Code Retard

The Japanese Nintendo website is revealing a 25th Anniversary Artbook for Zelda, which is looking like more than a quick bit of cash for Nintendo; the effort put into it looks immense, and a definite must have for any Zelda fan. I will almost definitely be picking this up, depending on what I decide to get for others for Christmas; I may just buy/give them my combs and spare USB sticks.

 

 

It’s going to be 247 pages, containing concept art, information on the history of Hyrule, and the games.

Set for release in Japan on 21st December, it’ll sell for what translated to about $42 (3,255 Yen).

Are you excited or is it just me?

 

Thank you to QJ.net longtime reader Mr Pham for the news update.  If you would like to submit news or an opinion article to be published on QJ.net send an email to
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
and we will provide you with all of the details you need.

The new TweetDeck.

(Credit:
Screenshot by Seth Rosenblatt/CNET)

The new TweetDeck (download for Windows
and Mac) has launched, and it’s the first version since Twitter bought the company. There’s a new logo and blue skin to reflect that, but far bigger changes happened under the hood.

It’s not entirely clear when the new versions were released, since Twitter didn’t announce them, but the company has completely abandoned the old program. Gone is the cross-platform program built on Adobe AIR, and gone are many of its features. In its place, Twitter has built two new programs native to Windows and
Mac, respectively, and streamlined their functionality to more closely reflect the official Twitter workflow. TweetDeck is still available as a Chrome Web App, and for iOS and
Android, although they haven’t recent an upgrade like the Windows and Mac clients.

Before its purchase, TweetDeck had released native clients alongside the AIR version, but the new releases appear unrelated.

The basics of TweetDeck’s functions remain, including multiple Twitter and Facebook account support and customizable columns, while new-Twitter style retweeting and direct messaging have been improved. There’s also separate columns for Facebook newsfeeds and Facebook notifications.

Old TweetDeck users can log in with their TweetDeck accounts to save the trouble of re-entering in multiple account usernames and passwords.

Facebook is now the only non-Twitter account that TweetDeck supports. MySpace, LinkedIn, Foursquare, and Google Buzz have all been dropped. The loss of Buzz is not exactly catastrophic, but it does indicate that Twitter isn’t about to drop its hard line on cross-social network pollination. Also gone are color and font customizations, keyboard shortcuts, URL shortening service options, and TweetDeck’s tweaks to minimize API calls.

Notification box moving still exists, but now you simply grab it when it appears and drag it to the part of the screen you want it to be in. That’s a definite improvement over the weird X-Y axis widget in the old TweetDeck’s settings.

Overall, I found the new TweetDeck experience to be better than the old one. There’s less behavioral wonkiness, and it feels like it’s natural extension of Twitter. However, dropping support for all accounts besides Twitter and Facebook doesn’t bode well for people who have their hopes up for Google Plus integration.

 

If you’ve been browsing the Internet at all over the past couple of months, you’ve probably come across several Flash advertisements on pages that produce sound. While this isn’t a problem if the sound is muted by default, several of these ads begin playback immediately while also defaulting to max volume. Flash Control, an extension for Google Chrome, blocks these Flash applets from loading until you say it’s OK.

Begin by downloading and installing the Flash Control extension.

(Credit:
Screenshot by Nicole Cozma)

Navigate to a page with a Flash applet on it. You’ll notice it no longer automatically loads. You can load individual applets by left-clicking on them.

(Credit:
Screenshot by Nicole Cozma)

Alternatively, you can choose to enable Flash applets by clicking on the Flash Control icon in the navigation pane.

(Credit:
Screenshot by Nicole Cozma)

A menu of options will appear from which you can choose to enable Flash until the session closes (that is, until you close this window), just for this page, or you can add the Web site to your whitelist (recommended for sites like YouTube).

Not only does this extension improve user experience by blocking really annoying ads, there are other practical bonuses to it as well. For one, the applets that don’t load won’t be wasting any of your bandwidth. On top of that, any dangerous Flash vulnerabilities sometimes present in ads won’t be exploitable.

