Web Hosting Talk
  #1  
Old 09-16-2004, 05:20 PM
panopticon panopticon is offline
Web Hosting Master
 
Join Date: Feb 2002
Posts: 823
Anyone run APF firewall on Virtuozzo VPS?

I'm trying to install and run the APF firewall from http://www.rfxnetworks.com/apf.php

This runs flawlessly on my other Red Hat standalone servers, but will not run on my new VPS.

If I run it with MONOKERN="0" set in conf.apf, as is normal for a standard RHEL 3 kernel, when I try to start APF I get:
Code:
# service apf start
Unable to load iptables module (ip_tables), aborting.
When I try and run it with MONOKERN="1" I get:
Code:
# service apf start
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: Memory allocation problem
The answer I got from Virtuozzo support was:
Quote:
I have no experience with APF firewall, but as I see it wants to insmod some modules into the kernel -- in such case it would be impossible to use it with Virtuozzo. It's impossible to change kernel or load any kernel module in a VPS.

That's the main and the only serious limitation for Virtuozzo VPSes -- you cannot replace or alter the kernel.

Thanks,

Is there a way to get APF to run on a Virtuozzo VPS?

If not, can anyone recommend a similar firewall package that will run on a Virtuozzo VPS?

  #2  
Old 09-16-2004, 05:25 PM
migman migman is offline
Junior Guru Wannabe
 
Join Date: Jan 2004
Posts: 95
Yes... because it can't start iptables...
I think the problem will be solved if you stop the checking of the VPS.

The host kernel must have iptables support (the module).
Then you will be able to run it...
but not as good as normal..

  #3  
Old 09-16-2004, 05:33 PM
migman migman is offline
Junior Guru Wannabe
 
Join Date: Jan 2004
Posts: 95
Sorry, stop APF from checking if iptables is up... or from doing the start... and just run it, and all will be fine...

  #4  
Old 09-16-2004, 05:39 PM
eth00 eth00 is offline
Web Hosting Master
 
Join Date: Apr 2003
Location: Washington, DC
Posts: 2,519
Not sure how the VPS works, but if nothing else you could compile your own kernel with iptables support, which will solve the problem.

  #5  
Old 09-16-2004, 05:41 PM
migman migman is offline
Junior Guru Wannabe
 
Join Date: Jan 2004
Posts: 95
The VPS with Virtuozzo has the main host kernel... this is the problem.

  #6  
Old 09-16-2004, 06:11 PM
panopticon panopticon is offline
Web Hosting Master
 
Join Date: Feb 2002
Posts: 823
As migman says, on a Virtuozzo VPS you can't boot into your own kernel. Thanks very much migman for the advice - will see if I can implement it.

  #7  
Old 09-16-2004, 07:36 PM
Steven Steven is offline
Temporarily Suspended
 
Join Date: Mar 2003
Location: California USA
Posts: 9,735
Did you turn off LKM's in the apf config?

  #8  
Old 09-18-2004, 10:37 PM
panopticon panopticon is offline
Web Hosting Master
 
Join Date: Feb 2002
Posts: 823
Quote:
Originally posted by thelinuxguy
Did you turn off LKM's in the apf config?
The only option I see regarding LKM's in the conf.apf file is:

Quote:
# Support Monolithic kernel builds [no LKM's]. This mode of operation is
# not really supported and you use at your own risk.
MONOKERN="1"

With that set to MONOKERN=1 (LKM's off) I get:

$ service apf start
Starting APF:Development mode enabled!; firewall will flush every 5 minutes.
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: Memory allocation problem

iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: No chain/target/match by that name

iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: No chain/target/match by that name

iptables: No chain/target/match by that name
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: Memory allocation problem
[ OK ]

With MONOKERN=0 I get only:

$ service apf start
Starting APF:Development mode enabled!; firewall will flush every 5 minutes.

Unable to load iptables module (ip_tables), aborting.

  #9  
Old 09-18-2004, 10:45 PM
Steven Steven is offline
Temporarily Suspended
 
Join Date: Mar 2003
Location: California USA
Posts: 9,735
Well, I can't give you advice with MONOKERN=1 because I would need to see a strace as to why it's not loading. But with MONOKERN=0 it is not even trying to load it.

  #10  
Old 09-19-2004, 01:44 AM
pztup pztup is offline
Aspiring Evangelist
 
Join Date: Apr 2003
Posts: 356
I tried to get APF to work with Virtuozzo too, but I got the same error, so defenderhosting made this script for me. You might have to change it to reflect the open ports that you need.

Place it in /etc/init.d/
with the file name firewall

# make sure it comes on at boot
chkconfig firewall on

# start or restart
service firewall start
service firewall restart

# stop
service firewall stop

# list rules
service firewall status


Code:
#!/bin/bash

#
# firewall      This shell script takes care of setting up a firewall for a Virtuozzo based VPS
#               (no stateful rules/connection tracking or logging).
#               Borrows heavily from a script by Dmitry Konstantinov of sw-soft
#
#
# chkconfig: 2345 18 92
# description: setup firewall configuration

IPTABLES="/sbin/iptables"
SERVER_IPS=`/sbin/ifconfig | grep inet | cut -d : -f 2 | cut -d \  -f 1 | grep -v 127.0.0.1`

FWIN="${IPTABLES} -A INPUT"
FWOUT="${IPTABLES} -A OUTPUT"
OK="-j ACCEPT"
NO="-j DROP"


# Flush tables and change default policy to DROP
function initialize() {
        local TABLE="${1}"
        ${IPTABLES} -F ${TABLE}
        ${IPTABLES} -P ${TABLE} DROP
}

# Flush tables and change default policy to ACCEPT
function stop() {
        local TABLE="${1}"
        ${IPTABLES} -F ${TABLE}
        ${IPTABLES} -P ${TABLE} ACCEPT
}

# Verify call switch
case "$1" in
start|restart)

        initialize INPUT
        initialize OUTPUT
        initialize FORWARD
        
         # INPUT
         # 1) loopback
         ${FWIN} -i lo ${OK}
         ${FWIN} -d 127.0.0.0/8 ${NO}
         
         # 2) We allow incoming SSH connections and answers to
         # our own SSH connections:
         for OURIP in ${SERVER_IPS}; do
            ${FWIN} -p tcp -d ${OURIP} --dport 22 ${OK}
            ${FWIN} -p tcp --sport 22 -d ${OURIP} --dport 1024: "!" --syn ${OK}
         done
         
         # 3) We allow incoming DNS queries as well as answers to our
         # DNS queries.
         for OURIP in ${SERVER_IPS}; do
            ${FWIN} -p tcp -d ${OURIP} --dport 53 ${OK}
            ${FWIN} -p udp -d ${OURIP} --dport 53 ${OK}
            ${FWIN} -p tcp --sport 53 -d ${OURIP} --dport 1024: "!" --syn ${OK}
            ${FWIN} -p udp --sport 53 -d ${OURIP} --dport 1024: ${OK}
         done
         
         # 4) We allow access to our SMTP server, as well as answers
         # to our SMTP connections and, temporarily, identd stuff:
         for OURIP in ${SERVER_IPS}; do
            ${FWIN} -p tcp -d ${OURIP} --dport 25 ${OK}
            ${FWIN} -p tcp --sport 25 -d ${OURIP} --dport 1024: "!" --syn ${OK}
            ${FWIN} -p tcp --sport 1024: -d ${OURIP} --dport 113 ${OK}
            #${FWIN} -p udp --sport 1024: -d ${OURIP} --dport 113 ${OK}
            ${FWIN} -p tcp --sport 113 -d ${OURIP} --dport 1024: "!" --syn ${OK}
            #${FWIN} -p udp --sport 113 -d ${OURIP} --dport 1024: ${OK}
         done
         
         # 5) We also allow access to our POP/sPOP server.
         for OURIP in ${SERVER_IPS}; do
           ${FWIN} -p tcp -d ${OURIP} --dport 110 ${OK}
           ${FWIN} -p tcp -d ${OURIP} --dport 995 ${OK}
         done
         
         # 6) and to IMAP/IMAPs
         for OURIP in ${SERVER_IPS}; do
            ${FWIN} -p tcp -d ${OURIP} --dport 143 ${OK}
            ${FWIN} -p tcp -d ${OURIP} --dport 993 ${OK}
         done
         
         # 7) we would like to be able to use lynx ;)
         for OURIP in ${SERVER_IPS}; do
         ${FWIN} -p tcp --sport 80 -d ${OURIP} --dport 1024: "!" --syn ${OK}
         done
         
         # 8) We allow incoming echo replies/requests from everywhere:
         for OURIP in ${SERVER_IPS}; do
            ${FWIN} -p icmp -d ${OURIP} --icmp-type 0 ${OK}
            ${FWIN} -p icmp -d ${OURIP} --icmp-type 3 ${OK}
            ${FWIN} -p icmp -d ${OURIP} --icmp-type 8 ${OK}
            ${FWIN} -p icmp -d ${OURIP} --icmp-type 11 ${OK}
         done
         
         # 9) We also would like to allow access to our web server:
         for OURIP in ${SERVER_IPS}; do
            ${FWIN} -p tcp -d ${OURIP} --dport 80 ${OK}
            ${FWIN} -p tcp -d ${OURIP} --dport 443 ${OK}
         done

         # 10) people are still crazy enough to use ftp
         for OURIP in ${SERVER_IPS}; do
           for PORT in 20 21; do
             ${FWIN} -p tcp -d ${OURIP} --dport ${PORT} ${OK}
             ${FWIN} -p tcp --sport  ${PORT} -d ${OURIP} --dport 1024: "!" --syn ${OK}
             ${FWIN} -p udp -d ${OURIP} --dport ${PORT} ${OK}
             ${FWIN} -p udp --sport ${PORT} -d ${OURIP} --dport 1024: ${OK}
           done
         done
         
         # allow answers on high ports
         ${FWIN} -p tcp -m tcp --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN ${OK}
         ${FWIN} -p udp -m udp --dport 1024:65535 ${OK}

         #######################################
         # directadmin needs a few more ports opened
         #

         for OURIP in ${SERVER_IPS}; do
           for PORT in 2222; do
             ${FWIN} -p tcp -d ${OURIP} --dport ${PORT} ${OK}
             ${FWIN} -p tcp --sport  ${PORT} -d ${OURIP} --dport 1024: "!" --syn ${OK}
             ${FWIN} -p udp -d ${OURIP} --dport ${PORT} ${OK}
             ${FWIN} -p udp --sport ${PORT} -d ${OURIP} --dport 1024: ${OK}
           done
         done

         #
         ########################################
 
         # Everything else is denied by default - policy is DROP.
         
         # OUTPUT
         # 1) Loopback packets.
         ${FWOUT} -o lo ${OK}
         ${FWOUT} -s 127.0.0.0/8 ${NO}
         
         # 2) We allow all outgoing traffic:
         for OURIP in ${SERVER_IPS}; do
            ${FWOUT} -s ${OURIP} ${OK} 
         done
        
        ;;

stop)
        # turn off the firewall, flush all rules
        echo "Flushing rulesets.."

        stop INPUT
        stop OUTPUT
        stop FORWARD

        ;;

status)
        # display the current status - both firewall rules and masquerading
        # connections

        # list rules. -n avoids DNS lookups
        $IPTABLES -nL 

        ;;

*)
        echo "Usage: firewall {start|stop|restart|status}"
        exit 1
esac

exit 0
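Before loading a ruleset inside a container it helps to know which iptables matches and targets the shared kernel actually exposes; every "No chain/target/match by that name" above is a rule whose match or target module the VPS cannot load. The following probe is an added example (not pztup's or defenderhosting's script) that reports this per feature so an init script can pick stateless rules deliberately. It assumes iptables at /sbin/iptables, that the scratch chain name fwprobe is free, and that IPTABLES may be overridden for a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): probe which iptables matches/targets the
# VE kernel exposes before a VPS init script loads its rules. IPTABLES may be
# overridden (e.g. with a wrapper function) to dry-run on a host without root.
IPTABLES="${IPTABLES:-/sbin/iptables}"
PROBE_CHAIN="fwprobe"   # scratch chain name; assumed not to exist already

# probe_feature NAME ARGS...: try to append a rule built from ARGS to the
# scratch chain and print "NAME=ok" or "NAME=missing".
probe_feature() {
    local name="$1"; shift
    if "$IPTABLES" -A "$PROBE_CHAIN" "$@" >/dev/null 2>&1; then
        echo "$name=ok"
    else
        echo "$name=missing"
    fi
}

# probe_iptables: create the scratch chain, test the features APF-style
# rulesets rely on, remove the chain again, and print one NAME=status line
# per feature. Returns 1 if the filter table cannot be touched at all.
probe_iptables() {
    if ! "$IPTABLES" -N "$PROBE_CHAIN" >/dev/null 2>&1; then
        echo "iptables=unusable"   # no table access at all (e.g. no ip_tables)
        return 1
    fi
    probe_feature state    -m state --state ESTABLISHED,RELATED -j ACCEPT
    probe_feature limit    -m limit --limit 5/min -j ACCEPT
    probe_feature log      -j LOG --log-prefix "fwprobe "
    probe_feature reject   -p tcp -j REJECT --reject-with tcp-reset
    probe_feature tcpflags -p tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    "$IPTABLES" -F "$PROBE_CHAIN" >/dev/null 2>&1
    "$IPTABLES" -X "$PROBE_CHAIN" >/dev/null 2>&1
}

# has_feature NAME: succeed only if the probe reported NAME=ok, so a script
# can branch, e.g. "has_feature state || load_stateless_rules".
has_feature() {
    probe_iptables | grep -qx "$1=ok"
}

# Run the probe only when invoked explicitly: sh probe.sh probe (as root).
[ "${1:-}" = "probe" ] && probe_iptables
```

On a VE where only the stateless rules of the script above work, the probe prints state=missing and limit=missing but tcpflags=ok, which is exactly the split the script's "!" --syn answer rules depend on.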

  #11  
Old 09-19-2004, 05:23 PM
panopticon panopticon is offline
Web Hosting Master
 
Join Date: Feb 2002
Posts: 823
Many thanks pztup - your help is very much appreciated. Thank you!

  #12  
Old 10-04-2004, 01:35 PM
defenderhost defenderhost is offline
Newbie
 
Join Date: Feb 2002
Location: Northern Virginia
Posts: 22
Just an FYI to Defender Hosting and PowerVPS customers: we update our tools constantly, so we have a newer version than this that supports passive FTP - if you need it, please email support.

charles

__________________
Co-founder, DTG / Defender Hosting / PowerVPS
http://www.defenderhosting.com
http://www.powervps.com
sales@defenderhosting.com

  #13  
Old 10-04-2004, 05:00 PM
thunderace thunderace is offline
Newbie
 
Join Date: Aug 2004
Location: UK
Posts: 7
The kernel Virtuozzo currently uses cannot support this.

  #14  
Old 10-04-2004, 05:12 PM
defenderhost defenderhost is offline
Newbie
 
Join Date: Feb 2002
Location: Northern Virginia
Posts: 22
The Virtuozzo kernel does not support what?

__________________
Co-founder, DTG / Defender Hosting / PowerVPS
http://www.defenderhosting.com
http://www.powervps.com
sales@defenderhosting.com

  #15  
Old 10-04-2004, 07:56 PM
thunderace thunderace is offline
Newbie
 
Join Date: Aug 2004
Location: UK
Posts: 7
APF... modprobe & parport support, etc.
