Avatar
Before we can really get to grips with iptables, we need to have at least a basic understanding of the way it works. Iptables uses the concept of IP addresses, protocols (tcp, udp, icmp) and ports. We don't need to be experts in these to get started (as we can look up any of the information we need), but it helps to have a general understanding.
Iptables places rules into predefined chains (INPUT, OUTPUT and FORWARD) that are checked against any network traffic (IP packets) relevant to those chains and a decision is made about what to do with each packet based upon the outcome of those rules, i.e. accepting or dropping the packet. These actions are referred to as targets, of which the two most common predefined targets are DROP to drop a packet or ACCEPT to accept a packet.
Chains
These are 3 predefined chains in the filter table to which we can add rules for processing IP packets passing through those chains. These chains are:
INPUT - All packets destined for the host computer.
OUTPUT - All packets originating from the host computer.
FORWARD - All packets neither destined for nor originating from the host computer, but passing through (routed by) the host computer. This chain is used if you are using your computer as a router.
For the most part, we are going to be dealing with the INPUT chain to filter packets entering our machine - that is, keeping the bad guys out.
Rules are added in a list to each chain. A packet is checked against each rule in turn, starting at the top, and if it matches that rule, then an action is taken such as accepting (ACCEPT) or dropping (DROP) the packet. Once a rule has been matched and an action taken, then the packet is processed according to the outcome of that rule and isn't processed by further rules in the chain. If a packet passes down through all the rules in the chain and reaches the bottom without being matched against any rule, then the default action for that chain is taken. This is referred to as the default policy and may be set to either ACCEPT or DROP the packet.
The concept of default policies within chains raises two fundamental possibilities that we must first consider before we decide how we are going to organize our firewall.
1. We can set a default policy to DROP all packets and then add rules to specifically allow (ACCEPT) packets that may be from trusted IP addresses, or for certain ports on which we have services running such as bittorrent, FTP server, Web Server, Samba file server etc.
or alternatively,
2. We can set a default policy to ACCEPT all packets and then add rules to specifically block (DROP) packets that may be from specific nuisance IP addresses or ranges, or for certain ports on which we have private services or no services running.
Generally, option 1 above is used for the INPUT chain where we want to control what is allowed to access our machine and option 2 would be used for the OUTPUT chain where we generally trust the traffic that is leaving (originating from) our machine.
We will use an example based approach to examine the various iptables commands. In this first example, we will create a very simple set of rules to set up a Stateful Packet Inspection (SPI) firewall that will allow all outgoing connections but block all unwanted incoming connections:
# iptables -P INPUT ACCEPT
# iptables -F
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -L -v
which should give the following output:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Now lets look at each of the 8 commands above in turn and understand exactly what we've just done:
iptables -P INPUT ACCEPT
If connecting remotely we must first temporarily set the default policy on the INPUT chain to ACCEPT otherwise once we flush the current rules we will be locked out of our server.
iptables -F
We used the -F switch to flush all existing rules so we start with a clean state from which to add new rules.
iptables -A INPUT -i lo -j ACCEPT
Now it's time to start adding some rules. We use the -A switch to append (or add) a rule to a specific chain, the INPUT chain in this instance. Then we use the -i switch (for interface) to specify packets matching or destined for the lo (localhost, 127.0.0.1) interface and finally -j (jump) to the target action for packets matching the rule - in this case ACCEPT. So this rule will allow all incoming packets destined for the localhost interface to be accepted. This is generally required as many software applications expect to be able to communicate with the localhost adaptor.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This is the rule that does most of the work, and again we are adding (-A) it to the INPUT chain. Here we're using the -m switch to load a module (state). The state module is able to examine the state of a packet and determine if it is NEW, ESTABLISHED or RELATED. NEW refers to incoming packets that are new incoming connections that weren't initiated by the host system. ESTABLISHED and RELATED refers to incoming packets that are part of an already established connection or related to and already established connection.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Here we add a rule allowing SSH connections over tcp port 22. This is to prevent accidental lockouts when working on remote systems over an SSH connection. We will explain this rule in more detail later.
iptables -P INPUT DROP
The -P switch sets the default policy on the specified chain. So now we can set the default policy on the INPUT chain to DROP. This means that if an incoming packet does not match one of the following rules it will be dropped. If we were connecting remotely via SSH and had not added the rule above, we would have just locked ourself out of the system at this point.
iptables -P FORWARD DROP Similarly, here we've set the default policy on the FORWARD chain to DROP as we're not using our computer as a router so there should not be any packets passing through our computer.
iptables -P OUTPUT ACCEPT
and finally, we've set the default policy on the OUTPUT chain to ACCEPT as we want to allow all outgoing traffic (as we trust our users).
iptables -L -v Finally, we can list (-L) the rules we've just added to check they've been loaded correctly.
