Iptables Firewall; CSF, APF, Arnos... Etc.
Jan 5, 2009
Is it me or that anyone else experiencing the VZ master node not properly configured for those front-end firewall programs?
I recently purchased couple Linux VPSs (OpenVZ) from different vendors and both seems not having iptables properly configured. One of them finally got resolved, but took like a week for them to figure out what's wrong with it.
I'm currently still stuck with second VPS not protected.
I have not check into which iptables modules APF or CSF requires, but VPS vendors/resellers should expect their clients would be using those and properly configure their VZ master prior to deployments.
I'm begin to wonder people that purchases VPS slices, are they using any decent firewall front-end or not.
It always seems that ip_conntrack is missing. When exists, everything works.
View 2 Replies
ADVERTISEMENT
Jun 8, 2009
after turning on the iptables firewall i can't receive emails anymore on a dedicated centos 5.3 server with postfix and dovecot.
with iptables firewall turned off everythin works fine.
following is the /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
# ************ tried doing this first ************
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -j ACCEPT --syn
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT --syn
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 143 -j ACCEPT --syn
# ************ tried doing this too ************
-A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 72.233.54.234 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -s 72.233.54.234 --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -s 72.233.54.234 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 0/0 --sport 25 -d 72.233.54.234 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
as you can see here i have tried opening ports 110, 25, 143 earlier. still did not work.
View 2 Replies
View Related
Oct 21, 2009
Hello !
I've got problems with my APF firewall. Here is are the errors I get :
[root@ks123456 ~]# apf -r
apf(6493): {glob} flushing & zeroing chain policies
apf(6493): {glob} firewall offline
apf(6530): {glob} activating firewall
Opening /proc/modules: No such file or directory
apf(6570): {glob} unable to load iptables module (ip_tables), aborting.
apf(6530): {glob} firewall initalized
apf(6530): {glob} fast load snapshot saved
The /var/log/apf_log file is full of these errors.
I've been told that it was a compatibility issue with the server's kernel. So I upgraded the kernel to the last version, but the problem still remains and I get the same errors...
Can you advise about what I should do now ?
Thank you !
View 2 Replies
View Related
Jun 6, 2007
Hello,
I have two similar VPS plans with identical software setups.
I installed APF Firewall on VPS A, modified the conf.apf file to
change the interfaces to venet0 and set monokern to 1 and
then opened all the ingress ports required. Started the firewall
with 'service apf start' and everything went fine, and everything
is working fine with no errors.
I did the same on VPS B but when I start apf I get the following
error that reoccurs during the startup sequence:
iptables: No chain/target/match by that name
While the firewall does seem to be running (by checking iptables -L)
I am unable to download files on the VPS, via wget or yum ...
View 4 Replies
View Related
Oct 27, 2006
I have a Virtuozzo VPS running Debian Sarge. I installed apf. My /etc/apf/conf.apf looks like:
IFACE_IN="venet0"
IFACE_OUT="venet0"
SET_MONOKERN="1"
IG_TCP_CPORTS="21,22,53,80,443,25,465,110,995,143,993,137,139,445,10000,3306"
IG_UDP_CPORTS="53"
Am am getting several "iptables: Invalid arguments" message. I traced this to these iptables calls from within /etc/apf/firewall. Each of these iptables calls gives "iptables: Invalid arguments":
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL NONE -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags SYN,RST SYN,RST -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags FIN,RST FIN,RST -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ACK,FIN FIN -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ACK,URG URG -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ACK,PSH PSH -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL FIN,URG,PSH -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL ALL -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL FIN -j IN_SANITY
Any thoughts? According to my ISP, I have these iptables modules:
iptable_filter
iptable_mangle
ipt_limit
ipt_multiport
ipt_tos
ipt_TOS
ipt_REJECT
ipt_TCPMSS
ipt_tcpmss
ipt_ttl
ipt_LOG
ipt_length
ip_conntrack
ip_conntrack_ftp
ip_conntrack_irc
ipt_conntrack
ipt_state
ipt_helper
iptable_nat
ip_nat_ftp
ip_nat_irc
View 0 Replies
View Related
Apr 4, 2008
When I click Start Firewall
I get this
iptables LKM ip_tables missing so this firewall cannot function unless you enable MONOLITHIC_KERNEL in /etc/csf/csf.conf
Error: aborted, at line 156
View 3 Replies
View Related
Oct 31, 2008
I find it hard to configure IP tables for firewall, can I find already made scripts anywhere?
