Loading
Mastering IPTables, Part I
Linux comes with a powerful firewall built-in, although the interface can be a little intimidating. This is the first in a multi-part tutorial on how to master basic and not-so-basic IPTables functionality and create the perfect firewall for your home network.
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- New Products
- Linux Systems Administrator
- Senior Perl Developer
- Technical Support Rep
- UX Designer
- Web & UI Developer (JavaScript & j Query)
- Designing Electronics with Linux
- Dynamic DNS—an Object Lesson in Problem Solving
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- Reply to comment | Linux Journal
1 hour 51 min ago - Nice article, thanks for the
12 hours 32 min ago - I once had a better way I
18 hours 17 min ago - Not only you I too assumed
18 hours 35 min ago - another very interesting
20 hours 28 min ago - Reply to comment | Linux Journal
22 hours 21 min ago - Reply to comment | Linux Journal
1 day 5 hours ago - Reply to comment | Linux Journal
1 day 5 hours ago - Favorite (and easily brute-forced) pw's
1 day 7 hours ago - Have you tried Boxen? It's a
1 day 13 hours ago
Enter to Win an Adafruit Pi Cobbler Breakout Kit for Raspberry Pi
It's Raspberry Pi month at Linux Journal. Each week in May, Adafruit will be giving away a Pi-related prize to a lucky, randomly drawn LJ reader. Winners will be announced weekly.
Fill out the fields below to enter to win this week's prize-- a Pi Cobbler Breakout Kit for Raspberry Pi.
Congratulations to our winners so far:
- 5-8-13, Pi Starter Pack: Jack Davis
- 5-15-13, Pi Model B 512MB RAM: Patrick Dunn
- 5-21-13, Prototyping Pi Plate Kit: Philip Kirby
- Next winner announced on 5-27-13!
Featured Jobs
| Linux Systems Administrator | Houston and Austin, Texas | Host Gator |
| Senior Perl Developer | Austin, Texas | Host Gator |
| Technical Support Rep | Houston and Austin, Texas | Host Gator |
| UX Designer | Austin, Texas | Host Gator |
| Web & UI Developer (JavaScript & j Query) | Austin, Texas | Host Gator |
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
Developer Poll
Comments
DROP everything
I even set OUTPUT to drop ... what happens if you get a virus or a worm? (does linux have one of those?)
Or somebody on your network (most likely w/ a windows machine) gets a virus or worm? Those packets might go thru FORWARD but if they somehow hack into your firewall then those packets would be thru OUTPUT.
I go way paranoid on my rules. I set interface names, I allow each protocol out 1 by 1, set expected ip ranges, always tcp reset when I reject, etc.... It may be a pain to setup, but I only do that once; and it protects me better 24x7 IMO.
vim user, set
vim user,
set bg=dark
Thanks.
seems like it keeps getting
seems like it keeps getting hung up on digg.
Does anyone else have troubles viewing this?
I took a snapshot.
http://fayettedigital.com/images/firewall.png
I can't read much of what's on the screen. Red on black is very hard to read and I have no idea what the colors are for the text I can't see. This is a fairly new system with a nvidia card running Ubuntu Hardy to a 20" SGI monitor (hi res). I'm viewing it with Firefox 3.x.
Thanks,
Jim.
Transcript
Greetings,
For all future videos I will include links to the transcript and script (if applicable). Here is the transcript and firewall script for this one:
Transcript: http://dark-code.bulix.org/z5svtd-68680?raw
Script: http://dark-code.bulix.org/y8t9ur-68683
These will be available in the video description from now on.
Elliot
Gracias por el post, era muy
Gracias por el post, era muy interesante leer
your gay
your gay
help
hi iluv linux "fedore" mainly....!
i dont hav much experience of linux.
if anyone can help me.
i started a wireless isp business and running a "mikrotik AP" router.
my internet connection runs from (PC-1) with DSL & from there link to Linux Server with (Radius Manager) and also Link to the "Mikrotik AP".
My (Mikrotik AP) is already good firewall but thats for blocking my clients, i need advise or help on setting firewall for the othe side (my dsl router) to protect my main pc with windows xp & my linux radius manager pc. (bellow is a my setup connection)
Isp-----windows xp--------radius manager<<<<--->>>>mikrotok<<<<<----->>>>>Wireless Clients
IPTables Part 1
I was able to copy the script Elliot creates while watching the video. It's not exactly the same, but captures all the same stuff
#!/bin/sh
#locate iptables (this will cause issues if the command fails, but is flexible)
IPT=`which iptables`
#or possibly the following, but on CYGWIN it's not in the right format)
#IPT=`whereis iptables`
#flush iptables
$IPT -F
#-----------------------
# POLICIES
#-----------------------
#
# DEFAULT POLICIES
#-----------------------
#For outbound traffic
$IPT -P OUTPUT ACCEPT
#For inbound traffic
$IPT -P INPUT DROP
#For routed traffic is to drop for now
$IPT -P FORWARD DROP
#
# ALLOWED INBOUND TRAFFIC
#-----------------------------
#ALLOW loopback traffic
$IPT -A INPUT --in-interface lo -j ACCEPT
#ALLOW http
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
#ALLOW ssh
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
#ALLOW Responses
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
IPTables script
PS. I did not verify the script works, so don't shoot any flaming arrows my way, but I will update it if I find any
The text in the captured screen in not clear
The text in the captured screen in not clear, I can not read it.
Advise: use black background and white foreground, do not use colors.
Shell Script (Text on screen)
I recreated the script Elliot used. It's not exactly the same, but has the same functionality
#!/bin/sh
#locate iptables (this will cause issues if the command fails, but is flexible)
IPT=`which iptables`
#or possibly the following, but on CYGWIN it's not in the right format)
#IPT=`whereis iptables`
#flush iptables
$IPT -F
#-----------------------
# POLICIES
#-----------------------
#
# DEFAULT POLICIES
#-----------------------
#For outbound traffic
$IPT -P OUTPUT ACCEPT
#For inbound traffic
$IPT -P INPUT DROP
#For routed traffic is to drop for now
$IPT -P FORWARD DROP
#
# ALLOWED INBOUND TRAFFIC
#-----------------------------
#ALLOW loopback traffic
$IPT -A INPUT --in-interface lo -j ACCEPT
#ALLOW http
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
#ALLOW ssh
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
#ALLOW Responses
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Fantastic tutorial
Well done Elliot. Your timing couldn't have been more perfect. IPTables has always been a pain in the butt to understand. Being able to see and hear someone explain how it works is a great way to learn. I have enjoyed watching the video and will definitely tune in for the next part.
I've just installed a new Linux server at work which acts as our internet gateway via an ADSL router modem. It took me two days to setup the iptable rules and it is finally working (after reading lots of HOWTO docs). Now it will be nice to verify that what I have done is actually correct, and be able to understand all the rules I copied from the HOWTO's. ;-)
As for a transcript.
That would be nice, but I simply did the following. If you use Firefox web browser, simply look in your profile's Cache directory for a 10Mb file. That's the local copy of the video clip you watched. Simply copy it out for archiving purposes and for later enjoyment. :-)
Regards,
- Graeme -
Transcript
+1
Transcript?
It would be nice if there were a transcript to these videos. A transcript can be read in a short amount of time to gain knowledge, or skimmed to see if the material is relevant, or used for later reference, or even used to capture notes so all eyes can be on the viewing.
Thank you.