
iptables, combined with the IP forwarding feature of Linux, can be configured to create static NAT: a fixed, one-to-one mapping between an internal host and a public address. This post gives an example configuration for static NAT on a Linux machine.

1.  Load the nat module.
     Execute this command, and add it to /etc/rc.local so that it is executed on every reboot (current kernels load the module automatically the first time the nat table is referenced, but loading it explicitly does no harm):

     modprobe iptable_nat

2.  Enable IP forwarding. This command enables IP forwarding on the Linux machine immediately, but the setting is lost on reboot:

     echo 1 > /proc/sys/net/ipv4/ip_forward

     To make it persistent, edit /etc/sysctl.conf and uncomment this line,

     #net.ipv4.ip_forward=1

     so that it reads

     net.ipv4.ip_forward=1

     A value of 1 means IP forwarding is enabled. Run sysctl -p to apply the file without rebooting.

3.  Create the iptables rules.
     There are two kinds of NAT. Source NAT rewrites the source address of packets leaving your network (your home server) and is done in the POSTROUTING chain; destination NAT rewrites the destination address of packets arriving from the Internet and is done in the PREROUTING chain. A static, one-to-one mapping needs both directions: SNAT so that connections the local server opens appear to come from the public address, and DNAT so that connections from the Internet to the public address are delivered to the local server. The rule below covers the outbound direction.
     For example, to map your local server 192.168.1.1 to the public address 201.1.1.1, configure POSTROUTING.

     Configure static NAT from the local server to the public IP:

     iptables -t nat -A POSTROUTING -s 192.168.1.1 -o eth0 -j SNAT --to-source 201.1.1.1

     Allow forwarding of the SNATed connections from the local server. This rule only matters when the FORWARD chain policy is DROP; with the default ACCEPT policy everything is forwarded anyway. Note that it has no -s match, so it lets every internal host out through eth0, not only the NATed server; add -s 192.168.1.1 if that is not what you intend:

     iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


Save your configuration in your iptables script, or dump it with iptables-save so that it can be restored at boot.
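The complete static mapping, as an added example that is not the original post's script: it packages both directions of the translation, with FORWARD rules specific to the mapped host, into a shell script that is safe to re-run at boot. The addresses 192.168.1.1 and 201.1.1.1 and the interface eth0 are the post's; the function names nat_rules and apply_rules, the show/apply arguments and the use of the conntrack match instead of the older state match are my choices.

```shell
#!/bin/sh
# Static one-to-one NAT for a single internal host. Added example, not the
# original post's script. It adds the inbound DNAT half that a static mapping
# needs and restricts the FORWARD rules to the mapped host.
# Assumed values (hypothetical; override them in the environment):
LOCAL_IP=${LOCAL_IP:-192.168.1.1}   # internal server
PUBLIC_IP=${PUBLIC_IP:-201.1.1.1}   # public address; must be assigned to $WAN_IF or routed to this box
WAN_IF=${WAN_IF:-eth0}              # interface facing the Internet

# nat_rules LOCAL PUBLIC IF: print the rule set, one "table chain match..." per line.
# The inbound FORWARD rule accepts NEW connections to every port of the host,
# which is what a static mapping means; add -p tcp --dport matches to narrow it.
nat_rules() {
    cat <<EOF
nat POSTROUTING -s $1 -o $3 -j SNAT --to-source $2
nat PREROUTING -d $2 -i $3 -j DNAT --to-destination $1
filter FORWARD -s $1 -o $3 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
filter FORWARD -d $1 -i $3 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# apply_rules LOCAL PUBLIC IF: append each rule unless it is already present
# (-C checks for an existing identical rule), so re-running does not duplicate rules.
apply_rules() {
    nat_rules "$@" | while read -r table chain args; do
        # $args is intentionally unquoted so the match words become separate arguments
        iptables -t "$table" -C "$chain" $args 2>/dev/null ||
            iptables -t "$table" -A "$chain" $args
    done
}

case "${1:-show}" in
    apply)
        modprobe iptable_nat 2>/dev/null || true    # auto-loaded on current kernels
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        apply_rules "$LOCAL_IP" "$PUBLIC_IP" "$WAN_IF"
        ;;
    show)
        nat_rules "$LOCAL_IP" "$PUBLIC_IP" "$WAN_IF" # dry run: print the rules only
        ;;
esac
```

Run it without arguments to see the four rules it would add, and with apply as root to install them; because FORWARD is now matched per host in both directions, the script still works if you later set the FORWARD policy to DROP.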

Linux Home Networking (http://www.linuxhomenetworking.com/) is a good source for Linux networking topics.


By creating an interface configuration, the IP address and gateway settings survive a reboot. In Debian, this configuration is written in the file "interfaces" in the directory "/etc/network/". The configuration file looks like this:


# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 10.10.10.10
        netmask 255.255.255.0
        network 10.10.10.0
        broadcast 10.10.10.255
        gateway 10.10.10.1

Fill in address, netmask, network, broadcast, and gateway with your own IP addressing. If you also want to browse by name, you need DNS configuration; create the file "/etc/resolv.conf" with contents like this (if the resolvconf package is installed it will overwrite this file, in which case put the servers in the iface stanza as "dns-nameservers 10.10.10.2 10.10.10.5" instead):

nameserver 10.10.10.2
nameserver 10.10.10.5


iptables provides packet filtering, network address translation (NAT) and other packet mangling.
Two of the most common uses of iptables are to provide firewall support and NAT.
Configuring iptables manually is challenging for the uninitiated. Fortunately, there are many configuration tools (wizards) available to assist, e.g. fwbuilder, bastille and ferm.



Viewing current configuration


See what rules are already configured. Issue this command (add -n to skip reverse DNS lookups of the addresses shown):
iptables -L

The output will be similar to this:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

With empty chains and ACCEPT policies everywhere, this allows anyone access to anything from anywhere.

Storing iptables rules in a file


Let's tighten that up a bit by creating a test iptables file:
nano /etc/iptables.test.rules

In this file enter some basic rules:
*filter

# Allows all loopback (lo0) traffic and rejects traffic to 127/8 that doesn't arrive on lo0
# (the negation goes before the option: "! -i lo"; the older "-i ! lo" form is rejected by current iptables)
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections from anywhere
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE (30000 here, not the default 22)
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

That may look complicated, but take it one section at a time. You will see that it simply closes all ports except the ones we have allowed, which in this case are ports 80 and 443 (the standard HTTP and HTTPS ports) and the SSH port defined earlier. The chain policies are still ACCEPT; it is the two REJECT rules at the end that actually close the host, so never remove them without also changing the policies.
Activate these new rules (if you are connected over SSH, check first that the SSH rule matches the port you are connected to, or you will lock yourself out):
iptables-restore < /etc/iptables.test.rules

And see the difference:
iptables -L

Now the output tells us that only the ports defined above are open. All the others are closed. Note that these rules apply to IPv4 only; IPv6 is filtered separately by ip6tables, so a host reachable over IPv6 needs an equivalent ip6tables ruleset.
Once you are happy, save the new rules to the master iptables file:
iptables-save > /etc/iptables.up.rules

To make sure the iptables rules are restored on a reboot we'll create a new file (on current Debian releases the iptables-persistent package does the same job, restoring /etc/iptables/rules.v4 and /etc/iptables/rules.v6 at boot):
nano /etc/network/if-pre-up.d/iptables

Add these lines to it:
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules

The file needs to be executable so change the permissions:
chmod +x /etc/network/if-pre-up.d/iptables
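A tighter variant of the rules file above, as an added example and not the Debian wiki's file: SSH is accepted only from named admin networks and rate-limited per source address, the chain policies are DROP so the host fails closed, the generated file is checked with iptables-restore --test before it is loaded, and a timed rollback restores the previous rules if the change cuts off your own session. Port 30000 and the rules file path are the page's; the admin networks 203.0.113.0/24 and 198.51.100.7/32, the function names fw_rules and install_rules, and the two-minute rollback window are assumptions.

```shell
#!/bin/sh
# Host firewall generator and installer. Added example, not the wiki's file.
# Assumed (hypothetical): sshd on port 30000, admin networks 203.0.113.0/24 and
# 198.51.100.7/32, rules file /etc/iptables.up.rules. Override via the environment.
SSH_PORT=${SSH_PORT:-30000}
ADMIN_NETS=${ADMIN_NETS:-"203.0.113.0/24 198.51.100.7/32"}
RULES_FILE=${RULES_FILE:-/etc/iptables.up.rules}

# fw_rules PORT NET...: print a complete iptables-restore file for the filter table.
# DROP policies mean the host fails closed even if the final REJECT rule is lost.
fw_rules() {
    port=$1; shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and nothing claiming a 127/8 destination on another interface
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# replies to connections this host opened; drop what conntrack cannot classify
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
EOF
    # SSH only from the admin networks, at most 4 new connections per minute per source IP
    for net in "$@"; do
        echo "-A INPUT -p tcp --dport $port -s $net -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 4/minute --hashlimit-burst 4 -j ACCEPT"
    done
    cat <<EOF
# rate-limited ping, then log and reject everything else
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
COMMIT
EOF
}

# install_rules: validate the generated file, apply it, and arm a timed rollback
# so a mistake that locks you out undoes itself after two minutes.
install_rules() {
    new=$(mktemp) && old=$(mktemp) || return 1
    fw_rules "$SSH_PORT" $ADMIN_NETS >"$new"   # ADMIN_NETS unquoted: one argument per network
    if ! iptables-restore --test <"$new"; then
        echo "generated rules rejected by iptables-restore --test; nothing changed" >&2
        return 1
    fi
    iptables-save >"$old"
    iptables-restore <"$new"
    ( sleep 120 && iptables-restore <"$old" ) &
    echo "rules applied. Reconnect over SSH now, then run: kill $! && cp $new $RULES_FILE"
}

case "${1:-show}" in
    install) install_rules ;;
    show)    fw_rules "$SSH_PORT" $ADMIN_NETS ;;   # dry run: print the file only
esac
```

Run it without arguments to print the generated file, or with install as root to apply it. After reconnecting over SSH, kill the rollback job it names and copy the file into place; if you cannot reconnect, wait two minutes and the previous rules return on their own.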

Note: This HOWTO had been contributed by user Geejay to wiki.openvz.org as a part of installing container howto.

Source: http://wiki.debian.org/iptables


This procedure recovers a lost password on Catalyst 2900, 3500 and 3750 series switches. It needs physical console access and a power cycle; anyone who can reach the console port can do the same, which is why console ports belong behind a locked door.
1. Connect to the switch with the console cable.
2. Unplug the power cable.
3. Hold down the Mode button while reconnecting the power cable, until the switch: prompt appears. When to release the button depends on the model:


Catalyst switch series: LED behaviour and Mode button release action

2900XL, 3500XL, 3550
Release the Mode button when the LED above Port1x goes out.

2940, 2950
Release the Mode button after approximately 5 seconds when the Status (STAT) LED goes out. When you release the Mode button, the SYST LED blinks amber.

2960, 2970
Release the Mode button when the SYST LED blinks amber and then turns solid green. When you release the Mode button, the SYST LED blinks green.

3560, 3750
Release the Mode button after approximately 15 seconds when the SYST LED turns solid green. When you release the Mode button, the SYST LED blinks green.

4. Initialize the flash file system:
switch: flash_init
5. Load the helper files:
switch: load_helper
6. List the flash contents and note the name of the configuration file (config.text on these switches):
switch: dir flash:
7. Rename the configuration file so that the switch boots without it:
switch: rename flash:config.text flash:config.old
8. Boot the system:
switch: boot
9. Enter "n" to abort the initial configuration dialog.
10. Enter enable mode (no password is asked because the switch booted without a configuration):
switch>en
switch#
11. Put the configuration file back with rename flash:config.old flash:config.text:
switch#rename flash:config.old flash:config.text
12. Load the saved configuration into memory:
switch#copy flash:config.text system:running-config
13. Overwrite the passwords ("cisco" is a placeholder; use strong ones, and prefer enable secret, which is hashed, over enable password):
switch#conf t
switch(config)#enable secret cisco
switch(config)#line vty 0 4
switch(config-line)#login
switch(config-line)#password cisco
switch(config-line)#line con 0
switch(config-line)#login
switch(config-line)#password cisco
switch(config-line)#end
14. Save the configuration:
switch#wr mem


Sometimes you lose your router password, or you start as network administrator somewhere new and nobody knows the password of the company router. Here is the procedure for recovering it. As with the switches, it needs console access and a reboot, so it is also a reminder that whoever controls the console controls the router.

1. Connect to the router through the console.
2. Power off the router.
3. Power on while sending the Break key (Ctrl-Break in most terminal emulators) during the first seconds of boot, until you get the ROMmon prompt.
4. At ROMmon, set the configuration register to 0x2142 so that the router ignores its startup configuration on the next boot:
rommon 1 > confreg 0x2142
5. Reset to reboot the router:
rommon 2 > reset
6. Type no when the router prompts to enter the initial configuration dialog.
7. Enter privileged mode (no password is asked because no configuration was loaded):
Router>enable
Router#
8. Copy the startup configuration into the running configuration. When you do show run, you will see the old configuration:
Router#copy start run
9. Change the enable secret, the console password and the vty password:
Router#conf t
Router(config)#enable secret cisco
Router(config)#line con 0
Router(config-line)#login
Router(config-line)#password cisco
Router(config-line)#line vty 0 4
Router(config-line)#login
Router(config-line)#password cisco
Router(config-line)#exit
10. Set the configuration register back to 0x2102, otherwise the router keeps ignoring its startup configuration on every reboot:
Router(config)#config-register 0x2102
11. Leave configuration mode, then save the configuration:
Router(config)#end
Router#copy run start
or
Router#wr mem

Note that after step 8 every interface is administratively shut down, because copy start run does not execute the no shutdown commands; bring the interfaces up with no shutdown before saving, or the router comes back without connectivity.


On the PIX, and on the ASA before software release 8.3, NAT is configured in two halves: a nat statement on the inside interface selects the traffic to translate, and a global statement on the outside interface says what it is translated to. The nat id must match the global id. For example, if you want all traffic from the inside interface to be translated to the outside interface address when it goes to the Internet through the outside interface, configure this:


nat (inside) 1 0 0
global (outside) 1 interface

0 0 is shorthand for 0.0.0.0 0.0.0.0, i.e. any inside address. If you do not want a particular range to be translated, for example the network 192.168.1.0/24, use nat id 0, which is identity NAT and needs no matching global statement:

nat (inside) 0 192.168.1.0 255.255.255.0

From ASA 8.3 onwards this nat/global syntax is gone and NAT is configured with network objects instead.


This post shows examples of configuring a firewall filter to protect the routing engine on a Juniper router. In Junos, the router itself (the local routing engine) can be protected against attacks such as DDoS, TCP SYN floods and unauthorized access by creating a firewall filter and applying it as an input filter on the loopback interface, because every packet addressed to the router itself passes through lo0. This post gives examples for protecting the local routing engine against unauthorized access and against ICMP and TCP floods.

Protecting the Local Routing Engine Against Unauthorized Access
Creating the Firewall Filter

[edit]
firewall {
    filter protect-RE {
        term trusted-telnet {
            from {
                source-address {
                    192.168.1.0/24;
                }
                protocol tcp;
                destination-port telnet;
            }
            then accept;
        }
        term untrusted-telnet {
            from {
                protocol tcp;
                destination-port telnet;
            }
            then {
                reject;
            }
        }
        term all-traffic {
            then accept;
        }
    }
}

The same pattern (a trusted-source accept term followed by a catch-all reject for the same port) applies to ssh and the other management protocols. Telnet itself sends passwords in cleartext, so on a production router it is better disabled under [edit system services] than merely filtered.

Protecting the Local Routing Engine Against ICMP and TCP Floods
Creating the Firewall Filter and the Policer

Policers are defined at the [edit firewall] level, alongside the filter, and referenced from a term's then clause:

[edit]
firewall {
    policer small-bw-policer {
        if-exceeding {
            bandwidth-limit 4m;
            burst-size-limit 16k;
        }
        then discard;
    }
    filter protect-RE {
        term protect-icmp-flooding {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then {
                policer small-bw-policer;
                accept;
            }
        }
        term all-traffic {
            then accept;
        }
    }
}


Applying the Filter on the Loopback Interface

[edit]
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-RE;
                }
                address 192.168.255.254/32;
            }
        }
    }
}

The two filters above can be combined into one firewall filter like this:

[edit]
firewall {
    policer small-bw-policer {
        if-exceeding {
            bandwidth-limit 4m;
            burst-size-limit 16k;
        }
        then discard;
    }
    filter protect-RE {
        term trusted-telnet {
            from {
                source-address {
                    192.168.1.0/24;
                }
                protocol tcp;
                destination-port telnet;
            }
            then accept;
        }
        term untrusted-telnet {
            from {
                protocol tcp;
                destination-port telnet;
            }
            then {
                reject;
            }
        }
        term protect-icmp-flooding {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then {
                policer small-bw-policer;
                accept;
            }
        }
        term all-traffic {
            then accept;
        }
    }
}

Remember: a Junos firewall filter ends with an implicit discard, so always finish the filter with a term that accepts (the all-traffic term above). Without it, routing protocol and management traffic that no earlier term matched is silently dropped the moment you commit.
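The second filter above polices ICMP only, although its heading also names TCP floods. The following term, an added example that is not part of the original post, polices TCP connection attempts towards the routing engine (SYN without ACK, plus FIN and RST, so established flows are not rate-limited) with the same policer; small-bw-policer and the protect-RE filter are the page's, the term name protect-tcp-syn is mine. It belongs between untrusted-telnet and all-traffic in the combined filter.

```junos
[edit firewall filter protect-RE]
term protect-tcp-syn {
    from {
        protocol tcp;
        /* connection setup and teardown packets only; data packets of
           accepted sessions fall through to the terms below */
        tcp-flags "(syn & !ack) | fin | rst";
    }
    then {
        policer small-bw-policer;
        accept;
    }
}
```

After loading the term, run commit check to validate the configuration before committing; show firewall filter protect-RE then shows the policer's discard counter, which is how you confirm the limit is biting during a flood rather than on normal traffic.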


By creating a new folder and renaming it to GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}, you get a single folder that lists every Control Panel setting for configuring Windows 7.


If you are familiar with Linux or Unix, you know about changing ownership with chown. Windows 7 has a similar concept. As on Linux or Unix, an administrator can change or take ownership of a file or folder, even when the current permissions deny access, because the Administrators group holds the take-ownership privilege. Here is how:

1. Right-click the file or folder you want to take ownership of, click Properties, then click the Security tab.
2. Click Advanced, then click the Owner tab.
3. Click Edit.
4. Click Other users or groups.
5. Enter the user or group that should become the owner of the file or folder, and click OK.

Taking ownership does not by itself grant any access; once you are the owner, edit the permissions on the Security tab. From an administrative command prompt the same is done with takeown /f <path> (add /r for a folder tree), followed by icacls <path> /grant <user>:F to set the permissions.