Iptables Command Switches
Each line of an iptables script not only has a jump target, but also a number of command line options that append rules to chains and match packet characteristics such as the source IP address and TCP port. Rules in a chain are evaluated in order and the target of the first matching rule decides the packet's fate, so the order in which rules are appended matters.
-t ‘table’
If you don’t specify a table, the filter table is assumed. The built-in tables are filter, nat, mangle and raw (plus security on kernels that support it).
-j ‘target’
Jump to the specified target chain when the packet matches the current rule.
-A
Append rule to end of a chain
-F [‘chain’]
Flush. Deletes all the rules in the selected chain, or in every chain of the selected table if no chain is named
-p ‘protocol-type’
Match protocol. Types include icmp, tcp, udp and all
-s ‘ip-address’
Match source IP address
-d ‘ip-address’
Match destination IP address
-i ‘interface-name’
Match “input” interface on which the packet enters.
-o ‘interface-name’
Match “output” interface on which the packet exits.
Protect portmap With iptables
The portmap service is a dynamic port assignment daemon for RPC services such as NIS and NFS. It has weak authentication mechanisms and has the ability to assign a wide range of ports for the services it controls. For these reasons, it is difficult to secure.
Securing portmap only affects NFSv2 and NFSv3 implementations, since NFSv4 no longer requires it. If you plan to implement an NFSv2 or NFSv3 server, then portmap is required, and the following section applies.
Below are two example iptables commands. The first allows TCP connections to port 111 (used by the portmap service) from the localhost. The second drops TCP connections to the same port from any source other than the 192.168.0.0/24 network (the ! negates the -s match; older iptables releases wrote this as -s ! 192.168.0.0/24, current releases require ! -s). iptables acts on the first rule that matches, and 127.0.0.1 is not in 192.168.0.0/24, so the localhost ACCEPT must be appended before the DROP; in the reverse order the DROP would match localhost connections first and the ACCEPT would never be reached. Hosts in 192.168.0.0/24 match neither rule and fall through to the remaining rules of the chain and its policy.
Example:
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 111 -j DROP
portmap listens on UDP port 111 as well, so to similarly limit UDP traffic use the following command (preceded, if local RPC clients use UDP, by an equivalent -p udp -s 127.0.0.1 ACCEPT rule).
iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 111 -j DROP
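The following shell script is an added example (not part of the original page or of any vendor's documentation). It builds the complete portmap ruleset, TCP and UDP, in iptables-restore format with the ACCEPT rules placed ahead of the DROP, and adds a small lint that rejects any ruleset in which an ACCEPT for port 111 comes after a DROP for it. The trusted network 192.168.0.0/24 is the one from the text; the generator, the lint and the use of iptables-restore are my own.

```shell
# Added example: portmap (port 111) ruleset in iptables-restore format.
# Ordering is the whole point: iptables stops at the first matching rule,
# so every ACCEPT must precede the DROP that would otherwise swallow it.

LAN_NET="192.168.0.0/24"   # assumed trusted network, taken from the text

# Print the filter-table rules. Comment lines are accepted by iptables-restore.
gen_portmap_rules() {
    cat <<EOF
*filter
# loopback RPC clients (rpcinfo, local NFS mounts) are allowed first
-A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
-A INPUT -p udp -s 127.0.0.1 --dport 111 -j ACCEPT
# then the trusted LAN
-A INPUT -p tcp -s $LAN_NET --dport 111 -j ACCEPT
-A INPUT -p udp -s $LAN_NET --dport 111 -j ACCEPT
# everything else addressed to portmap is dropped, whatever its source
-A INPUT -p tcp --dport 111 -j DROP
-A INPUT -p udp --dport 111 -j DROP
COMMIT
EOF
}

# Lint a ruleset read on stdin: exit 0 if every ACCEPT for port 111 appears
# before the first DROP for port 111, exit 1 if any ACCEPT is unreachable.
check_portmap_order() {
    awk '
        /--dport 111( |$)/ && /-j DROP/   { seen_drop = 1 }
        /--dport 111( |$)/ && /-j ACCEPT/ { if (seen_drop) bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Usage as root: gen_portmap_rules | check_portmap_order && \
#                gen_portmap_rules | iptables-restore -n
# (-n / --noflush appends to the existing chains instead of replacing them)
```

Using explicit ACCEPT rules followed by an unconditional DROP avoids the negated source match entirely, and the outcome for port 111 no longer depends on the chain's default policy. Running the lint before iptables-restore catches the ordering mistake discussed above before it reaches the kernel.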
Shared Libraries
Shared libraries are units of code, such as glibc, that are used by a number of applications and services. An application that uses a shared library loads the shared code into its address space when it starts, so a process that was already running when the library was updated (for example, by a security patch) keeps executing the old copy from memory until it is stopped. Every application using the updated library must therefore be halted and relaunched, or the system rebooted.
To determine which running applications link against a particular library, use the lsof command as in the following example:
Example
$ lsof /lib/libnsl.so.1
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dbus-laun 3337 jyothis mem REG 8,2 79612 1882725 /lib/libnsl-2.9.so
dbus-daem 3338 jyothis mem REG 8,2 79612 1882725 /lib/libnsl-2.9.so
xscreensa 3343 jyothis mem REG 8,2 79612 1882725 /lib/libnsl-2.9.so
xfce4-ses 3347 jyothis mem REG 8,2 79612 1882725 /lib/libnsl-2.9.so
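The following shell functions are an added example, not part of the original page. They do what the lsof invocation above does by reading /proc/PID/maps directly, and additionally report processes whose mapped library has been replaced on disk since it was loaded (the kernel appends (deleted) to the path in maps), which is exactly the case the paragraph above says requires a restart. The sample /proc tree built by make_sample_proc is constructed for the demonstration, mirroring two of the PIDs and commands from the lsof listing; it is not captured from a real system.

```shell
# Added example: which processes map a library, and which of them still run a
# copy that has since been replaced on disk (shown as "(deleted)" in maps).

# Print "PID COMMAND" for every process whose maps file mentions $1 (a name
# fragment such as libnsl). Reads /proc by default; a directory that mimics
# /proc can be passed as $2, which the constructed sample below relies on.
lib_users() {
    lib="$1"; procdir="${2:-/proc}"
    for maps in "$procdir"/[0-9]*/maps; do
        pid=${maps#"$procdir"/}; pid=${pid%/maps}
        if grep -q -- "$lib" "$maps" 2>/dev/null; then
            comm=$(cat "$procdir/$pid/comm" 2>/dev/null || echo '?')
            echo "$pid $comm"
        fi
    done
}

# Print "PID COMMAND PATH" for processes mapping a .so whose file was replaced
# or removed after it was loaded: the old inode stays mapped and the kernel
# marks the path "(deleted)". Such processes still execute the OLD code.
stale_lib_users() {
    procdir="${1:-/proc}"
    for maps in "$procdir"/[0-9]*/maps; do
        pid=${maps#"$procdir"/}; pid=${pid%/maps}
        comm=$(cat "$procdir/$pid/comm" 2>/dev/null || echo '?')
        grep -- '\.so.*(deleted)$' "$maps" 2>/dev/null |
            awk -v pid="$pid" -v comm="$comm" '{ print pid, comm, $6 }' | sort -u
    done
}

# Constructed sample (not real output): a fake /proc with two processes; the
# second still maps a libnsl that was replaced on disk after it was loaded.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/3337" "$d/3343"
    echo dbus-launch  > "$d/3337/comm"
    echo xscreensaver > "$d/3343/comm"
    cat > "$d/3337/maps" <<'EOF'
7f10a0000000-7f10a0014000 r-xp 00000000 08:02 1882725 /lib/libnsl-2.9.so
7f10a0014000-7f10a0214000 ---p 00014000 08:02 1882725 /lib/libnsl-2.9.so
7f10a1000000-7f10a1160000 r-xp 00000000 08:02 1882700 /lib/libc-2.9.so
EOF
    cat > "$d/3343/maps" <<'EOF'
7f20b0000000-7f20b0014000 r-xp 00000000 08:02 1882725 /lib/libnsl-2.9.so (deleted)
7f20b0014000-7f20b0214000 ---p 00014000 08:02 1882725 /lib/libnsl-2.9.so (deleted)
7f20b1000000-7f20b1160000 r-xp 00000000 08:02 1882700 /lib/libc-2.9.so
EOF
    echo "$d"
}

# Usage on a live system: lib_users libnsl ; stale_lib_users
```

Against a live system both functions read /proc and need root to see other users' processes. lsof shows the same condition as a (deleted) suffix in its NAME column, and on Red Hat systems needs-restarting from yum-utils automates the same scan after an update.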
Verifying Signed Packages using GNU Privacy Guard
GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. The distributor signs each package with its private key (secret key), and anyone holding the matching public key can verify that signature. If the signature on a package does not verify against the public key distributed by the OS vendor during RPM verification, the package may have been altered (or was never signed by the vendor) and therefore cannot be trusted.
The vendor's public key ships on the installation media as the file RPM-GPG-KEY. Assuming the disc is mounted in /mnt/cdrom, use the following command to import it into the keyring (a database of trusted keys on the system); rpm -q gpg-pubkey lists the keys already imported. Compare the key's fingerprint with the one the vendor publishes before importing it, since a key obtained from an untrusted source only vouches for whatever that source signed.
rpm --import /mnt/cdrom/RPM-GPG-KEY
To verify all the downloaded packages at once, issue the following command:
rpm -K /tmp/updates/*.rpm
For each package rpm prints one line. If the signature verifies against an imported key, the line ends in OK and names the signature that was checked (pgp on older rpm releases, signatures on current ones). A line containing NOT OK means a signature or digest failed, and NOT OK (MISSING KEYS: ...) means the signing key has not been imported. Note that an unsigned package whose digests are intact also prints OK, listing only the digests (sha1 md5 on older releases, digests on current ones) and no signature, so a bare OK does not prove the package came from the vendor.
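The following shell script is an added example, not from the page or from rpm's own tooling. It parses rpm -K output and refuses a batch of packages unless every line both ends in OK and shows that a signature, not merely the digests, was checked. The lines in SAMPLE are constructed to illustrate the output formats of older (pgp md5 OK) and current (digests signatures OK) rpm releases; the file names in them are invented.

```shell
# Added example: gate a batch of downloaded packages on their GPG signatures.
# rpm -K prints one line per package. A package passes only when the line ends
# in "OK" AND names a signature check; an unsigned package with intact digests
# also prints "... OK", so testing for "OK" alone would accept it.

# Read rpm -K output on stdin; print "FAIL <reason> <file>" for each package
# that does not carry a good signature; exit 1 if any failed, 0 otherwise.
check_rpm_sigs() {
    awk '
        {
            file = $1; sub(/:$/, "", file)
            if ($0 ~ /NOT OK/) {
                reason = ($0 ~ /MISSING KEYS/) ? "unknown-key" : "bad-signature"
                print "FAIL", reason, file; bad = 1
            } else if ($0 !~ /(pgp|gpg|PGP|GPG|signatures)/) {
                print "FAIL", "unsigned", file; bad = 1      # digests only
            } else if ($0 !~ / OK$/) {
                print "FAIL", "unparsed", file; bad = 1      # unexpected format
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Real use (needs rpm and root): install nothing unless every package passes.
verify_and_install() {
    rpm -K "$@" | check_rpm_sigs || { echo "refusing to install" >&2; return 1; }
    rpm -Uvh "$@"
}

# Constructed sample of rpm -K output (not captured from a real system):
SAMPLE='/tmp/updates/bash-4.2.46-34.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
/tmp/updates/curl-7.61.1-22.el8.x86_64.rpm: digests signatures OK
/tmp/updates/openssl-1.0.2k-19.el7.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#f4a80eb5)
/tmp/updates/tampered.rpm: RSA sha1 MD5 NOT OK
/tmp/updates/homebuilt.rpm: sha1 md5 OK
/tmp/updates/local.rpm: digests OK'

# Usage: printf '%s\n' "$SAMPLE" | check_rpm_sigs
```

An unknown-key result is fixed by importing the vendor key (after checking its fingerprint), never by skipping the check; bad-signature and unsigned results mean the package is not what the vendor shipped and must not be installed.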
To find out what a particular driver/module does, the modinfo command (program to show information about a Linux Kernel module) can be used in many cases. modinfo extracts information from the Linux Kernel modules given on the command line. If the module name is not a filename, then the /lib/modules/version directory is searched, as done by modprobe(8). With -d only the module's description is printed:
root@:~# modinfo -d i915
Intel Graphics
root@:~# modinfo -d soundcore
Core sound module
root@:~# modinfo -d ext3
Second Extended Filesystem with journaling extensions
To set parameters during module loads, add lines of the form options module parameter=value to /etc/modprobe.conf on older RHEL releases or /etc/modprobe.conf.local on older SLES releases; current releases of both read drop-in files from /etc/modprobe.d/*.conf instead. modinfo -p lists the parameters a module accepts.
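The following shell script is an added example rather than something from the page. It writes a modprobe.d drop-in that sets a parameter in the options form just described and, going one step further, uses the install directive to keep modules from being loaded at all, then reads the directory back the way modprobe would for a given module name. The module names, the file name 99-hardening.conf and the functions are illustrative; the directory is passed as a parameter so the script can be tried in a scratch directory before touching /etc/modprobe.d.

```shell
# Added example: a modprobe.d drop-in and a reader for it.
# "options" sets parameters at load time. "install <mod> /bin/true" makes
# modprobe run /bin/true instead of loading the module, which also defeats
# on-demand loading via aliases (a plain "blacklist" line only stops alias-
# based autoloading and does not stop an explicit modprobe).

# Write $1/99-hardening.conf (module names here are illustrative).
write_modprobe_dropin() {
    confdir="$1"
    mkdir -p "$confdir"
    cat > "$confdir/99-hardening.conf" <<'EOF'
# module parameters applied at load time
options snd-hda-intel power_save=1
# modules this host must never load; /bin/true replaces the load entirely
install usb-storage /bin/true
install dccp /bin/true
install sctp /bin/true
EOF
}

# Print every options/install/blacklist/softdep directive in $1/*.conf that
# applies to module $2, in file order. modprobe treats - and _ in module
# names as interchangeable, so both sides are normalised before comparing.
module_directives() {
    confdir="$1"; mod="$2"
    cat "$confdir"/*.conf 2>/dev/null |
        awk -v mod="$mod" '
            BEGIN { gsub(/-/, "_", mod) }
            /^[ \t]*#/ || NF == 0 { next }             # comments, blank lines
            { name = $2; gsub(/-/, "_", name) }
            $1 ~ /^(options|install|blacklist|softdep)$/ && name == mod { print }'
}

# Exit 0 if module $2 is neutralised by an "install ... /bin/true" (or
# /bin/false) line somewhere in $1, exit 1 otherwise.
module_disabled() {
    module_directives "$1" "$2" | grep -Eq '^install .* /bin/(true|false)$'
}

# Usage: write_modprobe_dropin /etc/modprobe.d && module_disabled /etc/modprobe.d dccp
```

Because every *.conf in the directory is read, a later file can override an earlier one; listing the directives for a module before relying on them is the quick way to see the whole picture. A module that is already loaded is unaffected by the drop-in until it is unloaded or the system reboots.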