[Copyrights Reserved] Tony Wang http://www.shdol.

com/ 

Linux + Xen + Webmin: a cheaper way to go VPS

Author: Tony Wang 04/2007

the webmaster of these websites

1. Smart Home Decorations Online http://www.shdol.com/

2. Everything Chinese http://www.panda-greatwall.com/

As many websites have outgrown the shared-hosting stage, webmasters want to seek
more advanced hosting services. As dedicated servers are very expensive (the cost
ranges from $80 - $200 USD per month), virtual private servers (VPS's) are a more
economical way to meet their needs for advanced hosting services.

What is VPS? Here is its definition from Google:

In computing, Virtual private servers are a means of splitting a single physical server into
multiple virtual servers. Virtual private servers are sometimes called virtual dedicated
servers. The practice of partitioning a single server so that it appeared as multiple
servers was common practice in the days of mainframe computers, but has seen a
resurgence lately with the development of software such as User-mode Linux and Xen.

As you can see from the above definition, VPS functions just like dedicated server at a
much lower cost. You can also say VPS is like shared hosting, because a single physical
server (real machine) is split into several VPS's.

Linux

Again, based on the definition found on Google, Linux is a free open-source operating
system based on Unix. Linux was originally created by Linus Torvalds with the
assistance of developers from around the globe. At present, Linux has quite a few
different distributions such as Fedora Core/Red Hat, Debian, CentOS and so on. Most of
these distributions are free license, which is an important reason why it is cheaper to use
Linux compared to Windows. PHP, as a script language for dynamic web pages, has an
enormous support community and extensions. MySQL is open source and a freely
available yet full featured relational database. Running PHP and MySQL on Linux is very
cost-effecient, which gains its popularity nowadays.

This tutorial assumes your VPS is pre-installed with Linux OS by your service provider,
so I will not dover how to install Linux on your server. You always can google what you
want to know. ;)

Xen

The introduction to Xen below was adapted from a Xen Wikipedia article:

1 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

Xen is a free virtual machine monitor for IA-32, x86-64, IA-64 and PowerPC
architectures. It is software that runs on a host operating system and allows one to run
several guest operating systems on top of the host on the same computer hardware at
the same time. Modified versions of Linux and NetBSD can be used as hosts. Several
modified Unix-like systems may be employed as guest systems; since Xen version 3.0
unmodified versions of Windows and other systems can also be used as guests on
certain hardware.

Xen originated as a research project at the University of Cambridge, led by Ian Pratt,
senior lecturer at Cambridge and founder of XenSource, Inc. This company now
supports the development of the open source project and also sells enterprise versions
of the software. The first public release of Xen was made available in 2003.

Suppose you have a server that has a Linux Operating System and you would like
several people to share as if everyone had a physical server machine. In this situation,
you need virtualization of the hardwares on your real physical server so that everyone
hosted can manage "theirs". With Xen, you can have multiple operating system and
services running simultaneously. This is how Xen works to make VPS possible.

In addition to Xen, Virtuozzo Power Panel (VZPP) and VMware also can virtualize
servers. Because of the good support for commercial use, VZPP and VMware are more
widely used. However, the license of Xen is GPL, which means free for use. So why pay
for virtualization when there is free software available out there?

Before we talk about Webmin, we would like you to set up some basic stuffs in your
Linux (Fedora Core 6 in this example):

1. Install some necessary softwares through YUM that are needed later on:

Log in your remote server through SSH (Putty Client), run these yum lines:

• yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc
gcc-c++
• yum install quota

Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/VolGroup00/LogVol00)

To enable quota, execute the following commands:

touch /aquota.user /aquota.group

chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

2. Install MySQL (5.0) Database:

2 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

In your Putty Client, type:

yum install mysql mysql-devel mysql-server

Then create the system startup links for MySQL (so that MySQL starts automatically
whenever the system boots) and start the MySQL server:

In Putty, type:

chkconfig --levels 235 mysqld on

/etc/init.d/mysqld start

Restart your MySQL database server:

/etc/init.d/mysqld restart

To set the password for root user, otherwise anybody can access your MySQL database
server:

mysqladmin -u root password yourrootsqlpassword

mysqladmin -h server1.example.com -u root password yourrootsqlpassword

Alternatively, you can wait to install MySQL database until you have Webmin installed.
We will cover this in Webmin section.

