Sunday, 2 October 2011

Recovery


Recovery in Linux

1. Repairing Linux ext2 or ext3 file system

            1. File system must be unmounted, we cannot repair it while it is running. Take system down to runlevel one (make sure to run all command as root user):
# init 1
            2. Unmount file system, for example if it is /home (/dev/sda3) file system then type command:
# umount /home     or
# umount /dev/sda3
            3. Now run fsck on the partition:
# fsck /dev/sda3
            However be sure to specify the file system type using -t option.
# fsck -t ext3 /dev/sda3     or
# fsck.ext3 /dev/sda3
            If we don't know our file system type then typing mount command will display file system type.
# mount
            The fsck will check the file system and ask which problems should be fixed or corrected. If we don't want type “y” every time then we can use pass -y option to fsck.
# fsck -y /dev/sda3
            Please not if any files are recovered then they are placed in /home/lost+found directory by fsck command.
            4. Once fsck finished, remount the file system:
# mount /home
            5. Go to multiuser mode
# init 3
            Read man page of fsck for more information. Make sure we replace “/dev/sda3” with our actual device name which filesystem is curupted.


2. Recover Root filesystem

            1. Try the fsck /dev/hda2 command to check the filesystem out.

            If that doesn't work. Try mke2fs -S /dev/hda2 which should write a new superblock without writing new inodes.
            Warning: Depending upon what the damage is, this (mkefs) command may make the missing data unsalvagable.

            2. We can try running this command that will run a check of your filesystem.

# /sbin/fsck -C -a /dev/hda2

            3. Open a terminal window.
# su -                                      (To switch to the root user)
# init 1                                                (To bring the system down to run level one)
            This only allows root access with no network access or daemons running.
# umount /dev/sda2                       (Unmount “/dev/sda2" file system, or partition, that we want to repair)
            Replace "/dev/sda2" with the correct device name for the partition. If the partition contains a single file system such as "/home", we can type the command "umount /home".
# fsck -y /dev/sda2             (To repair the file system)
# fsck -y -t ext3 /dev/sda2 (To repair the ext3 file system)
            This will ensure the file system is not corrupted by using the wrong file system type. The "-y" option will cause fsck to automatically fix any problems that are found.
            Repeat the "fsck" command until no more errors are reported.
# mount /dev/sda2             (To remount the file system)
# init 3                                                (To bring the system back to multi user mode)


3. Recover grub.conf boot loader file

            Step1: Insert Linux installer disk and boot with it. Go to Linux Rescue mode by firing this command.
boot: linux rescue

            Press Enter twice then select No and press Enter, then again press Enter for continue and finally press Enter for OK.  The sh prompt has appear.
sh-3.1# chroot /mnt/sysimage                (For make system the root environment)

            Step2: If we don’t know which is the boot directory, then fire bellow command? This will search and show the devices which contain the file.
sh-3.1# grub
grub> find /boot/grub/stage1 or,
grub> find /grub/stage1
            (hd0,0)
grub> root (hd0,0)
grub> setup (hd0)
grub> quit
           
Step3: Creating grub.conf file:
sh-3.1# ls /boot/ > /boot/grub/grub.conf
sh-3.1# vi /boot/grub/grub.conf

            Delete all lines except vmlinuz-x.x.xx-x.xxx and initrd-x.x.xx-x.xxx.img also add and edit some lines. Here we add only minimum and necessary entries for booting Linux OS.

title Red Hat Enterprise Linux (2.6.18-8.el5)
            root (hd0,0)
            kernel /boot/vmlinuz-2.6.18-8.el5 ro root=LABEL=/ rhgb quiet
            initrd /boot/initrd-2.6.18-8.el5.img

:wq
Descriptions:
            First line: This is the title which display during booting. You may change any title name.
            Second line: This is the boot directory. It includes hdd and its partition number.
            Third line: This is the kernel file path with its version number.  It include “ro” means read only, “root=LABLE=/” set / lable for root partition, rhgb means Red Hat Graphical Boot.

sh-3.1#          exit
            Remove Installer disk and boot system normally.


