anyone running a firewall on a VPS? Options

[jeff-p4]

Since I can't quite get APF / iptablees to work, I thought I would ask - is anyone successfully running a firewall on one of the new VPS packages? If so, which one?

[wstahlhut]

Think I have found the issue, it sees the helper files for iptables are missing for the install, I am trying to locate them, BUT my up2date is now broke also, but is looks like an EV1 issue not a server issue.

You can try KISS, if you do, let us know how it goes...

[jeff-p4]

So is anyone running a firewall on one of the EV1 VPS packages?

If so, which one(s) have been successfully installed?

Many thanks in advance for any replies.

I feel a little vulnerable not being able to get a firewall installed on my new VPS. If others are all in the same boat, I imagine they will be a prime target for crackers in the weeks to come

[wstahlhut]

I think it may be time for EV1 to step up and offer some help, we (users of VPS) are not your normal linux install, so maybe they are go to SWSoft for us and help us work out an answer that will work and reduce the amount of work they will have to do in the long run...

[squirrelking]

Iptables is already installed on the system.. Version v1.2.8..

At the command prompt, type in: iptables -h

Also check out documentation here: http://www.netfilter.org/

I was able to get it up and working on my EV1 vps.. As for the other firewalls out there, I'll try those too..

-Dennis

[wstahlhut]

I have raw IPtables working myself, but, as you know its a bit klunky getting it working and happy...

[jeff-p4]

Likewise, I can get raw IPtables rules to work, but it will be quite difficult to impossible for me (at my skill level as an iptables newbie) to create something as secure as APF using raw rules.

[madlooper]

Has anyone had success in getting APF installed? I've tried 3 different firewalls so far and no luck on any. I read a different post where we may have to open a TT with EV1 and have the memory increased (or something to that nature). Anyone?

[madlooper]

To add to my question.... I have a VPS account with another company and have not had near the problems setting up this VPS. The EV1 VPS's seem to be rather limited, in my opinion. I've tried Kiss, Bastille, and Apf with no success. I've never had this hard of a time setting up a simple firewall. Anyone with a success story?

[fenster]

Hi,

This is really Very Frequently Asked Question Here is a link to another thread with some explanations: http://forum.ev1servers.net/showpost.php?p...33&postcount=36

Here is also a link to a thread with a description of Hardware Node configuration which should be set by the owner of the node: http://forum.ev1servers.net/showpost.php?p...55&postcount=17

[madlooper]

Hi,

This is really Very Frequently Asked Question  Here is a link to another thread with some explanations: http://forum.ev1servers.net/showpost.php?p...33&postcount=36

Here is also a link to a thread with a description of Hardware Node configuration which should be set by the owner of the node: http://forum.ev1servers.net/showpost.php?p...55&postcount=17

Fenster, thanks for the links, but my question is still unresolved. I think your second link is for administering a full VPS server. I still have not seen any success stories in setting up APF firewall on a EV1 VPS. If there are, I would like to know what they did to get it installed. Thx.

[Kelly]

Fenster, thanks for the links, but my question is still unresolved.  I think your second link is for administering a full VPS server.  I still have not seen any success stories in setting up APF firewall on a EV1 VPS.  If there are, I would like to know what they did to get it installed.  Thx.

i could not find a way to get APF to run on the VPS, but this script will work for a firewall on VPS



#!/bin/bash

#
# firewall This shell script takes care of setting up a firewall for a
virtuosso based VPS
# (no stateful rules/connection tracking or logging.
# Borrows heavily from a script by Dmitry Konstantinov of
sw-soft
#
#
# chkconfig: 2345 18 92
# description: setup firewall configuration

IPTABLES="/sbin/iptables"
SERVER_IPS=`/sbin/ifconfig | grep inet | cut -d : -f 2 | cut -d -f 1 | grep -v 127.0.0.1`

FWIN="${IPTABLES} -A INPUT"
FWOUT="${IPTABLES} -A OUTPUT"
OK="-j ACCEPT"
NO="-j DROP"


