
firewall for vps

December 25th, 2008

You can protect your HyperVM node (master or slave) by installing ConfigServer Security & Firewall (CSF).

Here's how:

wget http://www.configserver.com/free/csf.tgz
tar -zxvf csf.tgz
cd csf
ls
./install.sh

Once it has been installed, you'll need to configure it correctly before use, or you'll run into some really weird problems.

The configuration file is /etc/csf/csf.conf; edit it with your favourite editor.

Leave ETH_DEVICE blank, CSF will work this out on its own.

Modify the following lines as follows (these can be customized to your own requirements, but the 777*, 888* and 5558 ports are required for HyperVM to work):

# Allow incoming TCP ports
TCP_IN = "25,53,110,953,993,995,22,7776,7777,7778,7779,8886,8887,8888,8889,5558"
# Allow outgoing TCP ports
TCP_OUT = "25,53,80,110,113,443,953,7776,7777,7778,7779,8886,8887,8888,8889,5558"

If you want to be able to ping your HyperVM node, set:

# Allow incoming PING
ICMP_IN = "1"

Save and exit /etc/csf/csf.conf.

If you're using OpenVZ on your node, you'll have to add the following to /etc/csf/csfpre.sh:

iptables -A INPUT -i venet0 -j ACCEPT
iptables -A OUTPUT -o venet0 -j ACCEPT
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0

Note 1: /etc/csf/csfpre.sh will probably not exist; you'll have to create it. csfpre.sh is executed each time before csf starts.

Note 2: I've added (cd /usr/local/lxlabs/hypervm/httpdocs/ ; lphp.exe ../bin/misc/openvz-iptables-traffic.php) to the top of my csfpre.sh due to the traffic calculations, yet I think something else is wrong… I'll update this once I've figured it out.

You are now ready to begin testing. Run from the command line:

service csf start

Once you are happy with the configuration and everything works as you wish, disable the testing mode:

# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
TESTING = "0"

Productionize with:

service csf restart

You are done.
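Before the final restart it is worth checking that csf.conf really contains every port HyperVM needs and that TESTING has been set back to 0, since the cron job otherwise keeps flushing your rules. The script below is an added example, not part of CSF or HyperVM; it parses csf.conf-style files and reports what is missing. The two config fragments it checks are constructed samples, the real file is /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added check script (not part of CSF or HyperVM): verifies that a csf.conf
# opens every port HyperVM needs and that TESTING has been switched off.
# Both config fragments below are constructed samples; the real file is
# /etc/csf/csf.conf.
GOOD_CONF="$(mktemp)"; BAD_CONF="$(mktemp)"
cat > "$GOOD_CONF" <<'EOF'
TCP_IN = "25,53,110,953,993,995,22,7776,7777,7778,7779,8886,8887,8888,8889,5558"
TCP_OUT = "25,53,80,110,113,443,953,7776,7777,7778,7779,8886,8887,8888,8889,5558"
TESTING = "0"
EOF
cat > "$BAD_CONF" <<'EOF'
TCP_IN = "22,7776,7777,7778,7779,8886,8887,8888,8889,5558"
TCP_OUT = "25,53,80,443,7776,7777,7778,7779,8886,8887,8888,8889"
TESTING = "1"
EOF

# Ports the post says HyperVM needs (777*, 888* and 5558).
HYPERVM_PORTS="7776 7777 7778 7779 8886 8887 8888 8889 5558"

# csf_get VAR FILE: print the double-quoted value of VAR from a csf.conf.
csf_get() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# csf_port_listed PORT LIST: succeed if PORT is in the comma-separated LIST.
csf_port_listed() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# csf_check_hypervm FILE: report HyperVM ports missing from TCP_IN/TCP_OUT
# and a TESTING flag still set to 1; succeed only when the file is ready.
csf_check_hypervm() {
    conf="$1"; rc=0
    for var in TCP_IN TCP_OUT; do
        list="$(csf_get "$var" "$conf")"
        for p in $HYPERVM_PORTS; do
            csf_port_listed "$p" "$list" || { echo "$var lacks port $p"; rc=1; }
        done
    done
    if [ "$(csf_get TESTING "$conf")" != "0" ]; then
        echo "TESTING is not 0: cron will keep flushing iptables"; rc=1
    fi
    return "$rc"
}

csf_check_hypervm "$GOOD_CONF" && echo "$GOOD_CONF: ready for production"
csf_check_hypervm "$BAD_CONF" || echo "$BAD_CONF: fix before 'service csf restart'"
```

Run it against /etc/csf/csf.conf by passing that path to csf_check_hypervm instead of the sample files.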

Additionally, you can disable process tracking and user process tracking by setting (in csf.conf):

PT_USERTIME = "0"
PT_LIMIT = "0"
PT_USERPROC = "0"

Source: lxwiki