3. Install Apache + PHP5:

Still in your Putty Client window, type:

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-
xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel

Then edit /etc/httpd/conf/httpd.conf:

vi /etc/httpd/conf/httpd.conf

find the DirectoryIndex line, and change it to:

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl

After that, press Esc key on your keyboard, and type ":wq" (without quote) in your Putty.

Now configure your system to start Apache at when rebooting:

chkconfig --levels 235 httpd on

3 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

Start Apache:

/etc/init.d/httpd start

Up to this point, your web server is set up and ready to run PHP + MySQL applications.
However, you need something like Webmin to facilitate your operation in future.

Webmin

Webmin is a web-based interface for system administration for Unix-like system (Linux).
With Webmin, you can set up system user accounts, Apache web server, BIND DNS
server, FTP Server, SSH server, etc. Webmin simplies system administration for
Unix/Linux administrators, otherwise you would have to type command lines to configure
Unix/Linux, which is obviously not user-friendly. You also can access your Linux server
through SSH/Telnet. Putty, an open source SSH client, can be used to access your
remote Linux server from your local computer. Putty can be downloaded here.

Webmin was created by Jamie Cameron in 1997 and it has evolved

significantly in the past 10 years. Many more modules for managing different
servers and services have been added to Webmin. The user interface has

4 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

totally changed at least twice. And more operating systems are supported; the original
was only for Solaris and Linux.

If you ever used Cpanel/DirectAdmin control panel, you will find Webmin not so
straightforward as its counterparts. However, Webmin is the lightest among these three
applications.

Webmin - Installation:

Before you start installation, you want to surf this website

http://www.webmin.com/download.html for the latest version. At the time of writing this
article, the newest version of Webmin is 1.330 . Below is the procedures for downloading
and installing Webmin:

1. Log in your remote VPS (or Dedicated server) through SSH as root.

2. Type in Putty: mkdir Webmin

3. Type: wget http://prdownloads.sourceforge.net/webadmin/webmin-1.330.tar.gz , which

will take some time to finish.

4. Type: tar xvzf webmin-1.330.tar.gz

5.Type: cd webmin-1.330

6. Type: ./setup.sh /var/webmin

Generally, you will be asked below questions and you can accept the default presented
or change as you like:

• Webmin configuration directory

• The location at which Webmin will store logs
• Path to Perl
• Your server OS (Webmin does a good job of auto-detecting and will ask)
• The port that Webmin will run on (defaults to 10000)
• The user name and password to login to Webmin
• Your server's hostname -- again, Webmin tries to detect this
• Use SSL -- should only prompt if Perl's SSL libraries are installed (this author has
not run Webmin under SSL)
• Whether you want Webmin to start with system boot (highly recommended)

As soon as Webmin is installed on your server box, you can access it by

http://hostname.com:10000/ and enter your admin username and password that were
just set. Once you are logged in, you will see the Webmin welcome scrreen and
application control icons. You can try clicking every icon to see what they are.

5 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

If you did not install MySQL and/orApache web server, you can install them very easily
by going to Webmin --> Servers. Click the MySQL database or Apache webserver icon,
you will be prompted with a message like this:

The *** server /path/to/the/server could not be found on your system. Maybe it is
not installed, or your *** module configuration is incorrect.

The*** package can be automatically installed by Webmin. Click here to have it

downloaded and installed using YUM. (note: the *** can be any service name; in this
case, it can be Apache or MySQL)

All you need to do is click the link ' Click here ' to have the particular server installed by
YUM. It is just that simple! After installing the particular server, you can configure the
freshly installed servers by clicking the Server module icon again. This time you should
be able to go to the server configuration page, instead of being told that the server is not
installed yet. For Apache and MySQL database server, there isn't much needs to be
configured as long as the installation is successful. However, when we configure some
other Webmin modules (e.g. Postfix mail server, virtual server, tc), we will need to come
back to do some configuration in Apache/MySQL. But don't worry about them now, let's
keep moving.

