
A client of mine purchased a GoDaddy "dedicated" server, which is bad enough on its own. But they are providing a malfunctioning product, and refuse to fix it.

When CentOS 7 is running under a Virtuozzo or OpenVZ virtual container, without netfilter full, iptables refuses to boot up. journalctl -xe states "iptables: Applying firewall rules: iptables-restore: line 14 failed", which, if you dig further, indicates that the ebtables module is not running, stating "The kernel doesn't support the ebtables 'nat' table."

So in short, iptables doesn't work, cannot be made operable, and the hosting environment cannot be changed to support it.

My question is, are there any alternative non-iptables-based firewall software that can be used as a replacement?
Right now the ports cannot be blocked, and services cannot be restricted to an IP whitelist for safety. It's wide open.

Ref: https://www.centos.org/forums/viewtopic.php?f=51&t=54469&start=20
See also (GoDaddy "VDS"): GoDaddy virtual dedicated servers

Barry
    This doesn't make sense. Is it a dedicated server or not? Where did OpenVZ come into the picture? – Michael Hampton Jun 10 '19 at 03:37
  • Tell me about it. GoDaddy LIES to its customers, their dedicated servers are IN FACT virtual. I have video evidence recording it. – Barry Jun 10 '19 at 03:46
  • Well you're screwed. Only Godaddy can fix that (on the HN) and I bet they won't be willing to do so. – Michael Hampton Jun 10 '19 at 14:38
  • I appreciate the confirmation. I debated running everything under docker, but that too, is restricted (overlay2 driver for filesystem). Only thing I can think of is some kind of all-port proxy software to manage requests on the entire interface -- but I can't think of such a software. Maybe have to write it myself. This is why you don't host with B-rate quality companies. – Barry Jun 10 '19 at 23:30
  • FYI for any onlookers in future. I decided to make use of Cloudflare Access + Argo Tunnel. After changing all the services to run on the [lo] loopback interface (127.0.0.1), they are inaccessible publicly. But via cloudflared, they work fine and are protected. Even SSH! FTP will be the only attack vector, other than O/S zero-day attacks. – Barry Jun 10 '19 at 23:40
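The loopback-only workaround in the last comment is only as good as the audit that confirms nothing is still bound to a public address. The following is an added example (not from the poster or from any answer) that filters output in the format of `ss -tulnH` and reports every listener not bound to 127.0.0.0/8 or ::1; the sample ss lines are constructed, not captured from a real host.

```shell
# Prints each listening socket (from `ss -tulnH`-formatted input on stdin)
# whose local address is NOT a loopback address. Output: "<netid> <addr:port>".
# Handles the 0.0.0.0, [::] and legacy "*" wildcard forms that ss emits.
find_public_listeners() {
    awk '
    {
        local_addr = $5                   # column 5 of ss -tulnH: Local Address:Port
        addr = local_addr
        sub(/:[0-9]+$/, "", addr)         # drop the trailing :port
        gsub(/\[|\]/, "", addr)           # drop IPv6 brackets, e.g. [::1] -> ::1
        if (addr == "::1" || addr ~ /^127\./) next   # loopback: not reachable from outside
        print $1, local_addr
    }'
}

# Returns (prints) the number of non-loopback listeners in the ss-formatted text in $1.
# A result of 0 means every service is reachable only via the loopback interface.
count_public_listeners() {
    printf '%s\n' "$1" | find_public_listeners | wc -l | tr -d ' '
}

# Constructed sample of `ss -tulnH` output (hypothetical host, not real data):
# chrony and MySQL on loopback (fine), SSH/FTP/SMTP on wildcard addresses (exposed).
SAMPLE_SS_OUTPUT='udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:21 [::]:*
tcp LISTEN 0 100 *:25 *:*
tcp LISTEN 0 128 [::1]:8080 [::]:*'

# Stand-alone run against the constructed sample; on a live host use:
#   ss -tulnH | find_public_listeners
printf '%s\n' "$SAMPLE_SS_OUTPUT" | find_public_listeners
```

Anything the script prints after the migration to loopback binding plus cloudflared is a service that is still directly exposed and needs its bind address changed.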

0 Answers