
Virtuozzo iptables firewall

Recently I got a chance to play with a Virtuozzo VPS. The good news is that they are good for reducing cost; the bad news (as of Dec-04, 2004) is that they do not support the full iptables rule set, such as --state and --log. After spending more than 4 hours I was able to set up a simple but effective firewall on a Red Hat Enterprise Linux Virtuozzo VPS. Here is the script. Make sure you customize it for your environment.


  • Anonymous March 23, 2005, 2:42 pm

    thanks a lot, this helped me a lot, please post it here, if you found a way to make it more secure,

    thanks
    kev

  • Anonymous April 19, 2005, 9:53 pm

    This looks great! Although I am using CPANEL on a VPS, and need to make sure this will help protect me, yet allow the CPANEL ports needed to work. How can I modify this script to allow the following ports:

    TCP_IN="20 21 25 53 80 110 143 443 995 2082:2083 2086:2087 2095:2096 3306"

    TCP_OUT="21 22 25 37 43 53 80 443 873 2089"

    I think there would be a lot of us that could use this script if the above changes can be made to accommodate us CPANEL users.

  • nixcraft April 21, 2005, 6:23 pm

    Ok! Give me some time and I will modify the script for specific ports in and out :) come back later here …

  • Anonymous April 25, 2005, 3:31 pm

    Any progress with the cpanel ports?

  • nixcraft April 26, 2005, 5:07 pm

    Okay see url.
    Test it and let me know… read the comments carefully before applying rules; if in any doubt, comment it back. Since I don’t have CPANEL and VPS now, I modified the old one; you have to test it.

  • Anonymous June 24, 2005, 6:23 pm

    hi

    thanks for this script. i am fairly new to vps and linux :/

    for myIPS section, do i use all the ips that are listed (some are 192.168. etc) ??

    the NS1 and NS2 sections – what are these for? how do I use them?

    thanks for any help :)

  • Vivek Gite June 25, 2005, 7:54 pm

    >for myIPS section, do i use all the ips that are listed (some are 192.168. etc) ??
    Assign all your IPs to the variable, so if you have 3 IPs 65.22.22.1 65.22.22.3 65.22.22.2 then it should look as follows:
    myISP="65.22.22.1 65.22.22.3 65.22.22.2"

    >the NS1 and NS2 sections – what are these for? how do I use them?
    NS1= IP address of your own/ISP DNS server
    NS2= IP address of your own/ISP DNS server
    This can be found in the file /etc/resolv.conf
    So if your nameserver IPs are 202.54.1.2 202.54.2.20 then set it up as follows:
    NSIP="202.54.1.2 202.54.2.20"

    Appreciate your post, if you have more question reply back.

  • Anonymous June 27, 2005, 5:46 pm

    thanks for all your help. i notice that the virtuozzo has two interfaces: venet0 and venet0:0 can you explain what they are? :)

    thanks. i will try and use the firewall tonight

  • Anonymous June 27, 2005, 9:29 pm

    after doing a bit of research i learned that venet0:0 is an alias of venet0. why is this necessary?

    the name servers that are in resolv.conf, what are they for and where did they come from?

    i am a big noob! :)

    after running your script all seems to be working! thank you so much for your effort and help!

    stewart (who is a web designer / noobie linux fan)

  • Vivek Gite June 28, 2005, 12:27 am

    >that venet0:0 is an alias of venet0. why is this necessary?

    venet0:0 is part of “Virtuozzo VPS” and it is created to assign IP address for your system.

    >the name servers that are in resolv.conf, what are they for and where did they come from?

    They are used to translate http://www.yahoo.com or http://www.yourdomain.com to an IP address or vice versa. They are added by your service provider admin, i.e. the company from whom you bought the VPS server.

    Hope this helps!

  • Anonymous January 1, 2006, 5:50 pm

    I have purchased 2 VPS’s with 3 IPs each, and I want to allow connection from the first VPS (from IP #1) to the second VPS (to IP #1). Unfortunately the script doesn’t work.
    It looks like this:
    iptables -A INPUT -p tcp -s $IP1 --sport 1024:65535 -d $IP2 --dport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp -s $IP2 --sport 22 -d $IP1 --dport 1024:65535 -j ACCEPT

    before these lines, i set the policies of chains INPUT,OUTPUT and FORWARD to DROP.

    the result is that i can’t access from ip1 to ip2. could someone help me with that?

  • nixcraft January 1, 2006, 7:25 pm

    Your rules seem to be ok. Try to set sport to 513:65535 as ssh may go that low. Another thing is you need to allow outgoing ssh access from IP1 to IP2

    IP1="202.54.1.20"
    IP2="202.54.1.22"

    iptables -A INPUT -p tcp -s $IP1 --sport 513:65535 -d $IP2 --dport 22 -j ACCEPT

    iptables -A OUTPUT -p tcp -s $IP2 --sport 22 -d $IP1 --dport 513:65535 -j ACCEPT

  • Anonymous March 2, 2006, 11:44 pm

    There is a bug in the script in DNS section. The last line for TCP case should be

    iptables -A INPUT -p tcp -s $mip --sport 53 -d $ip --dport 1024:65535 -j ACCEPT

    instead of

    iptables -A INPUT -p tcp -s $ip --sport 53 -d $ip --dport 1024:65535 -j ACCEPT

  • nixcraft March 3, 2006, 8:59 am

    Okai bug fixed :) thanks.
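
A combined worked example for the two exchanges above (the stateless SSH rule pair and the DNS reply rule whose source must be the nameserver, not the VPS itself). This is added here and is not the post's original script or any commenter's code; the addresses, the `IPT` dry-run wrapper and the function names are assumptions:

```shell
#!/bin/sh
# Added example: stateless iptables rules for a Virtuozzo VPS that lacks the
# "state" match. Without connection tracking, every allowed conversation needs
# an INPUT rule and a mirrored OUTPUT rule for the reply direction.
# IPT defaults to "echo iptables" so the rules are printed, not applied;
# run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"
IP="203.0.113.10"                 # assumed VPS address (constructed)
NSIP="203.0.113.53 203.0.113.54"  # assumed resolvers from /etc/resolv.conf (constructed)
HIGH="1024:65535"                 # unprivileged client port range

# Inbound service reachable from anywhere, e.g. sshd on 22 or httpd on 80.
allow_in() {   # allow_in <proto> <port>
    $IPT -A INPUT  -p "$1" -d "$IP" --dport "$2" --sport "$HIGH" -j ACCEPT
    $IPT -A OUTPUT -p "$1" -s "$IP" --sport "$2" --dport "$HIGH" -j ACCEPT
}

# Outbound lookups to one resolver. The reply rule is where the thread's bug
# was: the INPUT rule must match the resolver ($1) as source, not $IP.
allow_dns() {  # allow_dns <resolver-ip>
    for proto in udp tcp; do
        $IPT -A OUTPUT -p "$proto" -s "$IP" --sport "$HIGH" -d "$1" --dport 53 -j ACCEPT
        $IPT -A INPUT  -p "$proto" -s "$1" --sport 53 -d "$IP" --dport "$HIGH" -j ACCEPT
    done
}

build_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    allow_in tcp 22
    allow_in tcp 80
    for ns in $NSIP; do allow_dns "$ns"; done
}

build_rules
```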

  • Anonymous March 8, 2006, 7:46 pm

    Will your script work with CentOS 4.2?

  • nixcraft March 8, 2006, 7:49 pm

    >Will your script work with CentOS 4.2?

    Yup, it should work as iptables is available on both distros. CentOS is nothing but a free version of RHEL.

  • Anonymous March 8, 2006, 7:50 pm
  • Anonymous March 8, 2006, 9:49 pm

    Thanks for this script.

    As I use Cpanel, I would be interested to see your mods for it, but the URL you quoted elsewhere in the thread doesn’t seem to work any more (even after changing the extension to .php). Could you possibly put those mods up again?

    Regards,

    Norman

  • nixcraft March 8, 2006, 10:09 pm

    Opps!

    Looks like I had deleted the modified script. Anyways, it must be somewhere in a backup copy; right now I am at work but I will post it tomorrow.

    Sorry for inconvenience :(

  • Anonymous March 12, 2006, 7:42 pm

    Any news with the Cpanel mods?

  • nixcraft March 13, 2006, 9:22 pm

    Ok, I found the file in an old backup and I have uploaded it here

    Test it and let me know. It is the same file which was removed by me.

  • Anderson October 2, 2007, 1:56 am

    Hello
    I’m really new in linux and vps server
    and under ddos attack

    Can i know what are the most important rules ?

    I already added mod_evasive for the Virtuozzo VPS but it doesn’t seem to be ok coz my httpd conf changes after the first 10 seconds of the attack.

    How can I find the complete tutorial to add this firewall's rules?

    thank you.

  • ecoagora January 5, 2008, 9:43 pm

    Sorry for the late post, hopefully I’m not opening a can of worms…

    Am I missing something, or should the following be part of the script (@ the bottom)? (first time using iptables)

    service iptables save
    service iptables restart

  • Ashraf July 28, 2009, 12:09 am

    Hello,

    When I add an IP to reject the connection, it does not work. And the website is working for a few minutes when I restart the VPS service. Again it does not load the page or is very slow. Is this something to do with the default firewall on Virtuozzo?

  • Jigme January 23, 2010, 9:02 am

    Hi,

    Thanks so much for sharing!

    Would your script work with Debian Etch Virtuozzo VPS?

    Thanks so much again,