Sendmail vs. Postfix

Sendmail and postfix are both message transfer agents (MTAs). An MTA is a program
responsible for receiving, routing and delivering e-mails. MTAs receive e-mail messages
and recipient addresses from local users and remote hosts; perform alias creation and
forwarding functions; and deliver messages to their destinations. The most obvious
difference between these two MTAs is architecture in their design. Postfix uses a
modular approach and is composed of multiple independent executables. Sendmail has
a more monolithic design utilizing a single always running daemon. Sendmail and postfix
each have large installed bases and perform well for businesses of many sizes. They
are direct replacements for each other. Some will claim that one or the other is more
secure, faster or easier to administer. There is a wealth of good information available
online to enable you to dig deeper into these claims.

Although there is Sendmail modules pre-built in webmin, we won't use Sendmail as our
mail server but Postfix instead. Why are doing this? There is really no reason for that,
just personal preference ;) . In addition to Postfix, we will choose dovecot as our
POP3/IMAP server. Next, we will talk about how to install and configure Postfix &
Dovecot. You will need to open your Putty SSH/Telnet client again and access to your
remote server again.

Install Postfix:

Run the following command line to install postfix, dovecot and peripheral applications:

6 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-

plain postfix dovecot

To restore your mail accounts information, you need to set up corresponding database
for postfix. run the following command line in your Putty window to create a database
called 'mail':

mysqladmin -u root -p create mail

Then, go to MySQL shell by typing mysql -u root -p in Putty.

On the MySQL shell, we create the user mail_admin with the password admin@
(replace it with your own password) who has SELECT,INSERT,UPDATE,DELETE
privileges on the mail database. This user will be used by Postfix and dovecot to connect
to the mail database:

Execute the following SQL script in MySQL shell:

GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO

'mail_admin'@'localhost' IDENTIFIED BY 'admin@';
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO
'mail_admin'@'localhost.localdomain' IDENTIFIED BY 'admin@';

FLUSH PRIVILEGES;
Keep staying on the MySQL shell, we will create the database table that both Postfix and
Dovecot use. Run the commands below:

USE mail;

CREATE TABLE domains

(
domain varchar(50) NOT NULL,
PRIMARY KEY (domain)
)TYPE=MyISAM;

CREATE TABLE forwardings

(
source varchar(80) NOT NULL,
destination TEXT NOT NULL,
PRIMARY KEY (source)
)TYPE=MyISAM;

CREATE TABLE users

(
email varchar(80) NOT NULL,
password varchar(20) NOT NULL,
quota INT(10) DEFAULT '10485760',
7 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

PRIMARY KEY (email)

) TYPE=MyISAM;

CREATE TABLE transport

(
domain varchar(128) NOT NULL default '',
transport varchar(128) NOT NULL default '',
UNIQUE KEY domain (domain)
) TYPE=MyISAM;

quit;

Configure Postfix:

So far, the Postfix has been installed successfully. However, we need to tell Postfix
where it can find all the information in the database. Therefore we have to create six text
files, in which I will tell Postfix to connect to MySQL on the IP address 127.0.0.1 instead
of localhost. This is because Postfix is running in a chroot jail and does not have access
to the MySQL socket which it
would try to connect if I told Postfix to use localhost. If I use 127.0.0.1 Postfix uses TCP
networking to connect to MySQL which is no problem even in a chroot jail (the
alternative would be to move the MySQL socket into the chroot jail which causes some
other problems).