Finally, the last thing we need to do is save our rules so that next time we reboot our computer our rules are automatically reloaded:
# /sbin/service iptables save
==================================================
See: http://wiki.centos.org/HowTos/Network/IPTables
See ip6tables command.
[ view entry ] ( 1383 views ) | print article
//Set cookies with:
setcookie();
//see or read cookies with:
var_dump($_COOKIE);
//IE8 cookie location for Win7 64b
C:\Users\Angel Cool\AppData\Roaming\Microsoft\Windows\Cookies\Low
yummy.
[ view entry ] ( 2299 views ) | print article
Streaming is a video delivery method that plays the video file without saving any of the video clip on the viewers machine. This is the most secure delivery method. If you are concerned about your intellectual property, this is the delivery method for you. The downside to streaming is this format is extremely particular about bandwidth. If a user is on a slower connection they may encounter buffering/choppiness issues.
Progressive downloading allows the viewer to play the video while the file downloads to their computer. This is how YouTube works. Using this method also allows the user to download the video file to their own machine. This delivery method allows users to pause the video while the video loads; this may be useful if you have viewers on slower connections.
http://ksutube.kent.edu/delivery.php
[ view entry ] ( 1878 views ) | print article
--DDL (Data Definition Language) refers to the CREATE, ALTER and DROP statements
DDL allows to add / modify / delete the logical structures which contain the data or which allow users to access / mantain the data (databases, tables, keys, views...). DDL is about "metadata".
--DML (Data Manipulation Language) refers to the INSERT, UPDATE and DELETE statements
DML allows to add / modify / delete data itself.
--DQL (Data Query Language) refers to the SELECT, SHOW and HELP statements (queries)
SELECT is the main DQL instruction. It retrieves data you need. SHOW retrieves infos about the metadata. HELP... is for people who need help.
--DCL (Data Control Language) refers to the GRANT and REVOKE statements
DCL is used to grant / revoke permissions on databases and their contents. DCL is simple, but MySQL's permissions are rather complex. DCL is about security.
--DTL (Data Transaction Language) refers to the START TRANSACTION, SAVEPOINT, COMMIT and ROLLBACK [TO SAVEPOINT] statements
DTL is used to manage transactions (operations which include more instructions none of which can be executed if one of them fails).
[ view entry ] ( 1967 views ) | print article
Absolute path contains full name of file including the source, for instance, c:\Windows\Temp\log.txt. Relative path contains only the path relativaly to a certain folder, for instance, relative path of log.txt relativaly to the folder Windows is Temp\log.txt.
This also applies to URLs:
Full path:
dev.ourbiz.net/full/path/to/file.html
Relative path:
relative/path/to/file.html
[ view entry ] ( 1606 views ) | print article
This section includes my notes from different sources: web, man pages, documentation, manuals, etc.
This is how google defines a note:
(noun) A brief record, especially one written down to aid the memory.
I re-categorized the notes section! Misc. section includes JS, HTML and CSS. 5-12-2013 :)
[ view entry ] ( 1313 views ) | print article
//Reconciling with trunk
svn merge --depth infinity --accept theirs-full https://server02.company.com/repos/main/branches/acool https://server02.company.com/repos/main/trunk .
//Reverting
svn revert -R .
//Updating a file to an old version (cannot commit)
svn update -r 3678 myfile.txt
//reverse merge a directory
cd events
svn merge -r HEAD:2688 .
