Iptables usage
Wed, 20 Nov 2013 12:45:53 +0800
iptables -I INPUT -s <source> -j DROP
iptables will drop every packet from <source>. (-I with no position inserts the rule at the top of the chain, so it takes effect ahead of any existing rule.)

Chain options
The options are listed below:
-A / --append
append a rule to the end of a chain.
iptables -A INPUT ... appends a rule to the INPUT chain. Rules are evaluated in order and the first match decides, so an appended rule only sees packets that no earlier rule matched.

-D / --delete
delete a rule from a chain, either by its position or by repeating its exact specification
iptables -D INPUT 1 ... deletes the rule at position 1 of the INPUT chain (positions start at 1; see -L --line-numbers).

-R / --replace
replace the rule at a given position in a chain
iptables -R INPUT 1 ...
iptables -R INPUT 1 -s <source> -p tcp --dport 80 -j DROP
(--dport is only valid together with -p tcp or -p udp.)

-I / --insert
insert a rule into a chain at a given position (position 1, the top of the chain, when none is given)
iptables -I INPUT -s <source> -j DROP
iptables -I INPUT 3 -s <source> -j DROP inserts it as rule 3.

-L / --list
show the current rules in a chain (in all chains when none is given)
iptables -L INPUT
iptables -L INPUT -n -v --line-numbers also shows the rule positions used by -D, -R and -I and the packet and byte counters, and skips the reverse DNS lookups that make a plain listing slow.

-F / --flush
delete all rules in a chain (in every chain when none is given). The chain's policy is left unchanged, so flushing a chain whose policy is DROP cuts off all of its traffic.
iptables -F INPUT

-Z / --zero
reset the packet and byte counters of a chain (of all chains when none is given)
e.g. iptables -Z INPUT

-N / --new-chain
create a user-defined chain; packets only reach it through a -j rule in another chain
e.g. iptables -N allowed

-X / --delete-chain
delete a user-defined chain; it must be empty (-F it first) and no rule may still jump to it
e.g. iptables -X allowed

-P / --policy
set the default policy of a built-in chain: the target applied to a packet that matched none of the chain's rules (normally ACCEPT or DROP). User-defined chains have no policy; an unmatched packet returns to the calling chain.
e.g. iptables -P INPUT DROP

-E / --rename-chain
rename a chain
e.g. iptables -E allowed disallowed

Packet options:
-p / --protocol
Match the protocol (tcp, udp, icmp, all, or a name or number from /etc/protocols)
iptables -A INPUT -p tcp
A match can be negated with !, e.g. iptables -A INPUT ! -p tcp matches every protocol except TCP. (The older form -p ! tcp is still understood by some versions but prints a deprecation warning.)

-s / --src / --source and -d / --dst / --destination
Match the source or destination address: a single IP, a network in CIDR form such as 10.0.0.0/8, or a host name (resolved once, when the rule is loaded)
e.g. iptables -A INPUT -s <source>

-i / --in-interface and -o / --out-interface
Match the interface a packet arrived on (-i, valid in INPUT, FORWARD and PREROUTING) or will leave by (-o, valid in OUTPUT, FORWARD and POSTROUTING).
e.g. iptables -A INPUT -i eth0

--sport / --source-port and --dport / --destination-port
Match the source or destination port; valid only after -p tcp or -p udp. A range is written low:high.
e.g. iptables -A INPUT -p tcp --dport 80

--tcp-flags mask comp
Match the packet's TCP flags: the first list names the flags to examine, the second the ones that must be set among them (the remaining flags in the mask must be clear). Requires -p tcp.
e.g. iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN SYN matches a bare SYN, i.e. a new connection attempt. --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN.
flag values: SYN, ACK, FIN, RST, URG, PSH, plus ALL and NONE

Operation options:
-j / --jump target: what to do with a matching packet. Built-in targets include ACCEPT, DROP, REJECT (like DROP, but an error is sent back to the sender), LOG (logs the packet and continues with the next rule), RETURN (leave a user-defined chain), or the name of a user-defined chain created with -N.

There are two ways to set the default policy:

1) Accept everything by default, then block what is known to be dangerous.
#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT

2) Drop everything by default, then allow only what is needed.
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP
The second is the safer design, but on its own it also cuts off the loopback interface and the replies to connections the host itself opens: it needs an ACCEPT for -i lo and a conntrack match accepting ESTABLISHED,RELATED traffic in both INPUT and OUTPUT. On a remote machine, load the allow rules before switching the policy to DROP, or the SSH session is lost.

Frequently used:

Open port 80:
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
(The OUTPUT rule is only needed when the OUTPUT policy is DROP; it lets the server's replies out.)

Limit SYN floods:
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Limit port scans:
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
(matches bare RST packets, the replies a scanner receives for closed ports)

Limit ping floods:
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
(Rate-limiting echo requests blunts a ping flood. It does nothing against the classic "ping of death", an oversized fragmented packet, which kernels have handled correctly since the 1990s.)

Two caveats apply to all three limit rules. First, a limit rule only ACCEPTs up to the rate (1 per second after an initial burst of 5, the default --limit-burst); packets above the rate simply fall through to the next rule, so the rule protects nothing unless it is followed by a matching DROP rule or the chain's policy is DROP. Second, FORWARD only sees traffic routed through this machine; to protect the machine itself the rules belong in INPUT.
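The second policy above (drop by default, then allow what is needed) only works once the missing pieces are added: loopback, connection tracking, and a DROP behind each rate limit. The following is an added example, not part of the original post, that puts those pieces together as a shell script for a single host. The interface name eth0, the allowed ports 22 and 80 and the rate limits are assumptions. By default the script only prints the iptables commands (IPT defaults to "echo iptables"), so the rule set can be reviewed first; run it with IPT=iptables as root to load it.

```shell
#!/bin/sh
# Added example (not from the original post): "drop by default, then allow what is
# needed" for a single host, built from the options listed above.
# IPT is the command run for each rule. The default only prints the commands;
# run with IPT=iptables (as root) to load them. Interface and ports are assumptions.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22 80}"

apply_rules() {
    # Clean slate: flush rules, delete user-defined chains, zero counters.
    $IPT -F
    $IPT -X
    $IPT -Z

    # Fail closed for traffic to and through this host; outgoing traffic is allowed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback must always work.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened, and the later packets of connections
    # accepted below. Without this, a DROP policy breaks every outbound connection.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # SYN limiter as a user-defined chain: under the rate, RETURN to INPUT so the
    # per-port rules decide; over the rate, DROP. The explicit DROP is what the
    # post's single "-m limit ... -j ACCEPT" rules lack.
    $IPT -N SYN_LIMIT
    $IPT -A SYN_LIMIT -m limit --limit 25/s --limit-burst 50 -j RETURN
    $IPT -A SYN_LIMIT -j DROP
    $IPT -A INPUT -i "$WAN_IF" -p tcp --syn -j SYN_LIMIT

    # New connections to the exposed services (--syn: only the first packet; the
    # rest of each connection is accepted by the ESTABLISHED rule above).
    for port in $ALLOW_TCP_PORTS; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --syn --dport "$port" -j ACCEPT
    done

    # Ping: accept a trickle, drop the rest explicitly.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

    # Log a sample of what the DROP policy is about to discard.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
}

apply_rules
```

Everything that reaches the end of INPUT without a match is dropped by the policy, so there is no need for a final catch-all rule; the LOG rule in front of it is rate-limited so a flood cannot fill the system log.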

Show coding system currently in emacs
Mon, 30 Sep 2013 01:55:02 +0800
C-x RET r utf-8-unix
(revert-buffer-with-coding-system: re-read the current file as utf-8-unix. The coding system in use is shown at the left of the mode line, or in full with C-h C, describe-coding-system.)

Thu, 08 Aug 2013 16:38:08 +0800
1. .COM Renewal
$8.49 for .COM renewal

2. .NET Renewal
$7.99 for .NET renewal

3. .ME Renewal
30% off for renewal
YANNI - Renegade
Fri, 26 Apr 2013 20:11:52 +0800
 From: Yanni - Tribute, Track 03
Sun, 07 Apr 2013 19:23:18 +0800


location ~ ^/(data|install|include|member|a|special) {
    return 404;
}

The pattern has no end anchor, so it also returns 404 for every path that merely begins with one of those names; the a alternative on its own matches /about, /archive, /api and anything else starting with the letter a. If only those directories are meant, anchor each alternative, e.g. ^/(data|install|include|member|a|special)(/|$).

SSL certificates inside
Tue, 01 Jan 2013 10:32:25 +0800
An SSL certificate was installed on lewphee.com yesterday.

Thanks to StartSSL
The life's wonderful show
Wed, 26 Dec 2012 20:48:21 +0800
That's so amazing! You could hear and recognize our voice, and understood our meaning!
You are so clever!
lewphee.com is about to close the comments.
Sat, 11 Aug 2012 23:21:45 +0800
Yes, for anti-spam reasons, I will close the comments.

Your patience and understanding is greatly appreciated.
Using public-key authentication to improve the security of SSH login
Sat, 11 Aug 2012 22:55:46 +0800
I can find many alerts in the system log showing that somebody has been trying to guess the password of the server's root user over the past few months. Therefore, switching SSH login from passwords to public-key authentication is necessary.

1. Generate an RSA key pair (public and private key)
ssh-keygen -t rsa -b 4096

Generate the pair on the client machine you will log in from, so the private key never has to leave it. (On current OpenSSH, ssh-keygen -t ed25519 is the usual choice.)

2. Install the public key
sshd reads public keys from the file named by AuthorizedKeysFile in sshd_config, by default .ssh/authorized_keys under the user's home directory. Append the public key to that file rather than renaming id_rsa.pub over it, or any key already installed is lost:
mkdir -p ~/.ssh && chmod 700 ~/.ssh
cat id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
sshd ignores the file unless the directory and the file are writable only by their owner (StrictModes, on by default).

3. sshd_config
Protocol 2

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication no
PermitEmptyPasswords no

ServerKeyBits and RSAAuthentication belong to SSH protocol 1 only; they do nothing with Protocol 2, and OpenSSH 7.x and later rejects them. Since the log entries were password guesses against root, also set PermitRootLogin no (or prohibit-password) and ChallengeResponseAuthentication no; otherwise keyboard-interactive login can still accept a password through PAM even with PasswordAuthentication no.

4. Restart the SSH service
Keep the current session open and confirm that a key-based login works from a second terminal before closing it; with PasswordAuthentication no, a mistake in sshd_config locks you out.

5. The private key
If the pair was generated on the server, download the private key to the local machine and delete it from the server. The server only ever needs the public key.

6. PuTTY client
   1) Convert the OpenSSH private key into PuTTY's format (.ppk)
       load the private key in PuTTYgen and save it as a .ppk file.

   2) Configure the session to authenticate with the private key (Connection > SSH > Auth).
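The server side of steps 2 to 4 is where mistakes lock you out, so it is worth rehearsing on a scratch directory first. The following is an added example, not part of the original post: it installs a public key with the permissions sshd requires and rewrites an sshd_config for key-only login. The home directory and config path are parameters, the sample config and the public key in the demo are constructed for the demonstration, and nothing here restarts sshd.

```shell
#!/bin/sh
# Added example (not from the original post): the server side of steps 2 to 4,
# written so it can be rehearsed on a scratch directory before touching /etc.
# HOME_DIR and the sshd_config path are parameters; nothing here is restarted.

# install_pubkey HOME_DIR PUBKEY_FILE
# Append the public key to HOME_DIR/.ssh/authorized_keys (so keys already there
# survive) and set the permissions sshd's StrictModes check demands.
install_pubkey() {
    mkdir -p "$1/.ssh"
    chmod 700 "$1/.ssh"
    cat "$2" >> "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
}

# set_option FILE KEYWORD VALUE
# sshd uses the FIRST occurrence of a keyword and ignores later ones, and a line
# appended at the end of the file would land inside any trailing Match block.
# So: drop every existing line for the keyword (commented-out ones included)
# and put the new setting on the first line.
set_option() {
    tmp=$(mktemp) || return 1
    printf '%s %s\n' "$2" "$3" > "$tmp"
    grep -v -i "^[[:space:]]*#*[[:space:]]*$2[[:space:]]" "$1" >> "$tmp" || true
    cat "$tmp" > "$1"     # keeps the original file's owner and mode
    rm -f "$tmp"
}

# effective_option FILE KEYWORD: prints the value sshd would use (first match wins)
effective_option() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# harden_sshd_config FILE: key-only login, no root, no password fallbacks.
harden_sshd_config() {
    set_option "$1" PubkeyAuthentication yes
    set_option "$1" AuthorizedKeysFile .ssh/authorized_keys
    set_option "$1" PasswordAuthentication no
    set_option "$1" ChallengeResponseAuthentication no
    set_option "$1" PermitEmptyPasswords no
    set_option "$1" PermitRootLogin no
}

# Rehearsal on a constructed config and a constructed (not real) public key.
demo() {
    d=$(mktemp -d)
    printf '#PasswordAuthentication yes\nPasswordAuthentication yes\nPort 22\nMatch User deploy\n    PasswordAuthentication yes\n' > "$d/sshd_config"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA constructed-example-key\n' > "$d/key.pub"
    harden_sshd_config "$d/sshd_config"
    install_pubkey "$d" "$d/key.pub"
    echo "PasswordAuthentication -> $(effective_option "$d/sshd_config" PasswordAuthentication)"
    cat "$d/sshd_config"
    ls -ld "$d/.ssh" "$d/.ssh/authorized_keys"
    rm -rf "$d"
}

demo
```

Run the real thing as harden_sshd_config /etc/ssh/sshd_config followed by sshd -t (which checks the syntax without restarting) and only then restart the service; the rehearsal shows why prepending matters, since the constructed config ends in a Match block that an appended setting would silently fall into.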
The Perl scripts occur 'No such file or directory' error on Unix
Tue, 17 Jul 2012 02:36:27 +0800
Check whether the file uses Windows (CR LF) line endings; if it does, converting it to Unix (LF) line endings resolves the error. The kernel takes the interpreter path from the first line up to the newline, carriage return included, so it looks for "/usr/bin/perl\r", which does not exist, and reports "No such file or directory" even though the script itself is there. The command file script.pl reports "with CRLF line terminators" when this is the case.

In Emacs, set the buffer's file coding system to a Unix variant and save the file:
C-x RET f utf-8-unix
(C-x RET r only re-reads the file with a given coding system and does not change what is written to disk; C-x RET f, set-buffer-file-coding-system, changes the line endings the buffer is saved with.)
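The same check and fix from the shell, as an added example that is not part of the original post. The Perl script it operates on is constructed for the demonstration; the functions work on any file passed to them.

```shell
#!/bin/sh
# Added example (not from the original post): find and fix CR LF line endings
# from the shell. The Perl script used below is constructed for the demonstration.

# line_ending FILE: prints "crlf" if the first line ends in a carriage return, else "lf".
# The first line is the one that matters: the kernel reads the interpreter path
# from the shebang up to the newline, carriage return included.
line_ending() {
    if head -n 1 "$1" | grep -q "$(printf '\r')$"; then
        echo crlf
    else
        echo lf
    fi
}

# to_unix FILE: strip every carriage return, in place (what dos2unix does).
to_unix() {
    tmp=$(mktemp) || return 1
    tr -d '\r' < "$1" > "$tmp"
    cat "$tmp" > "$1"    # preserves the script's owner and execute bit
    rm -f "$tmp"
}

demo() {
    f=$(mktemp)
    # Constructed script as saved by a Windows editor: every line ends in \r\n.
    printf '#!/usr/bin/perl\r\nprint "hello\\n";\r\n' > "$f"
    echo "before: $(line_ending "$f"), interpreter path '$(head -n 1 "$f" | tr '\r' '?')'"
    to_unix "$f"
    echo "after:  $(line_ending "$f"), interpreter path '$(head -n 1 "$f")'"
    rm -f "$f"
}

demo
```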
Copyright Notes
You may republish any of these articles without permission, but you MUST link to the original post. Please contact me () if you have suggestions or other arrangements.
Copyright©2007-2011 lewphee.com All rights reserved.