# Flush tables and change default policy to DROP function initialize() {
local TABLE="${1}"
${IPTABLES} -F ${TABLE}
${IPTABLES} -P ${TABLE} DROP
}

# Flush tables and change default policy to ACCEPT function stop() {
local TABLE="${1}"
${IPTABLES} -F ${TABLE}
${IPTABLES} -P ${TABLE} ACCEPT
}

# Verify call switch
case "$1" in
start|restart)

initialize INPUT
initialize OUTPUT
initialize FORWARD

# INPUT
# 1) loopback
${FWIN} -i lo ${OK}
${FWIN} -d 127.0.0.0/8 ${NO}

# 2) We allow incoming SSH connections and answers to
# our own SSH connections:
for OURIP in ${SERVER_IPS}; do
${FWIN} -p tcp -d ${OURIP} --dport 22 ${OK}
${FWIN} -p tcp --sport 22 -d ${OURIP} --dport 1024: "!" --syn ${OK}
done

# 3) We allow incoming DNS queries as well as answers to our
# DNS queries.
for OURIP in ${SERVER_IPS}; do
${FWIN} -p tcp -d ${OURIP} --dport 53 ${OK}
${FWIN} -p udp -d ${OURIP} --dport 53 ${OK}
${FWIN} -p tcp --sport 53 -d ${OURIP} --dport 1024: "!" --syn ${OK}
${FWIN} -p udp --sport 53 -d ${OURIP} --dport 1024: ${OK}
done

# 4) We allow access to our SMTP server, as well as answers
# to our SMTP connections and, temporarily, identd stuff:
for OURIP in ${SERVER_IPS}; do
${FWIN} -p tcp -d ${OURIP} --dport 25 ${OK}
${FWIN} -p tcp --sport 25 -d ${OURIP} --dport 1024: "!" --syn ${OK}
#${FWIN} -p tcp --sport 1024: -d ${OURIP} --dport 113 ${OK}
#${FWIN} -p udp --sport 1024: -d ${OURIP} --dport 113 ${OK}
#${FWIN} -p tcp --sport 113 -d ${OURIP} --dport 1024: "!" --syn ${OK}
#${FWIN} -p udp --sport 113 -d ${OURIP} --dport 1024: ${OK}
done

# 5) We also allow access to our POP/sPOP server.
for OURIP in ${SERVER_IPS}; do
${FWIN} -p tcp -d ${OURIP} --dport 110 ${OK}
${FWIN} -p tcp -d ${OURIP} --dport 995 ${OK}
done

# 6) and to IMAP/IMAPs
for OURIP in ${SERVER_IPS}; do
${FWIN} -p tcp -d ${OURIP} --dport 143 ${OK}
${FWIN} -p tcp -d ${OURIP} --dport 993 ${OK}
done

# 7) we would like to be able to use lynx
for OURIP in ${SERVER_IPS}; do
${FWIN} -p tcp --sport 80 -d ${OURIP} --dport 1024: "!" --syn ${OK}
done

# We allow incoming echo replies/requests from everywhere:
for OURIP in ${SERVER_IPS}; do
${FWIN} -p icmp -d ${OURIP} --icmp-type 0 ${OK}
${FWIN} -p icmp -d ${OURIP} --icmp-type 3 ${OK}
${FWIN} -p icmp -d ${OURIP} --icmp-type 8 ${OK}
${FWIN} -p icmp -d ${OURIP} --icmp-type 11 ${OK}
done

# 9) We also would like to allow access to our web server:
for OURIP in ${SERVER_IPS}; do
${FWIN} -p tcp -d ${OURIP} --dport 80 ${OK}
${FWIN} -p tcp -d ${OURIP} --dport 443 ${OK}
${FWIN} -p tcp -d ${OURIP} --dport 8443 ${OK}
${FWIN} -p tcp -d ${OURIP} --dport 465 ${OK}
${FWIN} -p tcp -d ${OURIP} --dport 993 ${OK}
${FWIN} -p tcp -d ${OURIP} --dport 995 ${OK}
${FWIN} -p tcp -d ${OURIP} --dport 143 ${OK}
${FWIN} -p udp -d ${OURIP} --dport 143 ${OK}
done

