Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Alexander Melikhov2017-09-09 21:05:15
linux
Alexander Melikhov, 2017-09-09 21:05:15

How to setup iptables on vds with openvz virtualization?

There is a vds from firstvds.ru, unfortunately, with openvz virtualization, not kvm. This vps seems to be missing the conntrack module, judging by this link and the fact that the command

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
gives an error iptables: No chain/target/match by that name.. Ok, I tried to do without this rule. Wrote the following rules for iptables
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP

Everything seems to be fine. Only ports 22, 80 and 443 are open outside. The rest are closed. But the problem is that outgoing connections are also blocked. Because the usual ping to Yandex or any other request to an external site does not work. The FORWARD and OUTPUT chains are empty. If you remove the last rule -A INPUT -j DROP, then outgoing requests come and go, but all ports outside become open.
As I understand it, this is due to the lack
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
. Is there any way to do without this rule? Or do you still need to move to a VDS with kvm virtualization?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
K
krosh, 2017-09-10
@amelihovv

First, what distribution are we talking about? Perhaps you have firewalld instead of iptables, that's why it doesn't work. When asking questions of this type, you need to show what you have in all tables and chains:
Secondly, it is logical that something does not work in OpenVZ containers, because the capabilities of the host kernel are used, but the module you need is not loaded there, and you do not have rights to it. If you don't like it, then you need to switch either to another hoster or to KVM.
Just check next time like this:
Thirdly, judging by the link to the hoster's forum, you will not succeed - such a policy.
Therefore, you will have to filter according to the principle "everything that is not prohibited is allowed":

iptables -A INPUT -p tcp -m tcp -s X.X.X.X --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3306 -j DROP

You can understand that you can block like this:
either nmap from another host.
Put in the rules only blocking for specific services and don't worry about the rest.

Report
T
Twelfth Doctor, 2017-09-09
@verdex

Most likely, you need to move to a VDS with KVM virtualization. And if you want normal support (without the ISPManager panel), then move from FirstVDS to an adequate provider.

Report
A
A1estro, 2017-09-09
@A1estro

Try state:
Z.Y. better instead of -A INPUT -j DROP do -P INPUT DROP

Similar questions
E
eight_bit2019-10-21 11:41:25
Laptop freezes on reboot after installing additional SSD, how to diagnose? 1Reply
D
Denis Balandin2019-12-04 10:18:49
How do I replace the "Add to Cart" button for a specific brand? 2Reply
B
Biocoder2015-04-04 20:01:12
Which NVR server to choose for Linux? 2Reply
N
Nikolay Baranenko2019-09-03 15:12:52
Why find: paths must precede expression? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question