Now let's create our six text files.

vi /etc/postfix/mysql-virtual_domains.cf
user = mail_adminpassword = admin@dbname = mailquery = SELECT domain AS
virtual FROM domains WHERE domain='%s'hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_forwardings.cf
user = mail_adminpassword = admin@dbname = mailquery = SELECT destination
FROM forwardings WHERE source='%s'hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_mailboxes.cf
user = mail_adminpassword = admin@dbname = mailquery = SELECT
CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')
FROM users WHERE email='%s'hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_email2email.cf
user = mail_adminpassword = admin@dbname = mailquery = SELECT email FROM
users WHERE email='%s'hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_transports.cf
user = mail_adminpassword = admin@dbname = mailquery = SELECT transport FROM
transport WHERE domain='%s'hosts = 127.0.0.1

8 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

vi /etc/postfix/mysql-virtual_mailbox_limit_maps.cf
user = mail_adminpassword = admin@dbname = mailquery = SELECT quota FROM
users WHERE email='%s'hosts = 127.0.0.1

chmod o= /etc/postfix/mysql-virtual_*.cf
chgrp postfix /etc/postfix/mysql-virtual_*.cf

Now we create a user and group called vmail with the home directory /home/vmail. This
is
where all mail boxes will be stored.

groupadd -g 5000 vmailuseradd -g vmail -u 5000 vmail -d /home/vmail –m

chmod 700 /home/vmail

Next we do some Postfix configuration. Make sure that you replace

server1.test.com with a valid FQDN, otherwise your Postfix might not work
properly!
Those configuration(postconf –e) are added(at the end of) in /etc/postfix/main.cf

postconf -e 'myhostname = server1.test.com'

postconf -e 'mydestination = server1.test.com , localhost, localhost.localdomain'
postconf -e 'mynetworks = 127.0.0.0/8'postconf -e 'virtual_alias_domains ='
postconf -e ' virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
mysql:/etc/postfix/mysql-virtual_email2email.cf'
postconf -e 'virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-
virtual_domains.cf'
postconf -e 'virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf'
postconf -e 'virtual_mailbox_base = /home/vmail'
postconf -e 'virtual_uid_maps = static:5000'
postconf -e 'virtual_gid_maps = static:5000'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination'postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/smtpd.cert'
postconf -e 'smtpd_tls_key_file = /etc/postfix/smtpd.key'
postconf -e 'transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf'
postconf -e 'virtual_create_maildirsize = yes'
postconf -e 'virtual_mailbox_extended = yes'
postconf -e 'virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-
virtual_mailbox_limit_maps.cf'
postconf -e 'virtual_mailbox_limit_override = yes'
postconf -e 'virtual_maildir_limit_message = "The user you are trying to reach is over
quota." '
postconf -e 'virtual_overquota_bounce = yes'

9 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

postconf -e 'proxy_read_maps = $local_recipient_maps $mydestination

$virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
$virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps
$sender_canonical_maps $recipient_canonical_maps $relocated_maps
$transport_maps $mynetworks $virtual_mailbox_limit_maps'

postconf -e 'inet_interfaces = all'

Configure TLS [STARTTLS]

Afterwards we create the SSL certificate that is needed for TLS:

cd /etc/postfix
openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout
smtpd.key -keyform PEM -days 365 -x509

<-- Enter your Country Name (e.g., "DE"). <-- Enter your State or Province Name. <--
Enter your City. <-- Enter your Organization Name (e.g., the name of your company). <--
Enter your Organizational Unit Name (e.g. "IT Department"). Common Name (eg, your
name or your server's hostname) []:server1.test.com
<-- Enter your Email Address. Then change the permissions of the smtpd.key: chmod o=
/etc/postfix/smtpd.key

Test Postfix:

To see if Postfix is ready for SMTP-AUTH and TLS, run

[root@server1 postfix]# telnet 127.0.0.1 25

Then the screen will show:

Connected to localhost (127.0.0.1).

Escape character is '^]'.
220 server1.test.com ESMTP Postfix

Type the commandline below:

ehlo localhost

If the configuration was successfully, it should show:

250-server1.test.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
10 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
ctrl+]

Type 'quit' to exit the testing.

Send mail to a user (after creating domain & user account):

root@server1 postfix]# telnet 127.0.0.1 25

Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 server1.test.com ESMTP Postfix
HELO hostname
Mail From:[email protected]
250 2.1.0 Ok
Rcpt To:[email protected]
250 2.1.5 Ok
DATA
354 End data with .
Subject: test mail
user account test
.
250 2.0.0 Ok: queued as AABA5D81BA

That's pretty much about Postfix configuration. If you encounter any problem, you can
google it. Good luck!

