Linux - Security
09-24-2015, 10:43 AM
#1
LQ Newbie
Registered: Mar 2012
Posts: 25
What firewall to use with VPS server that doesn't have stateful firewall matching
Hello all,
Until now I used APF as my firewall, but now I need to use a cheaper VPS server that doesn't have stateful firewall matching, only full packet filters. As I understand this, I'll be able to open or close certain ports. Am I understanding this correctly?
And, which software should I use?
Can I use APF, or some other firewall software, to manage opened ports, and which one would be the easiest for a beginner like myself?
There is an option of a VPS server with stateful firewall matching, but it costs much more money and I'm really on a budget.
Please help me with your advice.
09-24-2015, 01:06 PM
#2
Senior Member
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Why could you not install your own firewall on this system?
09-25-2015, 08:23 AM
#3
LQ Newbie
Registered: Mar 2012
Posts: 25
Original Poster
Maybe I didn't explain this.
I can install any software I would like. But they scale their VPS offers with some options. Cheaper ones don't offer stateful firewall matching. So the APF I used so far doesn't work on it, or at least not with all options. And any other stateful firewall matching software that looks for that would produce an error, because the VPS system doesn't allow stateful firewall matching.
So I need an alternative that can work without stateful firewall matching.
That's why I came here to ask if someone knows what that alternative would be, so that I can use it on my VPS system.
09-25-2015, 04:23 PM
#4
Senior Member
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Stateful and stateless firewalls are pretty much the same. The biggest difference is the RELATED statement that allows you to jump to another port without it being open all the time, and logging would be another big difference.
So use whatever you want, just omit the NEW,RELATED,ESTABLISHED for the rules.
09-26-2015, 08:02 AM
#5
LQ Newbie
Registered: Mar 2012
Posts: 25
Original Poster
What options can't I use in APF, as I already used it and know a bit how to configure it? It would be the easiest for me to continue using APF, but some things I should turn off so it could work with my new VPS.
09-28-2015, 10:39 AM
#6
Senior Member
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
APF is a frontend GUI for iptables. Just configure your firewall using iptables.
09-29-2015, 08:10 AM
#7
LQ Newbie
Registered: Mar 2012
Posts: 25
Original Poster
Well, that means I need to learn how to configure iptables. I already learned how to configure APF, at least so that it works on a stateful-enabled firewall. It looks like I'll need to learn new things...
Is there some good tutorial for programming iptables?
09-29-2015, 02:00 PM
#8
Senior Member
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
|
Iptables Tutorial 1.2.2
While it doesn't cover the new conntrack or ctstate, it does cover everything you will need.
If you ever find a better tutorial I'd like to hear about it.
09-30-2015, 05:35 AM
#9
LQ Newbie
Registered: Mar 2012
Posts: 25
Original Poster
Well, this is certainly a very big document. I'll need time to study it...
09-30-2015, 08:13 AM
#10
Senior Member
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
In a nutshell you need to do the following:
Code:
# Default policy: drop everything inbound, allow everything outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Then open each service port explicitly (no state match needed)
iptables -A INPUT -p tcp --dport <port#> -j ACCEPT
iptables -A INPUT -p tcp --dport <port#> -j ACCEPT
<etc....>
Because your knowledge of firewall programming is so limited I hope your knowledge of securing Applications is vast as firewalls are only part of the equation for securing a system that is accessible from the internet.
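Added example, not code from this thread: a POSIX shell script that prints the stateless ruleset posts #4 and #10 sketch, including the part those posts leave out, namely letting replies to the server's own outbound connections back in when there is no ESTABLISHED match to rely on. The port list, the IPv4-only scope and the ephemeral port range 32768:60999 are assumptions.

```shell
#!/bin/sh
# Print a stateless iptables ruleset for a VPS without conntrack.
# It only prints the commands: review them, then pipe into sh as root.
# Assumed: IPv4 only, services listen on TCP, resolver answers from UDP 53.

# Ephemeral source-port range the server uses for its own outbound
# connections (kernel default; check /proc/sys/net/ipv4/ip_local_port_range).
EPHEMERAL="32768:60999"

# usage: stateless_rules PORT [PORT ...]   e.g. stateless_rules 22 80 443
stateless_rules() {
    # Drop everything inbound unless a rule below allows it; allow outbound.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F INPUT"
    # Loopback traffic never leaves the host.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Published services: match the destination port only, no state needed.
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
    done
    # Replies to connections the server opened (package updates, DNS, NTP):
    # without ESTABLISHED we can only accept non-SYN TCP segments aimed at the
    # ephemeral range. A bare SYN to those ports still hits the DROP policy.
    echo "iptables -A INPUT -p tcp ! --syn --dport $EPHEMERAL -j ACCEPT"
    echo "iptables -A INPUT -p udp --sport 53 --dport $EPHEMERAL -j ACCEPT"
    echo "iptables -A INPUT -p udp --sport 123 --dport $EPHEMERAL -j ACCEPT"
    # Let ping replies and path-MTU messages back in.
    echo "iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT"
    echo "iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT"
    # Log a sample of what the policy drops so later tuning is evidence-based.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"INPUT-DROP: \""
}

# Sanity check: a stateless ruleset must not reference the state/conntrack
# matches, which are exactly what fails on such a VPS. Returns 0 if it does.
uses_state() {
    stateless_rules "$@" | grep -Eq -- '-m (state|conntrack)|--ctstate|--state'
}

stateless_rules 22 80 443
```

Because the rule for the ephemeral range accepts any non-SYN segment, it is looser than a real ESTABLISHED match; the LOG rule shows what still gets dropped so the port list can be tightened from evidence rather than guesswork.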
10-01-2015, 05:11 AM
#11
Senior Member
Registered: Dec 2014
Location: London, England
Distribution: Debian stable (and OpenBSD-current)
Posts: 1,187
Quote:
Originally Posted by Alan_SP
Is there some good tutorial for programing iptables?
https://wiki.archlinux.org/index.php...teful_firewall
Depending on your distribution, there is also nftables. It uses a simpler and more understandable ruleset than iptables (IMO), and the Arch & Debian (testing/unstable) packages come with some example configurations (including a stateful set up).
https://wiki.archlinux.org/index.php/Nftables
10-01-2015, 05:57 AM
#12
LQ Newbie
Registered: Mar 2012
Posts: 25
Original Poster
Thanks, I'll check all your suggestions...
Is there some shell program, like APF, that can work with a server that has no stateful matching?
10-11-2015, 05:29 AM
#13
Moderator
Registered: May 2001
Posts: 29,415
Quote:
Originally Posted by Alan_SP
I can install any software I would like. But they scale their VPS offers with some options. Cheaper ones don't offer stateful firewall matching. So the APF I used so far doesn't work on it, or at least not with all options. And any other stateful firewall matching software that looks for that would produce an error, because the VPS system doesn't allow stateful firewall matching.
Maybe this wasn't explained properly before, but stateful firewalling (aka the Netfilter framework) is an integral part of the Linux kernel. So if your VPS has a kernel that comes with your Linux distribution of choice, and if it can load all related modules, then there are only a couple of reasons why stateful firewalling would not work:
- your VPS runs on a Virtualization Platform that only allows dom0 (and not your dom1) certain required privileges,
- your provider did modify Something Else but isn't telling you,
- you're trying to Do Stuff without properly investigating the errors you get. (Start by posting those and the VPS specs in full?)
Also please heed warnings as addressed in post #10, thanks.
10-12-2015, 04:04 PM
#14
LQ Newbie
Registered: Mar 2012
Posts: 25
Original Poster
This is a direct link to the VPS specs provided on the internet: http://www.server4you.com/vps#compare
Check the server Plus X8 under Stateful Firewall Matching; there's a red X, so, for some reason not explained in great detail, that version doesn't have it. Probably because of the first reason you mention: they don't allow it to run certain things, just to scale their offer and incite more people to buy more expensive servers.
10-13-2015, 05:18 PM
#15
Moderator
Registered: May 2001
Posts: 29,415
They're running vServer, 'nuff said...