Virtuozzo iptables firewall

by on December 5, 2004 · 26 comments · Last updated October 2, 2007


Recently I got a chance to play with a Virtuozzo VPS. The good news is that they are good for reducing cost; the bad news (as of Dec-04, 2004) is that they do not support the full iptables rule set, such as --state and --log. After spending more than 4 hours I was able to set up a simple but effective firewall on a Red Hat Enterprise Linux Virtuozzo VPS. Here is the script. Make sure you customize it for your environment.



1 Anonymous March 23, 2005 at 2:42 pm

Thanks a lot, this helped me a lot. Please post it here if you find a way to make it more secure.

thanks
kev


2 Anonymous April 19, 2005 at 9:53 pm

This looks great! Although I am using CPANEL on a VPS, and need to make sure this will help protect me, yet allow the CPANEL ports needed to work. How can I modify this script to allow the following ports:

TCP_IN="20 21 25 53 80 110 143 443 995 2082:2083 2086:2087 2095:2096 3306"

TCP_OUT="21 22 25 37 43 53 80 443 873 2089"

I think there would be a lot of us that could use this script if the above changes can be made to accommodate us CPANEL users.


3 nixcraft April 21, 2005 at 6:23 pm

Ok! Give me some time and I will modify the script for specific ports in and out :) Come back here later …


4 Anonymous April 25, 2005 at 3:31 pm

Any progress with the cPanel ports?


5 nixcraft April 26, 2005 at 5:07 pm

Okay, see the URL.
Test it and let me know… Read the comments carefully before applying the rules; if you have any doubt, comment back. Since I don't have CPANEL and a VPS now, I modified the old one; you have to test it.


6 Anonymous June 24, 2005 at 6:23 pm

Hi,

thanks for this script. I am fairly new to VPS and Linux :/

For the myIPS section, do I use all the IPs that are listed (some are 192.168. etc.)??

The NS1 and NS2 sections – what are these for? How do I use them?

Thanks for any help :)


7 Vivek Gite June 25, 2005 at 7:54 pm

>for myIPS section, do i use all the ips that are listed (some are 192.168. etc) ??
Assign all your IPs to the variable, so if you have 3 IPs 65.22.22.1 65.22.22.3 65.22.22.2 then it should look as follows:
myISP="65.22.22.1 65.22.22.3 65.22.22.2"

>the NS1 and NS2 sections – what are these for? how do I use them?
NS1 = IP address of your own/ISP DNS server
NS2 = IP address of your own/ISP DNS server
These can be found in the file /etc/resolv.conf
So if your nameserver IPs are 202.54.1.2 202.54.2.20 then set it up as follows:
NSIP="202.54.1.2 202.54.2.20"

Appreciate your post; if you have more questions, reply back.


8 Anonymous June 27, 2005 at 5:46 pm

Thanks for all your help. I notice that the Virtuozzo has two interfaces: venet0 and venet0:0. Can you explain what they are? :)

Thanks. I will try and use the firewall tonight.


9 Anonymous June 27, 2005 at 9:29 pm

After doing a bit of research I learned that venet0:0 is an alias of venet0. Why is this necessary?

The name servers that are in resolv.conf, what are they for and where did they come from?

I am a big noob! :)

After running your script all seems to be working! Thank you so much for your effort and help!

Stewart (who is a web designer / noobie Linux fan)


10 Vivek Gite June 28, 2005 at 12:27 am

>that venet0:0 is an alias of venet0. why is this necessary?

venet0:0 is part of "Virtuozzo VPS" and it is created to assign an IP address to your system.

>the name servers that are in resolv.conf, what are they for and where did they come from?

They are used to translate http://www.yahoo.com or http://www.yourdomain.com to an IP address or vice versa. They are added by your service provider admin, i.e. the company from whom you bought the VPS server.

Hope this helps!


11 Anonymous January 1, 2006 at 5:50 pm

I have purchased 2 VPSs with 3 IPs each, and I want to allow a connection from the first VPS (from IP #1) to the second VPS (to IP #1). Unfortunately the script doesn't work.
It looks like this:
iptables -A INPUT -p tcp -s $IP1 --sport 1024:65535 -d $IP2 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s $IP2 --sport 22 -d $IP1 --dport 1024:65535 -j ACCEPT

Before these lines, I set the policies of the chains INPUT, OUTPUT and FORWARD to DROP.

The result is that I can't access ip2 from ip1. Could someone help me with that?


12 nixcraft January 1, 2006 at 7:25 pm

Your rules seem to be ok. Try setting sport to 513:65535 as ssh may go that low. Another thing is you need to allow outgoing ssh access from IP1 to IP2.

IP1="202.54.1.20"
IP2="202.54.1.22"

iptables -A INPUT -p tcp -s $IP1 --sport 513:65535 -d $IP2 --dport 22 -j ACCEPT

iptables -A OUTPUT -p tcp -s $IP2 --sport 22 -d $IP1 --dport 513:65535 -j ACCEPT


13 Anonymous March 2, 2006 at 11:44 pm

There is a bug in the script in the DNS section. The last line for the TCP case should be

iptables -A INPUT -p tcp -s $mip --sport 53 -d $ip --dport 1024:65535 -j ACCEPT

instead of

iptables -A INPUT -p tcp -s $ip --sport 53 -d $ip --dport 1024:65535 -j ACCEPT


14 nixcraft March 3, 2006 at 8:59 am

Okay, bug fixed :) thanks.


15 Anonymous March 8, 2006 at 7:46 pm

Will your script work with CentOS 4.2?


16 nixcraft March 8, 2006 at 7:49 pm

>Will your script work with CentOS 4.2?

Yup, it should work as iptables is available on both distros. CentOS is nothing but a free version of RHEL.


17 Anonymous March 8, 2006 at 7:50 pm
18 Anonymous March 8, 2006 at 9:49 pm

Thanks for this script.

As I use Cpanel, I would be interested to see your mods for it, but the URL you quoted elsewhere in the thread doesn't seem to work any more (even after changing the extension to .php). Could you possibly put those mods up again?

Regards,

Norman


19 nixcraft March 8, 2006 at 10:09 pm

Oops!

Looks like I deleted the modified script. Anyway, it must be somewhere in a backup copy; right now I am at work but I will post it tomorrow.

Sorry for the inconvenience :(


20 Anonymous March 12, 2006 at 7:42 pm

Any news with the Cpanel mods?


21 nixcraft March 13, 2006 at 9:22 pm

Ok, I found the file in an old backup and I have uploaded it here.

Test it and let me know. It is the same file which was removed by me.


22 Anderson October 2, 2007 at 1:56 am

Hello,
I'm really new to Linux and VPS servers
and under DDoS attack.

Can I know what are the most important rules?

I already added mod_evasive for the Virtuozzo VPS but it doesn't seem to be ok because my httpd conf changes after the first 10 seconds of the attack.

How can I find the complete tutorial to add these firewall rules?

Thank you.



24 ecoagora January 5, 2008 at 9:43 pm

Sorry for the late post; hopefully I'm not opening a can of worms…

Am I missing something, or should the following be part of the script (at the bottom)? (first time using iptables)

service iptables save
service iptables restart

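The thread above raises four points that all land in the same script: the variables for your own IPs and nameservers (comment 7), the DNS reply rule that must use the nameserver `$mip` as source (comment 13), ssh between two VPS IPs with `--sport 513:65535` plus the missing outgoing direction (comments 11 and 12), and saving the rules (comment 24). The following is an added example written for this page, not the author's original script; it emits stateless rules (no `--state`, as the Virtuozzo kernel of the time lacked it), and every address in it is a constructed placeholder you must replace.

```shell
#!/bin/sh
# Added example (not the post's original script): stateless iptables rules for a
# Virtuozzo VPS without the state match, folding in the thread's fixes. Without
# conntrack, every reply packet needs its own explicit rule.
IPT="${IPT:-iptables}"                        # set IPT="echo iptables" to dry-run
myIPS="${myIPS:-203.0.113.10 203.0.113.11}"   # this VPS's addresses (constructed)
NSIP="${NSIP:-198.51.100.2 198.51.100.3}"     # nameservers from /etc/resolv.conf (constructed)
PEER="${PEER:-203.0.113.20}"                  # the other VPS allowed to ssh (constructed)

gen_rules() {
    # Flush, then default-deny on every chain, loopback excepted.
    echo "$IPT -F"
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P OUTPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    for ip in $myIPS; do
        # DNS: queries leave from an unprivileged port; replies come back from
        # the nameserver ($mip) port 53, not from our own $ip (comment 13's fix).
        for mip in $NSIP; do
            for proto in udp tcp; do
                echo "$IPT -A OUTPUT -p $proto -s $ip --sport 1024:65535 -d $mip --dport 53 -j ACCEPT"
                echo "$IPT -A INPUT -p $proto -s $mip --sport 53 -d $ip --dport 1024:65535 -j ACCEPT"
            done
        done
        # Inbound ssh from the peer VPS; ssh clients may bind ports as low as 513.
        echo "$IPT -A INPUT -p tcp -s $PEER --sport 513:65535 -d $ip --dport 22 -j ACCEPT"
        echo "$IPT -A OUTPUT -p tcp -s $ip --sport 22 -d $PEER --dport 513:65535 -j ACCEPT"
        # Outbound ssh to the peer VPS: the direction comment 12 notes was missing.
        echo "$IPT -A OUTPUT -p tcp -s $ip --sport 513:65535 -d $PEER --dport 22 -j ACCEPT"
        echo "$IPT -A INPUT -p tcp -s $PEER --sport 22 -d $ip --dport 513:65535 -j ACCEPT"
    done
}

apply_rules() {
    # Run each generated command, then persist the rule set across reboots
    # on RHEL/CentOS, as comment 24 asks (requires root).
    gen_rules | while read -r cmd; do eval "$cmd"; done
    service iptables save
}

# Print the rule set; call apply_rules as root to install it.
gen_rules
```

Review the printed rules for your own addresses before calling apply_rules, since a mistake with a DROP policy and no conntrack can lock you out of the VPS.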

25 Ashraf July 28, 2009 at 12:09 am

Hello,

When I add an IP to reject the connection, it does not work. And the website works for a few minutes when I restart the VPS service; again it does not load the page or is very slow. Is this something to do with the default firewall on Virtuozzo?


26 Jigme January 23, 2010 at 9:02 am

Hi,

Thanks so much for sharing!

Would your script work with a Debian Etch Virtuozzo VPS?

Thanks so much again,