We will move on to ProFTPd Server. With ProFTPd server, you can connect your virtual
server with any FTP client (e.g. CuteFTP Pro) and upload your website files/directories.

To install ProFTPd server, type the following command in your Putty window after you
log in the server as root:

yum install proftpd

To make ProFTPd server start automatically when you reboot server, type the following
command in Putty:

chkconfig --levels 235 proftpd on

/etc/init.d/proftpd start

Alternatively, you can click the 'ProFTPd' server icon in Webmin if you don't want to
install by command lines and you will be asked to install it by Webmin, which is more
straightforward and easier.
11 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

BIND DNS Server:

BIND (Berkeley Internet Name Domain, previously: Berkeley Internet Name Daemon) is
the most commonly used DNS server on the Internet, especially on Linux/Unix system. If
you want to know more about BIND DNS, I suggest you go here
http://www.swelltech.com/support/webminguide-1.0/ch08.html to read more about it. The
BIND DNS server installation is very easy, just click the 'BIND DNS' icon in your Webmin
and you will be given a guide to install it.

Once you create a virtual server in your virtualmin, masterzone with the same name as
your domain will be created automatically in your BIND DNS server. If you want to
customize and use your own nameservers (i.e. ns1.yourdomain.com and
ns2.yourdomain.com), you will need to click the automatically created masterzone and
add 'A' address records, 'NS' name server records, 'C' CName records and 'MX' Mail
Server records.

'A' Address Records

Create an 'A' record (this sets the IP address for a domain). E.g. Enter a 'Name' of
"yourdomain.com." (include the trailing period, without the quotes). Set your IP Address.

'NS' Name Server Records

Create an 'NS' record this will be the Name Server for the domain. E.g. Enter a "Zone
Name" of "yourdomain.com." (include the trailing period, without the quote). Set the
"Name Server", for example to "ns1.yourdomain.com." Add another record for
ns2.yourdomain.com. You will need to define ns1.yourdomain.com and
ns2.yourdomain.com (via CNAME or 'A' Address records).

'C' CName Records

Create a Name Alias ('CN' record). This creates a "Name" that resolves to a different
domain. For example enter a "Name" of "www". Or "www.yourdomain.com.". Enter a
"Real Name" like "yourdomain.com."

'MX' Mail Server Records

First, create a mail.yourdomain.com 'A' Address. Then create a Mail Server ('MX') record.
Use a "Name" of "yourdomain.com.". Set the 'Mail Server' field to mail.yourdomain.com.
Set a priority. 1 will do. If you have multiple mail servers, the mail server lowest priority
that is available is used).

Note: Webmin may refuse to set up "yourdomain.com.". If so, try using

"mail.yourdomain.com.".

Go back to the Zone list. Hit Apply Changes.

12 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

Congratulations, your VPS is set up and good for use now. If you want to secure and
optimize it, I suggest you read this thread on Webhostingtalk.com
http://www.webhostingtalk.com/showthread.php?t=468168

Here's a quick abstrct for securing your VPS, if you don't time reading that long
thread:

Securing Your Server: Is Your Port Showing?

Want to harden the security on your server? The first thing you should do is shut down
any public services that you don't need.

To see the ports on which you are accepting connections (sshd, http, ftp, etc) , run
"netstat -l" (-l for ports that are listening).

You should be interested in both what ports are open, and on what addresses is your
server listening. e.g. listening on the localhost address is usually pretty harmless. But
you'd want to make sure that anything listening on a public (or *) IP address is supposed
to be publicly accessible

If you see a port number that you don't recognise, run lsof | grep theportnumber. This will
tell you the process listening on this port.

The xinetd daemon controls a number of services (like FTP, pop3, et al.). If you don't
want them running a) shutdown xinetd or b) configure that service by editing the
appropriate file in /etc/xinet.d/ and setting "disable = yes".

