Installing a firewall

We have a custom firewall script designed for the VPS, whose kernel does not support stateful rules or kernel logging and therefore breaks most popular firewall scripts.

We are happy to install it for you if you want, otherwise here are the do-it-yourself steps.

1) Download the script to your server. We provide pre-configured variants of the script to just work "out of the box" on your VPS. Choose the appropriate script and run the following command as root.

# no panel ports
wget -O /etc/init.d/firewall http://vpsinfo.nixhost.net/firewall.vps

# cpanel specific ports opened
wget -O /etc/init.d/firewall http://vpsinfo.nixhost.net/firewall.cpanel.vps

# DirectAdmin specific ports opened
wget -O /etc/init.d/firewall http://vpsinfo.nixhost.net/firewall.directadmin.vps

# Plesk specific ports opened
wget -O /etc/init.d/firewall http://vpsinfo.nixhost.net/firewall.psa.vps

This is where the security conscious will not take our word for anything and thoroughly read the script first. Go ahead, we'll wait. :)

2) Make it executable

chmod +x /etc/init.d/firewall

3) Configure it to start at boot

/sbin/chkconfig firewall on

4) Start it.

/sbin/service firewall start
or
/etc/init.d/firewall start

5) See the rules

/sbin/service firewall status


It is a standard Red Hat style service script so you can do

/sbin/service firewall start|stop|restart|status

If you open the script you will see how to add or remove open ports to your liking; restart the service after editing. Please note the default policy is to DROP packets, so do not just flush the iptables rules or you will lock yourself out.

That is all that is needed for a basic firewall, with one exception: passive ftp is not enabled. If you want to enable passive ftp, you will find a comment in the script describing the steps. Basically you determine what your local port range is, uncomment the line that opens up high ports outside of that range (editing it if necessary), and then configure your ftp server to use those ports for passive ftp. Then restart both your ftp server and the firewall.
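Before restarting a default-DROP firewall on a VPS that cannot run stateful matches, it pays to check the ruleset you are about to load. The following is an added example, not part of the provider's script: it reads a ruleset in iptables-save format (the constructed sample stands in for what "service firewall status" prints) and checks the points above, including that the passive ftp range is disjoint from the local port range.

```shell
#!/bin/sh
# Pre-restart sanity check for the stateless VPS firewall (added example,
# not the provider's script). check_ruleset takes iptables-save text and
# verifies: INPUT policy is DROP, tcp/22 is still accepted (no lock-out),
# and no -m state / -m conntrack matches, which this VPS kernel cannot run.
# Returns 0 on success; prints the first failing check and returns 1 otherwise.
check_ruleset() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' \
        || { echo "INPUT policy is not DROP"; return 1; }
    printf '%s\n' "$rules" | grep -E -q -- '-A INPUT .*-p tcp .*--dport 22 .*-j ACCEPT' \
        || { echo "no ACCEPT rule for tcp/22: restart would lock you out"; return 1; }
    if printf '%s\n' "$rules" | grep -E -q -- '-m (state|conntrack)'; then
        echo "stateful match present; this VPS kernel does not support it"
        return 1
    fi
    return 0
}

# Passive ftp: the ports you open must not overlap the kernel's ephemeral
# range (the two numbers in /proc/sys/net/ipv4/ip_local_port_range), or
# ordinary outbound connections may grab the ports reserved for ftp data.
# Arguments: pasv_low pasv_high local_low local_high. Returns 0 when disjoint.
pasv_range_ok() {
    [ "$2" -lt "$3" ] || [ "$1" -gt "$4" ]
}

# Constructed sample ruleset in iptables-save format (not the provider's
# actual rules), shaped like the stateless default-DROP policy described.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# The same ruleset with the ssh rule removed: the lock-out case.
BAD_RULES=$(printf '%s\n' "$SAMPLE_RULES" | grep -v 'dport 22')

# Usage against the live ruleset before a restart (run as root):
#   check_ruleset "$(iptables-save)" && /sbin/service firewall restart
#   read lo hi < /proc/sys/net/ipv4/ip_local_port_range
#   pasv_range_ok 61000 61100 "$lo" "$hi" || echo "pasv range overlaps"
```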


Thanks to Dmitry Konstatinov of sw-soft and the peeps at PVPS.