How to Use tcpdump to Capture and Analyze Network Traffic

One of the major drawbacks of the VNC (Virtual Network Computing) protocol for remote access to computers is the complete lack of session encryption.  Image source: FAQ on the TightVNC website One way to address this issue is by creating an SSH tunnel over which the VNC session will run, ensuring full encryption of the VNC session. An SSH tunnel creates an encrypted data channel between the client device and the server. In addition to establishing a secure connection to the remote device, an SSH tunnel can also be used to transfer data. In this article, we will explore several methods for creating an SSH tunnel, including using the standard ssh utility, as well as third-party client applications such as PuTTY and MobaXterm. Prerequisites A server or virtual machine with VNC installed. You can use TightVNC for this. We explain how to install it in another article. A second server or virtual machine with a pre-installed Linux OS with a graphical interface. You can use any modern Linux distribution or a home computer or laptop running Windows. Both Home and Professional editions, as well as Windows Server versions, are suitable. Creating an SSH Tunnel  Method 1. The ssh Utility Let’s start by setting up an SSH tunnel using the standard OpenSSH client, which comes pre-installed by default on almost all modern Linux distributions, as well as on Windows operating systems starting from Windows 10 version 1709 and above. Windows Server 2019 and Windows Server 2022 would also work.  On Windows systems, you can also use any WSL distribution (Windows Subsystem for Linux). The following command for setting up an SSH tunnel works the same on both Linux and Windows: ssh -L 5901:localhost:5901 root@<server-IP-address> Where: -L — the flag for local port forwarding. In local forwarding, a port from the client device is forwarded to the server. All subsequent connections to this local port will pass through the SSH tunnel. 5901:localhost:5901 — syntax for forwarding the remote port. In this example, we inform SSH that we want to forward port 5901 (the port of the VNC server) located on the remote server to gain access to the VNC server. At the same time, we also open port 5901 on our local device (localhost). root@<server-IP-address> — the standard syntax for SSH connection. After entering the command, the system will prompt for the user’s password, and upon successful entry, you will log into the server. After this, the SSH tunnel will be established. It's important to remain connected to the server; otherwise, the SSH session (and the tunnel) will be interrupted. If you need to launch the SSH tunnel in "daemon" mode (in the background), use the -fNT options, for example: ssh -fNT -L 5901:localhost:5901 root@<server-IP-address> Where: -f — after the password is entered, instead of launching a shell, the ssh process will switch to the background; -N — do not execute any command on the remote server after starting the tunnel; -T — disables the use of a terminal. Once the SSH tunnel is successfully established, you can connect using any VNC client utility, for example, TightVNC Connection. Launch the utility and enter the address localhost::5901 in the “Remote Host” field: Note: The use of two colons after localhost applies only to the TightVNC Connection program. After entering the address, click the “Connect” button. The program will request the password for the VNC session, which is set during the VNC server configuration: After entering the password, a window with the graphical interface of the server will open: All traffic between your device and the VNC server is now fully protected and encrypted. Method 2. PuTTY In addition to using the standard ssh utility, a tunnel can also be set up using the popular client utility for connecting to remote servers — PuTTY. To do this, follow these steps: Launch PuTTY and in the main menu fill in the following fields: Host Name (or IP address): enter the IP address of the VNC server; Port: specify the port used by SSH; Saved Sessions: enter any name for the session so that it can be saved and launched quickly in the future. Click the “Save” button to save the current session. In the left menu, find the “Connection” section, expand it, and go to “Tunnels”: In the opened section, fill in the following details: Source port: specify the port to be opened on the client device, e.g., 5901; Destination: enter the IP address of the VNC server and the VNC server’s port. After entering the data, click the “Add” button: Return to the PuTTY main menu (the “Session” section) and connect to the server by clicking the “Open” button. During the first login, you will need to accept the host key by clicking the “Accept” button. After entering the user account password, the server terminal will open: Without closing the PuTTY session window, open your VNC client application (e.g., TightVNC Connection) and enter the address localhost:5901: After entering the VNC session password, the server’s graphical interface will be displayed. Method 3. MobaXterm Another popular program for Windows OS used to connect to remote servers is MobaXterm. It can also be used to create an SSH tunnel. To do so, follow these steps: Launch the program and click on the “Tunneling” tab at the top: In the tunnel settings window, make sure the option “Local port forwarding” is selected and fill in the following information: In the “My computer with MobaXterm” section, enter the local port (5901) to be opened on the device; In the “SSH server” section, enter the address of the remote VNC server, along with the login and password to connect to the server; In the “Remote server” section, enter localhost as the address and 5901 as the port. Click the “Save” button to save the settings. In the opened window, click the start button in the “Start/stop” section: Once the SSH tunnel is launched, go to the “Session” section: In the “Remote hostname or IP address” field, enter localhost, and in the “Port” field, enter 5901: Click the “OK” button to connect. After entering the VNC session password, the server’s graphical interface will appear: Conclusion Although the VNC protocol does not encrypt its traffic by default, this issue can be resolved by using an SSH tunnel. In this article, we reviewed several methods for setting up an SSH tunnel on your device.

