
IPtables / Bastille


jlaughy
28th September 2005, 19:04
Hi,

normally I work with IPTables and want to use the built-in option (Bastille) of ISPConfig. When I try to start Bastille (/etc/rc.d/init.d/Basti...) it's looking for IPChains (which is not on the machine).

Searched the sources to see if I could change this manually - without any result.

Any suggestions?

WKR, JL

BTW I use : Fedora Core 4

falko
28th September 2005, 20:02
Bastille is looking for ipchains and iptables - so it should work for you. Do you get error messages when trying to start Bastille?

jlaughy
28th September 2005, 23:01
Hi Falko,

I got a message like "can't find /sbin/ipchains".

Did a new install and it's working now!

WKR, JL

----

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere 127.0.0.0/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere

Chain PAROLE (8 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PUB_IN (3 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:http
PAROLE tcp -- anywhere anywhere tcp dpt:81
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:10000
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain PUB_OUT (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

benbalbo
9th November 2005, 04:12
I'm looking for some help on iptables issues I'm encountering with my VPS. It seems to work fine for most things, but when the firewall is on, the server can't resolve domain names.

Having looked at the previous post's output, I'm missing the RELATED,ESTABLISHED part. Here's my iptables -L -n output (iptables -L hangs!):

Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 127.0.0.0/8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 224.0.0.0/4 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- 0.0.0.0/0 0.0.0.0/0
PUB_OUT all -- 0.0.0.0/0 0.0.0.0/0
PUB_OUT all -- 0.0.0.0/0 0.0.0.0/0
PUB_OUT all -- 0.0.0.0/0 0.0.0.0/0

Chain PAROLE (12 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:943
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:43
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

When I try to add this rule, I get:

iptables -I INPUT 2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name

I've scoured the web for information on why this is, and whilst others have this problem, I've come up with no solutions.

I'd be very glad of any help from you guys, as this is the only bit that isn't working, and is holding us back from going live.

Cheers!
Ben

benbalbo
9th November 2005, 06:58
After much researching, I found that my VPS didn't have all the iptables modules loaded into the kernel. I asked my supplier to enable a few extra modules and it still doesn't quite work.

I've switched to using APF, which uses an allow-all-and-block-selected-items approach, rather than Bastille's block-all-and-allow-a-few. This means ESTABLISHED isn't required; I manually block certain ports above 1023, so all others are free for request replies.

I know I could reconfigure bastille to do this, but APF already does it, so why spend the time :-)

Only drawback now is that the firewall is not configurable through ISP Config, but that's not such a problem. One problem is that starting it in ISP Config will break things, so I might remove the option from the interface.

Anyway - hope this helps someone else...
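Editor's note, with an added example (not code from the thread, from ISPConfig or from Bastille): the failure Ben describes is visible in the listing he posted. Every packet that is not a new connection to one of the listed ports falls through the PUB_IN jumps to the final DROP, and the reply to an outgoing DNS query arrives from source port 53 to a high ephemeral port, so it is dropped; `ACCEPT udp dpt:53` only admits queries to the server, not answers to it. The `iptables -L` hang is the same fault seen from the other side: without `-n`, iptables reverse-resolves every address, and those lookups never come back. The Python below parses a trimmed copy of the posted `iptables -L -n` listing, walks an inbound DNS reply through INPUT, and compares three rulesets: as posted, with the `-m state --state RELATED,ESTABLISHED` rule that only works when the kernel has the state match and connection tracking, and with the stateless alternative that an allow-by-default setup like APF amounts to (accept UDP from source port 53 to unprivileged ports). It also sends a forged packet that merely looks like a reply, to show what the stateless version gives away. Assumptions, all mine: the loopback ACCEPT in the posted INPUT chain is taken to be an `-i lo` rule (`-L` without `-v` hides the interface) and is omitted because interfaces are not modelled, so the inserted rule goes at position 3 rather than Ben's position 2; the addresses 192.0.2.53 and 203.0.113.10 and the ephemeral port 33000 are made up; `ct_state=None` stands in for a kernel with no connection tracking, where in reality the state rule cannot even be loaded (the "No chain/target/match by that name" error above).

```python
# Added example (not code from the thread, ISPConfig or Bastille): replay an
# inbound DNS reply through INPUT rules parsed from `iptables -L -n` text.
import ipaddress
import re
from dataclasses import dataclass, replace

# Constructed listing: the INPUT path of the posted ruleset, trimmed. The loopback
# ACCEPT (assumed to be `-i lo`; `-L` without -v hides interfaces) is left out.
LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 127.0.0.0/8
DROP all -- 224.0.0.0/4 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain PUB_IN (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
DROP all -- 0.0.0.0/0 0.0.0.0/0
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ct_state: str = None   # None: the kernel has no connection tracking at all

@dataclass
class Rule:
    target: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sports: tuple = None   # (low, high) from spt:/spts:
    dports: tuple = None   # (low, high) from dpt:/dpts:
    states: set = None     # from "state A,B"
    def matches(self, p: Packet) -> bool:
        return (self.proto in ("all", p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.sports is None or self.sports[0] <= p.sport <= self.sports[1])
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1])
                and (self.states is None or p.ct_state in self.states))

def parse_rule(line: str) -> Rule:
    """One `iptables -L -n` line: target prot opt source destination [match text]."""
    target, proto, _opt, src, dst, *extra = line.split()
    rule = Rule(target, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst))
    for i, tok in enumerate(extra):
        key, _, val = tok.partition(":")        # dpt:53  or  dpts:1024:65535
        if key in ("spt", "spts", "dpt", "dpts"):
            lo, _, hi = val.partition(":")
            setattr(rule, key[0] + "ports", (int(lo), int(hi or lo)))  # sports / dports
        elif tok == "state":                    # "state RELATED,ESTABLISHED"
            rule.states = set(extra[i + 1].split(","))
    return rule

def parse_listing(text: str):
    chains, policy, cur = {}, {}, ""            # policy is None for user chains
    for line in text.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if head:
            cur = head.group(1)
            chains[cur] = []
            policy[cur] = head.group(2)
        elif line.strip() and not line.startswith("target"):
            chains[cur].append(parse_rule(line))
    return chains, policy

def evaluate(chains, policy, chain: str, p: Packet):
    """First match wins; a user chain with no match returns None (falls through)."""
    for rule in chains[chain]:
        if rule.matches(p):
            if rule.target in TERMINAL:
                return rule.target
            verdict = evaluate(chains, policy, rule.target, p)   # jump to a user chain
            if verdict is not None:
                return verdict
    return policy[chain]

def dns_reply_verdicts():
    """INPUT verdicts for a real DNS reply and a forged look-alike, three rulesets."""
    reply = Packet("udp", "192.0.2.53", "203.0.113.10", sport=53, dport=33000)
    packets = {"reply": reply,                                            # no conntrack
               "reply_tracked": replace(reply, ct_state="ESTABLISHED"),   # conntrack saw our query
               "forged": replace(reply, ct_state="NEW")}                  # nobody asked; sport 53 faked
    rulesets = {"as_posted": None,
                "stateful": "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED",
                "stateless": "ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535"}
    out = {}
    for rname, extra in rulesets.items():
        chains, policy = parse_listing(LISTING)
        if extra:
            chains["INPUT"].insert(2, parse_rule(extra))   # as `iptables -I INPUT 3 ...`
        for pname, pkt in packets.items():
            out[f"{rname}/{pname}"] = evaluate(chains, policy, "INPUT", pkt)
    return out
```

Calling `dns_reply_verdicts()` gives DROP for the reply under the posted rules, ACCEPT under the stateful rule only when conntrack has marked it ESTABLISHED (DROP again when there is no tracking, which is Ben's situation), and ACCEPT under the stateless rule for both the real reply and the forged one. That last pair is the cost of the allow-by-default approach: anything sent from source port 53 to an unprivileged UDP port gets through, and the same holds for any other source-port based "reply" rule. On the box itself, `lsmod` tells you whether the state match and connection tracking modules are loaded at all (`ipt_state` and `ip_conntrack` on 2.6 kernels of that era, `xt_state`/`xt_conntrack` and `nf_conntrack` later); on a container-style VPS they come from the host kernel, which is why the supplier had to enable them.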

falko
9th November 2005, 09:26
One problem is that starting it in ISP Config will break things, so I might remove the option from the interface.

You can disable the firewall under Management -> Server -> Services. :)

benbalbo
15th November 2005, 07:36
You can disable the firewall under Management -> Server -> Services. :)

That's true - but if another administrator comes in and enables it again, then that would cause problems. Admittedly they should be trained, and the firewall issue should be documented in internal policies so this mistake doesn't happen, but I don't trust people to read documentation, or remember what someone told them. Taking the option out makes it certain that it won't be re-enabled :-)

That said - I can't find an easy way to remove it. Seems the list of services is based on the field names in the services table, and I don't want to delete it from the table. I might just leave it after all :-)

falko
15th November 2005, 09:44
You can edit the file /root/ispconfig/scripts/shell/firewall.php and change the following part:

if($dienst["dienst_firewall_status"] != "off"){
    // Firewall switched on in ISPConfig: (re)start the Bastille init script
    $mod->system->daemon_init("bastille-firewall", "restart");
} else {
    // Switched off: stop Bastille only if its lock file says it is running
    if(is_file("/var/lock/subsys/bastille-firewall")) $mod->system->daemon_init("bastille-firewall", "stop");
}