09 April 2015 @ 02:09 pm
Is there a clean way to set up a firewall on Linux?
I'm playing with a Linux VPS (CentOS) and want to make my VPS private (it should only respond to requests from several whitelisted IP addresses and silently ignore everything else).

That Linux VPS is going to host only an ElasticSearch server, and I want to hide ElasticSearch from the public.

It looks like configuring Advanced Policy Firewall (APF) is the right tool for that.

My first temptation was to replace the couple of thousand lines of default configuration in /etc/sysconfig/iptables with just a few lines, like this:
----- /etc/sysconfig/iptables -----
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 111.111.111.111 -j ACCEPT
-A INPUT -s 222.222.222.222 -j ACCEPT
-A INPUT -j DROP
COMMIT
------------------------------------
where 111.111.111.111 and 222.222.222.222 are my whitelisted IP addresses.

But support from my Linux box provider ("A Small Orange") told me that we should not modify iptables directly.

What would happen if I modified the iptables file directly?

If not - how else can I delete all the junk from iptables?
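The approach from the post in a reproducible form, as an added example that is not from the thread, from APF or from the hosting provider: a POSIX sh script that generates the whitelist ruleset (adding the loopback and established-connection rules the three-line version lacks), refuses to apply it when the address you are logged in from is missing from the whitelist, parse-checks it with iptables-restore --test, and persists it the CentOS 6 way with service iptables save. Function names are hypothetical, and the 111.111.111.111 style addresses are the placeholders used in the post.

```shell
#!/bin/sh
# Added example (not from the thread): build a complete /etc/sysconfig/iptables
# in iptables-restore format that accepts only whitelisted source IPs and
# silently drops the rest, and refuse to apply it if it would lock out the
# admin who is running it. Function names are hypothetical; the IPs are the
# placeholders used in the post. Assumes a CentOS 6 style init script.

# gen_rules IP...  -> prints the whole ruleset to stdout
gen_rules() {
    # INPUT policy DROP is the "silently ignore everything else" part; the lo
    # and ESTABLISHED,RELATED rules keep local services and replies working.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# check_lockout ADMIN_IP WHITELIST_IP... -> 0 if ADMIN_IP is whitelisted, else 1
check_lockout() {
    admin=$1
    shift
    for ip in "$@"; do
        if [ "$ip" = "$admin" ]; then return 0; fi
    done
    return 1
}

# apply_rules IP...  -> parse-check, load live, then persist (root, over SSH)
apply_rules() {
    admin=${SSH_CLIENT%% *}   # SSH_CLIENT is "client_ip client_port server_port"
    if ! check_lockout "$admin" "$@"; then
        echo "refusing: current session address '$admin' is not whitelisted" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    gen_rules "$@" > "$tmp"
    # --test parses and builds the ruleset without committing it to the kernel.
    if iptables-restore --test < "$tmp" && iptables-restore < "$tmp"; then
        service iptables save      # writes live rules to /etc/sysconfig/iptables
    fi
    rm -f "$tmp"
}
```

Run gen_rules with the whitelist to inspect the file before letting apply_rules touch the live firewall; since OUTPUT stays ACCEPT and established connections are allowed, the SSH session that applies the rules survives as long as its source address is in the list.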
 
 
 
Clean and soberanspa on April 9th, 2015 06:15 pm (UTC)
Hire someone. Although iptables is, in principle, not a hard thing. But make one mistake and you'll lock yourself out of the server. =)
Dennis Gorelikdennisgorelik on April 9th, 2015 06:33 pm (UTC)
> But make one mistake and you'll lock yourself out of the server. =)

I am already dangerous enough to know about this:
-------
Option: DEVEL_MODE
Description: This tells APF to run in a development mode which in short means
that the firewall will shut itself off every 5 minutes from a cronjob. When
you install any version of APF, upgrade or new install, this feature is by
default enabled to make sure the user does not lock themself out of the
system with configuration errors. Once you are satisfied that you have the
firewall configured and operating as intended then you must disable it.
-------
:-)

But seriously, is it better to hire someone (I remember about you) or learn about configuring that stuff in-house?

If we are going to run that server, we should probably know how to maintain that server ourselves, right?
How would hiring external expertise fit into that model?

In addition to that, "A small orange" also provides some support.
Unfortunately, after they claimed to have configured the firewall correctly, our server is still available to non-whitelisted IPs.
Clean and soberanspa on April 9th, 2015 06:36 pm (UTC)
Depends what you are looking for in that. It does not take much effort to find a good sample of iptables config online and tune it to your liking. Then, adding stuff when needed.

Edited at 2015-04-09 06:36 pm (UTC)
Clean and soberanspa on April 9th, 2015 06:37 pm (UTC)
BTW, good hosting operators these days give you an external firewall, independent of the server itself.
Dennis Gorelikdennisgorelik on April 9th, 2015 06:40 pm (UTC)
Is an external firewall really worth it?

When I had an external firewall at Rackspace several years ago, it only contributed to the problems.

I live with a software firewall on my Windows production server and it works great.
Clean and soberanspa on April 9th, 2015 06:16 pm (UTC)
iptables has to be run from the command line so that it re-reads that config file of yours with your fix.
Dennis Gorelikdennisgorelik on April 9th, 2015 06:38 pm (UTC)
Do I need to run iptables from command line only once and then it would keep working after every reboot?

So it's ok to modify iptables directly?
Clean and soberanspa on April 9th, 2015 06:40 pm (UTC)
I used to have an /etc/init.d/iptables script that could be used to stop and start iptables - that's when it re-reads the config. It was also linked to the /etc/rc folders to start the firewall when the server starts. Is that what you have in your CentOS? I don't know.
Deemon: samuraideemon on April 9th, 2015 09:01 pm (UTC)
this is why rh-derived distros suck and you should switch to debian

seriously, though http://unix.stackexchange.com/questions/144622/etc-sysconfig-iptables-manual-customization-of-this-file-is-not-recommende
Dennis Gorelikdennisgorelik on April 10th, 2015 12:49 am (UTC)
> this is why rh-derived distros suck and you should switch to debian

I cannot believe that it took me (a Linux rookie) so little time to get involved in Linux distro wars.
:-)

But seriously, I am open to switching to whatever distro would serve me the best.
For example, ASmallOrange has Ubuntu template for their VPS.
Would it be better?

Am I guessing right that RedHat/CentOS are designed to support stuff like cPanel?
I do NOT need cPanel.

I only need ElasticSearch.
Deemondeemon on April 10th, 2015 01:20 am (UTC)
obv i was kidding, centos is ok too for many people. Distros differ mainly in package management and startup/config handling, apps like CPanel or Elasticsearch work everywhere

My usual recommendation is DigitalOcean https://www.digitalocean.com/?refcode=d273c2b283fb (my ref link lol) - same cost but SSD in all plans, makes a huge difference.

Use latest Debian image obv

happy elasticsearching!
Dennis Gorelikdennisgorelik on April 10th, 2015 06:30 am (UTC)
1) DigitalOcean does not have a data center in Dallas.
It looks like my Windows hosting and ASmallOrange (linux hosting) use the same SoftLayer datacenter in Dallas, so ping between them is less than 1ms.

2) Would SSD be important if everything is cached in RAM anyway?
Clean and soberanspa on April 10th, 2015 01:56 am (UTC)
BTW, I have used Debian for many years as well and that's my distro of choice. But of course there are plenty of CentOS followers who would list all the pro points for it. =) cPanel is supported everywhere, not just under CentOS. Same as Webmin or plenty of other free or commercial packages.
Dennis Gorelikdennisgorelik on April 10th, 2015 06:15 am (UTC)
So how do I pick between CentOS and Debian?

My provider provides other OSes, but recommends CentOS and does not provide support services for other distros.
_windwalker__windwalker_ on April 9th, 2015 09:10 pm (UTC)
I would go with iptables, and to practice on something disposable first - vagrant.

iptables is as simple and obvious as a rake.
Clean and soberanspa on April 10th, 2015 12:43 am (UTC)
iptables is simple only until you want something beyond blocking by IP - for example forwarding and packet management.
Dennis Gorelikdennisgorelik on April 10th, 2015 12:51 am (UTC)
1) Edit the iptables file directly?

2) How can vagrant help me?
convertorcon_vertor on April 10th, 2015 02:49 am (UTC)
presumably it meant experimenting on a virtual machine,
rather than straight on production)

I also have about 8 VMs in vagrant for various experiments
Dennis Gorelikdennisgorelik on April 10th, 2015 06:06 am (UTC)
Thanks, I've now learned what Vagrant is.
In theory.

It's tempting to try, but will it be worth the effort if this Linux box is going to be used exclusively for ElasticSearch?
We will only need to set it up once.
And, possibly, set up an ElasticSearch cluster later.

All our development of the web application itself will stay on the Windows platform anyway.
_windwalker__windwalker_ on April 10th, 2015 07:52 am (UTC)
If you look at the benefit from the angle that the production server won't go down from a botched firewall configuration, then it's worth it. Plus you can experiment with iptables rules.

As for apf I can't say, but on CentOS 6.5 it definitely wasn't installed.

A relatively interesting approach to editing monolithic files I saw in chef: a number of rule files are created, which are then merged in ascending name order into a single file that is fed to the iptables configuration loading procedure.

The big file is never edited, and the small ones are easy to edit.

As for apf I can't say - haven't tried it.
convertorcon_vertor on April 11th, 2015 03:02 am (UTC)
and you can also set this up with Chef or Puppet,
or Ansible as a last resort.

what does your site run on that makes it non-portable from Windows?)
Dennis Gorelikdennisgorelik on April 10th, 2015 06:01 am (UTC)
I only just realized that iptables is not part of APF.
Is there some way to make APF not override my iptables configuration?
For example, is it safe to remove APF so that nobody is tempted to run it?
Dennis Gorelikdennisgorelik on April 10th, 2015 06:16 am (UTC)
Are you recommending another configuration firewall?

But why not just directly edit iptables?
I only need a few lines of config code.
fatofffatoff on April 10th, 2015 02:43 pm (UTC)
This is what I do sometimes on Linux when I doubt if manual changes would be correct. By trying and seeing what change was applied I try to detect the good way. Of course if the tool is wrong then it is a waste of time but at least I can see if that works or not.