//reverse merge a file
svn -c -3445 myfile.txt //reverts to 3444
DEV
TEST CHANGES
/usr/bin/ssh admin@dev.company.com /usr/bin/svn --summarize diff https://server02.company.com/repos/main/trunk@32185 https://server02.company.com/repos/main/trunk@HEAD
PUSH
/usr/bin/ssh admin@dev.company.com /usr/bin/svn --depth infinity --accept theirs-full --force sw https://server02.company.com/repos/main/trunk@HEAD /var/www/html/main
STAGING
TEST CHANGES
/usr/bin/ssh admin@staging.company.com /usr/bin/svn --summarize diff https://server02.company.com/repos/main/releases/3.14@32188 https://server02.company.com/repos/main/releases/3.14@HEAD
PUSH
/usr/bin/ssh admin@staging.company.com /usr/bin/svn --depth infinity --accept theirs-full --force sw https://server02.company.com/repos/main/releases/3.14/@HEAD /var/www/html/main
LIVE
TEST CHANGES
/usr/bin/ssh admin@preview.company.com /usr/bin/svn --summarize diff https://server02.company.com/repos/main/releases/3.14@32186 https://server02.company.com/repos/main/releases/3.14@HEAD
/usr/bin/ssh admin@www-server01.lax.company.com /usr/bin/svn --summarize diff https://server02.company.com/repos/main/releases/3.14@31313 https://server02.company.com/repos/main/releases/3.14@HEAD
/usr/bin/ssh admin@www-server02.lax.company.com /usr/bin/svn --summarize diff https://server02.company.com/repos/main/releases/3.14@31313 https://server02.company.com/repos/main/releases/3.14@HEAD
/usr/bin/ssh admin@www-server03.lax.company.com /usr/bin/svn --summarize diff https://server02.company.com/repos/main/releases/3.14@31313 https://server02.company.com/repos/main/releases/3.14@HEAD
PUSH
/usr/bin/ssh admin@www-server01.lax.company.com /usr/bin/svn --depth infinity --accept theirs-full --force sw https://server02.company.com/repos/main/releases/3.14/@HEAD /var/www/html/main
/usr/bin/ssh admin@www-server02.lax.company.com /usr/bin/svn --depth infinity --accept theirs-full --force sw https://server02.company.com/repos/main/releases/3.14/@HEAD /var/www/html/main
/usr/bin/ssh admin@www-server03.lax.company.com /usr/bin/svn --depth infinity --accept theirs-full --force sw https://server02.company.com/repos/main/releases/3.14/@HEAD /var/www/html/main
/usr/bin/ssh admin@preview.company.com /usr/bin/svn --depth infinity --accept theirs-full --force sw https://server02.company.com/repos/main/releases/3.14/@HEAD /var/www/html/main
//check out
svn co
//determine current branch (svn client)
svn info
//adding new files
svn add
//check in
svn commit
svn ci
//
svn status
//
svn switch
// to create branches in server (to verify this)
svn copy
//
svn log -vl 5
//
svn export
//
svn revert
/************other info************/
svn uses port 3690/tcp
/etc/init.rd/svnserve start|restart|stop
svnadmin create REPO
vim REPO/conf/authz
vim REPO/conf/passwd
vim REPO/conf/svnserve.conf
[ view entry ] ( 1620 views ) | print article
//In Vim, what's an elegant way to grab output from the command-line? (see :help :r!)
:r !echo "foo"
//inserting a new line after current line
o
//inserting a line before current line
O
//Piping output of a command to vim and 'save as'
uname | vi -
:saveas
//VIM Terminology
yank (copy in windows lingo)
delete (cut in windows lingo)
put (paste in windows lingo)
//yank (copy) a line
yy
//delete (cut) a line
dd
//put (paste) a line
p
//using marks to yank multiple lines
ma
y'a
//Example:
ma~~~~~~~~~~~~~~
~~~~~text~~~~~~~~
y'a~~~~~~~~~~~~~~
//Inserting a character X number of times
<ESC>
250
i
a
<ESC>
//cut a line
v this-is-the-line d
//undo
u
//search
/
//search next
n
//write and copy (save and exit in windows lingo)
wq
//the ! overwrites
wq!
//comparing two files
vimdiff -O test1.txt test2.txt
vimdiff -o test1.txt test2.txt //horizontally
//opening multiple files
vim -O file1.txt file2.txt
vim -o file1.txt file2.txt //horizontally
//creating another file while editing one
:vert new test.txt
:vsplit test.txt
:vsp test.txt
//horizontally
:split
:sp
//changing windows
ctrl ww
//go to specific line
:77
//practice
shell$ vimtutor
[ view entry ] ( 1543 views ) | print article
/*
You can delete the mbr (master boot recored) using the dd command itself. The following command will completely delete your MBR, which contains all your partition information. So make sure you use the correct device name:
*/
# dd if=/dev/zero of=/dev/sdc bs=512 count=1
http://www.cyberciti.biz/faq/linux-clea ... d-command/
[ view entry ] ( 1514 views ) | print article
Speed up load times by automatically compressing CSS, HTML and JavaScript files in Apache. Compressed files are smaller and faster to send, for Apache 2.x, use mod_gzip or the built-in mod_deflate module.
The mod_gzip and mod_deflate modules both add file compression features to Apache. When enabled and configured, text-based files and script output is automatically compressed before it is sent to the visitor’s browser. While the effort to compress a file slows down the web server, this slow down is easily offset by the time saved to send the much smaller compressed file. This is particularly true when the server or the site visitor have a slow network connection.
[ view entry ] ( 1643 views ) | print article
<<First | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | Next> Last>>