• Tips for extra firewall security on an Intovps VPS.

    Here's a hint:

    iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
    iptables -A INPUT -m state --state INVALID -j DROP

    Rodrigo Copetti
    Sysadmin - Ubuntu is life!!!!
  • Indeed these should help. Note that /proc files can't be changed in OpenVZ but everything should be fine on Xen. Hope we will start offering Xen as soon as possible.
  • Do you mean that these rules need not be enabled in iptables, because there is no way to change them on OpenVZ?
  • Just the echo to /proc part is not working in an OpenVZ VPS.
    iptables works fine.

  • And what could be added in iptables to get more security at the firewall, to replace the /proc example above?
  • As iptables rules, I accept also the destination-unreachable and time-exceeded ICMP packets.
    iptables -A INPUT -p icmp --icmp-type destination-unreachable -m limit --limit 1/s -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type time-exceeded -m limit --limit 1/s -j ACCEPT
    They should give my system(s) better network error management.

    Do you agree or am I wrong?

    Regards,
    Sergio
  • Yes, it's better to receive those icmp messages.
  • Show me an example of complete firewall rules for VPS.
  • Well, an example would also be an empty firewall, since issues are not caused by a non-existing firewall or by multiple firewall rules. Usually problems appear because of outdated or buggy websites installed or simple passwords. You may be able to use fail2ban to prevent brute-force attacks on ssh, or use csf+lfd, which already has plenty of rules that will satisfy everyone.
  • I'm trying to get my iptable rules to run at startup.

    I was about to configure the /etc/network/interfaces file; however, I noticed it states that any changes will be lost and that I should edit the /etc/network/interfaces.tail or .head file instead.

    I edited /etc/network/interfaces.head earlier, but then I couldn't connect to my VPS. I tried to reset the firewall, which didn't fix the problem, so I rebuilt the VPS (I hadn't really changed much on it, so it wasn't a big deal).

    I added "pre-up iptables-restore < /etc/iptables.up.rules". The iptables.up.rules file works fine when I run it through "iptables-restore < /etc/iptables.up.rules", just in case anyone thought that might have something to do with it.

    Any advice as to what I do from here to get it to load my rules from startup?

    Thanks.
  • It would be helpful if you would mention the OS you are using.
    If you lock yourself out you don't need to reinstall; you can contact us and we will help you (mention every change you made on the VPS so we can debug faster).
  • Oh, my mistake, I'm running Ubuntu 10.04 LTS.
  • Not sure if this is the right way of doing it; however, I managed to get it to run at startup by editing:

    "/etc/rc.local"

    I added:

    "iptables-restore < /etc/iptables.up.rules"

    Which appears to make it run at boot.
  • @Jake
    That is fine.
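Pulling the thread together as an added example (not posted by anyone above): the rate-limited ICMP rules and the INVALID drop from the earlier posts, plus loopback, established-traffic and SSH rules, written as one file in the format that "iptables-restore < /etc/iptables.up.rules" in /etc/rc.local reads, with a small check of the file before it is trusted at boot. Assumed: SSH on 22/tcp, and the /tmp path is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): the ICMP rate limits and INVALID drop
# posted above, assembled into one file in the format iptables-restore reads.
# Assumptions: SSH on 22/tcp; the /tmp path is constructed for the demo.
build_rules() {
    # Emit a complete filter table in iptables-save format.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and established flows first, so the rest of the chain
# only sees new connection attempts.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Malformed/untracked packets are dropped before anything else is considered.
-A INPUT -m state --state INVALID -j DROP
# Rate-limited ICMP: echo-request plus the two error types that keep
# path MTU discovery and traceroute working.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -m limit --limit 1/s -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -m limit --limit 1/s -j ACCEPT
# Management access (assumed port 22).
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Check a rules file before it is loaded at boot: every table must end with
# COMMIT, and the INVALID drop must precede the first ACCEPT of NEW traffic,
# otherwise it sits behind rules that already matched and never fires.
check_rules() {
    f="$1"
    tables=$(grep -c '^\*' "$f")
    commits=$(grep -c '^COMMIT$' "$f")
    [ "$tables" -eq "$commits" ] || { echo "table without COMMIT" >&2; return 1; }
    invalid=$(grep -n -- '--state INVALID -j DROP' "$f" | head -1 | cut -d: -f1)
    newacc=$(grep -n -- '--state NEW -j ACCEPT' "$f" | head -1 | cut -d: -f1)
    [ -n "$invalid" ] || { echo "no INVALID drop rule" >&2; return 1; }
    [ -n "$newacc" ] || return 0
    [ "$invalid" -lt "$newacc" ] || { echo "INVALID drop after NEW accept" >&2; return 1; }
}

rules_file=/tmp/iptables.up.rules   # constructed; use /etc/iptables.up.rules on the VPS
build_rules > "$rules_file"
check_rules "$rules_file" && echo "ok: $rules_file ready for iptables-restore"
# On the VPS, copy the file to /etc/iptables.up.rules and put
#   iptables-restore < /etc/iptables.up.rules
# in /etc/rc.local before "exit 0", as in the thread.
```

Because /proc sysctls cannot be changed on OpenVZ, this file carries only iptables rules; on Xen the echo lines from the first post can be added to /etc/rc.local alongside the restore command.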