LinuxQuestions.org
Old 09-24-2015, 10:43 AM   #1
Alan_SP
LQ Newbie
 
Registered: Mar 2012
Posts: 25

Rep: Reputation: Disabled
What firewall to use with VPS server that doesn't have stateful firewall matching


Hello all,

Until now I have used APF as my firewall, but now I need to use a cheaper VPS server that doesn't have stateful firewall matching, only full packet filters. As I understand this, I'll be able to open or close certain ports. Am I understanding this correctly?

And, which software should I use?

Can I use APF, or some other firewall software to manage open ports, and which one would be the easiest for a beginner like myself?

There is the option of a VPS server with stateful firewall matching, but it costs much more money and I'm really on a budget.

Please help me with your advice.
 
Old 09-24-2015, 01:06 PM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
Why could you not install your own firewall on this system?
 
Old 09-25-2015, 08:23 AM   #3
Alan_SP
LQ Newbie
 
Registered: Mar 2012
Posts: 25

Original Poster
Rep: Reputation: Disabled
Maybe I didn't explain this.

I can install any software I would like. But they scale their VPS offers with some options. Cheaper ones don't offer stateful firewall matching. So the APF I have used so far doesn't work on it, or at least not with all options. And any other stateful firewall matching software that looks for that would produce an error, because the VPS system doesn't allow stateful firewall matching.

So I need an alternative that can work without stateful firewall matching.

That's why I came here to ask if someone knows what that alternative would be, so that I can use it on my VPS system.
 
Old 09-25-2015, 04:23 PM   #4
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
Stateful and stateless firewalls are pretty much the same. The biggest difference is the RELATED statement that allows you to jump to another port without it being open all the time, and logging would be another big difference.

So use whatever you want, just omit the NEW,RELATED,ESTABLISHED for the rules.
 
Old 09-26-2015, 08:02 AM   #5
Alan_SP
LQ Newbie
 
Registered: Mar 2012
Posts: 25

Original Poster
Rep: Reputation: Disabled
Which options can't I use in APF, as I have already used it and know a bit about how to configure it? It would be easiest for me to continue using APF, but I would have to turn some things off so it could work with my new VPS.
 
Old 09-28-2015, 10:39 AM   #6
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
APF is a frontend GUI for IPTABLES. Just configure your firewall using iptables.
 
Old 09-29-2015, 08:10 AM   #7
Alan_SP
LQ Newbie
 
Registered: Mar 2012
Posts: 25

Original Poster
Rep: Reputation: Disabled
Well, that means I need to learn how to configure iptables. I already learned how to configure APF, at least so that it works on a stateful-enabled firewall. It looks like I'll need to learn new things...

Is there some good tutorial for programming iptables?
 
Old 09-29-2015, 02:00 PM   #8
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
Iptables Tutorial 1.2.2

While it doesn't cover the new conntrack or ctstate it does cover everything you will need.

If you ever find a better tutorial I'd like to hear about it.
 
Old 09-30-2015, 05:35 AM   #9
Alan_SP
LQ Newbie
 
Registered: Mar 2012
Posts: 25

Original Poster
Rep: Reputation: Disabled
Well, this is certainly a very big document. I'll need time to study it...
 
Old 09-30-2015, 08:13 AM   #10
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
In a nutshell you need to do the following:

Code:
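# Default policies: drop all inbound traffic, allow all outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Open each service port (--dport needs a protocol, e.g. -p tcp)
iptables -A INPUT -p tcp --dport <port#> -j ACCEPT
iptables -A INPUT -p tcp --dport <port#> -j ACCEPT
<etc....>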
Because your knowledge of firewall programming is so limited I hope your knowledge of securing Applications is vast as firewalls are only part of the equation for securing a system that is accessible from the internet.
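
Added example, not part of lazydog's post: a stateless ruleset along the lines of post #10, written as a generator that prints the iptables commands for review. The resolver address, the port list and the function name `stateless_rules` are assumptions; the `! --syn` rule stands in for ESTABLISHED so that replies to the server's own outbound TCP connections are not caught by the DROP policy.

```shell
#!/bin/sh
# Emit a stateless iptables ruleset (no -m state / -m conntrack).
# The commands are printed, not executed, so they can be reviewed first;
# pipe the output to `sh` as root to apply them.

stateless_rules() {
    resolver="$1"; shift      # DNS resolver the server queries (assumption)
    echo "iptables -F INPUT"
    echo "iptables -P OUTPUT ACCEPT"
    # Local services talk to each other over loopback
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Stand-in for ESTABLISHED: accept TCP segments that are not new
    # connection attempts. Weaker than real state tracking, because any
    # non-SYN segment passes whether or not a connection exists.
    echo "iptables -A INPUT -p tcp ! --syn -j ACCEPT"
    # UDP has no flags, so DNS replies are matched by source address and port
    echo "iptables -A INPUT -p udp -s $resolver --sport 53 -j ACCEPT"
    # Inbound services: one rule per listening TCP port
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "skip invalid port: $port" >&2; continue ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "skip out-of-range port: $port" >&2; continue
        fi
        echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
    done
    # Set the DROP policy last so an open SSH session is not cut off
    # while the accept rules are still being added
    echo "iptables -P INPUT DROP"
}

# Constructed sample: resolver 192.0.2.53 (documentation range), SSH and web
stateless_rules 192.0.2.53 22 80 443
```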
 
Old 10-01-2015, 05:11 AM   #11
Head_on_a_Stick
Senior Member
 
Registered: Dec 2014
Location: London, England
Distribution: Debian stable (and OpenBSD-current)
Posts: 1,187

Rep: Reputation: 285
Quote:
Originally Posted by Alan_SP
Is there some good tutorial for programming iptables?
https://wiki.archlinux.org/index.php...teful_firewall

Depending on your distribution, there is also nftables

It uses a simpler and more understandable ruleset than iptables (IMO) and the Arch & Debian (testing/unstable) packages come with some example configurations (including a stateful set up).
https://wiki.archlinux.org/index.php/Nftables
 
Old 10-01-2015, 05:57 AM   #12
Alan_SP
LQ Newbie
 
Registered: Mar 2012
Posts: 25

Original Poster
Rep: Reputation: Disabled
Thanks, I'll check all your suggestions...

Is there some shell program, like APF, that can work with a server that has no stateful matching?
 
Old 10-11-2015, 05:29 AM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Alan_SP
I can install any software I would like. But, they scale their VPS offers with some options. Cheaper ones don't offer stateful firewall matching. So apf I used so far doesn't work on it, or at least with all options. And any other stateful firewall matching software that looks for that would produce error. Because VPS system don't allow stateful firewall matching.

Maybe this wasn't explained properly before but stateful firewalling (aka the Netfilter framework) is an integral part of the Linux kernel. So if your VPS has a kernel that comes with your Linux distribution of choice and if it can load all related modules then there are only a couple of reasons why stateful firewalling would not work:
- your VPS runs on a Virtualization Platform that only allows dom0 (and not your dom1) certain required privileges,
- your provider did modify Something Else but isn't telling you,
- you're trying to Do Stuff without properly investigating the errors you get. (Start by posting those and the VPS specs in full?)

Also please heed warnings as addressed in post #10, thanks.
 
Old 10-12-2015, 04:04 PM   #14
Alan_SP
LQ Newbie
 
Registered: Mar 2012
Posts: 25

Original Poster
Rep: Reputation: Disabled
This is direct link to VPS specs provided on internet: http://www.server4you.com/vps#compare

Check the server Plus X8 under Stateful Firewall Matching: there's a red X, so, for some reason not explained in great detail, that version doesn't have it. Probably because of the first reason you mention: they don't allow it to run certain things, just to scale their offer and incite more people to buy more expensive servers.
 
Old 10-13-2015, 05:18 PM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
They're running vServer, 'nuff said...
 
1 members found this post helpful.
  

