As many websites have outgrown the shared-hosting stage, webmasters want to seek more advanced hosting services. As dedicated servers are very expensive (the cost ranges from $80 - $200 USD per month), virtual private servers (VPS's) are a more economical way to meet their needs for advanced hosting services.
What is VPS? Here is its definition from Google:
In computing, Virtual private servers are a means of splitting a single physical server into multiple virtual servers. Virtual private servers are sometimes called virtual dedicated servers. The practice of partitioning a single server so that it appeared as multiple servers was common practice in the days of mainframe computers, but has seen a resurgence lately with the development of software such as User-mode Linux and Xen.
As you can see from the above definition, VPS functions just like dedicated server at a much lower cost. You can also say VPS is like shared hosting, because a single physical server (real machine) is split into several VPS's.
Linux
Again, based on the definition found on Google, Linux is a free open-source operating system based on Unix. Linux was originally created by Linus Torvalds with the assistance of developers from around the globe. At present, Linux has quite a few different distributions such as Fedora Core/Red Hat, Debian, CentOS and so on. Most of these distributions are free license, which is an important reason why it is cheaper to use Linux compared to Windows. PHP, as a script language for dynamic web pages, has an enormous support community and extensions. MySQL is open source and a freely available yet full featured relational database. Running PHP and MySQL on Linux is very cost-effecient, which gains its popularity nowadays.
This tutorial assumes your VPS is pre-installed with Linux OS by your service provider, so I will not dover how to install Linux on your server. You always can google what you want to know. ;)
Xen
The introduction to Xen below was adapted from a Xen Wikipedia article:
Xen is a free virtual machine monitor for IA-32, x86-64, IA-64 and PowerPC architectures. It is software that runs on a host operating system and allows one to run several guest operating systems on top of the host on the same computer hardware at the same time. Modified versions of Linux and NetBSD can be used as hosts. Several modified Unix-like systems may be employed as guest systems; since Xen version 3.0 unmodified versions of Windows and other systems can also be used as guests on certain hardware.
Xen originated as a research project at the University of Cambridge, led by Ian Pratt, senior lecturer at Cambridge and founder of XenSource, Inc. This company now supports the development of the open source project and also sells enterprise versions of the software. The first public release of Xen was made available in 2003.
Suppose you have a server that has a Linux Operating System and you would like several people to share as if everyone had a physical server machine. In this situation, you need virtualization of the hardwares on your real physical server so that everyone hosted can manage "theirs". With Xen, you can have multiple operating system and services running simultaneously. This is how Xen works to make VPS possible.
In addition to Xen, Virtuozzo Power Panel (VZPP) and VMware also can virtualize servers. Because of the good support for commercial use, VZPP and VMware are more widely used. However, the license of Xen is GPL, which means free for use. So why pay for virtualization when there is free software available out there?
Before we talk about Webmin, we would like you to set up some basic stuffs in your Linux (Fedora Core 6 in this example):
1. Install some necessary softwares through YUM that are needed later on:
Log in your remote server through SSH (Putty Client), run these yum lines:
- yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++
- yum install quota
Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/VolGroup00/LogVol00)
To enable quota, execute the following commands:
touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
2. Install MySQL (5.0) Database:
In your Putty Client, type:
yum install mysql mysql-devel mysql-server
Then create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:
In Putty, type:
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
Restart your MySQL database server:
/etc/init.d/mysqld restart
To set the password for root user, otherwise anybody can access your MySQL database server:
mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword
Alternatively, you can wait to install MySQL database until you have Webmin installed. We will cover this in Webmin section.
3. Install Apache + PHP5:
Still in your Putty Client window, type:
yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel
Then edit /etc/httpd/conf/httpd.conf:
vi /etc/httpd/conf/httpd.conf
find the DirectoryIndex line, and change it to:
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl
After that, press Esc key on your keyboard, and type ":wq" (without quote) in your Putty.
Now configure your system to start Apache at when rebooting:
chkconfig --levels 235 httpd on
Start Apache:
/etc/init.d/httpd start
Up to this point, your web server is set up and ready to run PHP + MySQL applications. However, you need something like Webmin to facilitate your operation in future.
Webmin
Webmin is a web-based interface for system administration for Unix-like system (Linux). With Webmin, you can set up system user accounts, Apache web server, BIND DNS server, FTP Server, SSH server, etc. Webmin simplies system administration for Unix/Linux administrators, otherwise you would have to type command lines to configure Unix/Linux, which is obviously not user-friendly. You also can access your Linux server through SSH/Telnet. Putty, an open source SSH client, can be used to access your remote Linux server from your local computer. Putty can be downloaded here.
