Need simple iptable firewall for openvz node with 3 vps

Hi,

I share my dedi with 2 of my friends through OpenVZ VPS (3 OpenVZ VPS in total on the dedi). All the VPS are running fine with no issues.

Currently, I don't have a firewall on the host node. The SSH port is changed and it is accessed with SSH keys through PuTTY.

  1. Do I need a firewall on the host node?

  2. Are there any simple-to-use iptables firewall rules which can be used directly without any (or with little) modification?

Please guide me in the right direction. BTW, I don't want to use any control panels (not even free ones) as I don't sell VPS to the public.

Thanks for your time.

Comments

    • Yes, you do need a firewall.
    • iptables should do the trick; all rules are in a text file you can edit. Plenty of guides are available. At a minimum, drop all input (incoming connections) except the ones you need.
    Thanked by niceboy
  • Are there any simple-to-use iptables firewall rules which can be used directly without any (or with little) modification?

    Please point me to something I can use directly.

  • The application is called "iptables" from Netfilter team. It should come with your Linux distro. What distro are you using?

    Thanked by niceboy
  • Nyr (Community Contributor, Veteran)
    edited September 2014

    niceboy said: Do I need a firewall on the host node?

    Based on the limited description of your usage, no.

    Caveman122 said: Yes, you do need a firewall.

    Why?

    Thanked by niceboy, SwordfishBE
  • @niceboy, Shorewall works great for this (firewalling and routing control on the host node) but can be a PITA to set up.

    But, it sounds like you want something simpler to deal with; maybe CSF?

    Thanked by niceboy
  • @Caveman122 I use CentOS 6.5 on the node; it already has iptables installed. But I need a simple set of iptables rules, like a copy-paste thing.

    @geekalot I read up on Shorewall but could not understand anything.

    I have installed CSF on the node, but all my VPS are blocked and can't be reached from outside now. How do I unblock them?

  • Crab (Member)
    edited September 2014

    sudo apt-get install apf-firewall

    Edit: oops, sorry, you're using CentOS. wget http://www.rfxn.com/downloads/apf-current.tar.gz in that case :)

    Thanked by niceboy
  • geekalot (Member)
    edited September 2014

    @niceboy said:
    ...

    @geekalot I read up on Shorewall but could not understand anything.

    I have installed CSF on the node, but all my VPS are blocked and can't be reached from outside now. How do I unblock them?

    You will need to know a little about the software before you install it; there are a ton of tutorials online. For CSF, for example, you will have to permit desired traffic in /etc/csf/csf.conf OR /etc/csf/csf.allow OR /etc/csf/csf.dyndns and /etc/csf/csf.ignore.

    I would not recommend you "just wing it" with setting up a firewall; it sounds to me that you should either use a tutorial, or a firewall with a graphical UI/integrated with a control panel (Firestarter, or GUFW+UFW, etc - this would also involve setting up a GUI/desktop on the server, which would add some more bloat, but allow you to leverage the UI to control access).

    EDIT, BTW to uninstall CSF, (as root):

    cd /etc/csf
    sh uninstall.sh
    Thanked by niceboy
  • niceboy (Veteran)
    edited September 2014

    @Crab Never tried APF, but thanks for the suggestion.

    @geekalot I have familiarity with CSF as I used it on a cPanel server.

    I already tried configuring:

    ETH_DEVICE = "eth0"
    ETH_DEVICE_SKIP = "venet0"
    

    But when I enable the firewall, the complete node gets blocked even though I have configured it to allow the SSH, httpd, FTP etc. ports.

  • @Nyr said:
    Why?

    It prevents open or exploitable ports/services from being exploited. Just peace of mind really, knowing which ports are open.

  • socials (Member)
    edited September 2014

    @Caveman122 said:
    It prevents open or exploitable ports/services from being exploited. Just peace of mind really, knowing which ports are open.

    Uhm. And why do you have exploitable services facing the internet?

    A firewall is only necessary if, for example, you want to restrict HTTP/SSH/whatever access to certain IPs etc. Other than that, it's totally unneeded. You can't exploit a server through a port if nothing's listening on it.

  • @socials said:
    A firewall is only necessary if, for example, you want to restrict HTTP/SSH/whatever access to certain IPs etc. Other than that, it's totally unneeded. You can't exploit a server through a port if nothing's listening on it.

    Are you seriously arguing the necessity of a firewall? That's like saying you don't need to lock the front gate to your property because you are sure all the windows are locked and will forever stay that way. It's another layer of security that takes a couple of minutes to set up. A service that's not exploitable now might be exploitable in the future. Users make mistakes, software developers make mistakes; it's nice to have everything locked down but the few ports you need.

  • I understood that even though it works without a firewall, it's better to have one.

    But can anyone help me solve my problem?

  • socials (Member)
    edited September 2014

    @Caveman122 said:
    Are you seriously arguing the necessity of a firewall? That's like saying you don't need to lock the front gate to your property because you are sure all the windows are locked and will forever stay that way. It's another layer of security that takes a couple of minutes to set up. A service that's not exploitable now might be exploitable in the future. Users make mistakes, software developers make mistakes; it's nice to have everything locked down but the few ports you need.

    You didn't get at all what I was saying.

    What is the point of locking your front door if you're allowing everyone in anyway (run a webserver and have "allow tcp any any port 80" in your rules)? That's totally unnecessary.

    And if at one point a service becomes exploitable, again, you're not securing anything with a firewall since you're letting everyone in anyway.

    Simple servers on the internet do not need a firewall 90% of the time.

    @Caveman122 said:
    it's nice to have everything locked down but the few ports you need.

    As I said:

    You can't exploit a server through a port if nothing's listening on it.
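Added example (not from any post in this thread) of the check both sides of this argument come down to: what is actually listening on public addresses, compared with the ports the firewall is meant to allow. It parses `ss -tln` or `netstat -tln` output (on LISTEN lines, column 4 is Local Address:Port in both), ignores listeners bound only to loopback, and reports any public listener the allow-list does not cover. The sample listing is constructed; the ports in it (2222 as the moved SSH port, 80, 25, 3306) are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: audit public listeners against the firewall's allow-list.
# Works on `ss -tln` and `netstat -tln` output; both put Local Address:Port
# in column 4 of lines containing LISTEN.

# Constructed sample in the shape `ss -tln` prints (assumed ports, not from
# the thread). On a real host use:  ss -tln | unexpected_listeners "2222 80"
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:2222               *:*
LISTEN     0      128    127.0.0.1:25         *:*
LISTEN     0      128    :::80                :::*
LISTEN     0      50     0.0.0.0:3306         0.0.0.0:*'

# stdin: ss/netstat listing
# stdout: one port per listener bound to a non-loopback address, deduplicated
public_listeners() {
    awk '/LISTEN/ {
        n = split($4, a, ":"); port = a[n]
        # everything before the final ":" is the bind address ("*", "::",
        # "0.0.0.0", "127.0.0.1", ...)
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "::1") next
        print port
    }' | sort -un
}

# $1: space-separated ports the firewall allows; stdin: ss/netstat listing
# prints every public listener the allow-list does not cover; returns 1 if any
unexpected_listeners() {
    allowed=" $1 "
    found=0
    for p in $(public_listeners); do
        case "$allowed" in
            *" $p "*) ;;                       # covered by the allow-list
            *) echo "$p"; found=1 ;;           # reachable but not intended
        esac
    done
    return $found
}

# stand-alone demo on the constructed sample
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "2222 80"
fi
```

Anything this prints is a service reachable from the internet that nobody decided to expose (the 3306 in the sample is the classic case); the fix is either to bind it to localhost, remove it, or add it to the allow-list on purpose. Running it after every package install is the cheap way to catch the "installed something and it listens on a public port by default" scenario.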

  • geekalot (Member)
    edited September 2014

    @niceboy said:
    ....
    But, when I enable the firewall.. the complete node is getting blocked even though I have configured it to allow ssh,httpd, ftp etc ports.

    @niceboy, if you have familiarity with CSF then read up on csfpre.sh.

    In your scenario, you are likely to need csfpre.sh to set up any custom rules for routing to the VPS. Just keep in mind that it is often reported that rules in csfpre.sh are broken when CSF/LFD self-updates (if you allow it to self-update).

    Honestly IMHO, the best firewall on a host node for VM's is Shorewall; but it is not as "sexy" (or as easy to learn) as many others.
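Added example (not from any post in this thread): the plain iptables ruleset the OP asked for, in iptables-restore format, generated by a small sh function so the SSH port is validated before it ends up in the file. It assumes the containers use venet0 (as in niceboy's CSF config) and that the custom SSH port is passed in as an argument; the port is a placeholder, not a value from the thread. The two FORWARD rules are the part a host-only ruleset tends to miss and the reason "enable the firewall, every VPS goes dark" happens: with venet, packets to and from the containers cross the host's FORWARD chain, not INPUT, so a DROP policy there needs an exception for venet0.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for an OpenVZ host node.
# Assumptions (not from the thread): containers are on venet0, the host
# itself exposes only SSH on a custom port, each VPS runs its own firewall.

gen_host_rules() {
    ssh_port="$1"
    # refuse anything that is not a plain port number: a malformed value
    # would otherwise produce a ruleset that locks SSH out
    case "$ssh_port" in
        ''|*[!0-9]*) echo "gen_host_rules: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        echo "gen_host_rules: port out of range" >&2; return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# host itself: loopback, replies to its own connections, drop junk
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# rate-limited ping so the node stays diagnosable
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# the only service the host node exposes: SSH on the custom port
-A INPUT -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
# containers: with venet, VPS traffic crosses the host's FORWARD chain on
# venet0, so without these two rules a DROP policy cuts every VPS off.
# Per-VPS filtering from the host would go here as -o venet0 -d <vps ip> rules.
-A FORWARD -i venet0 -j ACCEPT
-A FORWARD -o venet0 -j ACCEPT
COMMIT
EOF
}

# usage: gen_host_rules <ssh port> > /etc/sysconfig/iptables
if [ "$#" -gt 0 ]; then
    gen_host_rules "$1"
fi
```

On CentOS 6 the generated file belongs in /etc/sysconfig/iptables and `service iptables restart` loads it. Before writing it there, load it once with `iptables-restore < file` from one SSH session while a second session stays open, so a typo in the port leaves you a way back in; the OUTPUT policy is left at ACCEPT on purpose, since the host has to be able to fetch updates.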

  • @socials said:

    I know what you are saying, and check your attitude. It's fine if you know exactly what you are running and on what ports. However, I am talking about average users, who might just install something like zpanel, which by default listens on a public port, or misconfigure SMTP/DNS and have an open relay/resolver. We are just going to have to agree to disagree; you leave your server wide open and I will lock mine down.

  • @Caveman122 said:
    I know what you are saying, and check your attitude. It's fine if you know exactly what you are running and on what ports. However, I am talking about average users, who might just install something like zpanel, which by default listens on a public port, or misconfigure SMTP/DNS and have an open relay/resolver. We are just going to have to agree to disagree; you leave your server wide open and I will lock mine down.

    "Average" users who don't know shit about server administration shouldn't have servers at all.

    Thanked by jar, Pwner
  • jar (Patron Provider, Top Host, Veteran)

    If you don't know how to open and close ports, or which ports you need, you do not need a firewall as you will not secure it anyway.

    Thanked by Nyr, zed, Pwner