Love Grand Theft Auto III but can’t be bothered to pull out your PS2 or backwards-compatible PS3? Perhaps you want to steal cars and murder prostitutes at a local coffee shop or while waiting for a holiday flight? If that sound like you, then Rockstar Games’ 10-year anniversary edition of GTA III is exactly what you need, and it’s available now on the iTunes store.

 

 

Don’t have an iPad? No worries – according to the iTunes entry, the game is supported on “iPhone 4, iPhone 4S, iPod Touch 4, iPad 1 and iPad 2.” I’m not sure how enjoyable GTA III would be on an iPhone, but I can certainly see potential for the iPad version.

The game has been optimized for a touchscreen interface, received a slight makeover with HD textures and contains all of the classic Grand Theft Auto action you’ve come to expect from the franchise. This is basically the game that started it all, so if you haven’t played it you should definitely give it a look. The mobile version is raking in near-perfect review scores – it’s worth the $4.99.

What is your favorite Grand Theft Auto III memory? Are you going to pick up the iOS version?

[iTunes Store]

Google’s Cloud Print now is the default print manager in Chrome.

(Credit:
Screenshot by Seth Rosenblatt/CNET)

Google’s remote printing feature called Cloud Print got a big boost with Chrome 16, the company announced today. Cloud Print now comes directly integrated into the browser, along with a host of useful changes to the service.

The update expands Cloud Print into a more robust tool, which Google said has more than 6 million connected printers and numerous
Android and iOS apps to support it since its debut in April. Along with the Chrome integration, the new Cloud Print update gives Chromebook users a full, traditional Print Preview option, and the service now lets you save Web pages such as receipts and confirmation pages to Google Docs.

Cloud Print now can share and control printer access; its interface has been tweaked to be more
tablet-friendly; and the Print button has been developed into an element that site designers can add independently to their Web sites.

Hitting Control+P (or Command+P on a
Mac) will now default to the Cloud Print interface, although your local printer will still be selected. Cloud Print is an option from the drop-down on the left, and there’s an option below it to choose to run the print job through your operating system’s print manager.

A Google spokesperson clarified that Chrome previously had limited Cloud Print integration that depended on a Web app or Chrome extension, but it didn’t use the browser’s print flow directly. This means that both Chrome the browser and the Chrome OS have identical Cloud Print workflow.

I am 26 years old. I graduated from high-school with an unimpressive GPA, despite my intellect. In my youth, I lacked motivation and focus. I was not outspoken among any but my closest of friends, and I had no real passions in life. To this day, I have accomplished very little. To put it simply, I don’t feel I deserve a watch as nice as the Orient Automatic CFA05001B.

That’s not to say that I don’t appreciate the watch. I am, in fact, admittedly covetous of it for a number of reasons. While I admittedly find some functions of the watch to some extent superfluous, I can certainly see the usefulness of those functions to someone who is driven to travel, and whose success allows him or her to do so. I find the battery-free and power indicator mechanism to be the most useful to me, and I admit that I have had my eye on watches with similar mechanisms, albeit without the power indicator, for some time.

I did say, however, that I don’t feel I deserve a watch this nice, but there is someone who I believe is most deserving of something like this. The video of his speech at the Iowa House of Representatives in February went viral, accruing over a million hits on YouTube. The clip was shown on a variety of news channels, and although the speech was not able to prevent the passing of House Joint Resolution Six, it has not been taken up in senate, and marriage among gay and lesbian couples remains legal in Iowa. I speak, of course, of Zach Wahls.

Among his generation, or mine, I have not heard a more powerful voice. Maybe I wasn’t listening so well before, but a speech that resonates as well as Wahls’s would be heard even by those who weren’t. For the first time, I was able to hear the words of someone speaking passionately about something in which he believed, something in which I believe, and something upon which this country was founded: equality and freedom.

Many are more deserving of this watch than I, but not so many as deserving as Zach. Please consider him as the recipient of this gift.

Music has always been an important part of the Final Fantasy series. The popular role-playing games have typically featured catchy, eclectic soundtracks filled with beautiful orchestrated melodies.