Webmin was created by Jamie Cameron in 1997 and it has evolved significantly in the past 10 years. Many more modules for managing different servers and services have been added to Webmin. The user interface has totally changed at least twice. And more operating systems are supported; the original was only for Solaris and Linux.
If you ever used Cpanel/DirectAdmin control panel, you will find Webmin not so straightforward as its counterparts. However, Webmin is the lightest among these three applications.
Webmin - Installation:
Before you start installation, you want to surf this website http://www.webmin.com/download.html for the latest version. At the time of writing this article, the newest version of Webmin is 1.330 . Below is the procedures for downloading and installing Webmin:
1. Log in your remote VPS (or Dedicated server) through SSH as root.
2. Type in Putty: mkdir Webmin
3. Type: wget http://prdownloads.sourceforge.net/webadmin/webmin-1.330.tar.gz , which will take some time to finish.
4. Type: tar xvzf webmin-1.330.tar.gz
5.Type: cd webmin-1.330
6. Type: ./setup.sh /var/webmin
Generally, you will be asked below questions and you can accept the default presented or change as you like:
- Webmin configuration directory
- The location at which Webmin will store logs
- Path to Perl
- Your server OS (Webmin does a good job of auto-detecting and will ask)
- The port that Webmin will run on (defaults to 10000)
- The user name and password to login to Webmin
- Your server's hostname -- again, Webmin tries to detect this
- Use SSL -- should only prompt if Perl's SSL libraries are installed (this author has not run Webmin under SSL)
- Whether you want Webmin to start with system boot (highly recommended)
As soon as Webmin is installed on your server box, you can access it by http://hostname.com:10000/ and enter your admin username and password that were just set. Once you are logged in, you will see the Webmin welcome scrreen and application control icons. You can try clicking every icon to see what they are.
If you did not install MySQL and/orApache web server, you can install them very easily by going to Webmin --> Servers. Click the MySQL database or Apache webserver icon, you will be prompted with a message like this:
The *** server /path/to/the/server could not be found on your system. Maybe it is not installed, or your *** module configuration is incorrect.
The*** package can be automatically installed by Webmin. Click here to have it downloaded and installed using YUM. (note: the *** can be any service name; in this case, it can be Apache or MySQL)
All you need to do is click the link ' Click here ' to have the particular server installed by YUM. It is just that simple! After installing the particular server, you can configure the freshly installed servers by clicking the Server module icon again. This time you should be able to go to the server configuration page, instead of being told that the server is not installed yet. For Apache and MySQL database server, there isn't much needs to be configured as long as the installation is successful. However, when we configure some other Webmin modules (e.g. Postfix mail server, virtual server, tc), we will need to come back to do some configuration in Apache/MySQL. But don't worry about them now, let's keep moving.
Sendmail vs. Postfix
Sendmail and postfix are both message transfer agents (MTAs). An MTA is a program responsible for receiving, routing and delivering e-mails. MTAs receive e-mail messages and recipient addresses from local users and remote hosts; perform alias creation and forwarding functions; and deliver messages to their destinations. The most obvious difference between these two MTAs is architecture in their design. Postfix uses a modular approach and is composed of multiple independent executables. Sendmail has a more monolithic design utilizing a single always running daemon. Sendmail and postfix each have large installed bases and perform well for businesses of many sizes. They are direct replacements for each other. Some will claim that one or the other is more secure, faster or easier to administer. There is a wealth of good information available online to enable you to dig deeper into these claims.
Although there is Sendmail modules pre-built in webmin, we won't use Sendmail as our mail server but Postfix instead. Why are doing this? There is really no reason for that, just personal preference ;) . In addition to Postfix, we will choose dovecot as our POP3/IMAP server. Next, we will talk about how to install and configure Postfix & Dovecot. You will need to open your Putty SSH/Telnet client again and access to your remote server again.
Install Postfix:
Run the following command line to install postfix, dovecot and peripheral applications:
yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot
To restore your mail accounts information, you need to set up corresponding database for postfix. run the following command line in your Putty window to create a database called 'mail':
mysqladmin -u root -p create mail
Then, go to MySQL shell by typing mysql -u root -p in Putty.