          Second Method
            You may boot Red Hat Linux which are Corrupted or Deleted grub.conf file without installere disk and also recovergrub.conf.
            Follow these steps:
            Boot the system normally.
grub> root (hd0,0)
grub> kernel /boot/vmlinuz-2.6.18-8.el5 ro root=LABEL=/ rhgb quiet
grub> initrd /boot/initrd-2.6.18-8.el5.img
grub> boot

            After fire boot command the system is going to boot. After that create or edit the grub.conf file with vi editor.


4. Reinstall Grub in Linux Using a Live CD

            "Grub" is the bootloader most commonly used by Linux operating systems, allowing the loading of both the Linux OS as well as Windows and Mac-based systems. If the Grub bootloader becomes corrupted or the boot file is otherwise damaged, Linux or any other operating systems loaded by Grub will not be able to launch. Fortunately, a Grub bootloader installation is easy to fix if it becomes damaged; all we need is a "live CD" of the Linux installation that installed Grub, which is a special version of the operating system that is designed to run directly from a CD or DVD.

            Instructions:
            1. Insert the Linux live CD in our computer's CD or DVD drive, then reboot the computer. When the first BIOS page appears, press the key indicated to access the "Boot Menu" or "Boot Options."
            2. Select the drive that contains our Linux live CD. When prompted, press a key to allow computer to boot from the disc.
            3. Wait while the live CD loads the version of Linux that is installed on it. Once it has loaded, access the terminal (this is done in Linux distros such as Ubuntu by opening the "Applications" menu, selecting the "Accessories" folder, then choosing "Terminal" from the list of accessories.)
            4. Type "sudo grub" and press "Enter" key. This will set the operating system to "Grub mode" so that it can edit the bootloader.
            5. Type "find /boot/grub/stage1" and press "Enter" to locate the hard drive and partition where bootloader is located. Once we have find this information, type "root (hdX,Y)" and press "Enter" to access that partition; "X" should be the number of the hard drive and "Y" should be the number of the partition for the bootloader.
            6. Type "setup (hdX)" with "X" being the hard drive number and press "Enter." This will set up a new copy of the Grub bootloader in the partition. Once this is finished, type "quit" and press the "Enter" key again to quit the terminal.
            7. Remove the live CD from our computer and reboot it. The Grub bootloader should load as normal without the need for the live CD.


5. ext3 Filesystem Bad Superblock Recovery

            First, obtain the size of the damaged filesystem. If our system still has df functioning, we can run df and grab the filesystem size that way. The output reports the number of 1K (1,024 bytes) blocks the filesystem is using.
            Next, find a working system if the box with the broken filesystem has lost its root filesystem. Now, invoke the magic of dd. For example, my filesystem showed up as using 101,086 blocks. So I used the following command:
# dd if=/dev/zero of=/tmp/temp bs=1024 count=101086
            Now, we’re nearly finished. Finally, build an ext3 filesystem on our new file.
# mkfs.ext2 /tmp/temp
mke2fs 1.32 (09-Nov-2002)
/tmp/temp is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
25272 inodes, 101086 blocks
5054 blocks (5.00%) reserved for the super user
First data block=1
13 block groups
8192 blocks per group, 8192 fragments per group
1944 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729
            (Not here I used “mkfs.ext2”, but the results are the same.)
            Look, our missing superblocks are revealed!
            Now, to recover, call fsck.ext3 on the damaged system.
# /sbin/fsck.ext3 -b 57345 /dev/sda1
            Carefully evaluate the prompts and decide if we want to allow fsck to proceed with filesystem repairs. If the backup superblock is also invalid, try another or follow the steps above again and double check the numbers.
            But what if we don’t have enough space to create a file as big as our lost partition? If that is the case or the partition is so huge we don’t want to wait that long for dd to complete, there is another option. The superblock locations vary depending on the blocksize used. The ext3 filesystem varies between 1024, 2048, and 4096 bytes depending on the size of the filesystem. Since the locations are neither magic or random, we can create, say, a 500MB partition and force the blocksize to match that of the damaged filesystem.
# /sbin/mkfs.ext3 -j -b 4096 /tmp/temp
            The presence or absence of a journal does not effect the location of the backup superblocks.