Things are a bit different in Final Fantasy XIII-2, which publisher Square Enix will release on Jan. 31 for PlayStation 3 and Xbox 360. The sequel to 2010?s Final Fantasy XIII not only has terrible rap, as Wired.com pointed out in our E3 preview of the game, but a heavy metal rendition of the Chocobo theme song and other assorted pieces of atrocious music. The game’s soundtrack leaked on the Internet on Tuesday morning, and we’ve been more than a little disturbed with its contents.

Don’t believe us? Let’s play a guessing game: Read the below list of song lyrics, telling us which are from the Final Fantasy XIII-2 soundtrack and which are from the rock band Nickelback. Can you guess the source of each lyrical facepalm? (Answers on page 2.)

Final Fantasy XIII-2 or Nickelback?

1. If everyone cared and nobody cried / If everyone loved and nobody lied / If everyone shared and swallowed their pride / Then we’d see the day when nobody died

2. People of the light come out stand tall / Be strong through the night come one come all / Warriors stay loud stay proud don’t shroud the features you are blessed with

3. Don’t be ashamed of your race or the place that you’re from

4. It’s not a human walk, it’s the human race / If we were living on the edge, taking too much space

5. Saddle up if you think you can ride in this rodeo

6. So I’ll be holdin’ my own breath / Right up to the end

7. This is where time ends

8. Now is the time, today is a new day, no shadows of doubt all has been done away / A feeling washes over me make me into a higher being wash away this anguish / I am feeling

9. So cute yet fierce, is he from hell? / I cannot tell, yet I don’t even wanna know

10. [unintelligible screaming]

Pages: 1 2 View All

Fixed some bugs for you guys, enjoy!

Here is the full changelog:
**** FSD2.2 Final – Released December 11th, 2011 ****
* Thanks go out to our dedicated beta testers and the community!
* Quick Change Info: Skin functions should be faster. Scanning should be faster.
* Quick Change Info: Updating Skin faults, Basically everything should be faster :D.
* Enjoy!

(Added) ConsoleFont override. Place arial.ttf in your /Media/Fonts/ folder to override the ConsoleFont on console. This is used to get more character support
(Added) Support for Xbox 1 Icons 0×6 and 0×7 (thanks lprot)
(Fixed) Issue where missing title in xex/spa would result in missing icon
(Fixed) Xbox 1 Crash When Extracting Unknown Image Type
(Fixed) Focus bug in the customize tab UI
(Fixed) Cut off Text in System Settings
(Fixed) Cut off Game Description in FSD Flow List
(Changed) Many of the popup messages
(Fixed) File Opening Problems in SPA
(Renamed) chance of storm so it would properly load
(Fixed) ConnectX not scanning.
(Fixed) Missing icons not showing
(Changed) HTTP “BOARD” to “CASE” to match Status Bar
(Added) Meta Tag to /getdb and /gettable
(Removed) “The Weather Channel” Logo from Settings, using Google API now
(Renamed) “Shutdown FSD” to “Shutdown Xbox” for clarity in HTTP UI
(Fixed) HTML Document for Paths
(Updated) REmoved unneeded file exists checks.
(Updated) Core Optimizations
(Fixed) Access Denied Bug when Reading XEX or XBE from DVD Drive
(Fixed) Crash on DVD Tab when Xbox1 Game Executable Failed to Open
(Fixed) FSD dual pane crashing when actioning ..
(Added) SMCConfig Class to FSD (thanks cOz)
(Updated) ExConfig structs
(Updated) Converted FOpen to CreateFile
(Replaced) FileExists with FileExistsA
(Updated) FileExists to be faster
(Added) Pause and Resume to Content Manager for Title Update Scans
(Fixed) Spacing on Version Number
(Added) a Sort Algorithm to Title Update List ( Descending Version )
(Changed) Updater Scene default focus when list is empty.
(Added) HTTP Pause and Resume to Content Scanner
(Updated) File Routines to use CreateFile instead of Fopen
(Fixed) HTTP Game Launching Bug ( using incorrectly converted content id )
(Added) Launch Command To Game List in HTTP Server
(Optimized) Xbox1 Thumbnail Untiling
(Fixed) About Clipping
(Fixed) Xbox1 Icons displaying too large in HTTP Server
(Fixed) Incorrectly reported XBE Media Id (doesn’t exist)
(Updated) SQL to use more cache
(Updated) Skin to be stored in memory.
(Fixed) Xbox1 Uncompressed Icons From Displaying Incorrectly (Thanks to lprot)
(Updated) Wind in weather now matchs Temp for units.
(Readded) Code for Same Disc Swap
(Fixed) Weather for spaces in State Name
(Fixed) More weather special characters
(Fix) 7z update process.
(Fixed) Issue where Avatar Arms and Fingers wouldn’t move (makes props look funny)
(Added) Avatar Transition Effect when Signing In and Switching Profiles
(Fixed) Missing Avatar At Boot
(Added) Support for XN_SYS_AVATARCHANGED – (effective during profile creation while running FSD)
(Added) Support for XN_SYS_PROFILESETTINGSCHANGE – (effective when profile gamertag or gamerpic change while running FSD)
(Fixed) Crash when Randomizing Wallpapers
(Fixed) Focus Loss in General Settings
(Fixed) DVD Remounting after booting with no disc in drive

