptables drops the packet. To anyone trying to connect to your system, it would appear like the system didn’t even exist.
  • REJECT: iptables “rejects” the packet. It sends a “connection reset” packet in case of TCP, or a “destination host unreachable” packet in case of UDP or ICMP.

The connection tracking module – conntrack

  • NEW: This state represents the very first packet of a connection.
  • ESTABLISHED: This state is used for packets that are part of an existing connection.
  • RELATED: This state is used for connections that are related to another ESTABLISHED connection.
  • INVALID: This state means the packet doesn’t have a proper state. This may be due to several reasons, such as the system running out of memory or due to some types of ICMP traffic.
  • UNTRACKED: Any packets exempted from connection tracking in the raw table with the NOTRACK target end up in this state.
  • DNAT: This is a virtual state used to represent packets whose destination address was changed by rules in the nat table.
  • SNAT: Like DNAT, this state represents packets whose source address was changed.
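The tables, chains, targets and conntrack states above come together in the classic stateful host firewall. The script below is an added example, not part of the original post: default DROP on INPUT and FORWARD, early discard of INVALID packets, a single ESTABLISHED,RELATED rule that admits replies to anything the host initiated, NEW connections allowed only to SSH, and REJECT (with a TCP reset) rather than DROP for the remainder so legitimate clients fail fast instead of timing out. It assumes SSH on tcp/22 is the only inbound service; the function names apply_stateful_ruleset and dry_run are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: a minimal stateful INPUT
# ruleset in the filter table. IPT=dry_run prints the commands instead of
# applying them, so the rule order can be reviewed before running as root.
set -eu

IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"   # assumed: the only service exposed inbound

dry_run() { printf '%s\n' "$*"; }

apply_stateful_ruleset() {
  # Start from an empty filter table; nat, mangle and raw are left alone.
  "$IPT" -F
  "$IPT" -X
  # Default policies: deny inbound and forwarded, allow locally generated.
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT ACCEPT
  # Loopback is trusted.
  "$IPT" -A INPUT -i lo -j ACCEPT
  # Packets conntrack cannot place in any connection are dropped first,
  # so a malformed packet never reaches an ACCEPT rule below.
  "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
  # Replies to connections this host opened, plus RELATED traffic such as
  # ICMP errors and FTP data channels. Must precede the NEW rules.
  "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # NEW connections are admitted only to SSH.
  "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
  # Keep the host pingable for diagnostics.
  "$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  # Everything else: REJECT so clients fail fast; TCP gets a reset, the rest
  # an ICMP port-unreachable.
  "$IPT" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  "$IPT" -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Usage: sh stateful.sh apply   (or IPT=dry_run sh stateful.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
  apply_stateful_ruleset
fi
```

Apply it from a console or with a scheduled rollback (for example `iptables-restore < backup` via `at now + 5 minutes`) the first time, since a mistake in the ESTABLISHED rule cuts off a remote session.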

The new architecture for the Windows Subsystem for Linux: WSL 2!


Changes in this new architecture will allow for dramatic file system performance increases and full system call compatibility, meaning you can run more Linux apps in WSL 2, such as Docker.

WSL 2 is a new version of the architecture that powers the Windows Subsystem for Linux to run ELF64 Linux binaries on Windows. This new architecture changes how these Linux binaries interact with Windows and your computer’s hardware, but still provides the same user experience as in WSL 1 (the current widely available version). Individual Linux distros can be run either as a WSL 1 distro, or as a WSL 2 distro, can be upgraded or downgraded at any time, and you can run WSL 1 and WSL 2 distros side by side. WSL 2 uses an entirely new architecture that uses a real Linux kernel.

Microsoft will be shipping a Linux kernel with Windows

Yes, you did just read that heading correctly! We will be shipping a real Linux kernel with Windows that will make full system call compatibility possible. This isn’t the first time Microsoft has shipped a Linux kernel, as we have already shipped one in 2018 when we announced Azure Sphere. However, this will be the first time a Linux kernel is shipped with Windows, which is a true testament to how much Microsoft loves Linux!

This kernel has been specially tuned for WSL 2. It has been optimized for size and performance to give an amazing Linux experience on Windows. We will service this Linux kernel through Windows updates, which means you will get the latest security fixes and kernel improvements without needing to manage it yourself.

Lastly, of course, this Linux kernel will be fully open source! When we release WSL 2 we will have the full configuration available online on GitHub, so you can see how it works and build it yourself. If you’d like to read more about this kernel you can check out the blog post written by the team that built it.

A quick explanation of the architectural changes in WSL 2

WSL 2 uses the latest and greatest in virtualization technology to run its Linux kernel inside of a lightweight utility virtual machine (VM). However, WSL 2 will NOT be a traditional VM experience. When you think of a VM, you probably think of something that is slow to boot up, exists in a very isolated environment, consumes lots of computer resources and requires your time to manage it. WSL 2 does not have these attributes. It will still give the remarkable benefits of WSL 1: High levels of integration between Windows and Linux, extremely fast boot times, small resource footprint, and best of all will require no VM configuration or management.

How much faster is WSL 2?

File-intensive operations like git clone, npm install, apt update, apt upgrade, and more will all be noticeably faster. The actual speed increase will depend on which app you’re running and how it is interacting with the file system. Initial tests that we’ve run have WSL 2 running up to 20x faster compared to WSL 1 when unpacking a gzipped tarball, and around 2-5x faster when using git clone, npm install and CMake on various projects. We’re looking forward to seeing speed comparisons from the community when we release!

Full System Call Compatibility

Linux binaries use system calls to perform many functions such as accessing files, requesting memory, creating processes, and more. In WSL 1 we created a translation layer that interprets many of these system calls and allows them to work on the Windows NT kernel. However, it’s challenging to implement all of these system calls, resulting in some apps being unable to run in WSL 1. Now that WSL 2 includes its own Linux kernel it has full system call compatibility. This introduces a whole new set of apps that you can run inside of WSL. Some exciting examples are the Linux version of Docker, as well as FUSE!

Using WSL 2 means you can also get the most recent improvements to the Linux kernel much faster than in WSL 1, as we can simply update the WSL 2 kernel rather than needing to reimplement the changes ourselves.

WSL 2 will be a much more powerful platform for you to run your Linux apps on and will empower you to do more with a Linux environment on Windows.