# 10) people are still crazy enough to use ftp
for OURIP in ${SERVER_IPS}; do
for PORT in 20 21; do
${FWIN} -p tcp -d ${OURIP} --dport ${PORT} ${OK}
${FWIN} -p tcp --sport ${PORT} -d ${OURIP} --dport 1024: "!"
--syn ${OK}
${FWIN} -p udp -d ${OURIP} --dport ${PORT} ${OK}
${FWIN} -p udp --sport ${PORT} -d ${OURIP} --dport 1024: ${OK}
done
done

# allow answers on high ports
${FWIN} -p tcp -m tcp --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN ${OK}
${FWIN} -p udp -m udp --dport 1024:65535 ${OK}

#######################################
# directadmin needs a few more ports opened
#

# for OURIP in ${SERVER_IPS}; do
# for PORT in 2222; do
# ${FWIN} -p tcp -d ${OURIP} --dport ${PORT} ${OK}
# ${FWIN} -p tcp --sport ${PORT} -d ${OURIP} --dport 1024: "!"
--syn ${OK}
# ${FWIN} -p udp -d ${OURIP} --dport ${PORT} ${OK}
# ${FWIN} -p udp --sport ${PORT} -d ${OURIP} --dport 1024: ${OK}
# done
# done

#
########################################

# Everything else is denied by default - policy is DROP.

# OUTPUT
# 1) Loopback packets.
${FWOUT} -o lo ${OK}
${FWOUT} -s 127.0.0.0/8 ${NO}

# 2) We allow all outgoing traffic:
for OURIP in ${SERVER_IPS}; do
${FWOUT} -s ${OURIP} ${OK}
done

;;

stop)
# turn off the firewall, flush all rules
echo "Flushing rulesets.."

stop INPUT
stop OUTPUT
stop FORWARD

;;

status)
# display the current status - both firewall rules and masquerading
# connections

# list rules. -n avoids DNS lookups
$IPTABLES -nL

;;

*)
echo "Usage: firewall {start|stop|restart|status}"
exit 1
esac

exit 0

[mark101]

Can anyone tell me how to install the above script on my vps server.

[StevensOnln1]

I installed APF on a Virtuzzo VPS (not in EV1) a few days ago. You get a few errors, but it works fine.

[dalem]

Can anyone tell me how to install the above script on my vps server.

1) using your favorite txt editor create /etc/init.d/firewall
and paste the contents above you will need to edit the ports for the control panel you are using (the one above apears to be for Direct Admin )

2) Make it executable

chmod +x /etc/init.d/firewall

3) Configure it to start at boot

/sbin/chkconfig firewall on

4) Start it.

/sbin/service firewall start
or
/etc/init.d/firewall start

5) See the rules

/sbin/service firewall status

[Simon]

I´ve tried to get the script working but it gives me the nest errors after doing /sbin/service firewall start

cut: the delimiter must be a single character
Try `cut --help' for more information.
/etc/init.d/firewall: line 23: local: can only be used in a function
iptables v1.2.8: -P requires a chain and a policy
Try `iptables -h' or 'iptables --help' for more information.
/etc/init.d/firewall: line 30: local: can only be used in a function
iptables v1.2.8: -P requires a chain and a policy
Try `iptables -h' or 'iptables --help' for more information.
/etc/init.d/firewall: line 39: initialize: command not found
/etc/init.d/firewall: line 40: initialize: command not found
/etc/init.d/firewall: line 41: initialize: command not found


Anyone else having this problem?

[dalem]

the above has syntax errors becuse of the way VB phrases it

if you need the above firewall PM me with your Control panel and I will give you a link