The Community Forums


iptables or APF

Discussion in 'General Discussion' started by mehrdad abed, Mar 25, 2006.

  1. mehrdad abed

    mehrdad abed Well-Known Member

    Joined:
    Mar 18, 2006
    Messages:
    127
    Likes Received:
    0
    Trophy Points:
    16
    Hi

    As I saw in "A Beginner's Guide to Securing Your Server", it is recommended to use APF to configure a firewall. I would like to know if it is possible to use IPTABLES to apply such rules instead. Might it affect whether other services work properly?

    Thanks.
     
  2. madaboutlinux

    madaboutlinux Well-Known Member

    Joined:
    Jan 24, 2005
    Messages:
    1,052
    Likes Received:
    2
    Trophy Points:
    38
    Location:
    Earth
    You can use iptables rules to secure your server. But you should have sound knowledge to write the rules, or you may find yourself in trouble unknowingly. I would suggest you install the APF firewall, as it is easy to work with and it does use iptables rules.
     
  3. mehrdad abed

    mehrdad abed Well-Known Member

    Joined:
    Mar 18, 2006
    Messages:
    127
    Likes Received:
    0
    Trophy Points:
    16
    No problem, I just wanted to know if it is against any other services. Here are the rules I prepared (of course I translated all the rules you have suggested) (iptable-rules.sh):

    #!/bin/sh
    IPTABLES="/sbin/iptables"

    # flush all tables and remove user-defined chains
    $IPTABLES --flush
    $IPTABLES -t nat --flush
    $IPTABLES -t mangle --flush

    $IPTABLES --delete-chain
    $IPTABLES -t nat --delete-chain
    $IPTABLES -t mangle --delete-chain

    # default policy: drop anything not explicitly accepted below
    $IPTABLES --policy INPUT DROP
    $IPTABLES --policy OUTPUT DROP
    $IPTABLES --policy FORWARD DROP

    # loopback traffic is always allowed
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    #-------------------------------------------------------------------------------------------
    echo established sessions
    # placed first so that replies to already-accepted connections (including the
    # SSH session this script is run from) are matched before the port lists
    $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    #-------------------------------------------------------------------------------------------
    echo inbound ports
    $IPTABLES -A INPUT -p TCP -m multiport --dport 2086,2087,2095,2096,3306,6666,7786,3000,3500 -j ACCEPT
    $IPTABLES -A INPUT -p TCP -m multiport --dport 21,22,25,53,80,110,143,443,465,953,993,995,2082,2083,2084 -j ACCEPT
    $IPTABLES -A INPUT -p UDP -m multiport --dport 53,6277 -j ACCEPT
    # ICMP: echo-reply, destination-unreachable, redirect, echo-request, time-exceeded
    for TYPE in 0 3 5 8 11 ; do
        $IPTABLES -A INPUT -p icmp --icmp-type $TYPE -j ACCEPT
    done

    #-------------------------------------------------------------------------------------------
    echo outbound ports
    $IPTABLES -A OUTPUT -p TCP -m multiport --dport 21,25,37,53,80,110,113,123,443,43,873,953,2089,2703,3306 -j ACCEPT
    $IPTABLES -A OUTPUT -p UDP -m multiport --dport 20,21,53,873,953,6277 -j ACCEPT
    $IPTABLES -A OUTPUT -p ICMP -j ACCEPT

    #-------------------------------------------------------------------------------------------
    echo 'trusted ip(s)'
    $IPTABLES -A INPUT -s 111.111.111.111 -j ACCEPT

    #-------------------------------------------------------------------------------------------
    echo 'trusted ssh ip(s)'
    $IPTABLES -A INPUT -s 111.111.111.0/24 -p TCP --dport 22 -j ACCEPT

    It works as I checked; however, would you also take a look? :)
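
The script above applies its DROP policies before any ACCEPT rule exists, which is exactly the "lock yourself out" risk that comes up later in this thread. The following is an added example, not the poster's script and not part of APF: the same style of policy restructured so that the generated rules can be reviewed before they are applied (dry run by default, the iptables calls are printed rather than executed) and so that a remote administrator cannot cut off his own session. The address 111.111.111.111, the port lists and the script name are assumptions taken over from the thread, not real values.

```shell
#!/bin/sh
# Added example (not the thread author's script): a reviewable, lockout-safe
# version of the posted iptable-rules.sh.
#
# Dry run by default: every iptables call is printed instead of executed.
# Apply for real with:   IPTABLES=/sbin/iptables sh iptable-rules.sh apply
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

# Constructed placeholder for the administrator's own address.
ADMIN_IP="${ADMIN_IP:-111.111.111.111}"

# Services offered by the server (assumed list, adjust as needed).
TCP_IN="21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
UDP_IN="53"
# Connections the server itself is allowed to open (assumed list).
TCP_OUT="21,25,43,53,80,110,443,873,2089,3306"
UDP_OUT="53,123"

reset_tables() {
    # Clean slate, but leave INPUT/OUTPUT at ACCEPT for now: between the
    # flush and the ESTABLISHED rule below there must be no window in which
    # the SSH session running this script is dropped.
    for t in filter nat mangle; do
        $IPTABLES -t "$t" -F
        $IPTABLES -t "$t" -X
    done
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP
}

base_rules() {
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    # State rule first: it matches most packets, so the port lists below are
    # only consulted for new connections.
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # The admin's address is accepted on 22 before any later rule can touch it.
    $IPTABLES -A INPUT -s "$ADMIN_IP" -p tcp --dport 22 -j ACCEPT
}

service_rules() {
    $IPTABLES -A INPUT -p tcp -m multiport --dports "$TCP_IN" -j ACCEPT
    $IPTABLES -A INPUT -p udp -m multiport --dports "$UDP_IN" -j ACCEPT
    # ICMP: echo-reply, unreachable, echo-request, time-exceeded. Type 5
    # (redirect) from the thread's list is deliberately left out here.
    for type in 0 3 8 11; do
        $IPTABLES -A INPUT -p icmp --icmp-type "$type" -j ACCEPT
    done
    $IPTABLES -A OUTPUT -p tcp -m multiport --dports "$TCP_OUT" -j ACCEPT
    $IPTABLES -A OUTPUT -p udp -m multiport --dports "$UDP_OUT" -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp -j ACCEPT
}

lock_down() {
    # Only now, with every ACCEPT rule in place, flip the defaults to DROP.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
}

arm_rollback() {
    # Safety net: unless cancelled within $1 seconds, reopen INPUT so an admin
    # whom the new rules locked out can get back in and fix them.
    ( sleep "$1"; $IPTABLES -P INPUT ACCEPT; $IPTABLES -F INPUT ) &
    ROLLBACK_PID=$!
}

build() { reset_tables; base_rules; service_rules; lock_down; }

case "${1:-}" in
    show)  build ;;
    apply) arm_rollback 120; build
           echo "Applied. Verify you can still log in, then: kill $ROLLBACK_PID" ;;
esac
```

`sh iptable-rules.sh show` prints the full command sequence for review; `IPTABLES=/sbin/iptables sh iptable-rules.sh apply` executes it and starts a two-minute timer that reopens INPUT unless the admin confirms he can still log in and kills the timer. The ordering (ACCEPT policies during the flush, state rule and admin rule before the port lists, DROP policies last) is what keeps an existing SSH session alive through the change.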
     
  4. maximus_marcus

    maximus_marcus Well-Known Member

    Joined:
    Mar 9, 2006
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    The APF software that you intend to install uses the rules of iptables to block the IPs and so on. If you happen to use APF, then placing IPs in the file /etc/apf/deny is sufficient to block the outside IPs on the server.

    Regards,
    Marcus
    The New Phase Of Support
     
  5. madaboutlinux

    madaboutlinux Well-Known Member

    Joined:
    Jan 24, 2005
    Messages:
    1,052
    Likes Received:
    2
    Trophy Points:
    38
    Location:
    Earth
    Correct, APF uses the rules of iptables to block the IPs, and just placing them in the deny file will block the IP on the server. Don't forget to restart the APF service after blocking the IP.

    If you are planning to install APF, be careful while configuring it or you may lock yourself out of the server.
     
    #5 madaboutlinux, Mar 27, 2006
    Last edited: Mar 27, 2006
  6. mehrdad abed

    mehrdad abed Well-Known Member

    Joined:
    Mar 18, 2006
    Messages:
    127
    Likes Received:
    0
    Trophy Points:
    16
    Thanks for your advice,

    But I think direct use of iptables is worthwhile rather than adding other extra services like APF. As you said, APF uses iptables rules, so why do we use APF when it is possible to apply the rules directly in iptables?
     
  7. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Sure, you can use IPTables rules without the need for APF, if you are comfortable with the Linux OS.

    IPTables and netfilter are the successors to IPChains and IPFWadm in earlier versions of Linux.

    IPTables is a generic table structure that defines rules and commands as part of the netfilter framework that facilitates Network Address Translation (NAT), packet filtering, and packet mangling in the Linux v2.4 and later OSs. NAT is the process of converting an Internet Protocol address (IP address) into another IP address. Packet filtering is the process of passing or blocking packets at a network interface based on source and destination addresses, ports, or protocols. Packet mangling is the ability to alter or modify packets before and/or after routing.

    Hope this helps!
     
  8. Lyttek

    Lyttek Well-Known Member

    Joined:
    Jan 2, 2004
    Messages:
    770
    Likes Received:
    3
    Trophy Points:
    18
    It's nice to have IT work WITH other services, so you don't have to. We can do everything, via command-line, that cPanel does, but cPanel's an easy way to do things.

    Same thing with APF. It simplifies things and doesn't take that much processing power to run.
     
  9. mehrdad abed

    mehrdad abed Well-Known Member

    Joined:
    Mar 18, 2006
    Messages:
    127
    Likes Received:
    0
    Trophy Points:
    16
    I agree, APF may be easier to use, but I think using iptables will improve the server performance rather than installing another 3rd-party software. However, as you mentioned, it needs some knowledge to write the rules.

    Thanks.
     
  10. dave9000

    dave9000 Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    891
    Likes Received:
    1
    Trophy Points:
    16
    Location:
    arkansas
    cPanel Access Level:
    Root Administrator
    I would recommend using APF to manage the iptable rulesets. The difference in server load is very minimal.

    If APF causes your server to overload then you have more issues than you will solve by using iptables direct.

    Like stated above, you can do everything cPanel, APF or any other automation software does via the command line, but you stand a higher risk of having a typo doing everything manually, not to mention the time spent managing the server is at least 10x longer doing it manually.
     
  11. yourowndisaster

    yourowndisaster Registered

    Joined:
    Sep 7, 2005
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Doesn't APF automatically block abusing addresses too? How would I go about implementing that feature in iptables?
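
The thread does not say how APF's automatic blocking is implemented, so the following is an added example of one way to get the same effect with iptables alone; it is not APF's code and not from any poster. It counts failed SSH logins per source address in sshd log lines and inserts a DROP rule for repeat offenders, skipping an allow-listed admin address so the script can never block its own operator. The second function shows the kernel-side alternative, the iptables `recent` match, which needs no log parsing. The log lines, the threshold, the address 192.0.2.4 and the function names are constructed for the example; the iptables calls are printed rather than executed unless `IPTABLES` is set to the real binary.

```shell
#!/bin/sh
# Added example (not from the thread): a cron-driven stand-in for automatic
# blocking of abusive addresses, built on iptables alone.
#
# Dry run by default; apply for real with IPTABLES=/sbin/iptables.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"
# Constructed placeholder: an address that must never be auto-blocked.
ADMIN_IP="${ADMIN_IP:-192.0.2.4}"

# Constructed sample of /var/log/secure lines (RFC 5737 test addresses).
SAMPLE_LOG='Mar 27 10:01:02 host sshd[2001]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar 27 10:01:05 host sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Mar 27 10:01:09 host sshd[2003]: Failed password for root from 198.51.100.7 port 40141 ssh2
Mar 27 10:01:12 host sshd[2004]: Failed password for root from 198.51.100.7 port 40150 ssh2
Mar 27 10:02:00 host sshd[2005]: Failed password for bob from 203.0.113.9 port 51000 ssh2
Mar 27 10:02:04 host sshd[2006]: Accepted password for bob from 203.0.113.9 port 51000 ssh2
Mar 27 10:03:30 host sshd[2007]: Failed password for root from 192.0.2.4 port 33001 ssh2
Mar 27 10:03:33 host sshd[2008]: Failed password for root from 192.0.2.4 port 33002 ssh2
Mar 27 10:03:36 host sshd[2009]: Failed password for root from 192.0.2.4 port 33003 ssh2'

# offenders THRESHOLD  < logfile
# Prints each source address with at least THRESHOLD failed logins, sorted.
# Only sshd "Failed password" lines count; accepted logins are ignored.
offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip }
    ' | sort
}

# block_offenders  < list of addresses
# Inserts a DROP at the top of INPUT for each address, skipping ADMIN_IP.
block_offenders() {
    while read -r ip; do
        if [ "$ip" = "$ADMIN_IP" ]; then
            echo "skip allow-listed $ip" >&2
            continue
        fi
        $IPTABLES -I INPUT -s "$ip" -j DROP
    done
}

# Kernel-side alternative needing no log parsing: the "recent" match drops a
# source that opens a 4th new SSH connection within 60 seconds.
ssh_ratelimit_rules() {
    $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
}

# Demo run over the constructed sample. For real use, from cron:
#   offenders 5 < /var/log/secure | block_offenders
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | block_offenders
```

On the sample, 198.51.100.7 (four failures) is blocked, 203.0.113.9 (one failure, then a successful login) is not, and 192.0.2.4 reaches the threshold but is skipped because it is the admin's address. Two practical points: rules inserted this way are gone after a reboot unless the ruleset is saved, and a threshold that is too low lets a single mistyped password from a legitimate user trigger a block, so keep the allow list current and the threshold generous.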
     
  12. hostmedic

    hostmedic Well-Known Member

    Joined:
    Apr 30, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Washington Court House, Ohio, United States
    cPanel Access Level:
    DataCenter Provider