Firewall / iptables?
Trashman
03-31-2006, 09:35 PM
Anyone know a way to create firewall rules on my VPS (CentOS)? I notice I cannot load the iptables kernel module (insmod and lsmod are linked to /bin/true).
corkyb
03-31-2006, 10:12 PM
You should be able to load the default iptables from /etc/sysconfig. It may not appear on the VPS version. If you use webmin.. go to Networking, Firewall and have it create the default setup (think it's an option). Be careful though.. you may lock yourself out. Once you have the default loaded, just do /etc/rc.d/init.d/iptables start (or start it from webmin).
Here is the default file from my local CentOS box:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
glowworm
04-01-2006, 02:08 AM
Be careful though..you may lock yourself out.
You sure can!
One handy hint is to create a script to remove all rules and schedule it with an "at" just before you apply the real rules.
If you do get locked out the "at" will kick in after say 10 minutes and remove all the rules.
If you don't get kicked out you just cancel the "at" command and delete the disable script.
YMMV but it's always worked for me.
david
04-03-2006, 03:07 AM
Since the ruleset is evaluated in order, I recommend you add your home/work computer's IP to the top of the list in the INPUT table with ACCEPT policy, just in case something is wrong with the rules, at least you can get in from that IP and fix it.
iptables -I INPUT 1 -s your.ip.numbe.r -p tcp --dport 22 -j ACCEPT
(Make rule #1: accept any connection from your IP number to port 22, which is ssh, so change it if you have ssh listening on another port)
My 2 cents.
David
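A script that puts both safeguards from this thread together (glowworm's at-scheduled flush and david's rule-1 admin hole), added here as an example rather than code from the thread; ADMIN_IP and SSH_PORT are assumed placeholders, and the ruleset in apply_rules is a cut-down version of the CentOS default file posted above:

```shell
#!/bin/sh
# Added example, not code from the thread. Combines the two safeguards above:
# an at(1)-scheduled flush that reopens the firewall if you lock yourself out,
# and an admin rule inserted at position 1 so your own IP always reaches sshd.
# ADMIN_IP and SSH_PORT are placeholders; adjust them before use.
IPTABLES=${IPTABLES:-/sbin/iptables}
ADMIN_IP=${ADMIN_IP:-203.0.113.10}   # placeholder from the RFC 5737 documentation range
SSH_PORT=${SSH_PORT:-22}
GRACE=${GRACE:-10}                   # minutes until the safety-net flush fires

# Reopen the filter table completely: policies back to ACCEPT, chains emptied
# and user-defined chains deleted. This is what the safety net runs.
flush_all() {
    "$IPTABLES" -P INPUT ACCEPT &&
    "$IPTABLES" -P FORWARD ACCEPT &&
    "$IPTABLES" -P OUTPUT ACCEPT &&
    "$IPTABLES" -F &&
    "$IPTABLES" -X
}

# Queue a flush with at(1) and print the job number, so it can be cancelled
# with "atrm <job>" once a fresh ssh login has proved the new rules work.
schedule_safety_net() {
    undo=${TMPDIR:-/tmp}/iptables-undo.$$
    printf '#!/bin/sh\n%s -P INPUT ACCEPT; %s -P FORWARD ACCEPT; %s -P OUTPUT ACCEPT; %s -F; %s -X\n' \
        "$IPTABLES" "$IPTABLES" "$IPTABLES" "$IPTABLES" "$IPTABLES" > "$undo" || return 1
    # at reports "job N at <date>" on stderr; keep only N
    at -f "$undo" now + "$GRACE" minutes 2>&1 | sed -n 's/^job \([0-9]*\).*/\1/p'
}

# Apply the real ruleset. Rule 1 is the admin hole (note -p tcp, which --dport
# requires); the final REJECT mirrors the CentOS default file posted above.
apply_rules() {
    flush_all || return 1
    "$IPTABLES" -I INPUT 1 -s "$ADMIN_IP" -p tcp --dport "$SSH_PORT" -j ACCEPT &&
    "$IPTABLES" -A INPUT -i lo -j ACCEPT &&
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT &&
    "$IPTABLES" -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT &&
    "$IPTABLES" -A INPUT -p tcp --dport 80 -j ACCEPT &&
    "$IPTABLES" -A INPUT -j REJECT --reject-with icmp-host-prohibited
}

# Typical session (run as root):
#   job=$(schedule_safety_net) && apply_rules
#   open a NEW ssh session to confirm access, then: atrm "$job"; rm /tmp/iptables-undo.*
```

Keep the existing ssh session open while testing; the at job only saves you if the new login fails, and the GRACE window is the longest you can be locked out.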
corkyb
04-03-2006, 06:05 PM
Excellent idea. I have had to get Rick and the guys to flush the tables a couple of times (I hate to admit).
corkyb
04-03-2006, 06:09 PM
That'll work too. The IPs in my example that had no ports listed let everything in.
I did not put the real ones in, but home/work was listed.. another good point!!
I did get the wild idea to monitor /var/log/secure and add the bad IPs to iptables, but someone on another thread suggested using DenyHosts. That works very well! In fact, if you use DenyHosts in conjunction with a fairly simple iptables you should have it covered.