View 1 Replies
View Related
Feb 13, 2015
I temporarily enabled and activated Plesk firewall module (which I wish I didn't the first time) and for some reason it seems to have overwritten the default iptables configuration that was set, leaving my ftp unable to be logged into. I tried to disable the firewall module and reboot the server. It didn't work.
I also noticed that it somehow seem to have changed my hostname to my previous server hostname as well
Is there any way to completely revert back to original iptables settings before enabling the Firewall module?
View 4 Replies
View Related
Apr 9, 2014
I'm in the process of installing PPA on infrastructure running Parallels Cloud Server. Each container has 2 interfaces, one public facing and a private interface for inter-server communication.
No problems installing PPA 11.5 (specifying IP's on commandline) or adding service nodes however, the firewall rules the documentation speaks of are nowhere to be seen? i.e.:
Important: After the installation, PPA creates the special firewall chain PPA-SN-Rules-INPUT used for communication with service nodes. Do not change it, otherwise, you will not be able to add service nodes to PPA.Click to expand...
Has this been dropped from PPA 11.5 ? (I recall seeing the firewall settings in 11.1) There is also no sign of the ppa.firewall tool that is also mentioned.
The only rule I see inserted is for Postgres on the management node, and 2 for pleskd on all of the nodes (open to world!).
View 2 Replies
View Related
Jan 5, 2008
I execute the following commands, in the following order:
iptables --flush
iptables --zero
iptables -A INPUT -s 218.65.12.161 -j DROP
will that last command successfully ban that IP until reboot?
If not, what needs to be done? I can't access my site if I don't flush + zero iptables first but I need to be able to ban with iptables.
View 2 Replies
View Related
Dec 17, 2008
Do you recommend a software firewall when behind a hardware firewall?
All of our servers are behind Cisco ASA 5505 firewalls which we rent from Liquidweb. All are being managed correctly and setup to there optimal levels. With hardware firewalls firmly in place, do you still recommend a software firewall such as APF or IPTables (we're talking linux); in our opinion we see it as an extra administration overhead. If this is however untrue, we will change out thinking.
View 3 Replies
View Related
Jun 13, 2008
I've found a dedicated server at a great price and plan to stick with it, my first ( already have 2 vps accounts ). I don't have the money for a hardware firewall. However, I do have a chance to renew a Kerio WinRoute Firewall license from way back.
Does anyone think this would be better than the default windows 2003 firewall?
View 1 Replies
View Related
Aug 4, 2006
I am experiencing a strange problem with iptables: after in activate them, they are gone in a few minutes. For example, I drop traffic from an ip and after few seconds, all rules are flushed without touching anything!
View 2 Replies
View Related
Jan 20, 2008
I need to block about 5000 IPs .. Is it possible to add this amount of IPs to iptables?
I mean ... Will this slow down the machine response?
View 7 Replies
View Related
May 24, 2007
What do you prefer or what do you think is better, iptables or apf for a firewall?
View 9 Replies
View Related
Apr 13, 2009
i install csf on centos,
my server is working but the network is unreachable,
i try to run "service iptables stop",
and the server is unreachable now,
i check from whm,it shows csf is working,
but i ssh the server and type "service iptables status",
it shows "firewall is stopped",
is it correct?
is not,how can i fix the issue?
View 11 Replies
View Related
Apr 10, 2009
Is there a way for me to whitelist myself or something?
I get up everyday and have to call LSN because my server has blocked me for some reason...
View 10 Replies
View Related
Feb 4, 2007
If I keep getting spam from a certain IP, can I add that IP to Iptables? Will it stop me receiving spam from that IP? I'm not quite sure how it all works.
Or what is the most effective method to stop spam?
View 14 Replies
View Related
Sep 21, 2007
I've got two VPS's and both have the same ruleset for outbound EG_TCP
Code:
EGF="1"
EG_TCP_CPORTS="21,25,37,43,53,80,110,113,123,443,873,2089,3306"
EG_UDP_CPORTS="53,465,873,6277"
Whenever I turn EGF to 1 my VPS locks me out of everything, I need togo into hyperVM to turn it off and restart my firewall.
What would cause this?
It's Fedora Core 5 on OpenVZ i've googled and cannot seem to find a reason why it would do that. Could be something in the host node kernel that may need adjusting?
View 2 Replies
View Related
May 15, 2007
I am working with iptables and am trying to figure out the best ruleset for cpanel servers.
I have a few custom ports for a few services, but other than that, does anyone have a recommended ruleset for the typical cpanel cluster?
