
I've got a VPS running on an OpenVZ virtualisation instance. Unfortunately I'm having a lot of trouble getting a firewall up and running. I've tried my usual UFW and shorewall, but neither of them would start up.

The company that runs the VPS suggested I use csf here, but that again wouldn't start up. I then tried modifying iptables directly, but now that won't start up either. Reading through similar questions, it looks like it's OpenVZ that's giving me the headache, but is there any way I can get a firewall up and running on my current setup?

Cheers

wogsland
richzilla
  • Ufw and others are using iptables. What is the error message that you get when adding a new rule with `iptables`? If it's something like "no INPUT chain" then your provider did not enable all the iptables capabilities for containers. Also you want to check if you're on VENET or VETH. – Aleksandr Levchuk Oct 01 '11 at 16:04

2 Answers


You may need to enable some additional iptables modules for your VPS. You will need to ask your host to add support for the following iptables modules (for a typical firewall) to your VPS:

ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp

I am not sure whether they are going to enable all of this :)

SparX
  • +1 sparx. The conntrack issue is well documented with openvz. Probably won't have much luck getting that working. The OP is probably not going to succeed with this. – jdw Oct 01 '11 at 01:49
  • @jdw are you talking about this documentation? http://wiki.openvz.org/Using_NAT_for_container_with_private_IPs#IP_conntracks – Aleksandr Levchuk Oct 01 '11 at 16:09
  • That and others, yes. I haven't run across an OpenVZ host that would support this for me – jdw Oct 01 '11 at 17:15

If your hosting provider will not enable the required additional iptables modules, here is the solution I have come up with for using ufw on an OpenVZ virtualisation instance (I have only tested this on MediaTemple):

Install ufw:

sudo apt-get install ufw

Turn IPv6 off:

Edit /etc/default/ufw

On line 7 change IPV6=yes to IPV6=no

Edit /etc/ufw/after.rules

Comment out line 27

# don't log noisy broadcast
# -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input

Edit /etc/ufw/before.rules

Comment out lines 48, 51, 54, 57 and 58

# if LOCAL, RETURN
# -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
# -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
# -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
# -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
# -A ufw-not-local -j DROP

Remember to allow port 22 or whatever you use for SSH, then enable the firewall:

sudo ufw allow 22
sudo ufw enable
zarazan
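The steps above pin the edits to line numbers, which differ between ufw versions. The following is an added example, not part of zarazan's answer or of ufw itself, that applies the same two changes by rule content instead: it sets IPV6=no and comments out every rule using the addrtype match plus the ufw-not-local fallthrough rules, on a constructed excerpt of the files. It reports each rule it disables, so it stays visible that the non-local DROP fallthrough is among what is lost.

```python
"""Apply the OpenVZ ufw workaround by matching rule content, not line numbers."""
import re

# Rules that need the addrtype match (commonly unavailable inside OpenVZ
# containers), plus the ufw-not-local fallthrough rules that would drop
# everything once the addrtype RETURN rules are gone.
DISABLE_PATTERNS = (
    re.compile(r"^-A \S+ .*-m addrtype "),
    re.compile(r"^-A ufw-not-local "),
)


def disable_ipv6(default_ufw: str) -> str:
    """Return /etc/default/ufw contents with IPV6=no; other keys untouched."""
    return re.sub(r"^IPV6=.*$", "IPV6=no", default_ufw, flags=re.MULTILINE)


def comment_out_unsupported(rules: str) -> tuple[str, list[str]]:
    """Comment out rules an OpenVZ container typically cannot load.

    Returns the rewritten file contents and the list of rules disabled.
    Already-commented lines never match, so the function is idempotent.
    """
    out, disabled = [], []
    for line in rules.splitlines():
        if any(p.match(line) for p in DISABLE_PATTERNS):
            out.append("# " + line)
            disabled.append(line)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


# Constructed excerpts modelled on ufw's before.rules and /etc/default/ufw.
SAMPLE_BEFORE_RULES = """\
*filter
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
COMMIT
"""
SAMPLE_DEFAULT_UFW = 'IPV6=yes\nDEFAULT_INPUT_POLICY="DROP"\n'

if __name__ == "__main__":
    patched, gone = comment_out_unsupported(SAMPLE_BEFORE_RULES)
    print(disable_ipv6(SAMPLE_DEFAULT_UFW), patched, sep="\n")
    print("disabled rules:", *gone, sep="\n  ")  # review before reloading ufw
```

Run it against real files by reading /etc/ufw/before.rules, /etc/ufw/after.rules and /etc/default/ufw into the two functions and writing the results back only after reviewing the printed list.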