09 April 2015 @ 02:09 pm
Is there a clean way to set up a firewall on Linux?
I'm playing with a Linux VPS (CentOS) and want to make my VPS private (it should only respond to requests from several whitelisted IP addresses and silently ignore everything else).

That Linux VPS is going to host only an ElasticSearch server, and I want to hide ElasticSearch from the public.

It looks like configuring Advanced Policy Firewall (APF) is the right tool for that.

My first temptation was to replace a couple of thousand lines of default configuration in /etc/sysconfig/iptables with just a few lines, like this:
----- /etc/sysconfig/iptables -----
*filter
# whitelisted addresses; anything not matched below is dropped
-A INPUT -s 111.111.111.111 -j ACCEPT
-A INPUT -s 222.222.222.222 -j ACCEPT
-A INPUT -j DROP
COMMIT
------------------------------------
where 111.111.111.111 and 222.222.222.222 are my whitelisted IP addresses (the *filter and COMMIT lines are required for the file to load with iptables-restore).

But support from my Linux box provider ("A Small Orange") told me that we should not modify iptables directly.

What would happen if I modify iptables file directly?

If not - how else can I delete all the junk from iptables?
Clean and sober (anspa) on April 9th, 2015 06:15 pm (UTC)
Hire somebody. Though iptables is basically not a hard thing. But make one mistake and you will lock yourself out of the server. =)
Dennis Gorelik (dennisgorelik) on April 9th, 2015 06:33 pm (UTC)
> But make one mistake and you will lock yourself out of the server. =)

I am already dangerous enough to know about this:
-------
Option: DEVEL_MODE
Description: This tells APF to run in a development mode which in short means
that the firewall will shut itself off every 5 minutes from a cronjob. When
you install any version of APF, upgrade or new install, this feature is by
default enabled to make sure the user does not lock themself out of the
system with configuration errors. Once you are satisfied that you have the
firewall configured and operating as intended then you must disable it.
-------
:-)

But seriously, is it better to hire someone (I remember about you) or learn about configuring that stuff in-house?

If we are going to run that server, we should probably know how to maintain that server ourselves, right?
How would hiring external expertise fit into that model?

In addition to that, "A small orange" also provides some support.
Unfortunately, after they claimed to have configured the firewall correctly, our server is still available to non-whitelisted IPs.
Clean and sober (anspa) on April 9th, 2015 06:16 pm (UTC)
iptables has to be run from the command line so that it re-reads that config file you edited.
Dennis Gorelik (dennisgorelik) on April 9th, 2015 06:38 pm (UTC)
Do I need to run iptables from command line only once and then it would keep working after every reboot?

So it's ok to modify iptables directly?
Clean and sober (anspa) on April 9th, 2015 06:40 pm (UTC)
I used to have an /etc/init.d/iptables script that could be used to stop and start iptables; that's when it re-reads the config. It was also linked from the /etc/rc folders to start the firewall when the server starts. Is that what you have in your CentOS? I don't know.
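The following script is an added example for this thread, not code from the original post, from APF, or from the hosting provider. It ties together the three-line whitelist from the question and the point above that the rules only take effect when the iptables service re-reads /etc/sysconfig/iptables: it generates a complete ruleset in iptables-save format (the only format that file and iptables-restore accept), adds the lines the bare whitelist is missing (loopback, replies to the server's own outbound connections, and SSH from the whitelisted addresses), and applies it with a timed rollback so a mistake cannot lock you out. The two addresses, ElasticSearch on TCP 9200, SSH on TCP 22, and the CentOS 6 init-script layout (service iptables, chkconfig) are all assumptions.

```sh
#!/bin/sh
# Added example (not from the original post, APF, or the provider).
# Placeholders / assumptions: the whitelisted addresses, ES on TCP 9200,
# SSH on TCP 22, CentOS 6 style /etc/sysconfig/iptables + chkconfig.

WHITELIST="111.111.111.111 222.222.222.222"
ES_PORT=9200
SSH_PORT=22
BACKUP=/root/iptables.before
GUARD_PID=/root/iptables.guard.pid

# Print a complete filter table. A default policy of DROP on INPUT replaces
# the trailing "-A INPUT -j DROP": unsolicited packets are dropped silently,
# so the host looks dark rather than closed.
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Without these two lines the whitelist-only version breaks the box itself:
    # localhost traffic and replies to the server's own connections (yum, DNS)
    # would be dropped too.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for ip in $WHITELIST; do
        printf '%s\n' "-A INPUT -s $ip -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT"
        printf '%s\n' "-A INPUT -s $ip -p tcp --dport $ES_PORT -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of per-address ACCEPT rules in the generated ruleset (sanity check).
count_whitelist_rules() {
    gen_rules | grep -c '^-A INPUT -s '
}

# Apply as root. A background timer restores the previous rules after 180 s
# unless confirm_rules is run from a fresh SSH session first; this is a
# one-shot version of the idea behind APF's DEVEL_MODE cron job.
apply_rules() {
    iptables-save > "$BACKUP" || return 1
    gen_rules > /etc/sysconfig/iptables
    nohup sh -c "sleep 180; iptables-restore < $BACKUP" >/dev/null 2>&1 &
    echo $! > "$GUARD_PID"
    # Loading the file is what actually changes the running firewall;
    # editing /etc/sysconfig/iptables alone does nothing until then.
    iptables-restore < /etc/sysconfig/iptables
    iptables -L INPUT -n -v --line-numbers
}

# Run only after a NEW ssh login from a whitelisted address has succeeded.
confirm_rules() {
    kill "$(cat "$GUARD_PID")" 2>/dev/null
    rm -f "$GUARD_PID"
    # The init script reloads /etc/sysconfig/iptables at boot, so the rules
    # survive reboots as long as the service is enabled.
    chkconfig iptables on
}

# Verify from a machine that is NOT whitelisted (expect a timeout, exit 1,
# never "connection refused"):
#   nc -z -w 5 YOUR.SERVER.IP 9200; echo $?
case "${1:-show}" in
    show)    gen_rules ;;
    apply)   apply_rules ;;
    confirm) confirm_rules ;;
esac
```

Run it with no argument to review the generated file, `apply` as root to load it, and `confirm` from a second SSH session once you have verified you can still get in; if that second login fails, the timer puts the old rules back on its own. Any tool that also rewrites the running tables (APF, or a provider's control panel) will overwrite this on its next run, so only one of them should own the firewall.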
Deemon: samurai (deemon) on April 9th, 2015 09:01 pm (UTC)
this is why rh-derived distros suck and you should switch to debian

seriously, though http://unix.stackexchange.com/questions/144622/etc-sysconfig-iptables-manual-customization-of-this-file-is-not-recommende
Dennis Gorelik (dennisgorelik) on April 10th, 2015 12:49 am (UTC)
> this is why rh-derived distros suck and you should switch to debian

I cannot believe that it took me (a Linux rookie) so little time to get involved in Linux distro wars.
:-)

But seriously, I am open to switching to whatever distro would serve me the best.
For example, ASmallOrange has Ubuntu template for their VPS.
Would it be better?

Am I guessing right that RedHat/CentOS are designed to support stuff like cPanel?
I do NOT need cPanel.

I only need ElasticSearch.
_windwalker_ (_windwalker_) on April 9th, 2015 09:10 pm (UTC)
I would go with iptables, and to practise on guinea pigs first - vagrant.

iptables is as simple and straightforward as a rake.
Clean and sober (anspa) on April 10th, 2015 12:43 am (UTC)
iptables is simple right up until you want something beyond blocking by IP, for example forwarding and packet management.
Dennis Gorelik (dennisgorelik) on April 10th, 2015 12:51 am (UTC)
1) Edit the iptables file directly?

2) How can vagrant help me?
convertor (con_vertor) on April 10th, 2015 02:49 am (UTC)
Presumably what was meant was to experiment on a virtual machine,
rather than straight on production :)

I also have about 8 VMs in vagrant for various experiments.
Dennis Gorelik (dennisgorelik) on April 10th, 2015 06:01 am (UTC)
I only just realized that iptables is not part of APF.
Is there some way to make APF not override my configuration in iptables?
For example, is it safe to remove APF so that nobody is tempted to start it?
Dennis Gorelik (dennisgorelik) on April 10th, 2015 06:16 am (UTC)
Are you recommending another configuration firewall?

But why not just directly edit iptables?
I only need a few lines of config code.
fatoff (fatoff) on April 10th, 2015 02:43 pm (UTC)
This is what I do sometimes on Linux when I doubt whether manual changes would be correct. By trying and seeing what change was applied, I try to detect the good way. Of course, if the tool is wrong then it is a waste of time, but at least I can see whether that works or not.