LinuxHelps.com

A blog for Linux Lovers.

Posted by sibu on March 10, 2009

Install APF firewall into the VPS

The installation of APF requires some additional steps to be taken on the hardware node.

1. First of all, you should define which iptables modules are available for VEs.

Edit /etc/sysconfig/iptables-config file on a Virtuozzo hardware node:

IPTABLES_MODULES=”ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp”

Edit /etc/sysconfig/vz file on a Virtuozzo hardware node:

IPTABLES=”ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp”

Please note - iptables modules list in IPTABLES and IPTABLES_MODULES parameters in /etc/sysconfig/vz and /etc/sysconfig/iptables-config files should be placed in one single line, no linebreaks is allowed in this parameter.

Restart Virtuozzo. All VEs will be restarted.


# service vz restart

2. Increase ‘numiptent’ parameter for the VE you need to install APF into. This parameter limits the amount of iptables rules available for a VE. Default APF configuration requires ~200 rules. Lets set it to 400 in the example below for VE #101:


# vzctl set 101 –numiptent 400 –save

3. Install APF inside the VE. Edit /etc/apf/conf.apf inside VE, set the following parameters:
IFACE_IN=”venet0″
IFACE_OUT=”venet0″
SET_MONOKERN=”1″

4. Start APF inside the VE:
# /etc/init.d/apf start

Add A Comment