Handy Linux iptables script

Here is a script I put together some years ago to create a simple iptables firewall on my Linux web server. Some of the code was borrowed from a Linux security book, but I do not remember which one. Anyway, it is a pretty handy script that gives you some control and protection.

First create three files in /usr/local/etc:

ipblack.lst – this file contains a list of IP addresses you want to blacklist. One IP address or subnet per line.

Example:

94.178.222.17
87.0.0.0/8

ipwhite.lst – this file contains a list of IP addresses that you allow unrestricted access (be careful with this). One IP address or subnet per line. Make sure you add localhost to this file.

Example:

localhost
10.10.1.1 #Home IP Address

ports.lst – this file contains a list of TCP ports you allow.

Example:

22 #SSH
25 #SMTP
53 #DNS/Domain
80 #HTTPD
443 #HTTPS

Add this iptables.sh script to /usr/local/sbin:

#!/bin/sh

#Iptables for webserver

IPTABLES=/sbin/iptables
WHITELIST=/usr/local/etc/ipwhite.lst
BLACKLIST=/usr/local/etc/ipblack.lst
PORTSLIST=/usr/local/etc/ports.lst

#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall Limit for Logging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"

#Clear any current filters, then delete the user-defined chains so the script
#can be rerun without "Chain already exists" errors from the -N lines below
$IPTABLES -F
$IPTABLES -X

#Logging of possible TCP-SYN-Floods (the LOG rule is itself rate-limited so a flood cannot fill the log)
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
$IPTABLES -A LSYNFLOOD -j DROP

#SYN-Flood check: SYNs within TCPSYNLIMIT return to INPUT and continue to the port rules,
#anything above the limit is logged and dropped. Note the limit counts all SYNs together,
#not per source address.
$IPTABLES -N SYNFLOOD
$IPTABLES -A SYNFLOOD -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j RETURN
$IPTABLES -A SYNFLOOD -j LSYNFLOOD

#Logging of possible Ping-Floods
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
$IPTABLES -A LPINGFLOOD -j DROP

#Process Whitelist (first, so these hosts bypass every rule below)
for x in `grep -v ^# $WHITELIST | awk '{print $1}'`; do
echo "Permitting $x..."
$IPTABLES -A INPUT -t filter -s $x -j ACCEPT
done

#Process Blacklist
for x in `grep -v ^# $BLACKLIST | awk '{print $1}'`; do
echo "Blocking $x..."
#$IPTABLES -A INPUT -t filter -s $x -j LOG
$IPTABLES -A INPUT -t filter -s $x -j DROP
done

#INVALID SYN packets (flag combinations no real connection attempt uses). These come
#before the port rules so an allowed port does not accept them first; change eth0 to your interface.
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

#Send every new connection attempt through the SYN-Flood check before the port rules
$IPTABLES -A INPUT -p tcp --syn -j SYNFLOOD

#Allow Ports list
for port in `grep -v ^# $PORTSLIST | awk '{print $1}'`; do
echo "Accepting port $port..."
$IPTABLES -A INPUT -t filter -p tcp --dport $port -j ACCEPT
done

#Drop new connections to every other TCP port
$IPTABLES -A INPUT -t filter -p tcp --syn -j DROP

#ICMP TIMESTAMP REQUEST AND REPLY
$IPTABLES -A INPUT -p icmp --icmp-type timestamp-request -j DROP
$IPTABLES -A FORWARD -p icmp --icmp-type timestamp-request -j DROP

#Ping-Flood check: echo requests within PINGLIMIT are accepted, the rest are logged and dropped
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j LPINGFLOOD

Add /usr/local/sbin/iptables.sh to rc.local so that it runs when the machine starts up.

Anytime you make changes to the ipblack.lst, ipwhite.lst, or ports.lst files rerun the iptables.sh script to apply the rules.
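Because iptables.sh has no error handling, a single malformed line in one of the three lists (a typo in a port number, a mistyped octet) makes one iptables call fail part-way through and leaves a half-built ruleset. The following preflight check is an added example, not part of the original post or script: it reads the lists exactly the way iptables.sh does (skipping # lines and taking the first field), validates every entry, confirms that localhost is in ipwhite.lst, and reports problems before you apply anything. LIST_DIR defaults to the post's /usr/local/etc; the sample lists it writes for the dry run are constructed and include two deliberate mistakes.

```shell
#!/bin/sh
# Added example (not from the original post): preflight check for the three list
# files that iptables.sh reads. Run it before iptables.sh.

LIST_DIR=${LIST_DIR:-/usr/local/etc}

# valid_ip_or_cidr ADDR: 0 if ADDR is a dotted-quad IPv4 address, optionally
# with a /0-32 prefix length, as used in ipblack.lst and ipwhite.lst.
valid_ip_or_cidr() {
    _addr=$1
    case "$_addr" in
        */*) _ip=${_addr%%/*}; _pfx=${_addr#*/} ;;
        *)   _ip=$_addr;       _pfx=32 ;;
    esac
    case "$_pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_pfx" -le 32 ] || return 1
    case "$_ip" in ''|.*|*.|*..*) return 1 ;; esac
    _oldifs=$IFS; IFS=.
    set -f; set -- $_ip; set +f        # split on dots, no globbing
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# valid_whitelist_entry ADDR: as above, plus the literal "localhost" that the
# post tells you to put in ipwhite.lst.
valid_whitelist_entry() {
    [ "$1" = localhost ] || valid_ip_or_cidr "$1"
}

# valid_port PORT: 0 if PORT is an integer in 1..65535 (ports.lst).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# count_bad_entries FILE CHECK: read FILE the way iptables.sh does, run CHECK on
# each entry, report offenders on stderr, print the number of bad entries.
count_bad_entries() {
    _bad=0
    for _e in `grep -v '^#' "$1" | awk '{print $1}'`; do
        if ! "$2" "$_e"; then
            echo "$1: bad entry '$_e'" >&2
            _bad=$((_bad + 1))
        fi
    done
    echo "$_bad"
}

# preflight DIR: 0 only if all three lists are clean and ipwhite.lst names localhost.
preflight() {
    _dir=$1
    _total=0
    for _pair in "ipwhite.lst valid_whitelist_entry" "ipblack.lst valid_ip_or_cidr" "ports.lst valid_port"; do
        set -- $_pair
        _n=`count_bad_entries "$_dir/$1" "$2"`
        _total=$((_total + _n))
    done
    if ! grep -v '^#' "$_dir/ipwhite.lst" | awk '{print $1}' | grep -qx localhost; then
        echo "$_dir/ipwhite.lst: localhost is missing" >&2
        _total=$((_total + 1))
    fi
    [ "$_total" -eq 0 ]
}

# make_sample_lists DIR: constructed sample lists in the post's layout, with two
# planted mistakes (an octet of 256 in ipblack.lst, a non-numeric port).
make_sample_lists() {
    mkdir -p "$1"
    printf '%s\n' 'localhost' '10.10.1.1 #Home IP Address' > "$1/ipwhite.lst"
    printf '%s\n' '94.178.222.17' '87.0.0.0/8' '256.1.1.1' > "$1/ipblack.lst"
    printf '%s\n' '22 #SSH' '80 #HTTPD' '443 #HTTPS' 'http #typo' > "$1/ports.lst"
}

# Stand-alone run: dry run on the constructed samples, then the real lists if present.
_d=`mktemp -d`
make_sample_lists "$_d"
if preflight "$_d"; then echo "sample lists: clean"; else echo "sample lists: errors found (expected, two were planted)"; fi
rm -rf "$_d"
if [ -f "$LIST_DIR/ipwhite.lst" ]; then
    if preflight "$LIST_DIR"; then echo "$LIST_DIR lists: clean"; else echo "$LIST_DIR lists: fix before running iptables.sh"; fi
fi
```

Hostnames other than localhost are rejected on purpose: iptables.sh passes each entry straight to -s, so a name that does not resolve at boot (before DNS is reachable) aborts the script, and a name that resolves to several addresses silently creates several rules.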

The script also applies iptables rules to help protect against ping floods, SYN floods, and invalid SYN packets (TCP flag combinations that no legitimate connection attempt uses).
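The LSYNFLOOD and LPINGFLOOD chains only drop; what they give you is the kernel log entries, one per dropped packet, starting with the --log-prefix from the script and followed by the usual IN=/SRC=/DST=/PROTO=/DPT= fields. The script below is an added example, not part of the original post, that turns those entries into something you can act on: which sources were dropped most, which listening port was being hammered, and which sources have enough hits to be worth reviewing as ipblack.lst candidates. The log lines it writes are constructed samples in that layout (RFC 5737 test addresses), not captured from a real host; on a real host point the functions at /var/log/kern.log or /var/log/messages.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what the LSYNFLOOD and
# LPINGFLOOD chains of iptables.sh logged.

# flood_sources LOGFILE TAG: for lines logged with prefix "fp=TAG:1", print
# "<hits> <source address>" pairs, busiest source first.
flood_sources() {
    grep "fp=$2:1" "$1" | awk '
    {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) hits[substr($i, 5)]++
    }
    END { for (s in hits) print hits[s], s }' | sort -rn
}

# flood_ports LOGFILE: "<hits> <destination port>" for SYN-flood drops, so you
# can see which listening service attracted the flood.
flood_ports() {
    grep 'fp=SYNFLOOD:1' "$1" | awk '
    {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^DPT=/) hits[substr($i, 5)]++
    }
    END { for (p in hits) print hits[p], p }' | sort -rn
}

# suggest_blacklist LOGFILE TAG MINHITS: sources with at least MINHITS drops,
# printed in ipblack.lst format (address, then a # comment) for review. Whether
# to actually add them is still the admin's call.
suggest_blacklist() {
    flood_sources "$1" "$2" | awk -v min="$3" -v tag="$2" '$1 >= min { print $2 " #" tag " " $1 " hits" }'
}

# write_sample_log FILE: constructed sample kernel messages in the LOG target's layout.
write_sample_log() {
    cat > "$1" <<'EOF'
Apr 23 10:15:01 web kernel: fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 10:15:01 web kernel: fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 10:15:02 web kernel: fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 10:15:02 web kernel: fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 10:16:10 web kernel: fp=PINGFLOOD:1 a=DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.5 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=1234 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Apr 23 10:16:10 web kernel: fp=PINGFLOOD:1 a=DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.5 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=1235 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=2
EOF
}

# Stand-alone run against the constructed sample.
_log=`mktemp`
write_sample_log "$_log"
echo "SYN-flood sources:";   flood_sources "$_log" SYNFLOOD
echo "SYN-flood ports:";     flood_ports "$_log"
echo "Ping-flood sources:";  flood_sources "$_log" PINGFLOOD
echo "Blacklist candidates (3 or more hits):"; suggest_blacklist "$_log" SYNFLOOD 3
rm -f "$_log"
```

Keep in mind that the LOG rule in each chain is itself limited to LOGLIMIT, so these counts are a lower bound on what was dropped, and that a forged source address in a SYN flood will show up here just like a real one; a high count is a reason to look, not proof of where the traffic came from.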

April 23, 2009 | Filed Under My Notes, Networking, Tools | 1 Comment 

Xmarks – Organizing Browser Bookmarks

Between my computer at work with IE and Firefox and my computer at home running IE and Firefox, I have bookmarks and favorites spread all over the place, hundreds of them. I go home at night to do some research and remember bookmarking a site earlier, but that was at work, so I log in to the office VPN just to get a bookmark. Not the end of the world, but still frustrating and time consuming. Xmarks allows you to easily manage, organize, and share your browser bookmarks/favorites.

I generally use Firefox for most browsing, but there are some vendor portals, sites, and utilities that either require or simply work better with IE or Firefox. Occasionally I will favorite something in IE and want it later with Firefox.

Xmarks is a free utility/service that lets you manage and maintain your bookmarks/favorites between browsers and computers. You simply sync your bookmarks using different profiles (work/home/etc) that you create and configure.

You also have access to all of your bookmarks/favorites online from any computer using the My Xmarks portal and you can share your bookmarks with others.

Check out Xmarks at http://www.xmarks.com/

April 16, 2009 | Filed Under Cool Stuff, Tools | Leave a Comment 

Minor Update to RVTools

Version 2.5.1 (April 15, 2009) – Bug fix! Better exception handling on the vDisk and vNetwork tab pages.

Download it here – http://www.robware.net/

April 15, 2009 | Filed Under Tools, Virtualization | Leave a Comment 

AutoCopy Extension for Firefox

Thanks to @danieldoughty for the RT a couple days ago from @techhie about Lifehacker’s Top 10 Must-Have Firefox Extensions, 2009 Edition. Great list of useful extensions.

For me the real gem in this list is the AutoCopy extension. With AutoCopy text you select in Firefox is automatically copied to the clipboard. To paste you just click the middle mouse button. The official AutoCopy website is here – http://autocopy.mozdev.org/

April 14, 2009 | Filed Under Cool Stuff, Tools | Leave a Comment 

RVTools – Free VMWare ESX/Virtual Center Management Tool

This small but useful tool is a must have for any ESX 3.x/Virtual Center 2.x admin. It gives you easy access to tons of useful information about your virtual environment: how much disk space is available on which datastore, which virtual machines have snapshots, which virtual machines have the CD-ROM currently mounted, how many processors are assigned to each VM, and a ton of other information with just a click of the mouse.


Download RVTools here – http://www.robware.net/

Here is the developer's description:

RVTools is a small .NET 2.0 application which uses the VI SDK to display information about your virtual machines. Interacting with VirtualCenter 2.x or ESX 3.x, RVTools is able to list information about cpu, memory, disks, nics, cd-rom, floppy drives, snapshots, VMware tools, ESX hosts, datastores and health checks. With RVTools you can disconnect the cd-rom or floppy drives from the virtual machines, and RVTools is able to list the current version of the VMware Tools installed inside each virtual machine and update them to the latest version.

April 13, 2009 | Filed Under Tools, Virtualization | Leave a Comment 

Sociable WordPress Plugin

This afternoon I installed a WordPress plugin called Sociable that automatically adds icons linking to different social networking/bookmarking sites such as Twitter and Facebook to each post. Neat little tool, since it allows people to share your post with others on these networks by basically just clicking on the icons. Just check out the Share & Enjoy icons at the bottom of this post.

I regularly post to Twitter and it updates my Facebook status. Anyway, the Sociable plugin works well, but I found another version, Sociable-Italia, that has a feature that creates TinyURLs to help you keep to the 140-character limit of Twitter. Other than the TinyURLs and the settings page being in Italian in Sociable-Italia, I think the plugins are basically identical.

Anyway, I added the code that generates the TinyURL from Sociable-Italia to the Sociable plugin by editing sociable.php in the wp-content/plugins/sociable directory. Find the line

$url = $site['url'];

and add this after it

if ($sitename == 'TwitThis') {
    // Ask TinyURL for a short link; the permalink is URL-encoded so a '&' or '?'
    // in it cannot break the query string. Fall back to the full permalink if
    // the request fails (file_get_contents returns false on error).
    $twitperma = file_get_contents('http://tinyurl.com/api-create.php?url=' . urlencode($permalink));
    if ($twitperma === false) {
        $twitperma = $permalink;
    }
    $url = str_replace('PERMALINK', $twitperma, $url);
} else {
    $url = str_replace('PERMALINK', $permalink, $url);
}

I also added the title of the post to the TwitThis icon. Find the line:

'url' => 'http://twitter.com/home?status=PERMALINK',

and change it to this:

'url' => 'http://twitter.com/home?status=PERMALINK :: TITLE',

Of course, if I have to update the plugin in the future this will stop working unless I remember to redo this. Perhaps the author of the plugin will add this to a future release.

Great little plugin – download it here.

April 10, 2009 | Filed Under Cool Stuff, Tools | 3 Comments 

Wireshark is a must have tool

Wireshark is a free network protocol analyzer and a must have tool for tracking down network traffic issues. The VoIP analysis has saved me tons of time tracking down phone issues.

Download it here http://www.wireshark.org/

April 10, 2009 | Filed Under Networking, Tools, VoIP | Leave a Comment 

Windows Disk Defrag Tool

Free, easy, and quick.

UltraDefrag – Windows Disk Defragmentation Utility

UltraDefrag is a powerful disk defragmentation tool for Windows NT/Vista/XP/Server 2003. Extremely fast and useful. Some of the unique features of UD are the ability to defragment system files at boot time and to defragment a single file or directory.

April 9, 2009 | Filed Under Tools | 1 Comment 

WinSCP – Free sftp and ftp client

WinSCP is an open source SFTP/FTP client for Windows. An absolute necessity for any administrator needing to transfer files from Windows to Linux hosts securely.

Download it at http://winscp.net/

March 31, 2009 | Filed Under Tools | Leave a Comment 