Have you ever hosted a server (game or web) on your home computer and shared your IP address with friends, but no one could connect? The issue lies in your router, which hides connected devices behind its own IP address. Everything within the router is a local network, while everything outside is a global network. However, there is no direct mediator between them, only a barrier preventing external connections. The solution is port forwarding, a technology that directs external requests to an internal device and vice versa. In Linux operating systems, the iptables utility is used for this purpose, which will be the focus of this article. The commands shown in this guide were executed on a Hostman cloud server running Ubuntu 22.04. What Is Port Forwarding? Port forwarding (also known as port mapping) redirects network traffic from one port to another, either through a router (hardware-level) or a firewall (software-level). With port forwarding, devices within a local network become accessible from the global network. Without it, external requests cannot reach internal devices. Common scenarios where port forwarding is needed: Connecting to a home server (game server, surveillance cameras, data storage). Hosting game servers or websites on a home PC. Accessing a remote desktop. Remote device management. For example, if a server in a local network operates on port 8080, port forwarding allows it to be accessed from the global network through port 80. Example Setup: A computer with IP 192.168.1.100 (internal/gray IP) runs a web server listening on port 8080. The computer is within a Wi-Fi router’s local network, which has an external IP 203.0.113.10 (public/white IP), listening on port 80. All global network requests to port 80 on the router are forwarded to port 8080 on the internal computer. This setup allows us to redirect incoming traffic from the global network to the local network. How Does Port Forwarding Work in Linux? Linux has built-in tools for handling incoming and outgoing traffic. These tools act as a packet filtering and modification pipeline. Port forwarding in Linux is based on NAT (Network Address Translation), configured using the iptables system utility. What Is NAT? NAT (Network Address Translation) is a technique that converts external requests from the global network into internal requests within the local network (and vice versa). Technically, NAT modifies IP addresses and ports in data packets. It is not a standalone utility but a concept or approach. There are two main types of NAT: SNAT (Source NAT) – Modifies the source IP address in outgoing packets. DNAT (Destination NAT) – Modifies the destination IP address in incoming packets. While NAT protects the local network from external access, it requires port forwarding for incoming connections. What Is Iptables and How Does It Work? Iptables is a Linux utility used to configure NAT (and more) by modifying tables with rule chains that control traffic. Iptables has five main rule chains: INPUT – Handles incoming packets. FORWARD – Handles forwarded packets. OUTPUT – Handles outgoing packets. PREROUTING – Handles packets before routing. POSTROUTING – Handles packets after routing. Iptables has five tables, each using specific rule chains: filter – Allows or blocks packets (INPUT, FORWARD, OUTPUT). nat – Modifies IP addresses and ports (OUTPUT, PREROUTING, POSTROUTING). mangle – Alters packet headers (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING). raw – Controls connection filtering (OUTPUT, PREROUTING). security – Applies additional security policies (INPUT, FORWARD, OUTPUT). The rule chains act as hooks in the packet processing pipeline, allowing iptables to implement port forwarding in Linux. How Port Forwarding Works in Iptables Port forwarding in iptables follows a standard packet processing flow based on three possible directions: Incoming (INPUT) – Packets