View 5 Replies
View Related
Sep 12, 2007
how can i clear iptables?
i enter many ip in it that most of them is worng and i must clear it
View 2 Replies
View Related
Oct 29, 2007
Do you find iptables enough or do you use a hardware firewall for linux? I haven't used anything less than hardware firewalls for years but I gather than most simply rely on iptables. Is that a smart choice?
View 6 Replies
View Related
Mar 25, 2007
I got blocked by my server. Hivelocity helped me to gain access by my server.
I was told that to avoid being blocked again I should type
iptables -A INPUT 202.155.151.185 -j ACCEPT
What I ended up was
iptables -A INPUT 202.155.151.185 -j ACCEPT
Bad argument `202.155.151.185'
Try `iptables -h' or 'iptables --
View 5 Replies
View Related
Sep 27, 2007
i have code :
1. IF=`/sbin/route | grep -i 'default' | awk '{print$8}'`
2. IP=`/sbin/ifconfig $IF | grep "inet addr" | awk -F":" '{print$2}' | awk '{print $1}'`
3. IPT="/usr/sbin/iptables"
4. NET="any/0"
5. DNS="xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy"
6. SERV_TCP="22 80 443 "
7. SERV_UDP="53 123"
8. HI_PORTS="1024:65535"
........
i dont know line of 5's sense .I am must changed warrant is what?
View 5 Replies
View Related
Oct 6, 2007
Code:
# iptables -D INPUT -s 25.55.55.55 -j DROP
iptables v1.3.8: Couldn't load target `standard':/usr/local/lib/iptables/libipt_standard.so: cannot open shared object file: No such file or directory
What is going on? The libipt_standard.so file is located in /lib/iptables, but not /usr/local/lib/iptables. I tried moving all of the libipt files into the /usr/local/lib/iptables directory, but I got segmentation errors.
View 1 Replies
View Related
Nov 7, 2006
I have installed APF on box and set ports for in and out and enabled it.. of course, iptables is running from booting..
[root@localhost /]# runlevel
N 3
[root@localhost /]# chkconfig --list | grep iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@localhost /]# chkconfig --list | grep apf
apf 0:off 1:off 2:off 3:on 4:on 5:on 6:off
but when I check it like this
[root@localhost ~]# service iptables status
Firewall is stopped.
[root@localhost ~]# service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: ^[[A [ OK ]
[root@localhost ~]# service iptables status
Firewall is stopped.
it said iptables is stop...even I start manually...
I am not sure APF is running correctly because of iptables..
View 10 Replies
View Related
Sep 10, 2006
# apf -r
Unable to load iptables module (ip_tables), aborting.
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# uname -a
Linux servername 2.6.17.9 #1 SMP Sun Aug 27 17:08:11 ICT 2006 i686 athlon i386 GNU/Linux
is there any reason that I cannot use iptables? If I edit monokern option in apf to 1, I cannot use ftp in passive mode
View 14 Replies
View Related
Feb 7, 2008
I have CSF installed on one of our server.
CSF dont ban the IP and if manually it is done I get following error.
----------------
csf -d 195.88.65.47
Adding 195.88.65.47 to csf.deny and iptables DROP...
iptables: Index of insertion too big
DROP all opt -- in !lo out * 195.88.65.47 -> 0.0.0.0/0
Error: iptables command [/sbin/iptables -v -I INPUT 2 -i ! lo -s 195.88.65.47 -j DROP] failed, at line 864
-------------------
Also iptables is not running on server.
If status is checked it says its stopped.
I have many sites on my server I dont want to get any downtime.
Please let us know how can we fix this issue as soon as possible.
I have tried reinstall CSF but still the issue remains same.
View 3 Replies
View Related
Sep 16, 2007
I keep trying to flush my iptables on my linux server but every time i try to do so my server seems to freeze (i lose access and have to reboot it for it to come back online), how can I go about deleting those ips manually rather than executing the flushing command? what options do I have?
View 4 Replies
View Related
Jun 4, 2007
root@xxxx[~]# service iptables status
Firewall is stopped.
root@xxxx[~]# service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
root@xxxx[~]# service iptables status
Firewall is stopped.
why not iptables don't start ?
View 4 Replies
View Related
Apr 23, 2009
i create a template for xen ( hypervm ) from jailtime site. now i install iptables , but iptables do not work and when i enter " service iptables restart" , iptables do not start. ( i check it from "service iptables status" )
View 4 Replies
View Related
