A firewall prevents all network access to your server (with certain exceptions that you will specify).
You can configure a firewall on your VPS using the Webmin control panel. The iptables command will actually implement the firewall rules.
Before you decide to set up a firewall, please consider:
1) Misconfiguring a firewall can prevent you from accessing your own server.
2) The best way to prevent someone from accessing services on your VPS is to simply not run those services.
3) Firewalls don't protect you from insecure services. So keep your server up to date with the latest security patches, for example by running apt-get update; apt-get upgrade.
Note: A few people with multiple IPs have reported this HOWTO does not work for them. So we recommend following this HOWTO on servers with a single IP only.
Discouraged yet? If you still want to proceed setting up a firewall, here goes...
Go to your Webmin control panel. Select Networking | Linux Firewall. Webmin will offer to create default rules for you. Select the "Block all except SSH, IDENT, ping and high ports on interface" option. You don't need to enter anything in the input to the right of the "eth0" combo.
On the resulting page there will be an option "If protocol is TCP and destination port is ssh". Select that option. On the Edit Rule page, go down to the "Destination TCP or UDP port" option. Change the option from equalling "ssh" to equalling "ssh,www,https,pop3,smtp,imap,imaps,pop3s,10000". Add in whatever other ports you need, or remove ports you want to exclude. Hit Save.
Click 'Add Rule'. For Rule Comment set "Allow traceroutes". Action to Take is 'Accept'. Set Network Protocol 'Equals' 'UDP'. Set Destination TCP or UDP port 'Equals' 'Port Range' '33434' to '33523'.
Hit Apply Configuration. Check that 'Activate at Boot' is Yes.
On your VPS you should now be able to run iptables --list and get a list of all your iptables rules. You can remove all the rules by stopping iptables: /etc/init.d/iptables stop. You can also stop the iptables service from running at startup by running chkconfig --del iptables. Or you can remove the saved iptables rules by running echo "" > /etc/sysconfig/iptables (this empties the rule set that is loaded at boot; rules already loaded in the kernel stay in effect until iptables is stopped or restarted).
When you're done, you will have an /etc/sysconfig/iptables file like this:
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*nat
:PREROUTING ACCEPT [38:1868]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*mangle
:PREROUTING ACCEPT [353:47034]
:INPUT ACCEPT [353:47034]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [323:141426]
:POSTROUTING ACCEPT [323:141426]
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH, web, mail and Webmin (10000) servers
-A INPUT -p tcp -m tcp -m multiport --dports ssh,www,https,pop3,smtp,imap,imaps,pop3s,10000 -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Protect our NFS server
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
# Protect our X11 display server
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
# Protect our X font server
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
# Allow connections to unprivileged ports
-A INPUT -p tcp -m tcp --dport 1024:63353 -j ACCEPT
# Accept traceroutes
-A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
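To see what the rule set produced by the steps above actually does before activating it on a box you can only reach over SSH, here is a small dry-run evaluator. It is an added example, not RimuHosting's or Webmin's code: it embeds the INPUT policy and rules from the *filter table above as a constructed string, parses only the options that appear there (-i, -p, --dport/--dports, --sport, --state, --tcp-flags, --icmp-type, -j) and raises on anything else, and walks the chain with iptables' first-match semantics for a simplified packet model (protocol, ports, interface, TCP flags, conntrack state, ICMP type). The service-name-to-port table is an assumption that matches a typical /etc/services.

```python
"""Dry-run of the INPUT chain above (added example, not RimuHosting's or Webmin's
code): evaluate sample packets with iptables' first-match rule semantics."""
import shlex
from collections import namedtuple
# Chain policies and rules copied from the *filter table above; '#' comment lines are skipped.
FILTER_TABLE = """
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports ssh,www,https,pop3,smtp,imap,imaps,pop3s,10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
-A INPUT -p tcp -m tcp --dport 1024:63353 -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
"""
# Service names the dump uses, as a typical /etc/services resolves them (assumption).
SERVICES = {"ssh": 22, "smtp": 25, "www": 80, "pop3": 110, "auth": 113,
            "imap": 143, "https": 443, "imaps": 993, "pop3s": 995}
SIMPLE = {"-A": "chain", "-i": "iface", "-p": "proto", "--icmp-type": "icmp_type", "-j": "target"}
# Only the fields these rules inspect; `state` is conntrack's view of the packet.
Packet = namedtuple("Packet", "proto dport sport iface flags state icmp_type",
                    defaults=(0, 0, "eth0", frozenset(), "NEW", ""))

def port_ranges(spec):  # 'ssh,www,10000' or '1024:65535' -> inclusive (lo, hi) pairs
    out = []
    for lo, _, hi in (item.partition(":") for item in spec.split(",")):
        lo = int(lo) if lo.isdigit() else SERVICES[lo]
        out.append((lo, int(hi) if hi else lo))
    return out

def parse_rule(line):  # one '-A CHAIN ...' line -> dict of match conditions plus target
    toks, rule, i = shlex.split(line), {}, 0
    while i < len(toks):
        t, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else ""
        if t == "!":                       # '!' negates the option that follows it
            rule["negated"], i = arg, i + 1
            continue
        if t in ("--dport", "--dports", "--sport"):
            rule[t.lstrip("-")[:5]] = port_ranges(arg)
        elif t == "--state":
            rule["state"] = set(arg.split(","))
        elif t == "--tcp-flags":           # mask, then the flags that must be set within it
            rule["tcp_flags"], i = (set(arg.split(",")), set(toks[i + 2].split(","))), i + 1
        elif t in SIMPLE:
            rule[SIMPLE[t]] = arg
        elif t != "-m":                    # '-m mod' only loads a match module
            raise ValueError(f"unsupported option {t!r} in: {line}")
        i += 2
    return rule

def parse_table(text):  # -> ({chain: policy}, {chain: [rule, ...]}) in file order
    policies, rules = {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            policies[chain], rules[chain] = policy, []
        else:
            rule = parse_rule(line)
            rules[rule["chain"]].append(rule)
    return policies, rules

def matches(rule, pkt):  # True when every condition in the rule holds for the packet
    if "iface" in rule and (pkt.iface == rule["iface"]) == (rule.get("negated") == "-i"):
        return False
    if rule.get("proto", pkt.proto) != pkt.proto:
        return False
    for key in ("dport", "sport"):
        if key in rule and not any(lo <= getattr(pkt, key) <= hi for lo, hi in rule[key]):
            return False
    if "tcp_flags" in rule and (pkt.flags & rule["tcp_flags"][0]) != rule["tcp_flags"][1]:
        return False
    return (pkt.state in rule.get("state", {pkt.state})
            and rule.get("icmp_type", pkt.icmp_type) == pkt.icmp_type)

def verdict(pkt, chain="INPUT", table=FILTER_TABLE):  # first match wins, else chain policy
    policies, rules = parse_table(table)
    for rule in rules[chain]:
        if matches(rule, pkt):
            return rule["target"]
    return policies[chain]

if __name__ == "__main__":  # constructed sample packets, not captured traffic
    for pkt in (Packet("tcp", 22, flags={"SYN"}), Packet("tcp", 2049, flags={"ACK"}), Packet("udp", 33440)):
        print(pkt, "->", verdict(pkt))
```

Run it directly and it prints a verdict for a few constructed packets; call verdict() with your own Packet to probe other cases. Two things the dry run makes visible: the rule that accepts any TCP packet with the ACK flag set sits above the port-specific DROP rules, so those DROPs only stop new connection attempts (SYN packets) to the NFS, X11 and font-server ports, which is why point 2 above (don't run services you don't need) is the real protection; and the "high ports" rule accepts new connections to every unprivileged port up to 63353, so a daemon listening on, say, 3306 is reachable from the outside unless you remove that rule or the service.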
If you accidentally set up an iptables rule that locks you out of your RimuHosting VPS, you can enable the console-over-ssh feature, stop iptables from there and set up your rules again.