sent to the local system. Outgoing (OUTPUT) – Packets sent from the local system. Forwarded (FORWARD) – Packets routed through the system. Incoming Packets (INPUT) Processing Order raw (PREROUTING) – Connection filtering. mangle (PREROUTING) – Packet modification. nat (PREROUTING) – Changes the destination address. If the packet is for this system, continue to INPUT processing. Otherwise, forward it. mangle (INPUT) – Final packet modification. filter (INPUT) – Packet filtering. security (INPUT) – Security policy enforcement. Outgoing Packets (OUTPUT) Processing Order raw (OUTPUT) – Connection filtering. mangle (OUTPUT) – Packet modification. nat (OUTPUT) – Changes the destination address. filter (OUTPUT) – Final packet filtering. security (OUTPUT) – Security policy enforcement. mangle (POSTROUTING) – Final packet modification. nat (POSTROUTING) – Changes the source address. Forwarded Packets (FORWARD) Processing Order raw (PREROUTING) – Connection filtering. mangle (PREROUTING) – Packet modification. nat (PREROUTING) – Changes the destination address. Forwarding decision is made. mangle (FORWARD) – Packet modification. filter (FORWARD) – Packet filtering. security (FORWARD) – Security policy enforcement. mangle (POSTROUTING) – Final packet modification. nat (POSTROUTING) – Changes the source address. General Processing Order of Tables: raw mangle nat filter security Types of Port Forwarding Common types of port forwarding include: Local Forwarding – Redirects traffic within the same machine. Example: An application on a local server sends a request to a specific port. Interface Forwarding – Redirects traffic between different network interfaces. Example: A packet from the global network arrives on one interface and is forwarded to another. Remote Host Forwarding – Redirects traffic from a remote server to a local host. Example: A request from a remote server is forwarded to a local machine. Each type of port forwarding is implemented using a specific set of rules in the iptables tables. Using the Iptables Command In most Linux distributions, the iptables utility is already installed. You can check this by querying its version: iptables --version If iptables is not installed, you need to install it manually. First, update the package list: sudo apt update Then, install it: sudo apt install iptables -y By default, Linux uses the ufw firewall, which automatically configures iptables. To avoid conflicts, you must stop the ufw service first: sudo systemctl stop ufw Then, disable it: sudo systemctl disable ufw Iptables Command Structure The basic syntax of the iptables command is as follows: iptables [TABLE] [COMMAND] [CHAIN] [NUMBER] [CONDITION] [ACTION] In each specific command, only some of these parameters are used: TABLE: The name of one of the five tables where the rule is added. COMMAND: The operation to perform on a specific rule or chain. CHAIN: The name of the chain where the operation is performed. NUMBER: The rule number to manipulate. CONDITION: The condition under which the rule applies. ACTION: The transformation to be applied to the packet. Selecting a Table The -t flag specifies the table to operate within: For filter: iptables -t filter For nat: iptables -t nat For mangle: iptables -t mangle For raw: iptables -t raw For security: iptables -t security If the -t flag is not specified, the default table is filter. The security table is rarely used. Manipulating Rules We can perform different operations on rules within each chain: Add a rule to the end of a chain (-A): iptables -A INPUT -s 192.168.123.132 -j DROP This rule blocks incoming connections from the specified IP address. Delete a rule by its number (-D): iptables -D OUTPUT 7 Insert a rule at a specific position (-I): iptables -I INPUT 5 -s 192.168.123.132 -j DROP Replace a rule (-R): iptables -R INPUT 5 -s 192.168.123.132 -j ACCEPT This replaces a previously added blocking