On the MySQL shell, we create the user mail_admin with the password admin@ (replace it with your own password) who has SELECT,INSERT,UPDATE,DELETE privileges on the mail database. This user will be used by Postfix and dovecot to connect to the mail database:
Execute the following SQL script in MySQL shell:
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost' IDENTIFIED BY 'admin@';
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost.localdomain' IDENTIFIED BY 'admin@';
FLUSH PRIVILEGES;
Keep staying on the MySQL shell, we will create the database table that both Postfix and Dovecot use. Run the commands below:
USE mail;
CREATE TABLE domains
(
domain varchar(50) NOT NULL,
PRIMARY KEY (domain)
)TYPE=MyISAM;CREATE TABLE forwardings
(
source varchar(80) NOT NULL,
destination TEXT NOT NULL,
PRIMARY KEY (source)
)TYPE=MyISAM;CREATE TABLE users
(
email varchar(80) NOT NULL,
password varchar(20) NOT NULL,
quota INT(10) DEFAULT '10485760',
PRIMARY KEY (email)
) TYPE=MyISAM;CREATE TABLE transport
(
domain varchar(128) NOT NULL default '',
transport varchar(128) NOT NULL default '',
UNIQUE KEY domain (domain)
) TYPE=MyISAM;quit;
Configure Postfix:
So far, the Postfix has been installed successfully. However, we need to tell Postfix where it can find all the information in the database. Therefore we have to create six text files, in which I will tell Postfix to connect to MySQL on the IP address 127.0.0.1 instead of localhost. This is because Postfix is running in a chroot jail and does not have access to the MySQL socket which it
would try to connect if I told Postfix to use localhost. If I use 127.0.0.1 Postfix uses TCP networking to connect to MySQL which is no problem even in a chroot jail (the alternative would be to move the MySQL socket into the chroot jail which causes some other problems).
Now let's create our six text files.
vi /etc/postfix/mysql-virtual_domains.cf
user = mail_adminpassword = admin@dbname = mailquery = SELECT domain AS virtual FROM domains WHERE domain='%s'hosts = 127.0.0.1vi /etc/postfix/mysql-virtual_forwardings.cf
user = mail_adminpassword = admin@dbname = mailquery = SELECT destination FROM forwardings WHERE source='%s'hosts = 127.0.0.1vi /etc/postfix/mysql-virtual_mailboxes.cf
user = mail_adminpassword = admin@dbname = mailquery = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'hosts = 127.0.0.1vi /etc/postfix/mysql-virtual_email2email.cf
user = mail_adminpassword = admin@dbname = mailquery = SELECT email FROM users WHERE email='%s'hosts = 127.0.0.1vi /etc/postfix/mysql-virtual_transports.cf
user = mail_adminpassword = admin@dbname = mailquery = SELECT transport FROM transport WHERE domain='%s'hosts = 127.0.0.1vi /etc/postfix/mysql-virtual_mailbox_limit_maps.cf
user = mail_adminpassword = admin@dbname = mailquery = SELECT quota FROM users WHERE email='%s'hosts = 127.0.0.1chmod o= /etc/postfix/mysql-virtual_*.cf
chgrp postfix /etc/postfix/mysql-virtual_*.cf
Now we create a user and group called vmail with the home directory /home/vmail. This is
where all mail boxes will be stored.
groupadd -g 5000 vmailuseradd -g vmail -u 5000 vmail -d /home/vmail –m
chmod 700 /home/vmail
Next we do some Postfix configuration. Make sure that you replace server1.test.com with a valid FQDN, otherwise your Postfix might not work properly!
Those configuration(postconf –e) are added(at the end of) in /etc/postfix/main.cf
postconf -e 'myhostname = server1.test.com'
postconf -e 'mydestination = server1.test.com , localhost, localhost.localdomain'
postconf -e 'mynetworks = 127.0.0.0/8'postconf -e 'virtual_alias_domains ='
postconf -e ' virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf'
postconf -e 'virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf'
postconf -e 'virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf'
postconf -e 'virtual_mailbox_base = /home/vmail'
postconf -e 'virtual_uid_maps = static:5000'
postconf -e 'virtual_gid_maps = static:5000'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/smtpd.cert'
postconf -e 'smtpd_tls_key_file = /etc/postfix/smtpd.key'
postconf -e 'transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf'
postconf -e 'virtual_create_maildirsize = yes'
postconf -e 'virtual_mailbox_extended = yes'
postconf -e 'virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf'
postconf -e 'virtual_mailbox_limit_override = yes'
postconf -e 'virtual_maildir_limit_message = "The user you are trying to reach is over quota." '
postconf -e 'virtual_overquota_bounce = yes'
postconf -e 'proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps'
postconf -e 'inet_interfaces = all'
Configure TLS [STARTTLS]
Afterwards we create the SSL certificate that is needed for TLS:
cd /etc/postfix
openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509
<-- Enter your Country Name (e.g., "DE"). <-- Enter your State or Province Name. <-- Enter your City. <-- Enter your Organization Name (e.g., the name of your company). <-- Enter your Organizational Unit Name (e.g. "IT Department"). Common Name (eg, your name or your server's hostname) []:server1.test.com
<-- Enter your Email Address. Then change the permissions of the smtpd.key: chmod o= /etc/postfix/smtpd.key
Test Postfix:
To see if Postfix is ready for SMTP-AUTH and TLS, run
[root@server1 postfix]# telnet 127.0.0.1 25
Then the screen will show:
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 server1.test.com ESMTP Postfix
Type the commandline below:
ehlo localhost
If the configuration was successfully, it should show:
250-server1.test.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
ctrl+]
Type 'quit' to exit the testing.