6. Recovering deleted /etc/shadow file

Boot system in single user mode.
sh-3.1# pwconv                              (It create shadow file from passwd file)
sh-3.1# passwd                              (For change root password)
            Enter new root password twice.
sh-3.1# startx                                   (Start system in run level 5)
            After that restore original shadow file from the backup.

IPtables

                                                               IP TABLES

IP tables is a user space application program that allows a system administrator to configure the tables provided by Linux Kernel firewall and the chains and rules it stores. IP tables is also commonly used to inclusively refer to the Kernel-Level components. X_tables is the name of the Kernel module carrying the shared code portion used by all four modules .These four modules are listed below.
1.      iptables  to IPV4.
2.      ip6tables to IPV6
3.      arptables to ARP
4.      ebtables to Ethernet Frames.

IP Tables modules are called iptable_filter.0, which should be automatically loaded when we first run iptables.It can also be built into the Kernel permanently.

Main configuration files for iptables:
1.      /etc/init.d/iptables                 (init script for start/stop/restart the services and save the rules.)
2.      /etc/sysconfig/iptables         (iptables-save conter files.)
3.      /sbin/iptables                         (The administration utility and the binary.)

For check the current status of iptables in system.
#rpm -qa | grep iptables   (For check the required packages installed or not)
# iptables - -list                    (To see what rules are currently implemented in iptables.)

Some basic terms of iptables:
1.      INPUT: Holds rules for traffic directed at this server.
2.      FORWARD: Holds rules for traffic that will be forwarding on to an IP behind this server .(i.e If the box serves as a firewall for other servers)
3.      OUTPUT: Holds rules for traffic that is coming from this server out to the Internet .
4.      ACCEPT: Traffic is accepted for delivery.
5.      REJECT: Traffic is rejected, sending a packet back to the sending host.
6.      DROP: The traffic is dropped and nothing is sent back to the sending host.
7.      NEW: Server 1.connects to Server2 issuing a synchronize packet.
8.      RELATED: Server2 receives the SYN packet and then responds with a SYN-ACK (i.e Synchronize Acknowledgment packet).
9.      ESTABLISHED: Server1 receives the SYN-ACK packet and then responds with the final ACK (Acknowledgment Packet.)

IP Tables Configuration:
First install the required rpm and check it for install:
# rpm –ivh iptables-1.3.5-4.el5
# rpm –ivh iptables-ipv6-1.3.5-4.el5
# rpm -qa | grep iptables                          (For check installed rpms)

Start the services
# service iptables start
# service iptables stop
# service iptables restart

Start the iptables at various run levels
#chkconfig –list iptables
# chkconfig iptables on
# service iptables status

Current Iptables  Status
# iptables - - list       or,
# iptables –L

Remove All Entries from Iptables
# iptables –flush     or,
# iptables -F

 Examples:
# iptables -A INPUT -s 192.168.1.10 -d 10.1.15.1 -p tcp  - - dport 22  -j  ACCEPT

Its means that iptables is being configured to allow the firewall to accept tcp packets coming in from source 192.168.1.10 to destination 10.1.15.21.

Description:
-A:         tells iptables to appened the rules to the INPUT chain. It makes changes in the iptables list but in the last line.
-s:          Source address, this rule only pertains to traffic coming from this IP.
-d:          Destination address, this rule only pertains to traffic going to this IP.
-p:          Protocol, specifying traffic which is either TCP/UDP or if anyone else.
--dport: Destination port specifying traffic which is for TCP/UDP port (Here port 22 is used for ssh if we want to smtp put –dport25)
-j:           Jump, if everything in this rule are correct.

Apart from then two more terms are used:
1.  Pre-routing: NAT's packet when the destination address of the packet needs to be changed.
2.  Post-routing: NAT's packet when the source address of the packets needs to be changed.