Linux comes with a host based firewall called Netfilter. According to the official project site:

netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.

This Linux based firewall is controlled by the program called iptables to handles filtering for IPv4, and ip6tables handles filtering for IPv6. I strongly recommend that you first read our quick tutorial that explains how to configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat Enterprise Linux. This post list most common iptables solutions required by a new Linux user to secure his or her Linux operating system from intruders.

IPTABLES Rules Example

• Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell. Do not type commands on remote system as it will disconnect your access.
• For demonstration purpose I’ve used RHEL 6.x, but the following command should work with any modern Linux distro.
• This is NOT a tutorial on how to set iptables. See tutorial here. It is a quick cheat sheet to common iptables commands.

#1: Displaying the Status of Your Firewall

Type the following command as root:
# iptables -L -n -v
Sample outputs:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Above output indicates that the firewall is not active. The following sample shows an active firewall:
# iptables -L -n -v
Sample outputs:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  394 43586 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   93 17292 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    1   142 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    0     0 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 425 packets, 113K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain wanout (1 references)
 pkts bytes target     prot opt in     out     source               destination

Where,

• -L : List rules.
• -v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix ‘K’, ‘M’ or ‘G’ for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
• -n : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.

#1.1: To inspect firewall with line numbers, enter:

# iptables -n -L -v --line-numbers
Sample outputs:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
3    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5    wanin      all  --  0.0.0.0/0            0.0.0.0/0
6    wanout     all  --  0.0.0.0/0            0.0.0.0/0
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain wanin (1 references)
num  target     prot opt source               destination
Chain wanout (1 references)
num  target     prot opt source               destination

You can use line numbers to delete or insert new rules into the firewall.

#1.2: To display INPUT or OUTPUT chain rules, enter:

# iptables -L INPUT -n -v
# iptables -L OUTPUT -n -v --line-numbers

#2: Stop / Start / Restart the Firewall

If you are using CentOS / RHEL / Fedora Linux, enter:
# service iptables stop
# service iptables start
# service iptables restart
You can use the iptables command itself to stop the firewall and delete all rules:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
Where,

• -F : Deleting (flushing) all the rules.
• -X : Delete chain.
• -t table_name : Select table (called nat or mangle) and delete/flush rules.
• -P : Set the default policy (such as DROP, REJECT, or ACCEPT).

#3: Delete Firewall Rules

To display line number along with other information for existing rules, enter:
# iptables -L INPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers | less
# iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1
You will get the list of IP. Look at the number on the left, then use number to delete it. For example delete line number 4, enter:
# iptables -D INPUT 4
OR find source IP 202.54.1.1 and delete from rule:
# iptables -D INPUT -s 202.54.1.1 -j DROP
Where,

• -D : Delete one or more rules from the selected chain

#4: Insert Firewall Rules

To insert one or more rules in the selected chain as the given rule number use the following syntax. First find out line numbers, enter:
# iptables -L INPUT -n –line-numbers
Sample outputs:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  202.54.1.1           0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED 

