Even if you work for a dedicated-server company whose servers are fully unmanaged, there are a few iptables commands you should know for the situations that come up. The reason is that as a DC tech you are ultimately obligated to ensure the client's access to their server. With that said, the first command you should know is:
iptables -I INPUT -j ACCEPT
This command makes it so that ALL traffic is accepted from remote systems and provides NO filtering. It matters because if you do enough DC work, sooner or later someone will lock themselves out of their own server. Typically the symptoms are no access at all, and the traceroute's last hop is the cabinet switch just before their server. Once you have added this rule, be sure you can ping out from the server and ping into it before heading back to the NOC. You can save yourself many trips in a day this way.
The other command you should know is:
iptables -I INPUT -s <sourceip> -j DROP
where the IP in question is an attacker. Big attacks tend to get null-routed, but in many cases smaller attacks can plausibly be blocked at the server, especially if they do not completely overrun the server's network connection. Script kiddies are also very adaptive, so it may be easier to block traffic server-side than to add a ton of null routes.
iptables -I OUTPUT -d <destip> -j DROP
This command is the last one in our iptables survival toolbox. It is here because an outbound DoS can saturate an uplink rather quickly, which can leave the machine impossible to SSH into to isolate and remove the script. If the script is DoSing a single IP address and you know which one, all you have to do is drop every packet going to it. Even if the script keeps running, getting that traffic off the NIC is enough to restore access without disrupting the server further by stopping Apache.
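The three commands above wrapped as a small shell toolbox, an added example that is not part of the original post: it validates the address argument before it reaches the rule, skips a DROP that is already present, and pairs the emergency ACCEPT with the matching -D so it can be removed once the client has fixed their own ruleset. The function names and the DRY_RUN variable are assumptions of this example, not anything from the post.

```shell
#!/bin/sh
# Emergency iptables toolbox (added example). Set DRY_RUN=1 to print the
# command that would run instead of executing it; that also lets this file
# be exercised on a machine without root or iptables. Rules added here live
# in kernel memory only and do not survive a reboot unless saved.
IPT=${IPT:-iptables}

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept exactly one dotted-quad IPv4 address. Anything else (spaces, CIDR,
# IPv6, extra flags) is refused so it cannot alter the rule being built.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
}

# 1. Lockout recovery: -I with no position lands the rule at position 1.
emergency_open()  { run "$IPT" -I INPUT -j ACCEPT; }
# Undo it afterwards; -D removes the first rule matching the same spec.
emergency_close() { run "$IPT" -D INPUT -j ACCEPT; }

# 2. Inbound attacker: -C first so repeated runs do not stack duplicates.
block_source() {
  valid_ipv4 "$1" || { echo "block_source: bad IPv4 '$1'" >&2; return 2; }
  if [ -z "${DRY_RUN:-}" ] && "$IPT" -C INPUT -s "$1" -j DROP 2>/dev/null; then
    return 0
  fi
  run "$IPT" -I INPUT -s "$1" -j DROP
}

# 3. Outbound DoS: stop the box talking to the victim so SSH comes back.
block_dest() {
  valid_ipv4 "$1" || { echo "block_dest: bad IPv4 '$1'" >&2; return 2; }
  run "$IPT" -I OUTPUT -d "$1" -j DROP
}

# Show the live chains in iptables-save syntax to confirm where inserts landed.
show_rules() { run "$IPT" -S INPUT; run "$IPT" -S OUTPUT; }
```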
This guide covers only the extreme basics of iptables. Its learning curve is fairly steep, but as with most Linux tools that is a consequence of its intrinsic power.