
09-02-2007, 21:40
|
 |
Senior Member
|
|
Join Date: Feb 2007
Location: Darlington
Posts: 101
|
|
iptables
Hi, I am trying to implement some iptables, so as to add a "firewall" to our VPS Hosting. The rule I am trying to add is
Code:
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
however I just receive the error
iptables: No chain/target/match by that name
The library to use exists in /lib/iptables/libipt_state.so, however modprobe does not add the module. I have installed module-init-tools with apt, but still to no avail, as I get presented with the error when I try to modprobe the lib file.
FATAL: Could not load /lib/modules/2.6.9-023stab037.3-enterprise/modules.dep: No such file or directory
Any ideas?
|

09-02-2007, 21:49
|
|
Junior Member
|
|
Join Date: Oct 2006
Posts: 10
|
|
Hello,
It seems that some of the iptables modules are not enabled for your VPS Hosting. Please contact the VPS Hosting support team regarding this with the details of your VPS Hosting so that they will enable it from the HW Node on which your VPS Hosting is hosted.
-Firew@ll
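A container-side check for the situation in this exchange, added here as an example and not part of the original posts: the kernel lists the iptables matches it currently offers in /proc/net/ip_tables_matches, so a missing `state` entry explains the "No chain/target/match by that name" error without modprobe. The function names and the sample data in `demo` are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare the "-m NAME" matches a ruleset uses with the
# matches this kernel or container actually exposes.
# MATCHES_FILE can be overridden so the check can be run against a sample.
MATCHES_FILE="${MATCHES_FILE:-/proc/net/ip_tables_matches}"

# required_matches RULES_FILE: print each match named after -m/--match, once.
required_matches() {
    awk '/^[ \t]*#/ { next }
         { for (i = 1; i < NF; i++)
               if ($i == "-m" || $i == "--match") print $(i + 1) }' "$1" | sort -u
}

# missing_matches NAME...: print the names absent from MATCHES_FILE.
# Returns 0 if all are present, 1 if any is missing, 2 if the list is unreadable.
missing_matches() {
    [ -r "$MATCHES_FILE" ] || { echo "cannot read $MATCHES_FILE" >&2; return 2; }
    rc=0
    for m in "$@"; do
        # -x -F: whole-line literal comparison, so "state" never matches "connstate"
        grep -qxF -- "$m" "$MATCHES_FILE" || { echo "$m"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: a container with only tcp/udp/icmp enabled, checked
# against the rule quoted in the first post.
demo() (
    d=$(mktemp -d) || exit 2
    printf 'udp\ntcp\nicmp\n' > "$d/matches"
    echo 'iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT' > "$d/rules"
    MATCHES_FILE="$d/matches"
    st=0
    missing_matches $(required_matches "$d/rules") || st=$?
    rm -rf "$d"
    exit "$st"
)
```

Running `missing_matches $(required_matches rules.txt)` inside the VPS before loading a ruleset gives the exact list of matches to ask the host to enable.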
|

29-06-2007, 13:24
|
 |
Senior Member
|
|
Join Date: Feb 2007
Location: Darlington
Posts: 101
|
|
I've had to request this 3 times now; the first time was when I started this thread. 2nd time was after the recent OpenVz f**k up, and now I can't do my iptables again.
If I moved to Virtuozzo would I be able to control what modules are available in iptables?
|

29-06-2007, 19:43
|
 |
Premium Member
|
|
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 6,494
|
|
Quote:
Originally Posted by mephisto
I've had to request this 3 times now; the first time was when I started this thread. 2nd time was after the recent OpenVz f**k up, and now I can't do my iptables again.
If I moved to Virtuozzo would I be able to control what modules are available in iptables?
|
If you contact support again they could probably clear this up for you.
The first time you requested it did you get a satisfactory solution to your problem?
|

03-07-2007, 13:07
|
 |
Senior Member
|
|
Join Date: Feb 2007
Location: Darlington
Posts: 101
|
|
Yes they provided a satisfactory solution, what's not so great is that since requesting it to be fixed, it's broken twice. But anyway, it's fixed now.
|

03-07-2007, 15:18
|
|
Member
|
|
Join Date: Dec 2006
Location: UK
Posts: 92
|
|
iptables and openvz are notoriously difficult and can involve frequent intervention by systems admin because the modules have to be installed and configured to load on the node.
Which firewall are you running as a matter of interest? I run APF on one server and CSF on one here. Getting APF to work with OpenVZ was much like trying to change a wheel without a jack or spanner.
For one instance I found that I had problems with Egress filters until I changed IFACE_IN="venet0" & IFACE_OUT="venet0" to IFACE_IN="venet0:0" & IFACE_OUT="venet0:0", yet I know that that syntax can cause problems on some systems.
I like the fact that CSF integrates well with mod_security but it fails on other things like not working with SMTP Block.
Last edited by Fidget; 03-07-2007 at 15:29.
|

03-07-2007, 15:31
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,997
|
|
If you ignore the SMTP part then CSF is the best option for Dedicated Servers as well as VPS Hosting.
We have done a good amount of research on CSF and now we have CSF on all our shared as well as reseller hosting servers. It hardly takes any time to install CSF from configserver.com.
Once you install and configure it then you can also remove APF from CSF.
|

03-07-2007, 15:54
|
|
Member
|
|
Join Date: Dec 2006
Location: UK
Posts: 92
|
|
Quote:
Originally Posted by eukhost.com
once you install and configure it then you can also remove apf from CSF.
|
Yes, CSF even provides a link to do so after you've installed it!
It's interesting to see your support for CSF, I still see a lot of cPanel hosts recommending APF instead of CSF. I'm becoming tempted to replace APF with it. One thing APF doesn't have is the login failure daemon, and like I said the mod_security integration allowing for automatic blocking triggered by mod_sec and of course WHM integration.
|

03-07-2007, 15:56
|
|
Member
|
|
Join Date: Dec 2006
Location: UK
Posts: 92
|
|
Quote:
Originally Posted by eukhost.com
... we have CSF on all our shared as well as reseller hosting servers ...
|
Can you tell me of a way to hide it from the Plugins section of client WHM accounts?
|

03-07-2007, 16:00
|
 |
Junior Member
|
|
Join Date: Oct 2006
Posts: 15
|
|
Hello,
There is no such setting to hide Plugins options in WHM.
__________________
Best Regards,
Access Denied
|

03-07-2007, 16:10
|
|
Member
|
|
Join Date: Dec 2006
Location: UK
Posts: 92
|
|
Quote:
Originally Posted by Access Denied
Hello,
There is no such setting to hide Plugins options in WHM.
|
I know this. But I know of some hosts who use CSF but it does not show in the plugins section, so there must be a way. I'd certainly prefer to hide it anyway.
|

03-07-2007, 16:47
|
 |
Junior Member
|
|
Join Date: Oct 2006
Posts: 15
|
|
Hello,
If you only want to hide CSF in Plugins then place a ticket with the support department; they will help you better. But you can easily configure CSF from WHM.
__________________
Best Regards,
Access Denied
Last edited by Access Denied; 03-07-2007 at 16:49.
|

03-07-2007, 17:25
|
|
Member
|
|
Join Date: Dec 2006
Location: UK
Posts: 92
|
|
I asked if it could be hidden in client WHMs, I'd still want it available in mine if possible otherwise it defeats the object. And I'm willing to discuss it here, please let EUK reply 
|

03-07-2007, 17:58
|
 |
System Administrator
|
|
Join Date: Mar 2007
Posts: 93
|
|
Hello,
Yes, it's possible to install CSF firewall on VPS Hosting in such a way that it will not show up in Plugins.
|

03-07-2007, 18:42
|
|
Member
|
|
Join Date: Dec 2006
Location: UK
Posts: 92
|
|
Quote:
Originally Posted by Ramon
Hello,
Yes, it's possible to install CSF firewall on VPS Hosting in such a way that it will not show up in Plugins.
|
Can you tell us how Ramon?
|

03-07-2007, 19:11
|
 |
System Administrator
|
|
Join Date: Mar 2007
Posts: 98
|
|
Hello,
It's not possible to install CSF by a client on a VPS Hosting as CSF blocks all the incoming and outgoing traffic. We need to manually edit CSF configuration files from the main server. So if you want to install CSF on a VPS Hosting you need to open a ticket at <a href="http://www.eukhost.com/vps-...a>@eukhost.com and we will install it for you.
|

03-07-2007, 19:25
|
|
Member
|
|
Join Date: Dec 2006
Location: UK
Posts: 92
|
|
Huh?
I've done it several times and have always done it myself. CSF only blocks anything when you start it, and by default it installs in a stopped state, and even then, if you enable it, it is set in Dev mode until you change that.
|

03-07-2007, 19:51
|
 |
System Administrator
|
|
Join Date: Oct 2006
Posts: 214
|
|
Fidget,
If you would like to hide the CSF option in WHM then you need to run install.generic.sh for installation.
Installation is quite straightforward:
=========================================
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.generic.sh
If you would like to disable APF+BFD (which you will need to do if you have
them installed otherwise they will conflict horribly):
sh disable_apf_bfd.sh
That's it. You can then configure csf and lfd by editing the files directly in
/etc/csf/*
csf is preconfigured to work on a generic Linux server with the standard web
server ports open. It also auto-configures your SSH port if it's non-standard
on installation.
You should ensure that kernel logging daemon (klogd) is enabled. Typically, VPS Hosting
servers have this disabled and you should check /etc/init.d/syslog and make
sure that any klogd lines are not commented out. If you change the file,
remember to restart syslog.
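A check for the klogd advice above, added here as an example and not part of the CSF readme or the original post. On sysklogd systems klogd is what passes kernel messages, including iptables LOG output, to syslog, so a commented-out start line leaves the firewall logs empty. The function names, the first-two-words heuristic and the sample init script are constructed; the default path is the one named in the post.

```sh
#!/bin/sh
# klogd_audit [FILE]: list the klogd command lines in a syslog init script.
# Prints "LINE commented" or "LINE active" for each one.
# Returns 0 if every klogd line is active, 1 if any is commented out,
# 2 if the file is unreadable, 3 if no klogd line exists at all.
klogd_audit() {
    f="${1:-/etc/init.d/syslog}"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    awk '
        {
            line = $0
            commented = (line ~ /^[ \t]*#/)
            sub(/^[ \t#]+/, "", line)
            split(line, w)
            # Heuristic: a command line has klogd as its first or second
            # word ("klogd -x", "daemon klogd ..."); prose comments do not.
            if (w[1] !~ /klogd$/ && w[2] !~ /klogd$/) next
            if (commented) { bad++; print NR, "commented" }
            else           { ok++;  print NR, "active" }
        }
        END { if (bad) exit 1; if (!ok) exit 3 }
    ' "$f"
}

# Constructed sample: start line commented out, stop line left in place.
klogd_demo() (
    t=$(mktemp) || exit 2
    cat > "$t" <<'EOF'
# syslog  Starts syslogd and klogd
start() {
    daemon syslogd $SYSLOGD_OPTIONS
    #daemon klogd $KLOGD_OPTIONS
}
stop() {
    killproc klogd
}
EOF
    st=0
    klogd_audit "$t" || st=$?
    rm -f "$t"
    exit "$st"
)
```

A script that still contains an active `killproc klogd` is reported as failing here, because the commented start line is what stops kernel messages from being logged.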
|

03-07-2007, 22:35
|
 |
Senior Member
|
|
Join Date: Feb 2007
Location: Darlington
Posts: 101
|
|
Quote:
|
Originally Posted by Fidget
Which firewall are you running as a matter of interest?
|
Umm, I wrote my own 
|

03-07-2007, 22:40
|
 |
Premium Member
|
|
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 6,494
|
|
Quote:
Originally Posted by mephisto
Umm, I wrote my own 
|
That must have been some feat! 
| |