SOME WORKING RELATED EXAMPLES:

1.     Set Default Chain Policies: The default chain policy is ACCEPT.
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP

2.     To accept the Packet from any particular IP on particular Ethernet.
# iptables -A INPUT -s 0/0  -i eth0 -d 192.168.0.200 -p TCP -j ACCEPT
# service iptables save
(This rule allow to the accept any packet from the IP 192.168.0.200 only on interface eth0)

3.     To block the incoming packet from any particular IP.
# iptables -A INPUT -s 192.168.0.200 -j DROP
# service iptables save
(This rule stops the pinging from the particular IP 192.168.0.200)

4.     To delete any particular RULE from the iptables.
# iptables -D INPUT -s 192.168.0.200 -j DROP
# service iptables save .
(This rule delete the entry of pinging restriction from IP 192.168.0.200 and start the pinging as usual).

5.     To Block any particular websites on the system.
# iptables -A  INPUT -s www.gmail.com  -j  DROP
# service iptables save
(This rule block the particular site www.gmail.com to open on the system to reopen same as step3)
6.    Block a Specific ip-address.
# iptables -A INPUT -s 192.168.2.100 -j DROP
# iptables -A INPUT -i eth0 -s 192.168.2.100 -j DROP
# iptables -A INPUT -i eth0 -p tcp -s 192.168.2.100 -j DROP

7.    Allow ALL Incoming SSH on eth0 interface.
# iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

8.    Allow Incoming SSH only from a Sepcific Network.
# iptables -A INPUT -i eth0 -p tcp -s 192.168.2.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

9.    Allow Incoming HTTP and HTTPS.
# iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

7. Combine Multiple Rules together using Multi Ports
# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

8. Allow Outgoing SSH
# iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

9. Allow Outgoing SSH only to a Specific Network
# iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

10. Allow Outgoing HTTPS
# iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

11. Load Balance Incoming Web Traffic
# iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
# iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
# iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

12. Allow Ping from Outside to Inside
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

13. Allow Ping from Inside to Outside
# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

14. Allow Loopback Access
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT

15. Allow Internal Network to External network.
# iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

16. Allow outbound DNS
# iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
# iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

17. Allow NIS Connections
If NIS to manage our user accounts, we should allow the NIS connections. Even when the SSH connection is allowed, if we don't allow the NIS related ypbind connections, users will not be able to login.
The NIS ports are dynamic. i.e When the ypbind starts it allocates the ports.
First do a rpcinfo -p as shown below and get the port numbers. In this example, it was using port 853 and 850.
# rpcinfo -p | grep ypbind
Now allow incoming connection to the port 111, and the ports that were used by ypbind.
# iptables -A INPUT -p tcp --dport 111 -j ACCEPT
# iptables -A INPUT -p udp --dport 111 -j ACCEPT
# iptables -A INPUT -p tcp --dport 853 -j ACCEPT
# iptables -A INPUT -p udp --dport 853 -j ACCEPT
# iptables -A INPUT -p tcp --dport 850 -j ACCEPT
# iptables -A INPUT -p udp --dport 850 -j ACCEPT
The above will not work when you restart the ypbind, as it will have different port numbers that time.
There are two solutions to this: 1) Use static ip-address for your NIS, or 2) Use some clever shell scripting techniques to automatically grab the dynamic port number from the "rpcinfo -p" command output, and use those in the above iptables rules.

18. Allow Rsync From a Specific Network
# iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

19. Allow MySQL connection only from a specific network
If you are running MySQL, typically you don't want to allow direct connection from outside. In most cases, you might have web server running on the same server where the MySQL database runs.
However DBA and developers might need to login directly to the MySQL from their laptop and desktop using MySQL client. In those case, you might want to allow your internal network to talk to the MySQL directly as shown below.
# iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

20. Allow Sendmail or Postfix Traffic
# iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

21. Allow IMAP and IMAPS
# iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
The following rules allow IMAPS traffic.
# iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

22. Allow POP3 and POP3S
# iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
The following rules allow POP3S access.
# iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

23. Prevent DoS (Denial of Service) Attack
# iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
In the above example:
-m limit: This uses the limit iptables extension
-limit 25/minute: This limits only maximum of 25 connection per minute. Change this value based on your specific requirement
-limit-burst 100: This value indicates that the limit/minute will be enforced only after the total number of connection have reached the limit-burst level.