To insert rule between 1 and 2, enter:
# iptables -I INPUT 2 -s 202.54.1.2 -j DROP
To view updated rules, enter:
# iptables -L INPUT -n --line-numbers
Sample outputs:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  202.54.1.1           0.0.0.0/0
2    DROP       all  --  202.54.1.2           0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED

#5: Save Firewall Rules

To save firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables save
In this example, drop an IP and save firewall rules:
# iptables -A INPUT -s 202.5.4.1 -j DROP
# service iptables save
For all other distros use the iptables-save command:
# iptables-save /root/my.active.firewall.rules
# cat /root/my.active.firewall.rules

#6: Restore Firewall Rules

To restore firewall rules form a file called /root/my.active.firewall.rules, enter:
# iptables-restore
To restore firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables restart

#7: Set the Default Firewall Policies

To drop all traffic:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -L -v -n
#### you will not able to connect anywhere as all traffic is dropped ###
# ping cyberciti.biz
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

#7.1: Only Block Incoming Traffic

To drop all incoming / forwarded packets, but allow outgoing traffic, enter:
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -L -v -n
### *** now ping and wget should work *** ###
# ping cyberciti.biz
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

#8:Drop Private Network Address On Public Interface

IP spoofing is nothing but to stop the following IPv4 address ranges for private networks on your public interfaces. Packets with non-routable source addresses should be rejected using the following syntax:
# iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

#8.1: IPv4 Address Ranges For Private Networks (make sure you block them on public interface)

• 10.0.0.0/8 -j (A)
• 172.16.0.0/12 (B)
• 192.168.0.0/16 (C)
• 224.0.0.0/4 (MULTICAST D)
• 240.0.0.0/5 (E)
• 127.0.0.0/8 (LOOPBACK)

#9: Blocking an IP Address (BLOCK IP)

To block an attackers ip address called 1.2.3.4, enter:
# iptables -A INPUT -s 1.2.3.4 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -j DROP

#10: Block Incoming Port Requests (BLOCK PORT)

To block all service requests on port 80, enter:
# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

To block port 80 only for an ip address 1.2.3.4, enter:
# iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

#11: Block Outgoing IP Address

To block outgoing traffic to a particular host or domain such as cyberciti.biz, enter:
# host -t a cyberciti.biz
Sample outputs:

cyberciti.biz has address 75.126.153.206

Note down its ip address and type the following to block all outgoing traffic to 75.126.153.206:
# iptables -A OUTPUT -d 75.126.153.206 -j DROP
You can use a subnet as follows:
# iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
# iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP

#11.1: Example – Block Facebook.com Domain

First, find out all ip address of facebook.com, enter:
# host -t a www.facebook.com
Sample outputs:

www.facebook.com has address 69.171.228.40

Find CIDR for 69.171.228.40, enter:
# whois 69.171.228.40 | grep CIDR
Sample outputs:

CIDR:           69.171.224.0/19

To prevent outgoing access to www.facebook.com, enter:
# iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP
You can also use domain name, enter:
# iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
# iptables -A OUTPUT -p tcp -d facebook.com -j DROP

From the iptables man page:

… specifying any name to be resolved with a remote query such as DNS (e.g., facebook.com is a really bad idea), a network IP address (with /mask), or a plain IP address …

#12: Log and Drop Packets

Type the following to log and block IP spoofing on public interface called eth1
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
By default everything is logged to /var/log/messages file.
# tail -f /var/log/messages
# grep --color 'IP SPOOF' /var/log/messages

#13: Log and Drop Packets with Limited Number of Log Entries

The -m limit module can limit the number of log entries created per time. This is used to prevent flooding your log file. To log and drop spoofing per 5 minutes, in bursts of at most 7 entries .
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

#14: Drop or Accept Traffic From Mac Address

Use the following syntax:
# iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
## *only accept traffic for TCP port # 8080 from mac 00:0F:EA:91:04:07 * ##
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

#15: Block or Allow ICMP Ping Request

Type the following command to block ICMP ping requests:
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
Ping responses can also be limited to certain networks or hosts:
# iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
The following only accepts limited type of ICMP requests:
### ** assumed that default INPUT policy set to DROP ** #############
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
## ** all our server to respond to pings ** ##
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#16: Open Range of Ports

