Firewall in Virtualizor, Setup and Configure: Full and Easy Guide

Virtualizor, a popular control panel for managing VPS servers, ships its own firewall built on iptables. This article, brought to you by Orcacore, covers the Firewall in Virtualizor: how to enable and disable it, how to add and remove ports and IP addresses, and how to use Testing Mode so that a bad rule cannot lock you out. The firewall is a critical part of securing the node, because the panel and SSH ports on it are exposed to the internet.

How does the Firewall work in Virtualizor?

Having a firewall service is essential for every server and service you run. Virtualizor, like any good control panel, supports a built-in firewall that you can enable. Let’s explore the steps to enable and utilize the Firewall in Virtualizor.

Step 1 – How to Enable/Disable the Virtualizor Firewall?

First, log in to the Virtualizor admin panel at https://ServerIP:4085 in your web browser and enter your credentials. In the left-hand menu, open Firewall. The firewall settings page opens.

The first six items on this page control the core functionality of the firewall. The most important of them is the Testing Interval: the number of minutes for which Testing Mode stays active once you enable the firewall. Testing Mode protects you from your own rules. Enable the firewall with the new rules, then open a second session from a fresh connection and confirm that you can still reach SSH and the panel itself. If everything works, enable the firewall permanently; if a rule was wrong and you are locked out, all rules are cleared automatically when the interval expires and you can get back in. Always test from a new connection: a session that is already established usually keeps working even when a rule would block new ones.

After successful testing, you can enable or restart the firewall. The Firewall Status indicator displays the current status of the firewall service.

Step 2 – General Options

The next three options are general controls. Factory Reset reverts all firewall rules to the panel defaults. It discards every custom port and IP rule you have added, so record them (View IPtables Rules is convenient for this) before you use it.

Firewall Version shows the iptables version installed on the server. View IPtables Rules lists every rule currently loaded; the panel fetches and renders the list via Ajax. Reviewing this list after each change is the quickest way to confirm that the panel generated the rule you intended.

Step 3 – How to Add/Remove IP or Port?

The next six options cover the everyday work: allowing and blocking ports and IP addresses.

Block Port denies inbound access to the given port; Allow Port opens a port that must be reachable. For anything that listens only for administration, prefer the combined IP-plus-port rules described below over opening the port to the whole internet.

Note: the ports the panel itself needs are typically present in the list by default; make sure the SSH port you actually use is there too before you enable the firewall. When adding ports, append them to the existing value as a comma-separated list (for example 22,80,443).

Similarly, you can Block an IP Address or Allow an IP Address, either to shut out a source that is attacking you or to admit a trusted one.

Both can be combined with a port. Block IP Address with a Port drops traffic from one IP to one port, and Allow IP Address with a Port admits one IP to one port only. The latter is the least-privilege choice for administrative services: allow your management address on the SSH and panel ports, and keep those ports blocked for everyone else.

Step 4 – Search for IP in the Firewall

The final option, Search IP, shows whether an IP address already appears in the firewall rules, so that you do not create a duplicate (or contradictory) rule for it. Run it before blocking or allowing an address.
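
An added example (not code from Virtualizor or Orcacore) showing the pre-flight checks behind Steps 1 to 4: before you enable the firewall, or before the Testing Interval runs out, confirm that the ports you depend on have an unrestricted ACCEPT rule, and look an address up the way Search IP does. The script runs against the text that View IPtables Rules (or iptables-save on the host) shows. The ruleset embedded here is constructed for the example; its ports, addresses, chain policy and rule layout are assumptions, not what a real Virtualizor node produces.

```shell
#!/bin/sh
# Pre-flight checks for an iptables ruleset before enabling the firewall.
# Added example; not Virtualizor's own code.

# Constructed sample of iptables-save output. Everything in it is an
# assumption made for this example, not copied from a real node.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.7/32 -j DROP
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4085 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# escape_ip IP -> IP with the dots escaped for use inside a regex
escape_ip() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# port_allowed RULES PORT
# Succeeds if an INPUT rule accepts TCP to PORT from any source.
# Rules restricted with -s are ignored on purpose: an allow for one
# address does not save you from a lock-out when you connect from another.
port_allowed() {
    printf '%s\n' "$1" |
        grep -v -- ' -s ' |
        grep -Eq -- "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT$"
}

# ip_present RULES IP
# Succeeds if IP already appears as source or destination in any rule
# (the same question the panel's Search IP answers).
ip_present() {
    printf '%s\n' "$1" | grep -Eq -- "(-s|-d) $(escape_ip "$2")(/32)? "
}

# ip_blocked RULES IP
# Succeeds if an INPUT rule drops or rejects traffic from IP.
ip_blocked() {
    printf '%s\n' "$1" |
        grep -Eq -- "^-A INPUT -s $(escape_ip "$2")(/32)? .*-j (DROP|REJECT)"
}

# preflight RULES "PORT PORT ..."
# Prints the ports that lack an unrestricted ACCEPT rule and fails if
# there are any; succeeds when every listed port is reachable.
preflight() {
    rules=$1
    missing=""
    for p in $2; do
        port_allowed "$rules" "$p" || missing="$missing $p"
    done
    if [ -n "$missing" ]; then
        printf 'do not enable yet: no ACCEPT rule for port(s)%s\n' "$missing"
        return 1
    fi
    printf 'all required ports are allowed: %s\n' "$2"
    return 0
}

# On a live node you would feed in the real ruleset, for example:
#   preflight "$(iptables-save)" "22 4085" && echo "safe to enable"
# Here the checks run against the constructed sample instead.
preflight "$SAMPLE_RULES" "22 4085"
```

The port check deliberately ignores source-restricted rules, so an allow for a single management address is not mistaken for general reachability; if you manage the node only from that address, adjust the check to require the -s rule instead. Port 4085 is used because it is the panel port referenced in Step 1; replace it and 22 with whatever your node actually listens on.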

Conclusion

This tutorial has demonstrated how to use the Firewall in Virtualizor. Enabling, disabling, and adding rules are the core functionalities covered. If you have any questions, please feel free to ask in the comments.

You might also find these Virtualizor tutorials helpful:

Virtualizor Tutorials step by step

Two-Factor Authentication Virtualizor

Add Slave Server in Virtualizor

Alternative Solutions for Firewall Management

While the Virtualizor interface provides a convenient way to manage iptables, there are alternative approaches that offer greater flexibility, automation, and centralized management. Here are two such alternatives:

1. Using a Configuration Management Tool (Ansible, Puppet, Chef):

Configuration management tools like Ansible, Puppet, and Chef allow you to define the desired state of your firewall rules in a declarative manner. You write code (playbooks in Ansible, manifests in Puppet, recipes in Chef) that describes the rules you want to enforce. The tool then configures the system to match that desired state, handling the details of iptables syntax and keeping the ruleset consistent across multiple servers.

Explanation:

This approach offers several advantages:

  • Idempotency: Configuration management tools are designed to be idempotent, meaning that running the same configuration multiple times will only make changes if necessary. This ensures that your firewall rules remain consistent over time.
  • Automation: You can automate the process of deploying and updating firewall rules across multiple servers, saving time and reducing the risk of errors.
  • Version Control: You can store your firewall configurations in version control systems like Git, allowing you to track changes, collaborate with others, and easily revert to previous versions if needed.
  • Centralized Management: Configuration management tools provide a centralized platform for managing your infrastructure, including your firewall rules.

Code Example (Ansible):

This example shows how to use Ansible to allow SSH access (port 22) from a specific IP address:

---
- hosts: all
  become: true
  tasks:
    - name: Allow SSH access from a specific IP
      ansible.builtin.iptables:
        chain: INPUT
        # Insert at the top of the chain rather than append: a rule
        # appended after a trailing DROP/REJECT rule is never reached.
        action: insert
        protocol: tcp
        source: 203.0.113.10
        destination_port: "22"
        jump: ACCEPT
        comment: Allow SSH from specific IP
      notify: save iptables rules

  handlers:
    # Path used by iptables-persistent on Debian/Ubuntu; RHEL-family
    # hosts with iptables-services use /etc/sysconfig/iptables instead.
    - name: save iptables rules
      ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4

This playbook defines a task that uses the iptables module to insert a rule at the top of the INPUT chain allowing TCP traffic from the IP address 203.0.113.10 to port 22 (SSH). The module first checks whether an identical rule already exists, so re-running the playbook does not duplicate it. Inserting rather than appending matters when the chain ends in a catch-all DROP or REJECT rule, because an appended ACCEPT would sit after it and never match. The notify handler writes the ruleset to the file that the distribution's persistence service loads at boot, so the rule survives a reboot.

2. Using a Firewall Abstraction Layer (Firewalld):

Firewalld is a firewall manager that provides a higher-level abstraction over the kernel packet filter (iptables, or nftables on current distributions). It uses zones and services to simplify the process of configuring firewall rules. Instead of directly manipulating packet-filter rules, you define zones (e.g., public, trusted, internal) and assign interfaces to those zones. You then specify which services (e.g., SSH, HTTP, HTTPS) are allowed in each zone.

Explanation:

Firewalld offers the following benefits:

  • Simplified Configuration: The zone-based approach simplifies firewall configuration, making it easier to understand and manage.
  • Dynamic Firewall: Firewalld supports dynamic firewall rules, allowing you to make changes without interrupting existing connections.
  • Integration with NetworkManager: Firewalld integrates with NetworkManager, allowing you to automatically configure firewall rules based on the network connection.
  • Support for Rich Rules: Firewalld supports rich rules, which allow you to create more complex firewall rules based on source/destination IP addresses, ports, protocols, and other criteria.

Code Example (Firewalld):

This example shows how to use firewall-cmd to allow HTTP and HTTPS traffic in the public zone:

# Allow HTTP service in the public zone
firewall-cmd --zone=public --add-service=http --permanent

# Allow HTTPS service in the public zone
firewall-cmd --zone=public --add-service=https --permanent

# Reload the firewall to apply the changes
firewall-cmd --reload

These commands use the firewall-cmd utility to add the http and https services to the public zone. The --permanent option writes the change to the saved configuration so that it survives a reboot, but it does not touch the running firewall; nothing changes on the wire until --reload applies the saved configuration. Scripting these commands gives you another route to repeatable firewall configuration.

These alternative solutions offer more sophisticated and scalable ways to manage firewalls than the Virtualizor interface alone. They provide greater flexibility, automation, and centralized management, making them well suited to larger deployments or environments where consistency and control are critical. Whichever you choose, use it instead of, not alongside, the panel's firewall: two tools writing the same ruleset will overwrite each other's rules, and the panel's Factory Reset reverts the entire ruleset to its defaults regardless of which tool wrote the rules.