Tutorial on installing the APF firewall (iptables-based) on Linux.
There is no server security without a firewall. When you buy a new dedicated or VPS server, at least make sure you install a firewall to protect it from intrusion attempts. You can have a firewall up and running within minutes. APF is a popular, easy-to-set-up iptables-based firewall for Linux servers. It also has additional features such as protection against DoS attacks.
Just follow the steps below to set up and configure the firewall.
CAUTION: Be careful about which ports you open and which you leave closed when setting up the firewall. If you aren't sure, you may lock yourself out.
> wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
> tar -zxf apf-current.tar.gz
Now run the install shell script. Make sure iptables is installed before you install APF.
> cd apf-0.9.3
> ./install.sh
After installation, you have to configure manually which ports to open and which to block. The configuration file is located at
/etc/apf/conf.apf
Installed paths
Configuration File: /etc/apf/conf.apf
Binary: /usr/local/sbin/apf
Start/Stop: /etc/init.d/apf (start|stop|restart)
Log: /var/log/apf_log
Antidos conf file: /etc/apf/ad/config.antidos
You can also control the firewall from the command line:
apf -s (start)
apf -r (to restart)
apf -f (to stop)
Firewall Configuration
Now open the /etc/apf/conf.apf configuration file to make the settings manually.
> nano /etc/apf/conf.apf
Step 1:
Locate EGF="0" and change to EGF="1"
Locate and set USE_AD="1"
Step 2:
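Locate DEVEL_MODE and make sure its value is DEVEL_MODE="1"
(In this mode a cron job stops the firewall every 5 minutes, so a wrong port setting cannot lock you out for long. Once you have made sure that the firewall is working fine, you can set this value to "0" later.)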
Step 3:
This is the most important part: setting up the ports. Make sure you don't lock yourself out by mistyping a port number. If you are using cPanel, make sure you open 2082 and 2087, as otherwise you will not be able to log in to cPanel.
For cPanel:
Locate the following lines and change the values as shown.
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,6666"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873,2077,2078"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,465,873"
# Common ICMP (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
For Plesk:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,8443"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="37,53,873"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="20,21,22,25,53,37,43,80,113,443,465,873,5224"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="53,873"
Step 5:
Finally, set DEVEL_MODE="0"
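A pre-flight check for the lock-out risk described in the caution and in Step 3, as an added example that is not part of the original tutorial or of APF. It reads IG_TCP_CPORTS from a config file and confirms that the ports you need (SSH, cPanel) are listed and that the value is well formed; the helper names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: check an APF config for lock-out mistakes before "apf -s".
# conf_value and apf_preflight are hypothetical helper names, not APF commands.

# Print the value of the last NAME="value" assignment in FILE (empty if none).
conf_value() {
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# apf_preflight CONF PORT...  -> returns 0 only if every PORT is open inbound.
apf_preflight() {
    conf=$1; shift; rc=0
    ports=$(conf_value IG_TCP_CPORTS "$conf")
    if [ -z "$ports" ]; then
        echo "FAIL: IG_TCP_CPORTS not readable (missing, or spaces around '=')"
        return 1
    fi
    # Only digits, commas and '_' (APF's range separator) belong in the list;
    # a stray space or a broken line means the list is malformed.
    case $ports in
        *[!0-9,_]*) echo "FAIL: malformed IG_TCP_CPORTS: '$ports'"; rc=1 ;;
    esac
    # Exact match per port; ranges such as 6000_7000 are not expanded here.
    for p in "$@"; do
        case ",$ports," in
            *",$p,"*) echo "ok:   inbound TCP $p is listed" ;;
            *) echo "FAIL: inbound TCP $p is missing from IG_TCP_CPORTS"; rc=1 ;;
        esac
    done
    if [ "$(conf_value DEVEL_MODE "$conf")" = "1" ]; then
        echo "note: DEVEL_MODE=1, still in the testing mode from Step 2"
    else
        echo "warn: DEVEL_MODE is not 1, confirm the ports above before starting"
    fi
    return $rc
}

# Constructed sample config (not from a real server): 2087 was left out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
DEVEL_MODE="1"
IG_TCP_CPORTS="20,21,22,25,53,80,443,2082,2083"
EOF
apf_preflight "$sample" 22 2082 2087 || echo "=> fix conf.apf before running apf -s"
rm -f "$sample"
```

On a server, call apf_preflight with /etc/apf/conf.apf and the ports you actually log in on; if sshd listens on a non-default port, pass that port instead of 22.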
APF Firewall for VPS Servers:
If you are running APF on a VPS, you may get the error "eth0: Device not found". In that case, change the interface settings in the configuration file.
Find the following lines and change the values as shown below.
IFACE_IN="venet0"
IFACE_OUT="venet0"
DEVEL_MODE="1"
SET_MONOKERN="1"
<port settings as above>
(SET_MONOKERN="1" is important on a VPS server, as otherwise you will get an "unable to load iptables module" error.)
Removing APF firewall
First, stop APF:
/etc/init.d/apf stop
Then flush iptables, disable the APF service and remove all existing APF files, including the cron job:
iptables -F
/sbin/chkconfig --level 345 apf off
rm -Rf /etc/apf
rm -Rf /usr/local/sbin/apf
rm -Rf /etc/rc.d/init.d/apf
rm -Rf /var/log/apf_log
rm -Rf /var/log/apfados_log
Now remove the cron job:
nano /etc/cron.daily/fw
Find and remove this line:
/etc/rc.d/init.d/apf restart >> /dev/null 2>&1
Disclaimer: Usage of this tutorial is at your own risk. We cannot be responsible for any loss or damage incurred as a result of this article.