Thread: IPTables and SELinux on FC11 OpenVZ

  1. #1
    Join Date
    Jun 2007
    Location
    Seattle, WA
    Posts
    12

    IPTables and SELinux on FC11 OpenVZ

    Hi all.

    Out of curiosity: does the template that's created for the OpenVZ FC11 come with IPTables already installed and SELinux already configured? If not, where is the config file stored for IPTables and SELinux, so that I can just add the rules directly to the config file? Please help. Many thanks.

  2. #2
    Join Date
    Feb 2006
    Posts
    773

    SELinux is not available on OpenVZ, and I'm pretty certain it does not run on our Xen platform either.

    iptables is available on both, but will require configuration on your end.

  3. #3
    Join Date
    Dec 2007
    Posts
    1,141

    SELinux is disabled by default on both our OpenVZ and Xen platforms - per our system administrators, enabling SELinux would require changes to our platform architecture (and, therefore, we have held off on implementing the changes as we have not found a sufficient demand to justify the work involved).

    You are welcome to post regarding your interest in SELinux on Xen to this thread if it's something you would like to see.

    Our system administrators strongly recommend against editing your iptables configuration file directly - consider the following process instead (to ensure you do not end up locked out of your VPS):

    • Add rules into memory using the iptables command
    • If you are locked out by a malformed rule, restart your VPS to revert to your default ruleset
    • Once you are satisfied with the rules (and have tested to ensure that you are not locked out and everything is working as intended) save the rules using the iptables-save command

  4. #4
    Join Date
    Jun 2008
    Posts
    232

    Quote Originally Posted by DanL@VPSLink
    Our system administrators strongly recommend against editing your iptables configuration file directly - consider the following process instead (to ensure you do not end up locked out of your VPS):

    • Add rules into memory using the iptables command
    • If you are locked out by a malformed rule, restart your VPS to revert to your default ruleset
    • Once you are satisfied with the rules (and have tested to ensure that you are not locked out and everything is working as intended) save the rules using the iptables-save command

    If uptime is important (i.e. rebooting is not desirable), you can also create a cron job that simply reverts your iptables rules or clears them completely. When making iptables edits, you enable the cron job to run at a desired interval (e.g. every 10 minutes). That way, if you muck up and lock yourself out, you can get back in within 10 minutes and your users should be none the wiser. When you're done, you disable the cron job until next time.

  5. #5
    Join Date
    Jul 2007
    Location
    127.0.0.1
    Posts
    392

    Quote Originally Posted by westdude
    does it come with IPTables already installed and SELinux already configured?

    iptables installed, yes. SELinux configured, no.

    Quote Originally Posted by westdude
    If not, where is the config file stored for IPTables and SELinux, so that I can just add the rules directly to the config file?

    To my knowledge, iptables doesn't have a config file stored anywhere, and if the file did exist, it would most likely reside in /etc/ somewhere. As the guys already mentioned, SELinux isn't available on VPSlink servers. SELinux is overrated anyway.

    If you have an iptables ruleset you'd like to implement on your VPS, just copy it over and execute:
    Code:
    iptables-restore < /path/to/file-name.txt
    Make sure your policies are in the right order and always set your source IP as ACCEPT at the very top of INPUT/OUTPUT tables to avoid lockout. If that fails for some reason, reboot. iptables-restore commands don't survive the dreaded reboot.
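    The three pieces of advice in this thread (load rules into memory first, have something revert them automatically if you lock yourself out, and accept your own address at the top before anything else) fit together in one small script. This is an added example, not code from any poster; the script name, the /tmp paths, the /etc/sysconfig/iptables location and the 120-second grace period are assumptions, and it must be run as root on the VPS.

```shell
#!/bin/sh
# safe-iptables.sh (hypothetical name): apply an iptables ruleset with an
# automatic rollback so a malformed rule cannot lock you out of the VPS.
# Assumptions: run as root, POSIX sh, RULES_FILE holds only -A lines for
# the filter table, /etc/sysconfig/iptables is where rules are persisted.

ROLLBACK=/tmp/iptables.rollback      # live rules saved before the change
NEWSET=/tmp/iptables.new             # generated ruleset

# build_ruleset ADMIN_IP RULES_FILE: write an iptables-restore file that
# accepts the admin address at the top of INPUT and OUTPUT before any of
# the caller's rules, so a mistake further down cannot lock that address out.
build_ruleset() {
    admin_ip=$1; rules_file=$2
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        "-A INPUT -s $admin_ip -j ACCEPT" \
        "-A OUTPUT -d $admin_ip -j ACCEPT"
    cat "$rules_file"
    printf '%s\n' 'COMMIT'
}

# apply_with_rollback RULESET GRACE_SECONDS: save the live rules, load the
# new ones in memory only, and start a detached timer that restores the
# saved rules after GRACE_SECONDS unless confirm_rules has removed $ROLLBACK.
# nohup keeps the timer alive even if the SSH session is cut by a lockout.
apply_with_rollback() {
    ruleset=$1; grace=${2:-120}
    iptables-restore --test < "$ruleset" || return 1   # parse check first
    iptables-save > "$ROLLBACK" || return 1
    iptables-restore < "$ruleset" || return 1
    nohup sh -c "sleep $grace; [ -f $ROLLBACK ] && iptables-restore < $ROLLBACK" \
        >/dev/null 2>&1 &
    echo "new rules are live; run '$0 confirm' within ${grace}s or they revert"
}

# confirm_rules: you still have access, so cancel the rollback and persist
# the tested rules (the iptables-save step recommended above).
confirm_rules() {
    rm -f "$ROLLBACK"
    iptables-save > /etc/sysconfig/iptables
}

# Usage: safe-iptables.sh apply RULES_FILE ADMIN_IP [GRACE_SECONDS]
#        safe-iptables.sh confirm
case "${1:-}" in
    apply)   build_ruleset "$3" "$2" > "$NEWSET" && apply_with_rollback "$NEWSET" "${4:-120}" ;;
    confirm) confirm_rules ;;
esac
```

    If you never get to run `confirm`, the timer restores the previous rules after the grace period without a reboot, which is the cron-job idea from post #4 with the window tied to one edit instead of a recurring schedule.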

  6. #6
    Join Date
    Jun 2007
    Location
    Seattle, WA
    Posts
    12

    Good input. Thanks, everyone. :-)
