Setting up APF on a VPS

Discussion in 'General Discussion' started by micko, Jan 25, 2006.

  1. micko

    micko Guest

    Hi

    I am looking out for a good firewall for use on linux centos virtuozzo. I have tested APF; it works
    well except that it blocks all outgoing mail, wget, and any script updates that may use wget.

    I have tried kiss firewall, this gives some main ip error.

    Looking for something along the lines of APF or a way that I can have APF working normally.
     
  2. fenster

    fenster Tera Poster

    Messages:
    429
    I do suppose that APF will allow outgoing mail and wget if properly configured. You could miss something in configuration. Please also check that you have enough 'numiptent' in /proc/user_beancounters.

    I also believe that it's easier, faster, and better to type in your ten or fifteen iptables rules manually--that's true for any Linux system, not only for Virtuozzo one.
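    An added helper, not from the thread, for the numiptent check fenster mentions: it reads a /proc/user_beancounters dump (a constructed sample is embedded below, with VE ids 101 and 102 as placeholders) and reports the numiptent counters for one VE, failing when failcnt shows that rule loads have already been refused.

    ```shell
    #!/bin/sh
    # numiptent_status FILE [UID]
    # Prints "held=H barrier=B limit=L failcnt=F" for the numiptent row of the
    # given VE (first VE found when UID is omitted). Exit status 1 when
    # failcnt > 0, i.e. the VE has already had iptables rules refused.
    # Column order in user_beancounters: resource held maxheld barrier limit failcnt
    numiptent_status() {
        awk -v want="$2" '
            /^[[:space:]]*[0-9]+:/ { uid = $1; sub(":", "", uid); $1 = ""; $0 = $0 }
            $1 == "numiptent" && (want == "" || uid == want) {
                printf "held=%s barrier=%s limit=%s failcnt=%s\n", $2, $4, $5, $6
                exit ($6 > 0 ? 1 : 0)
            }' "$1"
    }

    # Constructed sample in the real /proc/user_beancounters layout
    # (on a live node read /proc/user_beancounters itself instead).
    write_sample_bc() {
        cat > "$1" <<'EOF'
Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
      101:  kmemsize         1843200    2097152    2752512    2936012          0
            numiptent             40         40         50         50          3
      102:  kmemsize         1048576    1048576    2752512    2936012          0
            numiptent             12         15        200        200          0
EOF
    }

    # Demo on the sample: VE 101 is out of numiptent, VE 102 is fine.
    sample=$(mktemp) && write_sample_bc "$sample"
    for ve in 101 102; do
        if numiptent_status "$sample" "$ve"; then
            echo "VE $ve: numiptent ok"
        else
            echo "VE $ve: numiptent exhausted; raise it, e.g. vzctl set $ve --numiptent 200:200 --save"
        fi
    done
    rm -f "$sample"
    ```
    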
     
  3. madsere

    madsere Tera Poster

    Messages:
    352
    I've tried installing apf on a Virtuozzo hw node and it just simply doesn't work. Even though the egress rules are left disabled, no outgoing activity seems available with it.

    All necessary iptables modules are in place, no errors produced and afaik numiptent is only an issue for VE's.

    apf is an extremely popular firewall. I think it would be a wise business decision to find out how to make it work on Virtuozzo.
     
  4. micko

    micko Guest

    The numiptent is set accordingly. Not sure what the problem is, but I have been told that it may be with APF. I agree, I like APF and use it on dedicated based systems; however, it is a pain on Virtuozzo. I have tested older versions of APF and the issue still occurs; it is installed on CentOS 3.4.

    Any techs have it setup normally?


    I will highlight a few of the main settings I currently use:

    IFACE_IN="venet0"
    IFACE_OUT="venet0"

    SET_MONOKERN="1"

    IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306"

    IG_UDP_CPORTS="21,53,465,873"

    IG_ICMP_TYPES="3,5,11,0,30,8"

    EGF="0"


    Firewall loads and runs except for the problems identified above.
    (Jan 26 00:37:05 server apf(7233): firewall initalized)

    When reloading/restarting you do receive these errors but it does not affect apf

    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
     
  5. fenster

    fenster Tera Poster

    Messages:
    429
    I've just downloaded APF distribution and had no problems with installing it on a VPS based on fedora-core-2. I described all required actions in this article: http://faq.swsoft.com/article_130_875_en.html

    Let me know if anything does not work for you, and I'll update the article with additional instructions.


    (making this thread sticky)
     
  6. madsere

    madsere Tera Poster

    Messages:
    352
    I tried your faq and installed APF on the hardware node and it is still the same, once APF is started you can no longer ssh out from the hardware node. I assume there will be other problems but this is the obvious one.

    (obviously with egress filtering disabled)
    # Egress filtering [0 = Disabled / 1 = Enabled]
    EGF="0"

    Did you try this at all or do you assume APF is only for VE's?

    Why install APF in each VE - isn't it both easier and better performance to just install it once in the hwnode?
     
  7. fenster

    fenster Tera Poster

    Messages:
    429
    It isn't. Correct me if I'm wrong but APF does not try to change FORWARD chain, only INPUT and OUTPUT ones. But all packets to VPSs will go via FORWARD chain. In other words, even if you set 'iptables -P INPUT DROP; iptables -F' on the hardware node, you will have no access to the HW, but your VPSs will be accessible.

    You should block everything except ssh on your hardware node, and use FORWARD chain to set rules for all VPSs. I'm not sure if APF is able to do that.
     
  8. madsere

    madsere Tera Poster

    Messages:
    352
    Hm, very interesting!

    So let's say I want to just have a simple rule blocking all access except ssh to the hardware node as you said, and then putting in FORWARD rules to the VE's -- can you offer an example of what the forward rule would look like?
     
  9. fenster

    fenster Tera Poster

    Messages:
    429
    For example, let's block access to smtp port:

    # iptables -A FORWARD -p tcp -d 192.168.0.0/24 --dport smtp -j DROP

    where 192.168.0.0/24 is a subnet of your VPSs. But I still think it's generally better to give VPSs a right to decide which rules to use.
     
  10. madsere

    madsere Tera Poster

    Messages:
    352
    Sorry my question perhaps wasn't clear.

    What I'm asking is how is the hwnode best protected - how can I block all access except SSH to the hardware node while leaving the VE's in charge of their own individual firewall needs?
     
  11. fenster

    fenster Tera Poster

    Messages:
    429
    Even if one of your VPSs is hacked because it did not have a firewall configured, your hardware node will not suffer from it. That's local VPS issue, and the VPS can be easily reinstalled.

    In fact, that should be your decision. If you offer fully managed VPSs, you may want to block everything in FORWARD chain. If your VPSs are unmanaged, it's their owner's responsibility to configure a firewall on his virtual server.
     
  12. madsere

    madsere Tera Poster

    Messages:
    352
    //Even if one of your VPSs is hacked because it did not have a firewall configured, your hardware node will not suffer from it. That's local VPS issue, and the VPS can be easily reinstalled.//

    Yes I understand that. I want to protect the hwnode itself against being hacked into. I'm sure you're aware that once a hacker got into THAT he would have free access to all the VE's - THAT is my problem.

    //In fact, that should be your decision. If you offer fully managed VPSs, you may want to block everything in FORWARD chain. If your VPSs are unmanaged, it's their owner's responsibility to configure a firewall on his virtual server.//

    Again, misunderstandings galore. Yes I offer fully managed VE's (VPS as you say). So would it be a good idea to install APF on the hw node? What else needs to be done to make it apply to the VE's as well?
     
  13. fenster

    fenster Tera Poster

    Messages:
    429
    The only set of rules you need on your hardware node is:

    # iptables -A INPUT -p tcp -s your_workstation_ip --dport ssh -j ACCEPT
    ... (the same for other computers which should be able to access it via ssh)
    ... and finally
    # iptables -P INPUT DROP

    Nobody except you will be able to access the hardware node.

    As for customers' VPSs, you are free to write rules in FORWARD chain or install APF inside VPSs.

    I don't see any reason of installing APF on the hardware node.

    Am I missing something?
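    An added script, not from the thread, putting fenster's hardware-node advice (SSH only from named admin hosts, INPUT policy DROP, VEs filtered in FORWARD or left to themselves) into a form that can be dry-run; it also adds the two rules his sketch omits, loopback and ESTABLISHED,RELATED, without which a DROP policy on INPUT silently breaks replies to the node's own wget, yum and mail traffic. The admin addresses are constructed placeholders; the 192.168.0.0/24 VPS subnet is the one used earlier in the thread.

    ```shell
    #!/bin/sh
    # DRY_RUN=1 prints the iptables commands instead of applying them.
    IPT="${IPT:-/sbin/iptables}"
    DRY_RUN="${DRY_RUN:-1}"

    rule() {                     # one iptables invocation, echoed or executed
        if [ "$DRY_RUN" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
    }

    # hwnode_firewall "ADMIN_IP ..." [VE_SUBNET]
    hwnode_firewall() {
        admin_ips=$1; ve_net=$2
        rule -F INPUT
        rule -A INPUT -i lo -j ACCEPT
        # replies to the node's own outbound connections must still come in
        rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        # new connections: SSH from the admin hosts only (accept rules go in
        # before the policy flips, so a remote session is not cut off)
        for ip in $admin_ips; do
            rule -A INPUT -p tcp -s "$ip" --dport 22 -m state --state NEW -j ACCEPT
        done
        rule -P INPUT DROP
        # FORWARD carries all VE traffic; its policy stays ACCEPT so each VE can
        # run its own firewall. A node-wide restriction for a managed VE subnet
        # looks like this (-p tcp is required, --dport alone is rejected).
        if [ -n "$ve_net" ]; then
            rule -A FORWARD -p tcp -d "$ve_net" --dport 25 -j DROP
        fi
    }

    hwnode_firewall "203.0.113.10 203.0.113.11" 192.168.0.0/24
    ```

    Run with DRY_RUN=0 only from a console or from one of the listed admin addresses.
    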
     
  14. madsere

    madsere Tera Poster

    Messages:
    352
    Well I assumed as the VE's are logical servers they would "hide" behind the hwnode's APF installation but what do I know.
     
  15. barmaley

    barmaley Mega Poster

    Messages:
    233
    A virtuozzo box acts like a router for VEs; beginning from kernel 2.4 (if I'm not mistaken) routed packets go through the FORWARD chain only.

    What I use on a regular virtuozzo box (to filter packets to/from the box itself):
    ==
    [root@localhost root]# cat /etc/sysconfig/fw_rules
    #!/bin/bash

    # Vars
    FWCMD="/sbin/iptables"

    OUR_IP="<classified>"
    NETIF="eth0"

    # I'm too lazy...
    FWIN="${FWCMD} -A INPUT"
    FWOUT="${FWCMD} -A OUTPUT"
    FWFWD="${FWCMD} -A FORWARD"
    OK="-j ACCEPT"
    NO="-j DROP"


    ${FWCMD} -F
    ${FWCMD} -X
    ${FWCMD} -Z
    ${FWCMD} -P INPUT DROP
    ${FWCMD} -P OUTPUT DROP
    ${FWCMD} -P FORWARD ACCEPT


    # INPUT
    # loopback
    ${FWIN} -i lo ${OK}
    ${FWIN} -d 127.0.0.0/8 ${NO}

    # syn flood
    ${FWCMD} -N SYNFLOOD
    ${FWIN} -i ${NETIF} -p tcp --syn -j SYNFLOOD
    ${FWCMD} -A SYNFLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
    ${FWCMD} -A SYNFLOOD -j DROP

    # kill NEW connections that aren't SYN
    ${FWIN} -i ${NETIF} -p tcp "!" --syn -m state --state NEW ${NO}

    # allow certain inbound ICMP types (ping, traceroute..)
    ${FWIN} -i ${NETIF} -p icmp --icmp-type destination-unreachable ${OK}
    ${FWIN} -i ${NETIF} -p icmp --icmp-type time-exceeded ${OK}
    ${FWIN} -i ${NETIF} -p icmp --icmp-type echo-reply ${OK}
    ${FWIN} -i ${NETIF} -p icmp --icmp-type echo-request ${OK}

    # incoming ssh connections
    ${FWIN} -i ${NETIF} -p tcp --sport 1024: --dport 22 --syn -m state --state NEW ${OK}

    # incoming answers
    ${FWIN} -i ${NETIF} -m state --state ESTABLISHED ${OK}

    # OUTPUT
    # 1) Loopback packets.
    ${FWOUT} -o lo ${OK}
    ${FWOUT} -s 127.0.0.0/8 ${NO}

    ${FWOUT} -o ${NETIF} ${OK}
    # traceroutes from VEs
    ${FWOUT} -o venet0 -p icmp -s ${OUR_IP} -d "!" ${OUR_IP} ${OK}

    [root@localhost]# cat /etc/sysconfig/iptables-config
    # Additional iptables modules (nat helper)

    IPTABLES_MODULES="ip_tables
    ipt_REJECT
    ipt_tos
    ipt_limit
    ipt_multiport
    iptable_filter
    iptable_mangle
    ipt_TCPMSS
    ipt_tcpmss
    ipt_ttl
    ipt_length
    ipt_REDIRECT
    ipt_TOS
    ip_conntrack
    ip_conntrack_ftp
    ipt_LOG
    ipt_conntrack
    ipt_state
    iptable_nat"

    # Save current firewall rules on stop.
    # Value: yes|no, default: no
    #IPTABLES_SAVE_ON_STOP="no"

    # Save current firewall rules on restart.
    # Value: yes|no, default: no
    #IPTABLES_SAVE_ON_RESTART="no"

    # Save (and restore) rule counter.
    # Value: yes|no, default: no
    #IPTABLES_SAVE_COUNTER="no"

    # Numeric status output
    # Value: yes|no, default: no
    #IPTABLES_STATUS_NUMERIC="no"
    [root@localhost root]# cat /etc/virtuozzo-release
    Virtuozzo release 2.6.2
    [root@localhost root]#
     
  16. virtuoso

    virtuoso Kilo Poster

    Messages:
    46
    What about this error I get when restarting APF?

    [root@datahosting root]# apf -r
    /etc/apf/firewall: line 1: /sbin/lsmod: No such file or directory
     
  17. virtuoso

    virtuoso Kilo Poster

    Messages:
    46
    [root@data root]# telnet localhost 8000
    Trying 127.0.0.1...
    telnet: connect to address 127.0.0.1: Connection refused
     
  18. madsere

    madsere Tera Poster

    Messages:
    352
    I followed this FAQ and got APF to work, however, first time I rebooted the hwnode it dropped all the modules again and I was back to the same old error in the VE's (missing mangle modules etc).

    I had to go back to the hardware node and "modprobe" all the modules, then restart vz before APF again would work.

    Do I need to add the iptables modules to /etc/modules.conf to make this happen automatically on hwnode reboot or what?

     
  19. fenster

    fenster Tera Poster

    Messages:
    429
    You need to list them in /etc/sysconfig/iptables-config on the hardware node.
     
  20. madsere

    madsere Tera Poster

    Messages:
    352
    As I said, I followed your FAQ including this point, they are already added in this file:

     
