Sunday 5 March 2017

Generally Useful Iptables Rules


This section includes a variety of iptables commands that will create rules that are generally useful on most servers.

Allow Loopback Connections

To accept all traffic on your loopback interface, run these commands:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

Allow Established and Related Incoming Connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Allow Established Outgoing Connections
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow Forwarding from Internal to External
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

This rule only passes packets that arrive on eth1 (internal) and leave on eth0 (external). For the reply traffic to get back, the FORWARD chain also needs a rule in the other direction that accepts ESTABLISHED,RELATED connections, and IP forwarding must be enabled in the kernel, otherwise nothing is forwarded at all.

Drop Invalid Packets
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Block an IP Address
sudo iptables -A INPUT -s 15.15.15.51 -j DROP

In this example, -s 15.15.15.51 specifies a source IP address of "15.15.15.51". The source IP address can be specified in any firewall rule, including an allow rule.

If you want to reject the connection instead, replace "DROP" with "REJECT". DROP silently discards the packet, so the client waits for a timeout and a scanner cannot tell a filtered port from a dead host; REJECT sends back an ICMP error, which the client sees as "connection refused", so it fails fast but reveals that a filter is present:
sudo iptables -A INPUT -s 15.15.15.51 -j REJECT

Block Connections to a Network Interface
sudo iptables -A INPUT -i eth0 -s 15.15.15.51 -j DROP

This is the same as the previous example, with the addition of -i eth0, which matches only packets arriving on that interface. The network interface can be specified in any firewall rule, and is a simple way to restrict a rule to one network (for example, a management interface).

Service: SSH
Allow All Incoming SSH

To allow all incoming SSH connections run these commands:
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established SSH connections, is only necessary if the OUTPUT policy is not set to ACCEPT.
Allow Incoming SSH from Specific IP address or subnet
sudo iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established SSH connections, is only necessary if the OUTPUT policy is not set to ACCEPT.
Allow Outgoing SSH
sudo iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow Incoming Rsync from Specific IP Address or Subnet
sudo iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established rsync connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

Service: Web Server

Allow All Incoming HTTP
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow All Incoming HTTPS
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow All Incoming HTTP and HTTPS
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT


Service: MySQL
Allow MySQL from Specific IP Address or Subnet
sudo iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow MySQL to Specific Network Interface
sudo iptables -A INPUT -i eth1 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow PostgreSQL from Specific IP Address or Subnet
sudo iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow PostgreSQL to Specific Network Interface
sudo iptables -A INPUT -i eth1 -p tcp --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth1 -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT


Service: Mail
Block Outgoing SMTP Mail
sudo iptables -A OUTPUT -p tcp --dport 25 -j REJECT

Allow All Incoming SMTP
sudo iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT


Note: It is common for mail clients to submit outbound mail on port 587 (message submission) rather than port 25, so a rule that blocks only port 25 does not stop that traffic.
Allow All Incoming IMAP
sudo iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow All Incoming IMAPS
sudo iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow All Incoming POP3
sudo iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow All Incoming POP3S
sudo iptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 995 -m conntrack --ctstate ESTABLISHED -j ACCEPT
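
The rules above are shown one at a time, but iptables evaluates a chain top to bottom and the order decides what gets through: loopback and ESTABLISHED,RELATED first, the INVALID drop before any port-based ACCEPT, then the per-service rules, with a DROP policy catching the rest. The script below is an added example (not from the original post) that emits the combined ruleset in iptables-restore format and runs a lockout check before it is loaded. The admin subnet 15.15.15.0/24 and the service set (SSH, HTTP, HTTPS) are assumptions taken from the examples above; nothing here touches the live firewall.

```shell
#!/bin/sh
# Added example: build a complete iptables-restore ruleset from the rules in
# this post, in evaluation order, and check it before loading.
# Assumptions (hypothetical values): admin hosts sit in 15.15.15.0/24 and the
# server offers SSH, HTTP and HTTPS only.

gen_ruleset() {
    admin_net="$1"      # CIDR allowed to open SSH, e.g. 15.15.15.0/24
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Loopback first: local services talking to 127.0.0.1 depend on it.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# 2. Replies to connections this host already tracks.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. Drop packets conntrack cannot classify, before any port-based ACCEPT.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 4. New SSH only from the admin subnet; everything else hits the DROP policy.
#    Rule 2 already accepts ESTABLISHED, so service rules only need NEW.
-A INPUT -p tcp -s ${admin_net} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# 5. Public web service.
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Lockout check: with a DROP policy on INPUT, a ruleset without an SSH ACCEPT
# (or with the INVALID drop placed after the service rules) is refused.
check_ruleset() {
    ruleset="$1"
    printf '%s\n' "$ruleset" | grep -q -- '--dport 22 .*NEW.*-j ACCEPT' || return 1
    inv=$(printf '%s\n' "$ruleset" | grep -n -- '--ctstate INVALID -j DROP' | cut -d: -f1 | head -n1)
    svc=$(printf '%s\n' "$ruleset" | grep -n -- '--dport 22' | cut -d: -f1 | head -n1)
    [ -n "$inv" ] && [ -n "$svc" ] && [ "$inv" -lt "$svc" ]
}

# Stand-alone use: print the ruleset if it passes the check.
if [ "${1:-}" = "print" ]; then
    rs=$(gen_ruleset "${2:-15.15.15.0/24}")
    check_ruleset "$rs" && printf '%s\n' "$rs"
fi
```

To load it, save the output to a file, dry-run it with sudo iptables-restore --test on that file, then apply it with sudo iptables-restore. When working over SSH, first save the current rules with iptables-save and schedule a delayed restore of that file in the background so that a mistake rolls itself back instead of locking you out.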


Good luck!

Monday 14 November 2016

BGP Neighbor States


- Idle
The BGP process is either administratively down or waiting for the next retry attempt (the ConnectRetry timer).
- Connect
The BGP process is waiting for the TCP connection to complete. From this state alone you cannot tell whether the TCP connection will complete.
- Active
The TCP connection attempt did not complete, and the BGP process is listening for an incoming TCP connection from the peer while it waits to retry (RFC 4271). A neighbor that keeps cycling between Idle, Connect and Active has a TCP-level problem (no route to the peer, or port 179 filtered), not a BGP parameter mismatch.
- OpenSent
The TCP connection exists and a BGP Open message has been sent to the peer, but the matching Open message has not yet been received from the other router.
- OpenConfirm
An Open message has been both sent to and received from the other router. The next step is to receive a BGP Keepalive message (confirming that all neighbor-related parameters match) or a BGP Notification message (indicating a mismatch in neighbor parameters).
- Established
All neighbor parameters match, the neighbor relationship is up, and the peers can now exchange Update messages.

Four Years Later.

I have left this blog for about four years.
Four years ago I was working at a primary school and studying at night. That was a hard period. After my studies I quit my school job. I joined a telecommunication vendor. Another hard period....
After another two years, I changed jobs again. For the past year and a half I worked at Next Media, and now I am at Gameloft.
I look forward to building a better life for myself.

I think I need to spend more time studying English, and write more in both Chinese and English. Gameloft is such a relaxed workplace.

Monday 10 September 2012

Things to do

Keep a memento of this job (in progress)
Keep a memento of my study application (in progress)
Retake and renew my certificates, and enrol for new certificates and licences. This one has not been started yet.

That is all I can think of for now; I will add more as I think of them.

Friday 1 June 2012

First Summer Semester at Part-time University

The 2nd of June 2012 is the start of the summer semester of my top-up degree course at City University. For the following 12 weeks I will study two subjects. One of them, the Business subject, requires an individual report, which is weighted at 100% of the subject. I have to work hard for it; this is the first time in my studies without an examination. However, my writing skill has regressed. I have to do more reading and writing.

Monday 7 May 2012

Personal web page.

Actually Blogger also counts as a kind of personal web page; you really do not need to build everything yourself from scratch to say you own a personal web page. Blogger is a kind of personal blog; it was originally Blogger and was later acquired by Google, and is now one of Google's services. One advantage of using Google's services is that you only need your Google account to use the whole suite. So I chose Blogger here for my blog. If I were really to set up a blog with something like WordPress, what I would need most is probably a server that stays on and a network that is always online. Doing that costs money, and a self-hosted blog would not be as easy to find in search as Blogger.
So I think, unless there is a particular need, it is better to use someone else's dedicated service!

Thursday 22 March 2012

Daily visitors

I have not updated for a while, and have not even come into the control panel here.
The whole of Blogger has become a bit unfamiliar; I found that there are one or two hits here every day.
Who are these people? I do not know. But my writing skill is regressing...
It was not very good to begin with, and if it keeps regressing like this, will even a primary school student's writing be better than mine?

Saturday 14 January 2012

Lunar New Year holiday

The three-day Lunar New Year public holiday has passed,
I wrote the start of this essay and saved it at this line for a few months; I have no idea what I was thinking three months ago. I forgot what I did this Chinese New Year. Just forget about it.
For the holiday from my workplace, I had to sleep for a day.
This year I have to go to class on the sixth day of the New Year (初六).