iptables usage
Wed, 20 Nov 2013 12:45:53 +0800
iptables -I INPUT -s 111.111.111.0/24 -j DROP
iptables will drop every packet whose source address is in 111.111.111.0-111.111.111.255.


Chain options
The options are listed below:
-A / --append
append a rule to the end of a chain.
e.g.
iptables -A INPUT ... appends a rule to the INPUT chain.

-D / --delete
delete a rule from a chain
e.g.
iptables -D INPUT 1 ... deletes rule number 1 from the INPUT chain.

-R / --replace
replace a rule in a chain, selected by its number
e.g.
iptables -R INPUT 1 <new rule specification>
iptables -R INPUT 1 -p tcp -s 192.168.1.100 --dport 80 -j DROP

-I / --insert
insert a rule at the top of a chain (or at a given position)
e.g.
iptables -I INPUT -s 1.2.3.4 -j DROP

-L / --list
show the current rules in a chain
e.g.
iptables -L INPUT

-F / --flush
delete all rules in a chain
e.g.
iptables -F INPUT

-Z / --zero
reset the packet and byte counters
e.g. iptables -Z INPUT

-N / --new-chain
create a user-defined chain
e.g. iptables -N allowed

-X / --delete-chain
delete a user-defined chain (it must be empty and not referenced by any rule)
e.g. iptables -X allowed

-P / --policy
set the default policy of a built-in chain, i.e. the target applied to packets that match none of the chain's rules.
e.g. iptables -P INPUT DROP

-E / --rename-chain
rename a user-defined chain
e.g. iptables -E allowed disallowed

Packet options:
-p / --protocol
Match the protocol
e.g.
iptables -A INPUT -p tcp
It can be negated with the ! operator, e.g. iptables -A INPUT ! -p tcp, meaning every protocol except TCP (older versions wrote this as -p ! tcp).

-s / --src / --source / -d / --dst / --destination
Match the packet's source/destination address
e.g. iptables -A INPUT -s 1.2.3.0/24

-i / --in-interface / -o / --out-interface
Match the interface the packet arrives on / leaves from
e.g. iptables -A INPUT -i eth0

--sport / --source-port / --dport / --destination-port
Match the source/destination port (requires -p tcp or -p udp)
e.g. iptables -A INPUT -p tcp --dport 80

--tcp-flags
Match the packet's TCP flags: the first list is the mask of flags to examine, the second list the flags that must be set within that mask (requires -p tcp)
e.g. iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN SYN ... matches segments with SYN set and ACK and FIN clear
flag values: SYN, ACK, FIN, RST, URG, PSH (plus ALL and NONE)

Operation options:
-j / --jump target, values:
ACCEPT, REJECT, DROP, REDIRECT, MASQUERADE, LOG, DNAT, SNAT, MIRROR, QUEUE, RETURN, MARK

One of the following two approaches is used to set the default policy:

1) Accept all packets first, then block the dangerous ones.
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT

2) Drop all packets first, then accept only what is required.
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP

Frequently used:

Open port 80:
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

Prevent SYN flood:
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Prevent scanning:
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

Prevent ping of death:
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

The three rate-limiting rules only ACCEPT packets while they are within the limit; they have an effect only when the chain's default policy is DROP or a DROP rule for the same traffic follows them.
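Added example, not from the post: the fragments above assembled into one default-deny ruleset in iptables-restore format, placed in INPUT rather than FORWARD since this is a host firewall. The chain name syn_guard, the --limit-burst value and the conntrack rule are my additions.

```shell
#!/bin/sh
# Added example, not from the post: the post's fragments assembled into one
# default-deny ruleset in iptables-restore format. The syn_guard chain, the
# --limit-burst value and the conntrack rule are my additions.

build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn_guard - [0:0]
# limiter chain: RETURN while under the rate, DROP the excess
-A syn_guard -m limit --limit 1/s --limit-burst 4 -j RETURN
-A syn_guard -j DROP
# loopback and replies to connections we opened ourselves
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# every new TCP connection passes the limiter before any port is opened
-A INPUT -p tcp --syn -j syn_guard
# scan-style segments (RST alone among SYN,ACK,FIN,RST) share the same bucket
-A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn_guard
# ping: limited ACCEPT followed by an explicit DROP, or the limit does nothing
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
# services actually offered
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Line number (within build_ruleset output) of the first rule matching a pattern.
rule_line() {
    build_ruleset | grep -n -e "$1" | head -n 1 | cut -d: -f1
}

# Ordering check: the SYN limiter must come before the port-80 ACCEPT,
# otherwise SYNs to port 80 are accepted before they ever reach it.
guard_precedes_accept() {
    g=$(rule_line '--syn -j syn_guard')
    a=$(rule_line '--dport 80 -j ACCEPT')
    [ -n "$g" ] && [ -n "$a" ] && [ "$g" -lt "$a" ]
}
case "${1:-show}" in
    apply) build_ruleset | iptables-restore ;;   # replaces the table atomically; needs root
    *)     build_ruleset ;;
esac
```

Run it without arguments to review the ruleset, and with "apply" to load it.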


Show coding system currently in emacs
Mon, 30 Sep 2013 01:55:02 +0800
C-x RET r utf-8-unix

GODADDY 2013 VALID PROMO CODE
Thu, 08 Aug 2013 16:38:08 +0800
1. .COM Renewal
$8.49 for .COM renewal
cjc795dom

2. .NET Renewal
$7.99 for .NET renewal
cwm7

3. .ME Renewal
30% off for renewal
BIGWIN30
YANNI - Renegade
Fri, 26 Apr 2013 20:11:52 +0800
 
 From: Yanni - Tribute, Track 03
DEDECMS security
Sun, 07 Apr 2013 19:23:18 +0800
To improve the security of DEDECMS: even after following DEDECMS's official settings there were still illegal uploads.
Handling this through NGINX is better; DEDECMS's own settings are dizzying to read.

Add the following to the NGINX configuration file to shut off every directory that contains PHP files except the admin back end. Of course, the default admin folder, dede, must be renamed to something else.

# deny the listed directories; the trailing (/|$) keeps e.g. /about from matching "a"
location ~ ^/(data|install|include|member|a|special)(/|$) {
    return 404;
}

SSL certificates inside
Tue, 01 Jan 2013 10:32:25 +0800
An SSL certificate was installed on lewphee.com yesterday.

Thanks to StartSSL
The life's wonderful show
Wed, 26 Dec 2012 20:48:21 +0800
That's so amazing! You could hear and recognize our voice, and understood our meaning!
You are so clever!
lewphee.com is about to close the comments.
Sat, 11 Aug 2012 23:21:45 +0800
Yes, for anti-spam, I will close the comments.

Your patience and understanding is greatly appreciated.
Using SSL to improve the security of SSH login
Sat, 11 Aug 2012 22:55:46 +0800
I can find many alerts in the system log showing that somebody has been trying to guess the server's root password in the past few months. Therefore, using SSL certification in SSH is necessary.

1. Generate the RSA public key and private key
ssh-keygen -t rsa

This generates the RSA key pair (public & private).

2. Rename the public key.
SSH reads public keys from the file named authorized_keys (set in sshd_config), so:
mv id_rsa.pub authorized_keys
or change the file name configured in sshd_config.

3. sshd_config
Protocol 2
ServerKeyBits 1024

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication no
PermitEmptyPasswords no

4. Restart the SSH service

5. Download the private key
Download the private key to the local machine, then delete it from the server.

6. PuTTY client.
   1) Convert the SSH private key into PuTTY's format (ppk):
       use puttygen to import the downloaded private key and save it as a .ppk file.

   2) Configure the session to use SSL certification.
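Added example, not the post's own procedure: a script that applies the sshd_config settings from step 3 to a config file idempotently and reads back what sshd will actually use, since sshd takes the first occurrence of each directive. The sample config, the helper names and the extra ChallengeResponseAuthentication line are my own.

```shell
#!/bin/sh
# Added example, not from the post: apply the post's sshd_config settings
# idempotently and verify the result. sshd honours the FIRST occurrence of a
# directive, so duplicates are collapsed rather than a new line appended.

# set_directive FILE KEY VALUE: replace the first (even commented-out) line
# for KEY, drop later duplicates, append if the key is absent altogether.
set_directive() {
    awk -v k="$2" -v v="$3" '
        tolower($0) ~ ("^[# \t]*" tolower(k) "([ \t]|$)") {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# effective_value FILE KEY: what sshd will use (first uncommented match).
effective_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1"
}

# The post's settings, plus one it omits: with UsePAM, password logins can
# still succeed via keyboard-interactive unless this is disabled as well
# (the directive is named KbdInteractiveAuthentication in newer OpenSSH).
harden_sshd() {
    f=$1
    set_directive "$f" Protocol 2
    set_directive "$f" PubkeyAuthentication yes
    set_directive "$f" AuthorizedKeysFile .ssh/authorized_keys
    set_directive "$f" PasswordAuthentication no
    set_directive "$f" PermitEmptyPasswords no
    set_directive "$f" ChallengeResponseAuthentication no
}

# Constructed sample config (not a real server's): note the duplicated
# PasswordAuthentication, where the first "yes" is the one sshd would use.
write_sample_config() {
    cat > "$1" <<'EOF'
# sshd_config sample, constructed for this example
#PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
EOF
}
```

Run sshd -t -f FILE on the result before restarting the service, so a typo cannot lock you out.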
Perl scripts raise a 'No such file or directory' error on Unix
Tue, 17 Jul 2012 02:36:27 +0800
Check whether the file's coding system is Windows/DOS style (CRLF line endings); if it is, converting it back to Unix style resolves the error.

In Emacs, use the following command to revert the buffer's coding system:
C-x RET r
Copyright Notes
You may repost any of these articles without permission, but you MUST include a link to the original in your post. Please contact me() if you have advice or other arrangements.
Copyright©2007-2011 lewphee.com All rights reserved.