General documentation / cheat sheets for various languages and services


Here’s a little iptables primer, because the syntax is bizarre and I always forget it.

This is my /etc/iptables/iptables.rules on this server (Arch Linux):

# Comments start with a #, but must not share a line with a command.
# *filter selects the "filter" table, the one that decides whether packets are
# accepted or dropped (nat and mangle are the other tables; not used here).
# (line restored: the original file starts with it, as the comment above says)
*filter

# The default policy for all incoming connections is to DROP (refuse them)
# Likewise for all forwarded connections (only matters if this box routes
# packets for other hosts, which it doesn't)
# Outgoing connections are all accepted. If I was really paranoid I might change this.
# (policy lines restored from the description above; the [0:0] are packet/byte counters)
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# All localhost interface traffic is OK
-A INPUT -i lo -j ACCEPT

# All ICMP (the control protocol that carries ping and network error messages) is OK
-A INPUT -p icmp -j ACCEPT

# Accept packets belonging to a connection that is already established (or related to
# one), so an open SSH session and the replies to this host's own outbound connections
# aren't cut off by the rules below.
# (line restored from the comment that described it; the conntrack match is assumed,
#  the older "-m state --state ESTABLISHED,RELATED" form does the same job)
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The next 8 commands just say accept all incoming TCP traffic on these ports
# (iptables resolves service names like http and https through /etc/services,
#  but I could just as well have said 80 and 443)
-A INPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport https -j ACCEPT
# 110=pop3 143=imap 585=secure-imap 995=secure-pop3
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 585 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# These would answer anything not matched above with an explicit rejection (a TCP
# reset or an ICMP unreachable) instead of silently dropping it. I wasn't sure what
# they were for so I commented them out; with them gone the INPUT DROP policy applies
# and unmatched packets are just discarded.
#-A INPUT -p tcp -j REJECT --reject-with tcp-reset
#-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
#-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# Every table block has to end with COMMIT or iptables-restore won't apply it.
# (line restored; the file can't be loaded without it)
COMMIT

The file by itself doesn't do anything; the rc.d script that starts iptables reads it in with iptables-restore.
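Since iptables-restore rejects a file with a syntax error outright but happily loads one that locks you out, it helps to check the file before loading it. The script below is an added example, not code from the original post: it parses the iptables-save format used above (*table, :CHAIN POLICY [pkts:bytes], -A rules, COMMIT), lists the TCP ports INPUT accepts, and warns about a missing COMMIT, a DROP policy with no loopback or ESTABLISHED rule, and a DROP policy that doesn't let SSH in. SERVICE_PORTS is a small name-to-port table made up for the example (real iptables uses /etc/services), and SAMPLE_RULES is a constructed file in the same format as the one above.

```python
"""Lint an iptables-restore rules file before loading it.

Added example: parses the iptables-save format (*table, :CHAIN POLICY
[pkts:bytes], -A rules, COMMIT), reports which TCP ports INPUT accepts, and
flags the mistakes that most often make the file unloadable or lock the admin
out of the box.
"""
import shlex
import sys

# Small name->port table constructed for this example; real iptables resolves
# service names like "ssh" and "http" through /etc/services.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443, "pop3": 110, "imap": 143}


def parse_rules(text):
    """Return tables, per-chain policies, parsed -A rules and committed tables."""
    tables, policies, rules, committed = [], {}, [], set()
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments live on their own line
            continue
        if line.startswith("*"):               # "*filter" opens a table block
            table = line[1:]
            tables.append(table)
        elif line.startswith(":"):             # ":INPUT DROP [0:0]" sets a policy
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line == "COMMIT":                 # closes the current table block
            committed.add(table)
        elif line.startswith("-A "):           # an appended rule
            argv = shlex.split(line)
            rules.append({"table": table, "chain": argv[1], "argv": argv})
    return {"tables": tables, "policies": policies,
            "rules": rules, "committed": committed}


def _opt(argv, *names):
    """Value following the first of the given option names, or None."""
    for i, tok in enumerate(argv[:-1]):
        if tok in names:
            return argv[i + 1]
    return None


def accepted_tcp_ports(parsed):
    """Destination ports that INPUT rules in the filter table ACCEPT for TCP."""
    ports = []
    for r in parsed["rules"]:
        a = r["argv"]
        if (r["table"], r["chain"]) != ("filter", "INPUT"):
            continue
        if _opt(a, "-p", "--protocol") != "tcp" or _opt(a, "-j", "--jump") != "ACCEPT":
            continue
        dport = _opt(a, "--dport", "--destination-port")
        if dport is None:
            continue
        ports.append(int(dport) if dport.isdigit() else SERVICE_PORTS.get(dport, dport))
    return ports


def lint(text):
    """Return a list of human-readable findings; an empty list means no problems."""
    p = parse_rules(text)
    findings = []
    for t in p["tables"]:
        if t not in p["committed"]:
            findings.append(f"table *{t} has no COMMIT line; iptables-restore will not apply it")
    if "filter" not in p["tables"]:
        findings.append("no *filter table: nothing here filters incoming traffic")
        return findings
    inp = [r["argv"] for r in p["rules"] if (r["table"], r["chain"]) == ("filter", "INPUT")]

    def any_rule(pred):
        return any(pred(a) for a in inp)

    policy = p["policies"].get(("filter", "INPUT"))
    if policy is None:
        findings.append("no :INPUT policy line; the chain keeps whatever policy is already loaded")
    elif policy == "DROP":
        if not any_rule(lambda a: _opt(a, "-i", "--in-interface") == "lo"
                        and _opt(a, "-j", "--jump") == "ACCEPT"):
            findings.append("INPUT policy is DROP but loopback (-i lo) is not accepted; "
                            "local services talking to 127.0.0.1 will break")
        if not any_rule(lambda a: "ESTABLISHED" in (_opt(a, "--ctstate") or _opt(a, "--state") or "")):
            findings.append("INPUT policy is DROP with no ESTABLISHED,RELATED rule; replies to this "
                            "host's own outbound connections will be dropped")
        if 22 not in accepted_tcp_ports(p):
            findings.append("INPUT policy is DROP and TCP port 22 (ssh) is not accepted: "
                            "remote lockout risk")
    return findings


# Constructed sample in the same format as the rules file above (not the author's file).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    # Usage: python lint_rules.py /etc/iptables/iptables.rules (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    print("accepted TCP ports:", accepted_tcp_ports(parse_rules(text)))
    for finding in lint(text):
        print("WARNING:", finding)
```

Run it against the rules file before restarting iptables; the sample loads clean, while a file that drops the COMMIT line or the ssh rule gets a warning for each problem. The checks only cover the filter table's INPUT chain, which is where a mistake costs you the SSH session.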

A few other useful commands:

sudo iptables -L -v # print out the current rules
sudo /etc/rc.d/iptables restart # restart iptables

On Ubuntu

If you want some rules loaded automatically, put them (the output of iptables-save) in a file, /etc/firewall.conf or whatever, and then create /etc/network/if-up.d/iptables (scripts in that directory are run by ifupdown each time a network interface is brought up, with the interface name in $IFACE) containing this:

#!/bin/sh
# Run by ifupdown whenever an interface comes up; reload the saved rules.
iptables-restore < /etc/firewall.conf

Then chmod +x the file.