Send mail to a user (after creating domain & user account):
root@server1 postfix]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 server1.test.com ESMTP Postfix
HELO hostname
Mail From:test@demo.com
250 2.1.0 Ok
Rcpt To:user@demo.com
250 2.1.5 Ok
DATA
354 End data with .
Subject: test mail
user account test
.
250 2.0.0 Ok: queued as AABA5D81BA
That's pretty much about Postfix configuration. If you encounter any problem, you can google it. Good luck!
We will move on to ProFTPd Server. With ProFTPd server, you can connect your virtual server with any FTP client (e.g. CuteFTP Pro) and upload your website files/directories.
To install ProFTPd server, type the following command in your Putty window after you log in the server as root:
yum install proftpd
To make ProFTPd server start automatically when you reboot server, type the following command in Putty:
chkconfig --levels 235 proftpd on
/etc/init.d/proftpd start
Alternatively, you can click the 'ProFTPd' server icon in Webmin if you don't want to install by command lines and you will be asked to install it by Webmin, which is more straightforward and easier.
BIND DNS Server:
BIND (Berkeley Internet Name Domain, previously: Berkeley Internet Name Daemon) is the most commonly used DNS server on the Internet, especially on Linux/Unix system. If you want to know more about BIND DNS, I suggest you go here http://www.swelltech.com/support/webminguide-1.0/ch08.html to read more about it. The BIND DNS server installation is very easy, just click the 'BIND DNS' icon in your Webmin and you will be given a guide to install it.
Once you create a virtual server in your virtualmin, masterzone with the same name as your domain will be created automatically in your BIND DNS server. If you want to customize and use your own nameservers (i.e. ns1.yourdomain.com and ns2.yourdomain.com), you will need to click the automatically created masterzone and add 'A' address records, 'NS' name server records, 'C' CName records and 'MX' Mail Server records.
'A' Address Records
Create an 'A' record (this sets the IP address for a domain). E.g. Enter a 'Name' of "yourdomain.com." (include the trailing period, without the quotes). Set your IP Address.
'NS' Name Server Records
Create an 'NS' record this will be the Name Server for the domain. E.g. Enter a "Zone Name" of "yourdomain.com." (include the trailing period, without the quote). Set the "Name Server", for example to "ns1.yourdomain.com." Add another record for ns2.yourdomain.com. You will need to define ns1.yourdomain.com and ns2.yourdomain.com (via CNAME or 'A' Address records).
'C' CName Records
Create a Name Alias ('CN' record). This creates a "Name" that resolves to a different domain. For example enter a "Name" of "www". Or "www.yourdomain.com.". Enter a "Real Name" like "yourdomain.com."
'MX' Mail Server Records
First, create a mail.yourdomain.com 'A' Address. Then create a Mail Server ('MX') record. Use a "Name" of "yourdomain.com.". Set the 'Mail Server' field to mail.yourdomain.com. Set a priority. 1 will do. If you have multiple mail servers, the mail server lowest priority that is available is used).
Note: Webmin may refuse to set up "yourdomain.com.". If so, try using "mail.yourdomain.com.".
Go back to the Zone list. Hit Apply Changes.
Congratulations, your VPS is set up and good for use now. If you want to secure and optimize it, I suggest you read this thread on Webhostingtalk.com http://www.webhostingtalk.com/showthread.php?t=468168
Here's a quick abstrct for securing your VPS, if you don't time reading that long thread:
Securing Your Server: Is Your Port Showing?
