iptables Firewall Advice

Posted by ichilton, 03-17-2010, 06:38 PM
Hi, I was wondering if anyone had any advice on this firewall script? It's for an SSH gateway and it's running on a VPS which doesn't (and can't) have the nat or conntrack modules. Is there anything that wouldn't be considered good practice or secure? Thanks, Ian

Posted by activelobby4u, 03-18-2010, 01:37 AM
You could probably go with apf or something. The hosting provider will be able to enable required modules from the node to install and configure apf.

Posted by ichilton, 03-18-2010, 03:16 AM
Hi, Thanks for the reply, but I really wanted comments on my own script. The host won't enable any modules - it was a right pain to write it without being able to allow ESTABLISHED,RELATED packets in! Ian
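
The situation described in this thread (no conntrack, so no `-m state --state ESTABLISHED,RELATED`) can be handled with stateless rules that admit return traffic by TCP flags instead. The script below is an added example, not the poster's script; it assumes eth0 is the public interface, SSH on port 22, and defaults IPT to `echo iptables` so it prints the rules as a dry run.

```shell
#!/bin/sh
# Added example: stateless iptables ruleset for an SSH gateway whose kernel
# lacks the conntrack/state module. Instead of matching ESTABLISHED, return
# traffic is accepted when the packet is NOT a connection attempt, i.e. has
# SYN clear ("! --syn" is shorthand for ! --tcp-flags SYN,RST,ACK,FIN SYN).
# Assumptions: WAN=eth0 is the public interface, sshd listens on 22.
# IPT defaults to "echo iptables" (dry run); run with IPT=iptables as root.
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"

stateless_rules() {
    # Default deny in every direction, then flush any old rules.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F

    # Loopback is trusted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Inbound SSH to the gateway: SYNs and the rest of the session.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -j ACCEPT
    # Our replies leave from port 22 and are never connection attempts.
    $IPT -A OUTPUT -o "$WAN" -p tcp --sport 22 ! --syn -j ACCEPT

    # Outbound SSH from the gateway (it is a jump host).
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 22 -j ACCEPT
    # Replies come from port 22 to an unprivileged local port, SYN clear.
    $IPT -A INPUT -i "$WAN" -p tcp --sport 22 --dport 1024:65535 ! --syn -j ACCEPT

    # DNS: UDP has no flags to test, so only allow answers to high ports.
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p udp --sport 53 --dport 1024:65535 -j ACCEPT

    # Anything else falls through to the DROP policies above.
}

stateless_rules
```

Stateless matching is weaker than conntrack: a non-SYN packet aimed at a high port is accepted regardless of whether a session exists, so keep the allowed source ports and destination ranges as narrow as the gateway's role permits.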

Posted by ClaudiuPopescu, 03-18-2010, 03:42 AM
Your SSH filtering is a bit strange. You have an iptables rule even for outgoing SSH connections; why do you need it to be that complex? If your server gets compromised you can rest assured that no firewall rule will stop the attacker from SSH-ing out of your server.

Posted by ideamine, 03-18-2010, 04:39 AM
Hi, It is better to use CSF.

Posted by ichilton, 03-18-2010, 02:21 PM
The rules for outgoing SSH are allowing it, not blocking it! Thanks, Ian

Posted by inspiron, 03-19-2010, 04:18 AM
I too would suggest the CSF firewall: it's easy to install, easy to set up, and well documented, with a GUI.

Posted by jadursupport, 03-20-2010, 08:43 PM
Yes, if you go for CSF it has advanced features, and you can also ask your server provider to enable the iptables modules on your VPS node, as it is always great to have them where security is concerned:

Enabling iptables modules in a VPS

It is easy to enable iptables modules in a VPS node. Please follow these steps.

1. Before enabling the modules for a VPS, make sure they are enabled in the root node of the VPS. You can check it using the command: lsmod | grep -i module_name
2. If it is not enabled, then you can enable it using the modprobe command: modprobe iptables_module
3. Stop the container in which you want to enable the module; for example, if the container is 101, run this command: vzctl stop 101
4. Execute the following command: vzctl set 101 --iptables iptables_module --iptables iptables_module --save
5. Restart the container: vzctl restart 101