Tip: To quickly find enabled services, run: grep -i disable /etc/xinetd.d/* | grep -i no

NMap

Want to perform a security scan on your server?

Download and install nmap from Insecure.org. e.g. rpm -Uvfh

"http://download.insecure.org/nmap/dist/nmap-3.28-1.i386.rpm" Then run it against your
server: nmap yourservername.com. It will scan the most commonly used port numbers
on your server and alert you to open ports. Like this:

Port State Service

21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http

Securing Your Server: Setting up a Linux Firewall Using IPTables and Webmin

13 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

A firewall prevents all network access to your server (with certain exceptions that you will
specify).

You can configure a firewall on your VPS using the Webmin control panel. The iptables
command will actually implement the firewall rules.

Before you decide to set up a firewall, please consider... 1) Misconfiguring a firewall can
prevent you from accessing your own server. 2) The best way to prevent someone from
accessing services on your VPS is to simply not run those services. 3) Firewalls don't
protect you from insecure services. So keep your server up to date with the latest
security patches. For example, using apt-get update; apt-get upgrade.

Note: A few people with mulitple IPs have reported this HOWTO does not work for them.
So we recommend following this HOWTO on servers with a single IP only.

Discouraged yet? If you still want to proceed setting up a firewall, here goes...

Go to your Webmin control panel. Select Networking | Linux Firewall. Webmin will offer
to create default rules for you. Select the "Block all except SSH, IDENT, ping and high
ports on interface" option. You don't need to enter anything in the input to the right of the
"eth0" combo.

On the resulting page there will be an option "If protocol is TCP and destination port is
ssh". Select that option. On the Edit Rule page, go down to the "Destination TCP or UDP
port" option. Change the option from equalling "ssh" to equalling
"ssh,www,https,pop3,smtp,imap,imaps,pop3s,10000". Add in whatever other ports you
need, or remove ports you want to exclude. Hit Save.

Click 'Add Rule'. For Rule Comment set "Allow traceroutes". Action to Take is 'Accept'.
Set Network Protocol 'Equals' 'UDP'. Set Destination TCP or UDP port 'Equals' 'Port
Range' '33434' to '33523'.

Hit Apply Configuration. Check that 'Activate at Boot' is Yes.

On your VPS you should now be able to run iptables --list and get a list of all your iptable
rules. You can remove all the rules by stopping iptables: /etc/init.d/iptables stop. You can
also stop the iptables service from running at startup by running chkconfig --del iptables.
Or you can remove the iptables rules by running echo "" > /etc/sysconfig/iptables

When you're done, you will have an /etc/sysconfig/iptables file like this:

# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003

*nat
:PREROUTING ACCEPT [38:1868]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
14 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

COMMIT
# Completed on Sat Sep 27 02:06:00 2003
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*mangle
:PREROUTING ACCEPT [353:47034]
:INPUT ACCEPT [353:47034]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [323:141426]
:POSTROUTING ACCEPT [323:141426]
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports
ssh,www,https,pop3,smtp,imap,imaps,pop3s,10000
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Protect our NFS server
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
# Protect our X11 display server
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
# Protect our X font server
15 

 
 [Copyrights Reserved] Tony Wang http://www.shdol.com/ 

-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP

# Allow connections to unprivileged ports
-A INPUT -p tcp -m tcp --dport 1024:63353 -j ACCEPT
# Accept traceroutes
-A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
COMMIT
# Completed on Sat Sep 27 02:06:00 2003

Be careful with configuring Linux Firewall, as misconfigured firewall can block any traffic
and prevent you from accessing it. In case you are blocked by Linux firewall, you can
ask your system administrator to reset the firewall for you. Once, I misconfigured the
firewall, which stopped my name servers working. Actually, the prtocol for nameserver is
UDP not TCP and nameservers use the default port 53. To prevent malicious connection
to your SSH server, I suggest you change the default port 22 to some unused port
number like 4545 or anything you please.

Disclaimer:

This tutorial is aimed to help you get an idea about how to set up a VPS and is not 100%
accurate. I take no responsibility for any misconfiguration, loss or damage of your server.
I wish you best of luck!!!

16