UDP header

Everything is quite self-explanatory. Probably the only things to mention are that the UDP length includes header and data, and that UDP offers no confirmation that the data has reached its destination. The header is fixed length.


IP datagram structure


The IP version (4 for IPv4).

IHL (Internet Header length, 4 bytes)

The IP header length in 32 bit words/4 bytes (octets). The minimum is 5 x 32 bit words, so 20 bytes. With options it can get to 60 bytes long.

Total length

This explains the total length of the IP datagram (header + data). As this is a 16 bit field, it can describe up to 64KB (2^16 = 65536) MTU.


All the fragments of a datagram have the same identification number.


Bit 1: reserved
Bit 2: DF (do not fragment)
Bit 3: more fragments (all fragments except the last one have this bit set).

Fragment offset

This describes the offset of the current fragment within the original datagram. As all fragments have to be an integer multiple of 8 bit and there are 13 bits in the fragment offset field, the resulting maximum datagram size is 8 x 2^13 = 2^16 bytes = 64KB.

Time to live (TTL)

This represents the maximum number of hops (usually routers) that a packet can transit.


This specifies the layer 4 protocol that will process the IP datagram.


TCP segment structure

TCP Header

Sequence number

It represents the offset of the first byte of the segment in relation to the first segment. It’s used to keep track of all segments (and retransmit if required).

Acknowledgement number

If the ACK flag is set (see below), the acknowledgement number contains the sequence number of the next segment it expects. This is a type of forward acknowledgement.

Data offset (header length)

This specifies the number of rows in the header. In other words, this lets you know where the header ends and actual data (TCP payload) begins.

TCP Flags

URG: set if the Urgent Pointer is used.

ACK: set if the Acknowledgement number is valid and should be considered.

PSH: set to push the data as it comes without waiting for the buffer to get full.

RST: used to forcefully reset a connection that can’t continue due to unexpected reasons.

SYN: used to initiate a connection.

FIN: this is set when there is no more data to send. It’s used to cleanly end a connection.

Window size

It is a 16 bit field that tells the sender the quantity of data the receiver will accept without sending a confirmation.

Urgent pointer

This relies on (is validated by) the URG flag above, and it contains the sequence number of the first non-urgent segment after the urgent data has been sent.
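The three header layouts above, decoded from raw bytes with the length and offset checks each description implies. This is an added example, not code from the original page; the function names and the sample packets (addresses, ports, ID) are constructed for illustration, and checksums are not verified.

```python
import struct
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # flag bits 0..5

def parse_ipv4(pkt):
    """Decode the IPv4 fields described above; frag_offset is converted to bytes."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte minimum IPv4 header")
    v_ihl, _, total, ident, frag, ttl, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    version, hdr_len = v_ihl >> 4, (v_ihl & 0x0F) * 4  # IHL counts 32-bit words
    if version != 4 or not 20 <= hdr_len <= total <= len(pkt):
        raise ValueError("inconsistent version, IHL or total length")
    return {"header_len": hdr_len, "total_length": total, "id": ident, "ttl": ttl,
            "DF": bool(frag & 0x4000), "MF": bool(frag & 0x2000), "protocol": proto,
            "frag_offset": (frag & 0x1FFF) * 8, "payload": pkt[hdr_len:total]}

def parse_udp(seg):
    """The UDP header is always 8 bytes; its length field covers header + data."""
    if len(seg) < 8:
        raise ValueError("shorter than the 8-byte UDP header")
    sport, dport, length, _ = struct.unpack("!HHHH", seg[:8])
    if not 8 <= length <= len(seg):
        raise ValueError("UDP length does not fit the datagram")
    return {"sport": sport, "dport": dport, "length": length, "data": seg[8:length]}

def parse_tcp(seg):
    """Decode the fixed 20 bytes of a TCP header and locate the payload."""
    if len(seg) < 20:
        raise ValueError("shorter than the 20-byte minimum TCP header")
    sport, dport, seq, ack, off_flags, window, _, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4  # data offset counts 32-bit words
    if not 20 <= data_off <= len(seg):
        raise ValueError("data offset points outside the segment")
    flags = [name for bit, name in enumerate(TCP_FLAGS) if off_flags & (1 << bit)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "urgent": urg, "data": seg[data_off:]}

def decode(pkt):
    """Parse IP, then layer 4; only the first fragment carries the L4 header."""
    ip = parse_ipv4(pkt)
    parser = {6: parse_tcp, 17: parse_udp}.get(ip["protocol"])
    return ip, (parser(ip["payload"]) if parser and ip["frag_offset"] == 0 else None)

def ip_header(total, proto, frag=0x4000):
    """Constructed 20-byte header: DF set by default, TTL 64, checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

# Constructed samples: a UDP datagram carrying 4 bytes, and a bare TCP SYN.
UDP_PKT = ip_header(32, 17) + struct.pack("!HHHH", 5353, 53, 12, 0) + b"ping"
TCP_PKT = ip_header(40, 6) + struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, 0x5002, 65535, 0, 0)
```

Calling decode(UDP_PKT) or decode(TCP_PKT) returns the IP fields together with the decoded layer 4 header; a non-first fragment returns None for layer 4 because its payload does not start with a TCP or UDP header.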


Possible fix for "remote_smtp defer" | Exim

For fixing the “T=remote_smtp defer” error message from exim you may need to repair the Exim databases.

First off, confirm this is the problem. Query the exim mail queue:

# exim -bp

Pick a message ID (let’s say 1PVKjs-0008FT-4S) and view its log:

# exim -Mvl 1PVKjs-0008FT-4S

If it says something like remote_smtp defer then you may need to repair the exim databases.

/usr/sbin/exim_tidydb -t 1d /var/spool/exim db

Replace “db” by the name of the specific dbs on your system. At this time our cPanel servers have these: ratelimit, retry, wait-dk_remote_smtp and wait-remote_smtp. So in a nutshell:

/usr/sbin/exim_tidydb -t 1h /var/spool/exim ratelimit

/usr/sbin/exim_tidydb -t 1h /var/spool/exim retry

/usr/sbin/exim_tidydb -t 1h /var/spool/exim wait-dk_remote_smtp

/usr/sbin/exim_tidydb -t 1h /var/spool/exim wait-remote_smtp

You may want to increase the time: instead of 1h (one hour) you may set 1d (one day) or whatever, and you may want to redirect the output to /dev/null (add > /dev/null to the end of the above commands).

Alternatively you may want to update exim and courier:

/scripts/courierup --force
/scripts/eximup --force


nmap usage

This is used for port scanning, OS fingerprinting etc. A well secured server

-sS = TCP Syn scan – many servers don’t log this
-sT = TCP connect scan – always logged
-sX = Xmas-tree scan
-sF = Fin scan
-sN = null scan mode
-sP = ping scanning
-sU = UDP scan
-sI = zombie scan
-sA = ack scan
-sW = window scan
-sL = list scan
-PT = tcp ping to determine which hosts are up
-O = identifies OS, uptime and TCP Sequence Prediction (-sS -v)
-sR = rpc scan
-D = decoy scan
-sV = Scan Version
-iR = scans random IP
Example: nmap -sS -p 80 -iR 3 -P0 -> scans until it finds 3 webservers using random IP destinations

-P0 = don’t ping hosts before scanning (very important if ping is blocked).

-PP = uses ICMP timestamp request to see if the host is up (instead of echo-request)
-oN log_file = saves in log_file
-v, -vv = verbose level
-T {paranoid | sneaky | polite | normal | aggressive | insane}
– paranoid = 5 minutes between packets
– sneaky = 15 seconds
– polite = 0.4 sec
– aggressive & insane = max speed
--scan_delay milliseconds = same as -T, exact values possible
-f <--mtu val> = fragments packets
--data-length <8-1457>
nmap --spoof-mac A1:b2:c3:d4:e5:f6


dovecot installation

The install process is pretty straightforward. However, if you want to use PAM you need to add the --with-pam option to the configure script. You may also need to “yum install pam-devel”. You may also need to add to /etc/pam.d a file called dovecot for instance (if this is the user under which dovecot will run) with these contents:

auth    required        pam_unix.so nullok
account required        pam_unix.so

The configuration file is a bit more complicated.

Sample dovecot.conf file:

base_dir = /var/run/dovecot/
# plaintext authentication is allowed even without SSL/TLS
disable_plaintext_auth = no
log_path = /var/log/dovecot
passdb {
  driver = pam
}
protocols = imap pop3
service auth {
  user = dovecot
}
service imap-login {
  process_limit = 128
  process_min_avail = 3
  service_count = 1
  user = dovecot
}
service pop3-login {
  process_limit = 128
  process_min_avail = 3
  service_count = 1
  user = dovecot
}
# SSL/TLS is disabled, so logins and mail cross the network unencrypted
ssl = no
userdb {
  driver = passwd
}
protocol lda {
  postmaster_address = [email protected]
}


postfix installation

After getting the tarball from postfix.org and untarring it, you first need to run make (there is no ./configure available in this one). You might hit an error that reads like:

No <db.h> include file found.
Install the appropriate db*-devel package first.

In this case (at least on CentOS 5) install db4 and db4-devel using yum

yum install db4

yum install db4-devel

After that run make and add 2 system users: postfix and postdrop.


useradd -s /bin/false postfix

useradd -s /bin/false postdrop

You will have to provide a number of paths (if you want them different from the defaults). These are the main defaults:

/etc/postfix                  # config dir

/usr/sbin/                   #administrative binaries

/usr/libexec/postfix   #postfix daemon

/var/lib/postfix           #cache and other random data

/usr/bin/mailq            #Sendmail compatible mail queue listing command

/usr/bin/newaliases   #Postfix newaliases command

/var/spool/postfix      #Postfix queue directory

/usr/sbin/sendmail    #Sendmail compatible mail posting interface


iptables matches

Complete listing of ICMP types and names:

iptables -p icmp --help


iptables related commands


iptables [-t table] command [match] [target/jump]

-t table: the default is for filter table; otherwise you must use the -t flag;

command must come first or right after the table specification; it is used to insert, add or delete a rule;

iptables -m tos -h

This lists the TOS match types.

iptables commands list

-A, --append (appends the rule to the end of a chain)

iptables -A rule_to_append

-D, --delete (deletes a rule)

iptables -D exact_rule_to_delete

iptables -D chain number

-R, --replace (replaces a rule)

-I, --insert (inserts a new rule at the specified position in the chain)

iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

The above will insert the rule in the INPUT chain on the first position.

-L (lists the rules in a chain)

iptables -L [chain]

You can specify no chain in which case all the rules will be listed.

-F, --flush

iptables -F [chain]

This deletes all rules (from the specified chain if you specify one).

-Z, --zero

iptables -Z [chain]

This will reset all counters for the specified chain.

-N, --new-chain

iptables -N custom_chain

This will create a new (custom) chain.

-X, --delete-chain

The chain to be deleted must be empty.

-P, --policy

iptables -P chain target

target can be DROP or ACCEPT.

-E, --rename-chain

iptables -E old_chain new_name

iptables options

-v, --verbose

This can be used with list, insert, append, delete and replace. Used with list, this lists the interface address, TOS and masks. Used along with the -x option it will also list the exact counters for packets and bytes. Used with insert, append, delete or replace it will output detailed information on how the rule was interpreted and whether it was accepted.

-x, --exact

See above. Only relevant to list.

-n, --numeric

This will output numeric values. Only relevant to list. IPs and port numbers will be listed instead of the host, network or application names (which is the default).


This is only relevant to list. It displays the rule number.

-c, --set-counters

This is relevant to insert, append and replace. It initialises the counters for a rule.

--set-counters 20 4000

This would be used to set the counters to 20 packets and 4000 bytes.


This is relevant to all commands and it’s used to tell iptables which module to use when probing for modules or adding them to the kernel.


iptables-save -c -t table > file

-c flag does not reset the packet and byte counters

-t can be used to specify a specific table to be saved


cat text_file | iptables-restore -c -n

-c flag keeps the packet and byte counters from the file
-n does not overwrite the current rules from iptables (the default is to flush all rules before import)

Audit tools

– nmap

– nessus


NETFILTER structure

proc setup


Set to 1 for IP forwarding (routing).


Set to 1 for dynamic IPs.

Netfilter system calls


Netfilter modules


The lowercase modules are for matches and the uppercase ones are for targets.


Conntrack table: /proc/net/ip_conntrack

Named hashlimit hashes: /proc/net/ipt_hashlimit/

Conntrack helper modules



#probably a bad idea on production non-irc servers with all the kids planting irc bots wherever they can


#the helper module for trivial FTP – probably not needed


Note that if you also use NAT you need to also load the helper modules for NAT (they should be starting with ip_nat_):