Web Hosting Forum | Lunarpages
News: October 6, 2008 - Submit Your Site for the October 2008 Site of the Month!
 
Home Help Search Calendar Login Register
*
Welcome, Guest. Please login or register.
Did you miss your activation email? 		October 12, 2008, 06:53:05 PM


Login with username, password and session length


Web Hosting Forum | Lunarpages > Lunarpages Web Hosting - Advanced Assistance > Lunarpages - VPS Hosting > iptables modules on VPS
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: iptables modules on VPS  (Read 903 times)
mojo_jojo
Newbie
*
Offline Offline

Posts: 5
« on: February 21, 2008, 10:03:58 PM »
I have seen several other posts regarding issues with getting iptables modules working on a VPS.   I requested that the required modules be enabled (CSF doesn't work without them).  Lunarpages has been working with me on enabling these modules but I still can't use the iptables modules no matter what I try.  I requested the following modules:

ip_tables
ipt_state
ipt_multiport
iptable_filter
ipt_limit
ipt_LOG
ipt_REJECT
ipt_conntrack
ip_conntrack
ip_conntrack_ftp
iptable_mangle

but the following will not work on my VPS:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

This of course works just fine on any of my dedicated servers.  Any rules I apply on my VPS that use the iptables modules result in the error message "iptables: No chain/target/match by that name".  Of course CSF won't work (nor APF, and yes I set MONOLITHIC=1).  I am hoping that someone would have some pointers and/or suggestions regarding this issue.  I read through the VPS setup guide by testall (great job by the way -> http://www.lunarforums.com/lunarpages_vps_hosting/how_do_i_setup_my_vps_server-t41213.0.html) and he/she seems to have gotten CSF to work so I know it is possible.

I was also wondering if it is because the Virtuozzo service needs to be restarted for iptables changes to take effect (I heard this somewhere).  Any help would be greatly appreciated.

Thanks.
Logged
mojo_jojo
Newbie
*
Offline Offline

Posts: 5
« Reply #1 on: February 22, 2008, 01:29:57 PM »
All fixed now.  Problem was particular to the hardware node and Lunarpages resolved the issue for me.

For anyone who is trying to get APF or CSF working with a VPS, asking support to setup the appropriate iptables modules should work just fine.

Time to go have fun with my VPS...
Logged
perestrelka
Administrator
Master Jedi
*****
Offline Offline

Posts: 1058
« Reply #2 on: February 23, 2008, 09:33:52 PM »
Hi mojo_jojo,

I am glad to hear your issue has been solved. Please feel free to ask on this forums any VPS related questions that don't fall under support area. Also, any useful instructions and tricks postings will be greatly appreciated.
Logged
Kind Regards,
Vlad Artamonov
joep
Space Explorer
***
Offline Offline

Posts: 6
« Reply #3 on: March 13, 2008, 05:32:27 PM »
Thanks to mojo_jojo's post, I too informed support that I wanted ipt_ modules. They moved my VPS to a node that supports them and I set up this iptables code
Code:
[root@vps /]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere           
VZ_INPUT   all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere           
VZ_FORWARD  all  --  anywhere             anywhere           

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere           
VZ_OUTPUT  all  --  anywhere             anywhere           

Chain LOGACCEPT (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level alert
ACCEPT     all  --  anywhere             anywhere           

Chain LOGDROP (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level warning
DROP       all  --  anywhere             anywhere           

Chain VZ_FORWARD (1 references)
target     prot opt source               destination         

Chain VZ_INPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  my.home.ip.address  anywhere            tcp dpt:ssh
LOGDROP    tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:32768:65535
ACCEPT     udp  --  anywhere             anywhere            udp dpts:32768:65535
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8880
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8443
ACCEPT     tcp  --  vps.myhost.com   vps.myhost.com 
ACCEPT     udp  --  vps.myhost.com   vps.myhost.com 
ACCEPT     tcp  --  my.home.ip.address  anywhere            tcp dpt:783
LOGACCEPT  tcp  --  my.home.ip.address  anywhere            tcp dpt:ftp

Chain VZ_OUTPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere           
ACCEPT     udp  --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:8880
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:8443
ACCEPT     tcp  --  vps.myhost.com   vps.myhost.com 
ACCEPT     udp  --  vps.myhost.com   vps.myhost.com 
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:783


Unfortunately, I did't see and output in /var/log/messages.

I then changed syslog.conf to this:
Code:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
# JP Log them to /var/log/messages
kern.*                                                  -/var/log/firewall.log

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                -/var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              -/var/log/secure

# Log all the mail messages in one place.
mail.*                                          -/usr/local/psa/var/log/maillog


# Log cron stuff
cron.*                                                  -/var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          -/var/log/spooler

# Save boot messages also to boot.log
local7.*                                                -/var/log/boot.log


And I'm still not seeing any messages in /var/log/messages. I have connected using my ftp client, and I see the message from proftpd indicating as such, but none from the firewall. Syslogd creates the firewall.log file too, but no messages. When I changed the target of the ftp line to LOGCROP, I can't connect so I know the firewalling function is working, but I can't get a message from that either. What am I doing wrong?
Logged
perestrelka
Administrator
Master Jedi
*****
Offline Offline

Posts: 1058
« Reply #4 on: March 13, 2008, 09:18:14 PM »
Hi Joep,

Virtual servers do not have kernel logger running (klogd) must be because kernel logs are available only in hardware node. That's why your IPtables rules may be not leaving the messages in the logs as well.
Logged
Kind Regards,
Vlad Artamonov
joep
Space Explorer
***
Offline Offline

Posts: 6
« Reply #5 on: March 14, 2008, 12:18:48 PM »
Arrrggghhh, I thought that might be it.

Are their any plans to move to a real virtualization platform like Virtual Box or VMWare so that these kinds of issues go away? It seems that Plesk/Virtuozzo isn't really virtual, it just claims to be. 

Logged
perestrelka
Administrator
Master Jedi
*****
Offline Offline

Posts: 1058
« Reply #6 on: March 14, 2008, 02:31:41 PM »

Quote
Are their any plans to move to a real virtualization platform like Virtual Box or VMWare so that these kinds of issues go away? It seems that Plesk/Virtuozzo isn't really virtual, it just claims to be.

Unfortunately, other virtualization technologies are not considered at this moment. Although we may consider them in the future.
Logged
Kind Regards,
Vlad Artamonov
joep
Space Explorer
***
Offline Offline

Posts: 6
« Reply #7 on: March 14, 2008, 04:52:54 PM »
OK, thanks perestrelka, for your responses.

I guess I'll never know if that guy from Brazil who was trying to guess my ssh password is still trying.  Yep
Logged
perestrelka
Administrator
Master Jedi
*****
Offline Offline

Posts: 1058
« Reply #8 on: March 15, 2008, 10:43:36 PM »
Quote from: joep on March 14, 2008, 04:52:54 PM
OK, thanks perestrelka, for your responses.

I guess I'll never know if that guy from Brazil who was trying to guess my ssh password is still trying.  Yep

You are welcome. Just install some anti-bruteforce solution and that guy can be trying to guess your passes forever Wink
Logged
Kind Regards,
Vlad Artamonov
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.6 | SMF © 2006-2008, Simple Machines LLC

Valid XHTML 1.0! Valid CSS! Dilber MC Theme by HarzeM