rule with an allow rule. Flush all rules in a chain (-F): iptables -F INPUT Manipulating Chains We can also perform operations on entire chains: Create a new chain (-N): iptables -N SOMENAME Delete a chain (-X): iptables -X SOMENAME Rename a chain (-E): iptables -E SOMENAME NEWNAME Set default policy for a chain (-P): iptables -P INPUT DROP This blocks all incoming connections to the server. Reset statistics for a chain (-Z): iptables -Z INPUT Setting Conditions Each rule can have conditions for its execution: Specify the protocol (-p): iptables -A INPUT -p tcp -j ACCEPT This allows incoming connections using the TCP protocol. Specify the source address (-s): iptables -A INPUT -s 192.168.123.132 -j DROP Specify the destination address (-d): iptables -A OUTPUT -d 192.168.123.132 -j DROP Specify network interface for incoming traffic (-i): iptables -A INPUT -i eth2 -j DROP Specify network interface for outgoing traffic (-o): iptables -A OUTPUT -o eth3 -j ACCEPT Specify the destination port (--dport): iptables -A INPUT -p tcp --dport 80 -j ACCEPT Specify the source port (--sport): iptables -A INPUT -p tcp --sport 1023 -j DROP Negate a condition (!): iptables -A INPUT ! -s 192.168.123.132 -j DROP This blocks all incoming connections except from the specified IP address. Specifying Actions Each table supports different actions: For the filter table: ACCEPT – Allow the packet. DROP – Block the packet. REJECT – Block the packet and send a response. LOG – Log packet information. RETURN – Stop processing in the current chain. For the nat table: DNAT – Change the packet’s destination address. SNAT – Change the packet’s source address. MASQUERADE – Change the source address dynamically. REDIRECT – Redirect traffic to the local machine. Port Forwarding with Iptables Local Port Forwarding To redirect local traffic from one port to another: sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80 To remove the rule: sudo iptables -t nat -D PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80 Forwarding Between Interfaces To forward port 8080 from interface eth0 to port 80 on eth1: sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.100:80 Then, allow packet forwarding: sudo iptables -A FORWARD -p tcp -d 10.0.0.100 --dport 80 -j ACCEPT Forwarding to a Remote Host To forward incoming packets to a remote server: Enable packet forwarding in the system settings: echo 1 > /proc/sys/net/ipv4/ip_forward Add a port forwarding rule: sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80 Allow forwarded packets to be sent out: sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.100 --dport 80 -j MASQUERADE Alternatives to iptables for Port Forwarding It should be noted that iptables is not the only tool for traffic management. There are several popular alternatives. nftables nftables is a more modern tool for managing traffic in Linux. Unlike iptables, it does not have predefined tables, and its syntax is more straightforward and concise. Additionally, this utility uses a single command, nft, to manage all types of traffic: IPv4, IPv6, ARP, and Ethernet. In contrast, iptables requires additional commands such as ip6tables, arptables, and ebtables for these tasks. firewalld firewalld is a more complex traffic management tool in Linux, built around the concept of zones and services. This allows network resources to be assigned different levels of security. The configuration of firewalld is broader and more flexible. For example, instead of manually defining rules for each port, we can specify specific services. Additionally, firewalld provides a more interactive command-line interface, allowing real-time traffic management. Conclusion While there are alternatives, iptables remains the primary tool for traffic control in Linux. It provides a structured way to filter, modify, and forward packets, making it a powerful solution for managing network traffic.

