Full Version: APF on VPS - install tips?
jeff-p4
When you install APF on a VPS, what do you specify for the interface, since there is no eth0 or eth0:0?
jeff-p4
Oops - never mind. Appears IF="venet0" will work :)

Now I get another error though:
Unable to load iptables module (ip_tables), aborting.

I wonder why iptables isn't installed on these RHE VPSes???
wstahlhut
It is installed; it seems to be a larger issue. I have been working on it for about a week now...
jeff-p4
Eeek. I've also not made any progress on it - I'm afraid it's over my head. Hopefully you or one of the other gurus here will be able to figure out how to get APF working on the VPS and will share a how-to here. It's a bit uncomfortable to not have a firewall.
ravio
I think ev1 should jazz us up with a hardware firewall ;)
jeff-p4
But if there were one hardware firewall per server full of VPSes, would we all fight over the rules? ;)
jeff-p4
Just to follow up, currently I get the following:

With monokern="0" in the conf.apf
CODE
$ service apf start
Unable to load iptables module (ip_tables), aborting.

With monokern="1" in the conf.apf
CODE
$ service apf start
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: Memory allocation problem
rfxn
Setting MONOKERN=1 and disabling the advanced BLK options should suffice. Any startup errors related to iptables are chain specific and not fatal unless APF indicates such on startup. The chains which fail to load are simply advanced stateful inspection chains; they are not required for normal operation.
Dim
Hello, guys!

I'm one of the Virtuozzo developers. Currently we are working on providing additional iptables modules to VPS - this patch will be available soon.
Jeff, if you have complex or remote from default APF configuration, could you provide it to us in order to avoid possible troubles?

About APF:
1) monokern="1" is the right value because Virtuozzo doesn't permit module loading inside a VPS.
2) iptables: Memory allocation problem - these errors are due to VPS limits - check /proc/user_beancounters, iptent limit
3) iptables: No chain/target/match by that name - we are working in order to remove all such errors :)
jeff-p4
Thanks very much to both of you for the reply.

QUOTE
2) iptables: Memory allocation problem - these errors are due to VPS limits - check /proc/user_beancounters, iptent limit

Can you go into more details on this?

If I try to start a default configuration of APF, I get all the memory errors above, and /proc/user_beancounters reveals:
CODE
resource           held    maxheld    barrier      limit    failcnt
numiptent           128        128        128        128        156

Is this a limit that EV1 might have set too low, or is it an inherent limitation of a VPS that needs to be worked around?
rfxn
The modules below are required for normal APF operation, whether compiled in or in modular format:
ip_tables
ipt_state
ipt_multiport
iptable_filter
ipt_limit
ipt_LOG
ipt_REJECT
ip_conntrack
ip_conntrack_irc
ip_conntrack_ftp
iptable_mangle
Dim
I have already seen this list, but during my investigations I revealed that at least ipt_TOS is required too. Besides that, I think it will be useful to check some complicated APF configuration - maybe it is supposed to use any other useful modules, which need to be loaded too.
About the numiptent limit - this is an EV1 limit setting. Through my investigations, the default APF configuration requires 176 iptables entries:
CODE
numiptent           176        176       1280       1280          0
jeff-p4
What is the reason for (EV1) limiting the number of iptable entries a VPS user can have to such a small number? Does a higher number of iptable entries for a given VPS have a major impact on overall server performance?
rfxn
ipt_TOS is a used module but not required for APF to operate properly. You can feel free to contact me directly should you have or require any specific help with regards to APF.
jeff-p4
Can anyone from EV1 comment on why numiptent is set so low?
Evgeny
QUOTE
Originally posted by rfxn
The modules below are required for normal APF operation, whether compiled in or in modular format:
ip_tables
ipt_state
ipt_multiport
iptable_filter
ipt_limit
ipt_LOG
ipt_REJECT
ip_conntrack
ip_conntrack_irc
ip_conntrack_ftp
iptable_mangle


What command should I run to check line-by-line if all these modules are installed?
Also, I install the kernel from RPM; will apf work, or doesn't it matter?

Thanks
Evgeny
jeff-p4
QUOTE
Also, I install the kernel from RPM; will apf work, or doesn't it matter?
If you could, yes it would. But you can't install a standard (or custom) kernel on a VPS :(

Plus the low numiptent setting will keep an advanced firewall from running fully anyway, causing the memory errors on a Virtuozzo VPS :(
Evgeny
I cannot get APF to work on a local computer as I easily did with Bastille. I open ports (22,25,80,443,995) in the apf.conf file, but if APF is up it blocks all internet traffic. I'm in doubt why you call APF the best firewall...


As for testing the modules, this returns no errors, nor any messages

/sbin/modprobe ip_tables ipt_state ipt_multiport iptable_filter ipt_limit ipt_LOG ipt_REJECT ip_conntrack ip_conntrack_irc ip_conntrack_ftp iptable_mangle
jeff-p4
I'm not sure what to suggest as to why APF is not running for you at home. I've had it on a home test machine and a half dozen servers without problem - when I open a port and restart apf, it's open.
Evgeny
Jeff

I changed in apf.conf a few lines after installation

RESV_DNS_DROP="1"

IG_TCP_CPORTS="22,25,80,443,995"
EG_TCP_CPORTS="22,25,80,443,995"

What else did you do on your local machine?

Thanks
Evgeny
hbouma
QUOTE
Originally posted by jeff-p4
Eeek. I've also not made any progress on it - I'm afraid it's over my head. Hopefully you or one of the other gurus here will be able to figure out how to get APF working on the VPS and will share a how-to here. It's a bit uncomfortable to not have a firewall.


I was at the training session yesterday and I was talking to one of the SW-Soft guys. The server's physical root can install and run APF, which will then be applied to all VPSes. So I would hope that EV1 has something like this in place for its VPS server, so that you might not need APF running unless you need more advanced firewall rules.

I could be wrong about this as well as I have yet to play around with the system.

Hal
jeff-p4
I wonder how that could work though?

For incoming, wouldn't it have to be pretty much wide open to allow for the unique needs of each individual VPS? How can EV1 know exactly which ports I need open?

Would egress filtering work server-wide??

And for advanced features like brute force detection, would the main server scan the logs of each individual VPS to block IP's which try to brute force an ssh or ftp login? Or would that invade the privacy of the individual VPS customers?
jeff-p4
I asked support to increase numiptent from 128 -- they did (thanks very much!), but said 256 was the highest they could set it to without degrading system performance.

Increasing it to 256 allows apf to sort-of run with an out-of-the-box stock config, which is a big improvement over not running at all. But I still get a few "iptables: No chain/target/match by that name" errors, which is troubling, and I am unsure how to track them down yet. I know you say above "The chains which fail to load are simply advanced stateful inspection chains, they are not required for normal operation." but I'm sure there is a reason for those stateful inspection chains to exist (or they would not be in apf to begin with), so if I have a dozen or more failures, I'm guessing that my VPS simply is not as locked down as a dedicated server on which those rules would successfully load.

Also I can't use a very large deny_hosts.rules file, since this goes above the 256 allowed numiptent value. So while much improved with the limit at 256 vs. 128, it appears this is still an inherent limitation of the Virtuozzo platform. It's not a deal breaker though.

Edit: Unfortunately, there seems to be some functional oddness still in the way APF is loading on the VPS. First time it locked me out until devmode shut it down. Second time (apf stop and then apf start) it loaded successfully, though with a couple of handfuls of rule failures, but with numiptent at 198 of the 256 allowed by purging my deny_hosts.rules file totally. Third time though it again locked me out, so it appears either I'm a dunce (though I've never had any problem with APF on a dedicated server) or the errors are causing some issues still. It takes a long, long time to load, and only sometimes finishes without hanging the ssh session :(
hbouma
QUOTE
Originally posted by jeff-p4
I wonder how that could work though?

For incoming, wouldn't it have to be pretty much wide open to allow for the unique needs of each individual VPS? How can EV1 know exactly which ports I need open?


As a system admin, I wouldn't leave a server with root access without a firewall up for it, because the server needs APF running with BFD, etc. as well. Also, I would take the approach that the VPS client isn't always thinking of the server's security (just like the people at amusement parks aren't thinking of their safety when they jump into the ride area while the ride is running to get their hat), and therefore I have to make sure their accounts are properly firewalled. So if a VPS needs a port opened for a particular reason, they can open a ticket and request it. That also gives us feedback on who is doing what on the server.

QUOTE

And for advanced features like brute force detection, would the main server scan the logs of each individual VPS to block IP's which try to brute force an ssh or ftp login?  Or would that invade the privacy of the individual VPS customers?


That is an interesting question. Again, think of it this way. If someone is trying to hack into one VPS, wouldn't the admin want to prevent that person from trying to hack into all the VPSes? The hacker will probably try other IPs in the same subnet.

So I would try to have each client run a version of BFD that would manipulate the physical server's apf deny host rules. That way the BFD running counts against the VPS resources (which it should). If that didn't work, I would have the root run an instance of BFD for each VPS.

I also don't see any privacy issues, since it's not a problem for shared web hosting and running BFD in that environment.

Hal
hbouma
Hi,

Well, now that we have the VPS servers, I am also having fun trying to get APF to work at the root level. The incoming (ingress) firewall seems to work after I enable the mono kernel (I also get the "iptables: No chain/target/match by that name" error), but the outgoing (egress) firewall doesn't work and blocks the SSH traffic even though it's marked as an open port. Hopefully one of us will figure this out. :) I'll see now if the VPS IPs for the server are automatically added to the APF firewall.

Hal
RBohm
Resolved
jeff-p4
QUOTE
Originally posted by RBohm
Resolved

How did you resolve it? I'm still unable to get APF to run on a Virtuozzo VPS account, while I have no problems with it on a dedicated server.

Could you possibly post a detailed how-to?
RBohm
Sorry, I should have left my question there... I meant I have resolved my question. I cannot, as of yet, run it in a VE, but have it installed on system root... there are some errors, but it does run, with limited functionality, much as your last post on it.
Quarkster
QUOTE
Originally posted by hbouma
As a system admin, I wouldn't leave a server with root access without a firewall up for it, because the server needs APF running with BFD, etc. as well. Also, I would take the approach that the VPS client isn't always thinking of the server's security (just like the people at amusement parks aren't thinking of their safety when they jump into the ride area while the ride is running to get their hat), and therefore I have to make sure their accounts are properly firewalled. So if a VPS needs a port opened for a particular reason, they can open a ticket and request it. That also gives us feedback on who is doing what on the server.


Agreed, Hal -- Given this and the APF issues on the root VPS operating system would we all not be better off getting a SnapGear put into our boxes in the interim?
hbouma
QUOTE
Originally posted by Quarkster
Agreed, Hal -- Given this and the APF issues on the root VPS operating system would we all not be better off getting a SnapGear put into our boxes in the interim?


That would be effective, however as Jeff pointed out, you wouldn't be able to use the APF addons (anti-dos or bfd) which would be nice to have on a per VPS basis.

I have not had much luck even with APF on the root level because it seems to firewall everything but SSH off even if you have other ports open. (i.e. even with port 80 open, I can't use wget or telnet to another web server).

So with APF not working, I have been trying out the firewall features included with VZCM (you can set it on the hardware node and each VPS) to see if that might provide a working solution. But I haven't been able to connect to the server though even with SSH enabled.

There is a thread on WHT about firewalls on Virtuozzo that has a script for setting up a firewall for a VPS:

VPS Firewall Script

Hal
Mr. Hiyasaki
anyone know how much those snapgear cards run?
vikey
After reading this; it is not working, true. I'm only able to run a raw firewall with everything blocked and ports 80, 443, 25, 22 etc. open. Plus I'm able to block:
Drop all incoming fragments
Drop all incoming malformed XMAS packets
Drop all incoming malformed NULL packets
Drop all private spoofing address and syn flood

Anybody got anything more than this?
JimmyMac
I have used apf on a regular server though I am not all that smart about this stuff.

If I understand correctly, if I set monokern to "1" it should work on the VPS server? Do I comment out the ETH0?
fenster
Not exactly.

1) set monokern to 1,

2) ask your provider (the owner of the hardware node) to allow usage of additional iptables modules for your VPS (the list of required modules was posted by Evgeny higher up in this thread). Starting from Virtuozzo 2.6.1, it can be done without any problems.
fenster
And yes, the interface should be set to venet0 or venet0:0; not sure exactly what APF wants.
madlooper
QUOTE (fenster)
Not exactly.

1) set monokern to 1,

2) ask your provider (the owner of the hardware node) to allow usage of additional iptables modules for your VPS (the list of required modules was posted by Evgeny higher up in this thread). Starting from Virtuozzo 2.6.1, it can be done without any problems.


Shouldn't EV1 set this by default then, without us opening a TT? I'm sure everyone is running a firewall, right? :)
fenster
Why APF? Everyone can configure iptables manually, that's not difficult at all. Basic iptables functionality is provided by default, and simple accept/reject rules can be built without the help of ipt_state module (and others).

But if you want to use APF (which in fact is nothing more than yet another iptables frontend), ask the provider for additional modules.
madlooper
But this doesn't make sense. Given the contribution RFXN has made to this community, why would our VPSes not be able to install APF? I'm sure there's a significant number of EV1 customers that use APF. Again, I don't have any issues installing APF with my other VPS provider. I'm still hoping this is not an issue with the limitations of my VPS; please correct me if I'm wrong.
madlooper
RFXN, maybe we need an APF Lite (for VPSes). :D
fenster
Did you just try to ask hardware node administrator to enable the following modules:

ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state ip_conntrack

globally on the node and for your VPS? (and probably APF needs some more modules -- they should be added to the list also)

It should be your very first action.
madlooper
QUOTE (fenster)
Did you just try to ask hardware node administrator to enable the following modules:

ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state ip_conntrack

globally on the node and for your VPS?  (and probably APF needs some more modules -- they should be added to the list also)  

It should be your very first action.


Thx fenster, I'll submit a TT and let you know if this resolves it. I still don't see why I should have to do this though, I don't have a problem with other providers. I hope this is the answer, it seems other people here have the same problem.
ProCooling
So you get anywhere on this submitting a trouble ticket....
I am getting sick of getting PAGES of brute force attack emails from BFD and seeing it in vain trying to get APF to do something about it...

I love the VPS for all but the security issues it presents.
hbouma
ProCooling,

You know, it's not difficult to get BFD to not use APF. You just need to change the line in conf.bfd that does the "apf -d" command to one that does an iptables drop command instead. Then you just have to flush the iptables every now and then (like in a weekly cron job) to keep it from filling up your iptent table entries.

I hope this helps!

Hal
ProCooling
hehe, I am an iptables fool; I have no idea how to work with them. I guess I will hunt around for info on iptables drop commands and such.

Why would I need to flush the tables?
hbouma
QUOTE
Why would I need to flush the tables?


Because as I said:

QUOTE
Then you just have to flush the iptables every now and then (like in a weekly cron job) to keep it from filling up your iptent table entries.


iptent table entries are what hold the iptables drop rules. You only get so many on a VPS, and once it's full you can't add any more drop commands, which means you wouldn't be able to block any more IPs from attackers.

Hal
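As an added example (not code from the thread, APF or BFD), this script reads the numiptent row of a /proc/user_beancounters dump in the layout Jeff and Dim posted above, reports how many entries are still free under the barrier, and only emits a BFD-style DROP rule when one fits, so a full table is caught before the "Memory allocation problem" error. The dump and the address are constructed, and the iptables command is echoed rather than executed.

```shell
#!/bin/sh
# Constructed sample of a /proc/user_beancounters dump (two resource rows only;
# the real file lists every resource of the VE). All numbers are made up.
SAMPLE_UBC="$(cat <<'EOF'
Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
      1234: kmemsize        1234567    2345678   14372700   14790164          0
            numiptent           198        256        256        256          4
EOF
)"

# Print "held barrier limit failcnt" for the numiptent row of the dump in $1.
# The first row of a VE carries a "uid:" column, so fields are located by
# resource name rather than by fixed position.
numiptent_fields() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++)
              if ($i == "numiptent") { print $(i+1), $(i+3), $(i+4), $(i+5); exit } }'
}

# Return 0 when at least $2 (default 1) more iptables entries fit under the
# barrier, 1 otherwise. A non-zero failcnt means the kernel has already refused
# rule insertions, which is what APF shows as "iptables: Memory allocation problem".
iptent_headroom_ok() {
    ubc=$1; need=${2:-1}
    fields=$(numiptent_fields "$ubc")
    [ -n "$fields" ] || { echo "numiptent row not found" >&2; return 2; }
    set -- $fields
    held=$1; barrier=$2; limit=$3; failcnt=$4
    free=$((barrier - held))
    echo "numiptent: held=$held barrier=$barrier limit=$limit failcnt=$failcnt free=$free"
    [ "$failcnt" -eq 0 ] || echo "warning: $failcnt rule insertions already refused" >&2
    [ "$free" -ge "$need" ]
}

# BFD-style block of a single address, refused when no entry is left.
# The iptables command is echoed, not run, so this is safe to try anywhere.
block_ip_if_room() {
    ip=$1; ubc=$2
    if iptent_headroom_ok "$ubc" 1 >/dev/null 2>&1; then
        echo "iptables -A INPUT -s $ip/32 -j DROP"
    else
        echo "skip $ip: numiptent table full, flush stale DROP rules first" >&2
        return 1
    fi
}

# Constructed address; on a live VE pass "$(cat /proc/user_beancounters)" instead.
block_ip_if_room 192.168.56.210 "$SAMPLE_UBC"
```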
ProCooling
good deal.

Thanks, I am researching this now
ProCooling
This would be an acceptable drop command: "iptables -A INPUT -s 192.168.56.210/32 -j DROP" correct?
lvalics
For the moment, the solution to that memory allocation problem is
USE_DS="0"
I do not like it, but it works.