24. Port Forwarding
The following example routes all traffic that comes to the port 442 to 22. This means that the incoming ssh connection can come from both port 22 and 422.
# iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
If you do the above, you also need to explicitly allow incoming connection on the port 422.
# iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT

25. Log Dropped Packets
You might also want to log all the dropped packets. These rules should be at the bottom.
First, create a new chain called LOGGING.
# iptables -N LOGGING
Next, make sure all the remaining incoming connections jump to the LOGGING chain as shown below.
# iptables -A INPUT -j LOGGING
Next, log these packets by specifying a custom "log-prefix".
# iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
Finally, drop these packets.
# iptables -A LOGGING -j DROP



IP Tables NAT:
It is responsible for network address translation. It has two built-in chains.

PREROUTING: Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.

POSTROUTING: Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.

Configure NAT:
Step 1: First need to tell the kernel that we want to allow IP forwarding. For this do the following.
# echo 1 > /proc/sys/net/ipv4/ip_forward

Step 2:          
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth0 -o eth1 -m state - -state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Forward a packet from our internal network “/dev/eth1” to your external network on “/dev/eth0”.

Step 3: For checking this we can ping on external hosts from one of any internal hosts.

Step 4:
# vim /etc/sysctl.conf
            Change in the line no. 7 “net.ipv4.ip_forward = 0” to “net.ipv4.ip_forward = 1”. After change this no need to re-boot for kernel update.

Step 5:
# service iptables save
# service iptables restart

Step 6:
# vim /etc/sysconfig/iptables-config
            IPTABLES_MODULES_UNLOAD=“yes”
            IPTABLES_SAVE_ON_STOP=“yes”
            IPTABLES_SAVE_ON_RESTART=“yes”


        Routing traffic between two networks with iptables
Actually, you don't really need iptables for basic routing - iptables helps you with filtering and NAT (and other things too).

You can activate packet forwarding with:
sysctl -w net.ipv4.conf.all.forwarding=1

Add net.ipv4.conf.all.forwarding=1 to /etc/sysctl.conf to make the setting stick.

In case you are filtering on the server (you can check this with iptables -nvL - if the FORWARD chain has policy ACCEPT you're not filtering), you need to add rules to allow the packets to be forwarded between networks:

iptables -I FORWARD -i eth0 -o wlan0 -s wi.red.net.work/24 -d wire.less.net.work/24 -j ACCEPT
iptables -I FORWARD -i wlan0 -o eth0 -s wire.less.net.work/24 -d wi.red.net.work/24 -j ACCEPT

If you aren't filtering but want to (you should too, by the way - see @Red Tux's comment, it's good practice to filter by default and allow only the minimum) add the previous rules plus this one:

iptables -P FORWARD DROP

This changes the policy so all packets not matching any rules are discarded.

Also, if you're going for real security, you should probably filter on the INPUT chain as well. This chain processes requests coming to your router with a destination IP that matches one of its own - that is, incoming connections (for example SSH). A sensible default would be:

iptables -I INPUT -i eth0 -s allowed.admin.ip.here -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
# make sure you've put your IP on the first rule before running this
# or you'll lock you out of the server

This allows SSH only from a designed host in the wired network (take note of the warning), allows all traffic on the loop back interface (required by some software) and discards all the rest.

As you can see you can allow only some ports through using -p tcp|udp --dport N. You should consider doing this on the FORWARD chain too for increased security.

Boot to UEFI Mode or legacy BIOS mode

Boot to UEFI Mode or legacy BIOS mode Choose UEFI or legacy BIOS modes while installing Windows. After Windows is installed, if you nee...