iptables problem

nikohal

Hi, I am trying to follow these instructions:
http://help.directadmin.com/item.php?id=380

But when I run iptables I get these errors. Is this OK?

FATAL: Module ip_tables not found.
FATAL: Module iptable_filter not found.
FATAL: Module ip_conntrack not found.
FATAL: Module ip_conntrack_ftp not found.
/etc/init.d/iptables: line 81: /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts: Operation not permitted
/etc/init.d/iptables: line 93: /proc/sys/net/ipv4/tcp_timestamps: Operation not permitted
/etc/init.d/iptables: line 102: /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses: Operation not permitted
/etc/init.d/iptables: line 105: /proc/sys/net/ipv4/ip_dynaddr: Operation not permitted
/etc/init.d/iptables: line 112: /proc/sys/net/ipv4/ip_local_port_range: Operation not permitted
/etc/init.d/iptables: line 115: /proc/sys/net/ipv4/tcp_fin_timeout: Operation not permitted
/etc/init.d/iptables: line 116: /proc/sys/net/ipv4/tcp_keepalive_time: Operation not permitted
/etc/init.d/iptables: line 117: /proc/sys/net/ipv4/tcp_window_scaling: Operation not permitted
/etc/init.d/iptables: line 118: /proc/sys/net/ipv4/tcp_sack: Operation not permitted
/etc/init.d/iptables: line 119: /proc/sys/net/ipv4/tcp_max_syn_backlog: Operation not permitted
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.

Regards, Niko
 
iptables only works on versions of Linux. If you're using FreeBSD the firewall configuration is completely different and the linked article won't apply.

If you're running Linux on a VPS server you should check with your provider; some may not implement the firewall the same way.

If you're running a standard Linux distribution on a standard dedicated server reply to the thread and ask for help.

Jeff
 

Yes, I use CentOS 6.4 64-bit and the server is a VPS.

Regards,
Niko H.
 
I've come up with the same output as nikohal with an OpenVZ container running CentOS 6.

I provided the link to Parallels and requested that the failing modules be installed. Shortly after I was told they're already installed. It seems that in an OpenVZ container lsmod and modprobe are of no use.

Despite the errors shown as the iptables replacement script (from KB #380) executes, I continued through step 3 and have a better set of iptables rules than before!

Since I want to try and continue and follow zEitEr's work I'm going to keep investigating.

At this point, I've modified iptables-config, adding the failing module names to IPTABLES_MODULES="" -- seemed like it was worth a shot. Frankly, for all I know the module functionality is already working and I just don't know it!

I've looked at the CSF website and read plenty about it here. Apparently it is supposed to operate without trouble on this OpenVZ.

I'm in no particular hurry though, and don't want to just skip all this potential learning opportunity and great work from the user base here. Years ago (I forgot to follow up) I had great success with master2slave and putting a RegisterFly VPS w/Plesk to better use as a slave nameserver.

Finally, my OpenVZ seems pretty decent but I'm also interested in this line of approach since I'm guessing it's a bit lighter on the machine.
 
iptables (by Technion) - CentOS 6 - OpenVZ VM

Since I have only a few hours working with iptables and am unsure how to determine if a filter module is actually available/working without the modprobe confirmation, is it possible to determine from either of the iptables outputs below whether ip_tables, iptable_filter, ip_conntrack and ip_conntrack_ftp are actually active and working?

iptables -L -v -n
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  1560 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
   24  1317 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable
    0     0 DROP       all  --  *      *       185.29.9.196         0.0.0.0/0
    6   432 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 4566 1050K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
   31  1356 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2222
   55  2804 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 flags:0x17/0x02 limit: avg 1/sec burst 10
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 flags:0x17/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    3   160 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:465
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:587
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    2   140 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
  122  7204 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110
    2   100 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:995
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143
    1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993
    9   432 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    2    96 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:3306
   10   400 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1433 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: MSSQL '
   10   400 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1433
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6670 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Deepthrt '
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6670
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6711 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Sub7 '
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6711
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6712 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Sub7 '
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6712
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6713 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Sub7 '
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6713
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12345 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Netbus '
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12345
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12346 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Netbus '
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12346
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20034 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Netbus '
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20034
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:31337 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: BO '
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:31337
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6000 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: XWin '
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6000
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33523
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 reject-with icmp-port-unreachable
    0     0 REJECT     2    --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 reject-with icmp-port-unreachable
  129  6448 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Firewalled packet:'
  164  8528 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
   35  6247 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Firewalled packet:'
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:6660:6669
    2    80 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:7000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 8 tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 0 tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1           tcp dpt:25
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 reject-with icmp-port-unreachable
 4796 1748K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
iptables -L -v
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  1560 DROP       all  --  any    any     anywhere             anywhere            state INVALID
   24  1317 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 REJECT     all  --  any    any     anywhere             loopback/8          reject-with icmp-port-unreachable
    0     0 DROP       all  --  any    any     185.29.9.196         anywhere
    6   432 DROP       icmp --  any    any     anywhere             anywhere
 4581 1051K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp-data
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp
   31  1356 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:EtherNet/IP-1
   55  2804 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 10
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp
    3   160 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:urd
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:submission
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:domain
    2   140 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:domain
  122  7204 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3
    2   100 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3s
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:auth
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:imap
    1    40 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:imaps
    9   432 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
    2    96 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:mysql
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:mysql
   10   400 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:ms-sql-s limit: avg 3/hour burst 5 LOG level warning prefix `Firewalled packet: MSSQL '
   10   400 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:ms-sql-s
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:vocaltec-gold limit: avg 3/hour burst 5 LOG level warning prefix `Firewalled packet: Deepthrt '
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:vocaltec-gold
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:6711 limit: avg 3/hour burst 5 LOG level warning prefix `Firewalled packet: Sub7 '
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:6711
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:6712 limit: avg 3/hour burst 5 LOG level warning prefix `Firewalled packet: Sub7 '
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:6712
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:6713 limit: avg 3/hour burst 5 LOG level warning prefix `Firewalled packet: Sub7 '
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:6713
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:italk limit: avg 3/hour burst 5 LOG level warning prefix `Firewalled packet: Netbus '
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:italk
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:12346 limit: avg 3/hour burst 5 LOG level warning prefix `Firewalled packet: Netbus '
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:12346
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:nburn_id limit: avg 3/hour burst 5 LOG level warning prefix `Firewalled packet: Netbus '
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:nburn_id
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:31337 limit: avg 3/hour burst 5 LOG level warning prefix `Firewalled packet: BO '
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:31337
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:x11 limit: avg 3/hour burst 5 LOG level warning prefix `Firewalled packet: XWin '
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:x11
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp dpts:traceroute:33523
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            tcp dpt:auth reject-with icmp-port-unreachable
    0     0 REJECT     igmp --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https reject-with icmp-port-unreachable
  130  6488 LOG        tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 5/min burst 5 LOG level warning prefix `Firewalled packet:'
  165  8568 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset
   36  6287 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 5/min burst 5 LOG level warning prefix `Firewalled packet:'
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpts:6660:ircu-5
    2    80 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:afs3-fileserver
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            owner UID match mail tcp dpt:smtp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            owner UID match root tcp dpt:smtp
    0     0 ACCEPT     tcp  --  any    any     anywhere             localhost.localdomain tcp dpt:smtp
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp reject-with icmp-port-unreachable
 4814 1758K ACCEPT     all  --  any    any     anywhere             anywhere

The other output of the "iptables, by Technion" script on OpenVZ/CentOS 6 is a little different from Niko's:

/etc/init.d/iptables restart
Code:
/etc/init.d/iptables: line 93: /proc/sys/net/ipv4/tcp_timestamps: Permission denied
/etc/init.d/iptables: line 105: /proc/sys/net/ipv4/ip_dynaddr: Permission denied
/etc/init.d/iptables: line 112: /proc/sys/net/ipv4/ip_local_port_range: Permission denied
/etc/init.d/iptables: line 115: /proc/sys/net/ipv4/tcp_fin_timeout: Permission denied
/etc/init.d/iptables: line 116: /proc/sys/net/ipv4/tcp_keepalive_time: Permission denied
/etc/init.d/iptables: line 117: /proc/sys/net/ipv4/tcp_window_scaling: Permission denied
/etc/init.d/iptables: line 118: /proc/sys/net/ipv4/tcp_sack: Permission denied
/etc/init.d/iptables: line 119: /proc/sys/net/ipv4/tcp_max_syn_backlog: Permission denied

RE: Error while starting iptables thread -- Conclusion: the permission and other errors can be ignored as I basically have done.

At any rate, I welcome any comment and particularly with respect to the OpenVZ and firewall options since clearly there are some differences compared to a stand-alone server in this area.

Regards,
Spook
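Spook asks above how to tell, without modprobe confirmation, whether ip_tables, iptable_filter, ip_conntrack and ip_conntrack_ftp are actually working inside the container, and concludes that the sysctl "Operation not permitted" lines can be ignored. The script below is an added example (not from the thread and not the DirectAdmin KB #380 script) that addresses both: it asks the kernel directly by adding a rule that needs each feature to a throw-away user chain, reads the conntrack evidence already present in the `state` rule counters, and applies a sysctl only where the host allows the write. The chain name `ovz_probe_tmp` and the sample counter table are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the DirectAdmin KB #380 script.
# It addresses the two classes of error seen in the thread on an OpenVZ container:
#   1. "Module ... not found" / "No chain/target/match by that name": lsmod and
#      modprobe say nothing useful in a container, so the only reliable check is
#      to ask the kernel by adding a rule that needs the feature to a throw-away
#      user chain (never referenced from INPUT/OUTPUT, so it touches no traffic).
#   2. "/proc/sys/...: Operation not permitted": the host owns those sysctls, so
#      writes fail even as root; apply them only where the write succeeds.
# Assumes: iptables in PATH and root for the live part; the parsing and sysctl
# helpers are plain functions and run anywhere.

PROBE_CHAIN=ovz_probe_tmp   # hypothetical chain name; must not clash with real chains

# probe_match TABLE MATCH-ARGS...  -> 0 if the kernel accepts the rule, 1 if not
probe_match() {
    table=$1; shift
    iptables -t "$table" -N "$PROBE_CHAIN" 2>/dev/null || return 1
    if iptables -t "$table" -A "$PROBE_CHAIN" "$@" -j RETURN 2>/dev/null; then rc=0; else rc=1; fi
    iptables -t "$table" -F "$PROBE_CHAIN" 2>/dev/null   # clean up; nothing jumps to this chain
    iptables -t "$table" -X "$PROBE_CHAIN" 2>/dev/null
    return $rc
}

# state_rule_hits "TEXT"  -> total pkts counted by rules using the conntrack
# "state" match in the output of `iptables -L -v -n`; a non-zero total can only
# come from a working connection tracker, whatever lsmod claims.
state_rule_hits() {
    printf '%s\n' "$1" |
        awk '/ state (INVALID|NEW|RELATED|ESTABLISHED)/ { hits += $1 } END { print hits + 0 }'
}

# set_sysctl PATH VALUE  -> prints applied|denied|absent (the KB script's bare
# "echo ... > /proc/sys/..." lines are what produced the errors in the thread)
set_sysctl() {
    if [ ! -e "$1" ]; then echo absent
    elif printf '%s\n' "$2" 2>/dev/null > "$1"; then echo applied
    else echo denied
    fi
}

# Constructed sample shaped like the thread's `iptables -L -v -n` output (not a real capture).
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  1560 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 4566 1050K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   31  1356 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID'

echo "packets counted by state rules in sample: $(state_rule_hits "$SAMPLE")"   # 4600

if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    probe_match filter -p tcp --dport 21 \
        && echo "ip_tables + iptable_filter: usable" || echo "filter table: NOT usable"
    probe_match filter -m state --state ESTABLISHED \
        && echo "conntrack state match: usable" || echo "conntrack state match: NOT usable"
    # ip_conntrack_ftp leaves no rule-level trace; a tracked FTP session shows
    # up as a conntrack entry carrying helper=ftp (file name depends on kernel).
    for f in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
        [ -r "$f" ] || continue
        grep -q 'helper=ftp' "$f" && echo "ftp helper: active on a tracked session" \
            || echo "ftp helper: no tracked FTP session visible in $f"
        break
    done
    # Re-apply the current value of two of the sysctls the KB script sets, just
    # to classify each one as applied/denied/absent on this container.
    for s in tcp_timestamps tcp_fin_timeout; do
        echo "sysctl $s: $(set_sysctl /proc/sys/net/ipv4/$s "$(cat /proc/sys/net/ipv4/$s 2>/dev/null)")"
    done
else
    echo "live probe skipped: needs root and iptables (offline checks above still ran)"
fi
```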
 
You might want to consider using CSF/LFD. You can use that as firewall script (which is using iptables).
Although it will warn you that some modules are not present on a VPS, it will still work, just without the options that the missing modules are needed for.
I've used this on a couple of VPS systems and I'm very pleased with it.

On these forums there are also solutions for which CSF can be used for the brute force, a little different from the link you have to the help system.
You can create your own script files like this for example:
block_ip.sh
Code:
#!/bin/sh
# Called with the offending address in the environment variable "ip"
# (set by brute_force_notice_ip.sh below). -td is a temporary deny:
# address, TTL in seconds, then a free-text comment.
/etc/csf/csf.pl -td "$ip" 14400 "BFM IP Block"

exit 0

And brute_force_notice_ip.sh:
Code:
#!/bin/sh
# DirectAdmin runs this hook with the blocked address in $value;
# hand it to block_ip.sh as $ip and pass its exit status back.
SCRIPT=/usr/local/directadmin/scripts/custom/block_ip.sh
ip=$value $SCRIPT
exit $?

This way bruteforces get blocked for 14400 seconds (temp block) but you can change that value to something else you like.
You can only see temp blocks from the CSF firewall, which has a nice plugin for DA; this is also the way to unblock permanently or temporarily blocked IPs, if necessary. If you don't, they will automatically get unblocked after the 14400 seconds (or whatever other value you put in there).
No iptables restart needed, no install like the link in the help system needed, everything real-time.
If I'm not mistaken this should also work fine on VPS systems.
The only thing is that you won't see the blocks in the BF page in DA, only in the CSF page, but that should be no problem.
 
Richard,
thank you for the information. It's easy to head down an old path without realizing it on the forums (dead skin, stagnant scripts, etc.).

The current info you've offered is much appreciated.

I will surely at some point experiment with and/or use CSF / LFD. At this point my two DA VMs are clean slates and I am taking this opportunity to learn and experiment with all the core DA features, abilities and options - basic iptables management and whatever else comes along. It's easy enough to just wipe and reinstall if a 'worst case' situation arises, for the time being.

I more or less picked the OS based on general recommendations and provider OS familiarity. My objectives for a few months are to learn enough to include my own knowledge in making more logical, rational decisions.

My last hosting experience was by learning all I could after the fact. I learned a lot but that's kind of a precarious approach.
 
OpenVZ may not be the best platform for this kind of study, as it uses the same kernel (supplied by the OpenVZ host), which may not allow all the modules you need for iptables.

Have you looked at any Xen or KVM based VP instances?

Jeff
 
Hi Jeff,
Yes, I also have a KVM with CentOS and DA. Even with such little experience I can tell there is much difference between the OpenVZ and KVM.

A few years ago I was reading up on Xen and planned to actually do something with it on a machine I had.

Realistically I would do well to keep a local machine at home with Linux on it to learn the OS better.
These VPS do fill that gap pretty well though, with the added bonus of learning remote server considerations. There are some super bargains in VPS so it's kind of nice not staying awake thinking about the next server rent bills as this is the learning phase. Hehe.

All in all, at my level of learning I think there is enough common ground between stand-alone dedicated and the OpenVZ (and even more with the KVM) to benefit from.

If nothing else I will also be better able to consider the viability of an OpenVZ or KVM against dedicated for the future, with any luck.
 
We're currently investigating using KVM-based high-power VPS instances (I think the proper term is VMs) instead of strictly dedicated servers, as it makes it easier to separate the system from the underlying hardware, and to move it in case of problems. I don't know what the outcome will be, but it's an interesting study.

Jeff
 
The two VMs I have have matching basic virtual specs from the same provider, so I can derive some basic user-experience comparisons (how they compare serving LAMP services) and admin-level comparisons.

Although the hardware hosting each VM allegedly is matching (multi-CPU Xeon, gobs of RAM, mechanical HDD), I guess the unknown VM x ?? per hardware node is a requirement for your study. I'm not ready for that expense. :-) ..Maybe on my own local hardware, but I'm pretty outdated in owned equipment by today's standards.

I have to take this much slower than you. hehe. The list of acronyms alone I need to be fluent in is somewhat a challenge!

Xen attracted me years ago when the i7 made its debut. I built two server-grade machines based on the best at the time. Somewhere around 4k a machine total. Life got in the way and the Xen project took a spot on the shelf, as did the servers.

Now, 6-7 years later, I feel somewhat like a newborn. lol
 
I know what you mean. My biggest confusion point right now is how to dedicate processor cores so they're not oversold. On the solution I'm trying (Proxmox) it appears I can oversell processor cores, and I don't want to be able to do that.

As an aside, the i7 is still a powerful chip and years ago I did populate some servers with them, but they were never designed for server use. They're designed for single-processor machines and won't work in a multi-processor motherboard. And their cache system isn't designed for the needs of a true server environment.

I've got an i7 (Toshiba) laptop, but our current line of webhosting servers includes multi-processor (2 4-core and 2 6-core Xeon) systems, 24 - 48 GB of memory, and at least 1 - 2 TB of RAID storage. Seems right for VP system hosts as long as I'm careful to not oversell.

If we decide to carry this conversation further I'll break out the posts into a new Off-Topic thread, as this thread has gone way off-track :).

Jeff
 
Hi Jeff,

I think we can end now.. :-) I don't want to get thinking too far from my current focus. In closing though, the machines I was referring to weren't built to be VM or web servers, they just used some server-grade parts - the mainboard, although considered server class by Asus, was an excellent workstation board, assembled into Lian Li towers with a bunch of SAS drives.

Basically I made these as game machines for my wife and me, plus transcoding and ripping for the HTPC & media server in the house.

Xen looked like an interesting thing to experiment with at the time and the CPU seemed to be workable and there is tons of HDD storage and RAM so looked like a plan. hehe.
 