The OAuth 2 is an authorization protocol designed to restrict access to personal accounts created on HTTP resources. Typical implementations include DigitalOcean, GitHub, and Facebook. OAuth 2 works by delegating the authentication process to the server where the account is located. This approach allows third-party applications to request access to user data, such as for registration using pre-filled credentials. OAuth 2 can be used in cloud services, desktop computers, and mobile applications for smartphones and tablets. In this guide, we will explore how OAuth works and discuss the main practical applications of this tool. OAuth Roles OAuth 2 defines four main roles: the resource owner, the client, the resource server, and the authorization server. Let’s go through each role in detail. Resource Owner The resource owner is the user who is authenticated using their credentials to access their personal account. The accessible area may have restricted permissions—either read-only or with write and modification capabilities. Server (Resource Server and Authorization Server) The resource server stores user account data in a protected form. The authorization server verifies the authenticity of entered login credentials and generates authorization tokens for applications. These tokens allow applications to access user data. Both servers are logically combined into a unified system, which is perceived by external services through the API interface. Thus, we will refer to the resource and authorization servers collectively as the Service or API. Client (Application) The client refers to the application requesting access to the user’s account. Before activation, two conditions must be met: authentication within the application and a positive response from the API. Protocol Overview Having reviewed the OAuth 2 roles, let's look at the authorization protocol and the information exchange process. Below is a sequence of typical operations: The application prompts the user to enter authentication credentials. If the login and password are correct, an authorization grant is issued. The application sends a request to the API, including the authorization grant. If the application is authenticated, the server generates an access token for the specific instance, completing the authorization process. The application requests resources using the API. The resource server validates the token and provides data only upon confirmation. The sequence may vary depending on the developer and the software’s purpose, but the general scheme remains consistent. Registering an Application Before using OAuth, an application must be registered with the service. This is typically done under the Developer or API section on the website. The following details are required: Application name Website where the application is hosted Callback URL (Redirect URL) The Callback URL is a link to the page that the service will open in case of access denial or after successful authorization. Client Identification Upon registering the application, user credentials are created—these include the Client ID and Client Secret: Client ID is a public string used by the API to verify the application's legitimacy and generate URLs for authorized users. Client Secret is used for authentication within the API and is only visible to the API and the application. Authorization Grants OAuth 2 provides four types of authorization grants depending on the situation: Authorization Code – Used for server-side applications. Implicit Grant – Suitable for mobile applications, including web versions. Resource Owner Password Credentials – Used for trusted applications, such as those integrated with an online service. Client Credentials – Used for API-based operations. Now, let's examine each type in more detail. Authorization Code Grant This is the most common authorization method, as it is secure and suitable for applications where the source code and client secret are stored on a protected server. Step 1: Create an Authorization Link The application presents the user with the following link: https://cloud.example.com/v1/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read Components: authorize endpoint: Used for OAuth authentication via API. client_id: Identifies the requesting application. redirect_uri: Redirects the user after authorization. response_type=code: Requests an authorization code. scope=read: Specifies read-only access. Step 2: User Authentication When the user clicks the link, they are prompted to log in. Upon successful authentication, the application is either authorized or denied access. Step 3: Authorization Code is Sent to the Application If authorization is granted, the system redirects the browser to: https://example.com/callback?code=AUTHORIZATION_CODE Step 4: Request an Access Token The application sends the authorization code to the server along with authentication details: https://cloud.example.com/v1/oauth/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL Step 5: Server Returns an Access Token If authentication is successful, the API returns an access token: { "access_token":"ACCESS_TOKEN", "token_type":"bearer", "expires_in":2592000, "refresh_token":"REFRESH_TOKEN", "scope":"read", "uid":100101, "info":{ "name":"User", "email":"info@example.com" } } The application is now connected to the server. Implicit Grant This method is used in mobile applications and web browsers. Unlike the Authorization Code Grant, it does not ensure the confidentiality of the client secret. Step 1: Generate an Authorization Link The authorization service provides a link: https://cloud.example.com/v1/oauth/authorize?response_type=token&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read Step 2: Authenticate the User Upon successful authentication, the server returns an access token directly to the browser: https://example.com/callback#token=ACCESS_TOKEN Step 3: Extract and Use the Token The application extracts the token from the URL and uses it for API requests. Resource Owner Password Credentials Grant This method involves the user entering credentials directly into the service. It is used when other methods are not viable, such as system-integrated applications. https://oauth.example.com/token?grant_type=password&username=USERNAME&password=PASSWORD&client_id=CLIENT_ID Upon successful authentication, the server returns an access token. Client Credentials Grant This method allows access to the service’s own resources: https://oauth.example.com/token?grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET If authentication is successful, an access token is returned. Refreshing an Access Token To refresh an access token before it expires: https://cloud.example.com/v1/oauth/token?grant_type=refresh_token&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN Conclusion We have explored the different ways to use OAuth in applications, depending on their requirements. Now, users understand how access to remote services is managed and what factors to consider when choosing an authorization method.