Use the following syntax to open a range of ports:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

#17: Open Range of IP Addresses

Use the following syntax to open a range of IP address:
## only accept connection to tcp port 80 (Apache) if ip is between 192.168.1.100 and 192.168.1.200 ##
iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

## nat example ##
iptables -t nat -A POSTROUTING -j SNAT –to-source 192.168.1.20-192.168.1.25

#17: Established Connections and Restaring The Firewall

When you restart the iptables service it will drop established connections as it unload modules from the system under RHEL / Fedora / CentOS Linux. Edit, /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows:

IPTABLES_MODULES_UNLOAD = no

#18: Help Iptables Flooding My Server Screen

Use the crit log level to send messages to a log file instead of console:
iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit

#19: Block or Open Common Ports

The following shows syntax for opening and closing common TCP and UDP ports:

 
Replace ACCEPT with DROP to block port:
## open port ssh tcp port 22 ##
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
 
## open cups (printing service) udp/tcp port 631 for LAN users ##
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
 
## allow time sync via NTP for lan users (open udp port 123) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT
 
## open tcp port 25 (smtp) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
 
# open dns server ports for all ##
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
 
## open http/https (Apache) server port to all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
 
## open tcp port 110 (pop3) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
 
## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
 
## open access to Samba file server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
 
## open access to proxy server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT
 
## open access to mysql server for lan users only ##
iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
 

#20: Restrict the Number of Parallel Connections To a Server Per Client IP

You can use connlimit module to put such restrictions. To allow 3 ssh connections per client host, enter:
# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

Set HTTP requests to 20:
# iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
Where,

1. –connlimit-above 3 : Match if the number of existing connections is above 3.
2. –connlimit-mask 24 : Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32.

#21: HowTO: Use iptables Like a Pro

For more information about iptables, please see the manual page by typing man iptables from the command line:
$ man iptables
You can see the help using the following syntax too:
# iptables -h
To see help with specific commands and targets, enter:
# iptables -j DROP -h

#21.1: Testing Your Firewall

Find out if ports are open or not, enter:
# netstat -tulpn
Find out if tcp port 80 open or not, enter:
# netstat -tulpn | grep :80
If port 80 is not open, start the Apache, enter:
# service httpd start
Make sure iptables allowing access to the port 80:
# iptables -L INPUT -v -n | grep 80
Otherwise open port 80 using the iptables for all users:
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# service iptables save
Use the telnet command to see if firewall allows to connect to port 80:
$ telnet www.cyberciti.biz 80
Sample outputs:

Trying 75.126.153.206...
Connected to www.cyberciti.biz.
Escape character is '^]'.
^]
telnet quit
Connection closed.

You can use nmap to probe your own server using the following syntax:
$ nmap -sS -p 80 www.cyberciti.biz
Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-13 13:19 IST
Interesting ports on www.cyberciti.biz (75.126.153.206):
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds

I also recommend you install and use sniffer such as tcpdupm and ngrep to test your firewall settings.

Conclusion:

This post only list basic rules for new Linux users. You can create and build more complex rules. This requires good understanding of TCP/IP, Linux kernel tuning via sysctl.conf, and good knowledge of your own setup. Stay tuned for next topics:

• Stateful packet inspection.
• Using connection tracking helpers.
• Network address translation.
• Layer 2 filtering.
• Firewall testing tools.
• Dealing with VPNs, DNS, Web, Proxy, and other protocols.

Featured Articles:

• 20 Linux System Monitoring Tools Every SysAdmin Should Know
• 20 Linux Server Hardening Security Tips
• Linux: 20 Iptables Examples For New SysAdmins
• My 10 UNIX Command Line Mistakes
• 25 PHP Security Best Practices For Sys Admins
• The Novice Guide To Buying A Linux Laptop
• Top 5 Email Client For Linux, Mac OS X, and Windows Users
• Top 20 OpenSSH Server Best Security Practices
• Top 10 Open Source Web-Based Project Management Software