iptables examples

Display status

iptables -L -n -v
iptables -n -L -v --line-numbers   # inspect the firewall with rule line numbers

Display specific INPUT or OUTPUT chain rules

iptables -L INPUT -n -v
iptables -L OUTPUT -n -v

Stop/Start/Restart iptables

service iptables stop
service iptables start
service iptables restart

Delete specific rule

# find the line number of the rule
iptables -L INPUT -n --line-numbers
iptables -L OUTPUT -n --line-numbers
iptables -L OUTPUT -n --line-numbers | less
iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1
# delete a specific rule by line number
iptables -D INPUT 4
# delete by rule specification (must match exactly the rule that was added)
iptables -D INPUT -s 202.54.1.1 -j DROP

Save current firewall rules

service iptables save

Delete ALL Existing Rules

iptables --flush

Setup Default Policies

The default policy after a flush is ACCEPT, so the first step should be to block everything with DROP.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -L -v -n

ONLY block incoming traffic

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# accept only replies to connections this host started; accepting NEW here would let
# every inbound connection through and defeat the purpose of this section
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -L -v -n
### *** now ping and wget should work *** ###
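As an added check (example code written for this page, not part of the original cheat-sheet), the script below parses the output of the `iptables -L -n -v --line-numbers` listing shown under "Display status" and flags the two mistakes the sections above warn about: a chain whose default policy is still ACCEPT, and ACCEPT rules that open LAN-only services (or everything) to any source. The listing it runs on is constructed to match the real column layout; the port set and the wording of the findings are my own choices.

```python
import re

# Constructed sample (not captured from a real host), laid out exactly like
# 'iptables -L INPUT -n -v --line-numbers'. Rules 3 and 5 are deliberately weak.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      120  9000 ACCEPT     tcp  --  eth0   *       192.168.1.0/24       0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
4        0     0 DROP       all  --  eth1   *       10.0.0.0/8           0.0.0.0/0
5        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED
"""

POLICY_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
DPORT_RE = re.compile(r"\bdpt:(\d+)")
LAN_ONLY_PORTS = {22, 137, 138, 139, 445, 631, 3306}  # services this page opens to the LAN only

def parse(listing):
    """Return (chain, policy, rules) for one chain; rules keep only the audited columns."""
    chain = policy = None
    rules = []
    for line in listing.splitlines():
        m = POLICY_RE.match(line)
        if m:
            chain, policy = m.groups()
            continue
        if not line[:1].isdigit():
            continue  # the 'num pkts bytes ...' header, or a blank line
        # columns: num pkts bytes target prot opt in out source destination [matches]
        f = line.split(None, 10)
        dpt = DPORT_RE.search(f[10] if len(f) > 10 else "")
        rules.append({"num": int(f[0]), "target": f[3], "prot": f[4], "in": f[6],
                      "source": f[8], "dport": int(dpt.group(1)) if dpt else None})
    return chain, policy, rules

def audit(listing):
    """Return findings (strings) in rule order: weak policy first, then over-broad ACCEPTs."""
    chain, policy, rules = parse(listing)
    findings = []
    if policy == "ACCEPT":
        findings.append(f"{chain}: policy is ACCEPT; run 'iptables -P {chain} DROP' first")
    for r in rules:
        if r["target"] != "ACCEPT" or r["source"] != "0.0.0.0/0":
            continue  # only ACCEPT rules with an unrestricted source matter here
        if r["dport"] in LAN_ONLY_PORTS:
            findings.append(f"rule {r['num']}: tcp/{r['dport']} open to any source; add -s <lan>/24")
        elif r["dport"] is None and r["prot"] == "all" and r["in"] == "*":
            findings.append(f"rule {r['num']}: accepts every protocol from anywhere")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a real host, feed it the output of `iptables -L INPUT -n -v --line-numbers` instead of SAMPLE; the rule numbers it reports are the ones `iptables -D INPUT <num>` takes.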

Block Remote IP/sub-network

iptables -A INPUT -s "192.168.1.100" -j DROP
iptables -A INPUT -i eth0 -s "192.168.1.100" -j DROP
iptables -A INPUT -i eth0 -p tcp -s "192.168.1.100" -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j DROP

Block Incoming Port

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
# block a port for a specific IP / network
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

Block Outgoing IP/sub-network

iptables -A OUTPUT -d 75.126.153.206 -j DROP
# on a sub-network
iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP

Block Facebook.com

host -t a www.facebook.com
# www.facebook.com has address 69.171.228.40
# find the CIDR block
whois 69.171.228.40 | grep CIDR
# CIDR: 69.171.224.0/19
iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP
# a domain name can also be used, but it is resolved once, when the rule is added
# (one rule per address returned); later DNS changes are not tracked
iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
iptables -A OUTPUT -p tcp -d facebook.com -j DROP

DROP/ACCEPT traffic on MAC address

iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
# ONLY accept traffic for TCP port 22 from mac 00:50:56:3b:af:3d
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:50:56:3b:af:3d -j ACCEPT

Allow All Incoming/Outgoing SSH

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

ONLY Allow Incoming/Outgoing SSH from a Specific Network

iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.1.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow Incoming/Outgoing HTTP/HTTPS

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

Allow All Incoming SSH/HTTP/HTTPS

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

Block Incoming Ping

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
# rules match in order: to keep ping working for specific hosts, these ACCEPT rules
# must come before the DROP rules above
iptables -A INPUT -s 192.168.1.123 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT

Allow Incoming Ping

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Outgoing Ping

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Loopback Access

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Allow Intranet to Internet

eth0: intranet
eth1: internet

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# replies from the Internet need a FORWARD rule in the other direction (eth1 to eth0,
# state ESTABLISHED,RELATED), and private intranet addresses need NAT on eth1

Allow outgoing DNS access

iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

Allow rsync from a Specific Network

iptables -A INPUT -i eth0 -p tcp -s 192.168.2.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

Allow MySQL connection from a Specific Network

iptables -A INPUT -i eth0 -p tcp -s 192.168.3.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Allow SMTP traffic

iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

Allow POP3 traffic

iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

# pop3s (POP3 over TLS, port 995)
iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

Open range of Port

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

Open range of IP

iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

Prevent DoS attack

# ACCEPTs only while under the limit; packets over it fall through to later rules or the
# chain policy, so a DROP rule for port 80 (or INPUT policy DROP) must follow this one.
# Without --syn the limit counts every packet on port 80, not only new connections.
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
  • -m limit: uses the limit iptables extension
  • --limit 25/minute: allows at most 25 connections per minute; change this value to suit your requirements
  • --limit-burst 100: the per-minute limit is enforced only after the total number of connections has reached the limit-burst level

Port Forwarding

ex: incoming SSH connections can arrive on both port 22 and port 422.

# allow incoming tcp on port 422
iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT
# forward port 422 to port 22
# nat PREROUTING runs before filter INPUT, so the translated packet reaches INPUT with
# destination port 22; an INPUT rule accepting port 22 (see Allow All Incoming/Outgoing SSH)
# is what actually lets it through
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.10 --dport 422 -j DNAT --to-destination 192.168.1.10:22

Drop private network addresses on public interface

iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP        # RFC 1918
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP     # RFC 1918
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP    # RFC 1918 (the whole /16, not only /24)
iptables -A INPUT -i eth1 -s 224.0.0.0/4 -j DROP       # multicast
iptables -A INPUT -i eth1 -s 240.0.0.0/5 -j DROP       # reserved
iptables -A INPUT -i eth1 -s 127.0.0.0/8 -j DROP       # loopback

Common allowed ports

## open ssh tcp port 22 ##
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

## open cups (printing service) udp/tcp port 631 for LAN users ##
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

## allow time sync via NTP for lan users (open udp port 123) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

## open tcp port 25 (smtp) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

## open dns server ports for all ##
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

## open http/https (Apache) server ports to all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

## open tcp port 110 (pop3) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

## open access to Samba file server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

## open access to proxy server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT

## open access to mysql server for lan users only ##
## (the -s restriction is what makes this LAN-only; without it port 3306 is open to all)
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT

Restrict the Number of Parallel Connections To a Server Per Client IP

# allow 3 ssh connections per IP
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# allow 20 connections on port 80 per /24 (--connlimit-mask 24 groups source hosts)
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
  • --connlimit-above 3: match if the number of existing connections is above 3.
  • --connlimit-mask 24: group hosts using the prefix length. For IPv4, this must be a number between 0 and 32 (inclusive).

MySQL Grant Privileges command examples

Create and Grant

CREATE USER 'admin'@'%' IDENTIFIED BY 'password';
# the '%' host part lets this account log in from any host; prefer a specific host or
# subnet (for example '192.168.1.%') as in the next section
#GRANT ALL PRIVILEGES ON db.table TO 'username'@'hostlikestring';
GRANT ALL PRIVILEGES ON db.* TO 'admin'@'%';
FLUSH PRIVILEGES;

Create, Modify and Delete

select host,user,password from mysql.user;
GRANT ALL PRIVILEGES ON *.* TO 'username'@'192.168.1.%'
IDENTIFIED BY 'password'
WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON *.* TO 'username'@'localhost'
IDENTIFIED BY 'password'
WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON *.* TO 'username'@'regionprefix%'
IDENTIFIED BY 'password'
WITH GRANT OPTION;
delete from mysql.user where host='%';
commit; flush table mysql.user;
FLUSH PRIVILEGES;
select host,user,password from mysql.user;

PPPOE on CentOS

Install

yum search pppoe
yum install rp-pppoe -y
yum erase NetworkManager   # NetworkManager sometimes interferes with pppoe and must be removed

Configure

pppoe-setup

Enter at the prompts:
  • dialup account, ex. 12345678@hinet.net
  • network interface (by default eth0)
  • no
  • 8.8.8.8 for DNS
  • dialup password
  • repeat the dialup password
  • no
  • 0
  • yes, to dial up at boot time
  • y to confirm everything is right

Dial up

/sbin/ifup ppp0

Disconnect and check status

/sbin/ifdown ppp0
/sbin/pppoe-status

Git Installation & Usage

Download

https://msysgit.github.io/
https://code.google.com/p/tortoisegit/wiki/Download

Install TortoiseGit-1.8.14.0-64bit.msi

Install Git-1.9.5-preview20150319.exe

When the installer reaches the "Use (Tortoise)Plink" option, choose it.
Because TortoiseGit was installed first, the path under that option is already filled in with C:\Program Files\TortoiseGit\bin\TortoiseGitPlink.exe

Generate SSH key

Use TortoiseGit/puttygen to generate the key used to secure the connection with GitHub.
The default SSH-2 RSA key is fine. After generating it, save the private key and the public key separately.
If you have a previously generated key, use Load to load it and view the public key as a string, which is what you paste into GitHub.

Install key

The first time you use git, the key must be installed so that it is used when connecting to GitHub.

  1. Use Add Key in TortoiseGit/pageant to add the private key.
  2. Alternatively, the first time you use the TortoiseGit interface, tick Load Putty Key and point it at the private key; after that operation the private key is held in pageant and can be used from then on.

Environment Setup

Add C:\Program Files (x86)\Git\bin to PATH.
TortoiseGit adds it automatically, so this step can be skipped.

Set git config

cd "Program Files (x86)\Git\bin"
git config --global user.name username
git config --global user.email "username@gmail.com"
git config --list

Try it

At this point you can start using git commands or the TortoiseGit interface to clone a repository from GitHub.

  • Run git directly:
    git clone git@github.com:{githubAccountName}/{repositoryName}.git

  • Or use the TortoiseGit interface.

Sync a local project folder to GitHub (addendum 20150722)

First create a new repository on GitHub.
Then go into the local project folder and run the commands below to turn the directory into a git repository:

cd /xxxxxxxx
git init
git add .   # adds the files in the local repository and stages them for commit; to unstage a file, use 'git reset HEAD YOUR-FILE'
git commit -m 'First commit'
git remote add origin git@github.com:username/reponame.git
git remote -v   # verifies the new remote URL
git pull origin master   # make sure the remote repository is in sync (a bare 'git pull' has no upstream to pull from yet)
git push -u origin master

Encoding of Chinese file names

By default git escapes Chinese file names in its output; to turn the escaping off, use the command below:
git config --global core.quotepath false

Archlinux Installation

preparation

Create a VM and attach the Arch Linux installation DVD image.

cgdisk /dev/sda
# in cgdisk: primary partition /dev/sda1, bootable, type 83 linux
# in cgdisk: primary partition /dev/sda2, type 82 swap
mkswap /dev/sda2
mkfs.ext4 /dev/sda1
mount /dev/sda1 /mnt
nano /etc/pacman.d/mirrorlist
# add at the top: Server=http://archlinux.cs.nctu.edu.tw/$repo/os/$arch

installation

~~pacstrap /mnt base base-devel brub~~
pacstrap /mnt base
genfstab -p -U /mnt > /mnt/etc/fstab

setup

arch-chroot /mnt
echo "archserver" > /etc/hostname
ln -s /usr/share/zoneinfo/Asia/Taipei /etc/localtime

lang

vi /etc/locale.gen
# uncomment the locales to generate, then run locale-gen:
en_US.UTF-8 UTF-8
zh_TW.UTF-8 UTF-8
zh_CN.UTF-8 UTF-8
vi /etc/locale.conf
LANG="en_US.UTF-8"

make boot image

mkinitcpio -p linux

setup grub

pacman -S grub-bios
modprobe dm-mod
grub-install --recheck /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg

setup

passwd

finalize & reboot

exit
umount -R /mnt
reboot

after reboot check swap

cat /proc/swaps
~~swapoff -a; swapon /dev/sda2~~
echo "/dev/sda2 none swap defaults 0 0" >> /etc/fstab

install X11

pacman -S xorg-twm xorg-xclock xterm
~~xinit~~
startx

install KDE

~~pacman -S kde~~
# pacman -S kde-meta-*   (still to be checked)

Hexo Installation & Usage

Current node.js and hexo version information

node -v
v0.12.4

npm -v
2.10.1

hexo -v
hexo-cli: 0.1.6
os: Windows_NT 6.1.7601 win32 x64
http_parser: 2.3
node: 0.12.4
v8: 3.28.71.19
uv: 1.5.0
zlib: 1.2.8
modules: 14
openssl: 1.0.1m

Install Node.js

https://nodejs.org/download/

Install Hexo

Open a command box and use the npm tool that comes with Node.js to install hexo:

npm install hexo -g

Check that hexo installed successfully:

hexo

Create a directory for the hexo data:

cd \
mkdir hexo
cd hexo
hexo init blog
cd blog

Install hexo's plugins:

npm install -g hexo-cli --save
npm install hexo-server --save

npm install hexo-renderer-ejs --save
npm install hexo-renderer-marked --save
npm install hexo-renderer-stylus --save

npm install hexo-generator-index --save
npm install hexo-generator-archive --save
npm install hexo-generator-category --save
npm install hexo-generator-tag --save
npm install hexo-generator-feed --save
npm install hexo-generator-sitemap --save

npm install hexo-tag-bootstrap --save

Installation done. Try writing a post:

hexo new "test new post"

source/_posts/test-new-post.md will be generated, with the front matter a post needs already filled in.

Try hexo's static web page generation:

hexo g

☹ If there is not a single post, hexo g fails with an error.

You can run hexo's built-in local HTTP server to check the content at http://localhost:4000/

hexo s

Deploy to github

You need to install git deployer. ref: http://hexo.io/docs/deployment.html

npm install hexo-deployer-git --save

Edit _config.yml to configure git in hexo.

deploy:
    type: git
    repository: git@github.com:zhengda/zhengda.github.io.git
    branch: master

First create a new repository on GitHub named zhengda.github.io for hexo to deploy to.
https://zhengda.github.io is the second-level domain GitHub provides that maps to the zhengda.github.io repository.

Generate the static web pages and deploy them to GitHub:

hexo g
hexo d

If you have bought your own top-level domain (ex: xxxx.com) you can map it to this repository.
GitHub also lets you customize the 404 page: just create a 404.html at the root of the site.

Change Themes

hexo theme evaluation on zhihu: http://www.zhihu.com/question/24422335

edit /_config.yml to change the theme to yilia

# theme: landscape
theme: yilia

configure /themes/yilia/_config.yml

Regenerate the static pages and deploy:

hexo g
hexo d

With the -g option, deploy generates first, so you don't have to type two commands:

hexo d -g

Sometimes, to get a clean build, do this:

del db.json & hexo clean & hexo d -g

Other themes

ref: http://www.cnblogs.com/liulangmao/p/4323064.html
ref: http://jinyanhuan.github.io/2015/03/12/hexo-build-two/ , http://jinyanhuan.github.io/2015/03/12/hexo-build-three/

More

Currently you must generate tags/index.md yourself, and add type: "tags" after the title/date lines in its front matter.

hexo new page tags

☹ Most themes have problems handling /tags/index.html. So far the only theme known to handle it correctly is the next theme.

The RSS feed and sitemap require the generators to be installed first:

npm install hexo-generator-feed --save
npm install hexo-generator-sitemap --save

_config.yml

plugins:
- hexo-generator-feed
- hexo-generator-sitemap

sitemap:
    path: sitemap.xml

feed:
    type: atom
    path: atom.xml
    limit: 20

Turn off git's CRLF conversion

By default git converts LF in files to CRLF, which produces
The file will have its original line endings in your working directory.
warning: LF will be replaced by CRLF in index.html.

It is a bit annoying; a single git command turns it off:

git config --global core.autocrlf false

SEO

Even if you create sitemap.xml in hexo, Google may still not index the content on its own.
In that case you need to add the site through the Google Webmaster Central page https://www.google.com/webmasters/verification/home?hl=en
and verify ownership of the site for Google.
After a few days the site's pages will start to appear in Google search.

google analytics

For example, if the theme is minos, in themes/minos/_config.yaml
fill in your Google Analytics GAID for the empty google_analytics: value, then run hexo d -g to rebuild the site.
Note the space in google_analytics: UA-888888-99; there must be a space after the colon or the YAML fails to parse.