Recently I got chance to play with Virtuozzo VPS. Good news is they are good to reduced cost and bad news (as of Dec-04, 2004) they do not support full iptables rule set like –state and –log etc. After spending more than 4+ hrs I was able to setup simple but effective firewall on Red hat enterprise linux Virtuozzo VPS. Here is script. Make sure you customize it for your environment.
26 comment
thanks a lot, this helped me a lot, please post it here, if you found a way to make it more secure,
thanks
kev
This looks great! Although I am using CPANEL on a VPS, and need to make sure this will help protect me, yet allow the CPANEL ports needed to work. How can I modify this script to allow the following ports:
TCP_IN=”20 21 25 53 80 110 143 443 995 2082:2083 2086:2087 2095:2096 3306″
TCP_OUT=”21 22 25 37 43 53 80 443 873 2089″
I there would be alot of us that could use this script if the above changes can be made to accomidate us CPANEL users.
Ok! Let me give some time and i will modify the script for specific ports in and out π come back later here …
Any progress with the cpanel ports?
Okay see url.
Test it and let me know… read the comments carefully before applying rules if any doubt comment it back Since I donΓ’β¬β’t have CPANEL and VPS now I did modified the old one you have to test it
hi
thanks for this script. i am fairly new to vps and linux :/
for myIPS section, do i use all the ips that are listed (some are 192.168. etc) ??
the NS1 and NS2 sections – what are these for? how do I use them?
thanks for any help π
>for myIPS section, do i use all the ips that are listed (some are 192.168. etc) ??
Assign all your IPS to variable so if you have 3 IPs 65.22.22.1 65.22.22.3 65.22.22.2 then it should look as follows:
myISP=”65.22.22.1 65.22.22.3 65.22.22.2″
>the NS1 and NS2 sections – what are these for? how do I use them?
NS1= IP address of your own/ISP DNS server
NS2= IP address of your own/ISP DNS server
This can be found form file /etc/resolv.conf
So if your Nameserver IPs are 202.54.1.2 202.54.2.20 then setup it as follows:
NSIP=”202.54.1.2 202.54.2.20″
Appreciate your post, if you have more question reply back.
thanks for all your help. i notice that the virtuozzo has two interfaces: venet0 and venet0:0 can you explain what they are? π
thanks. i will try and use the firewall tonight
after doing a bit of research i learned that venet0:0 is an alias of venet0. why is this necessary?
the name servers that are in resolv.conf, what are they for and where did they come from?
i am a big noob! π
after running your script all seems to be working! thank you so much for your effort and help!
stewart (who is a web designer / noobie linux fan)
>that venet0:0 is an alias of venet0. why is this necessary?
venet0:0 is part of “Virtuozzo VPS” and it is created to assign IP address for your system.
>the name servers that are in resolv.conf, what are they for and where did they come from?
They are use to translate http://www.yahoo.com or http://www.yourdomain.com to IP address or vise-versa. They are added by your service provider admin i.e. the compnany from whom you brough the VPS server.
Hope this helps!
I have purchased 2 VPS’s with 3 ip’s each, and i want to allow connection from the first VPS (from ip #1) to the second VPS (to ip #1). Unfortuantely the script doesn’t work.
It looks like this:
iptables -A INPUT -p tcp -s $IP1 –sport 1024:65535 -d $IP2 –dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s $IP2 –sport 22 -d $IP1 –dport 1024:65535 -j ACCEPT
before these lines, i set the policies of chains INPUT,OUTPUT and FORWARD to DROP.
the result is that i can’t access from ip1 to ip2. could someone help me with that?
Your rules seems to ok. Try to set sport to 513:65535 as ssh may go that low. Another thing is you need to allow outgoing ssh access from IP1 to IP2
IP1=”202.54.1.20″
IP2=”202.54.1.22″
iptables -A INPUT -p tcp -s $IP1 –sport 513:65535 -d $IP2 –dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s $IP2 –sport 22 -d $IP1 –dport 513:65535 -j ACCEPT
There is a bug in the script in DNS section. The last line for TCP case should be
iptables -A INPUT -p tcp -s $mip –sport 53 -d $ip –dport 1024:65535 -j ACCEPT
instead of
iptables -A INPUT -p tcp -s $ip –sport 53 -d $ip –dport 1024:65535 -j ACCEPT
Okai bug fixed π thanks.
Will your script work with CentOS 4.2?
>Will your script work with CentOS 4.2?
Yup, it should work as iptables is available on both distro. CentOS is nothing but Free Version of RHEL.
This URL doesn’t seem to be working:
http://cyberciti.biz/nixcraft/projects/linux/scripts/Virtuozzo/firewall_mod.txt
Thanks.
Thanks for this script.
As I use Cpanel, I would be interested to see your mods for it, but the URL you quoted elsewhere in the thread doesn’t seem to work any more (even after changing the extension to .php). Could you possibly put those mods up again?
Regards,
Norman
Opps!
Look like I had deleted the modified script. Anyways it must be somewhere in backup copy; right now I am at work but I will post it tomorrow.
Sorry for inconvenience π
Any news with the Cpanel mods?
Ok, I found file in old backup and i had uploaded it here
Test it and let me know. it is same file which was removed by me
Hello
I’m really new in linux and vps server
and under ddos attack
Can i know what are the most important rules ?
I already added mod_evasive for virtuozzo vps but don-t seems to be ok coz my httpd conf change after the first 10 second of the attack.
How can i find the complete tutorial to add thisfirewall rules ?
thank you.
Hello
IΓ’β¬β’m really new in linux and vps server
and under ddos attack
Can i know what are the most important rules ?
I already added mod_evasive for virtuozzo vps but don-t seems to be ok coz my httpd conf change after the first 10 second of the attack.
How can i find the complete tutorial to add thisfirewall rules ?
thank you.
Sorry for the late post, hopefully I’m not opening a can of worms…
Am I missing something, or should the following be part of the script (@ the bottom)? (first time using iptables)
service iptables save
service iptables restart
Hello,
When I add a IP to reject the connection, it does not work. And website is working for few minutes when I restart the VPS service. Again it does not load page or very slow. Is this something to do with the default firewall on virtuazzo?
Hi,
Thanks so much for sharing!
Would your script work with Debian Etch Virtuozzo VPS?
Thanks so much again,