Want to harden the security on your server? The first thing you should do is shut down any public services that you don't need.
To see the ports on which you are accepting connections (sshd, http, ftp, etc) , run "netstat -l
" (-l for ports that are listening).
You should be interested in both what ports are open, and on what addresses is your server listening. e.g. listening on the localhost address is usually pretty harmless. But you'd want to make sure that anything listening on a public (or *) IP address is supposed to be publicly accessible
If you see a port number that you don't recognise, run lsof | grep theportnumber
. This will tell you the process listening on this port.
The xinetd daemon controls a number of services (like FTP, pop3, et al.). If you don't want them running a) shutdown xinetd or b) configure that service by editing the appropriate file in /etc/xinet.d/ and setting "disable = yes".
Tip: To quickly find enabled services, run: grep -i disable /etc/xinetd.d/* | grep -i no
NMap
Want to perform a security scan on your server?
Download and install nmap from Insecure.org. e.g. rpm -Uvfh "http://download.insecure.org/nmap/dist/nmap-3.28-1.i386.rpm"
Then run it against your server: nmap yourservername.com
. It will scan the most commonly used port numbers on your server and alert you to open ports. Like this:
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
Securing Your Server: Setting up a Linux Firewall Using IPTables and Webmin
A firewall prevents all network access to your server (with certain exceptions that you will specify).
You can configure a firewall on your VPS using the Webmin control panel. The iptables command will actually implement the firewall rules.
Before you decide to set up a firewall, please consider... 1) Misconfiguring a firewall can prevent you from accessing your own server. 2) The best way to prevent someone from accessing services on your VPS is to simply not run those services. 3) Firewalls don't protect you from insecure services. So keep your server up to date with the latest security patches. For example, using apt-get update; apt-get upgrade
.
Note: A few people with mulitple IPs have reported this HOWTO does not work for them. So we recommend following this HOWTO on servers with a single IP only.
Discouraged yet? If you still want to proceed setting up a firewall, here goes...
Go to your Webmin control panel. Select Networking | Linux Firewall. Webmin will offer to create default rules for you. Select the "Block all except SSH, IDENT, ping and high ports on interface" option. You don't need to enter anything in the input to the right of the "eth0" combo.
On the resulting page there will be an option "If protocol is TCP and destination port is ssh". Select that option. On the Edit Rule page, go down to the "Destination TCP or UDP port" option. Change the option from equalling "ssh" to equalling "ssh,www,https,pop3,smtp,imap,imaps,pop3s,10000". Add in whatever other ports you need, or remove ports you want to exclude. Hit Save.
Click 'Add Rule'. For Rule Comment set "Allow traceroutes". Action to Take is 'Accept'. Set Network Protocol 'Equals' 'UDP'. Set Destination TCP or UDP port 'Equals' 'Port Range' '33434' to '33523'.
Hit Apply Configuration. Check that 'Activate at Boot' is Yes.
On your VPS you should now be able to run iptables --list
and get a list of all your iptable rules. You can remove all the rules by stopping iptables: /etc/init.d/iptables stop
. You can also stop the iptables service from running at startup by running chkconfig --del iptables
. Or you can remove the iptables rules by running echo "" > /etc/sysconfig/iptables
When you're done, you will have an /etc/sysconfig/iptables file like this:
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*nat
:PREROUTING ACCEPT [38:1868]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*mangle
:PREROUTING ACCEPT [353:47034]
:INPUT ACCEPT [353:47034]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [323:141426]
:POSTROUTING ACCEPT [323:141426]
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports ssh,www,https,pop3,smtp,imap,imaps,pop3s,10000
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Protect our NFS server
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
# Protect our X11 display server
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
# Protect our X font server
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
# Allow connections to unprivileged ports
-A INPUT -p tcp -m tcp --dport 1024:63353 -j ACCEPT
# Accept traceroutes
-A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
Be careful with configuring Linux Firewall, as misconfigured firewall can block any traffic and prevent you from accessing it. In case you are blocked by Linux firewall, you can ask your system administrator to reset the firewall for you. Once, I misconfigured the firewall, which stopped my name servers working. Actually, the prtocol for nameserver is UDP not TCP and nameservers use the default port 53. To prevent malicious connection to your SSH server, I suggest you change the default port 22 to some unused port number like 4545 or anything you please.
Disclaimer:
This tutorial is aimed to help you get an idea about how to set up a VPS and is not 100% accurate. I take no responsibility for any misconfiguration, loss or damage of your server. I wish you best of luck!!!