HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: Problem on Bastille firewall with CentOS 6.0 and ispconfig 3.0.3.3 (http://www.howtoforge.com/forums/showthread.php?t=54557)

themark 17th October 2011 16:07

Problem on Bastille firewall with CentOS 6.0 and ispconfig 3.0.3.3
 
Hi there,

Today we have a strange problem with the Bastille firewall on CentOS 6.0 with ISPConfig 3.0.3.3.

The firewall does not look like it is working, and if we try to change a setting on the firewall settings page of the ISPConfig control panel we receive the following errors:

Code:

/sbin/bastille-ipchains: line 228: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 230: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 232: /sbin/ipchains: No such file or directory
[...many more...]
/sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
finished.

We have followed your perfect server installation, but we think that ipchains is pretty old, so it's normal that it isn't installed on CentOS 6.0.

Does someone have a hint on how we can solve this?
Thank you.

till 17th October 2011 19:18

The firewall tries to use ipchains as a fallback only if iptables is not installed on your server. Please post the output of:

which iptables

themark 18th October 2011 10:04

Quote:

Originally Posted by till (Post 265524)
The firewall tries to use ipchains as a fallback only if iptables is not installed on your server. Please post the output of:

which iptables

on this server iptables is installed:

[~]# rpm -qa |grep iptables
iptables-1.4.7-3.el6.x86_64
iptables-devel-1.4.7-3.el6.x86_64
iptables-ipv6-1.4.7-3.el6.x86_64

[~]# which iptables
/sbin/iptables

till 18th October 2011 10:11

Ok, that's good. Please post the output of:

iptables -L

and where exactly did you see the errors that you posted above?

themark 18th October 2011 10:29

Quote:

Originally Posted by till (Post 265555)
Ok, that's good. Please post the output of:

iptables -L

and where exactly did you see the errors that you posted above?

I love communicating good news :)

The output is:

Code:

[~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target       prot opt source      destination
fail2ban-SSH tcp  --  anywhere    anywhere     tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target       prot opt source      destination

Chain OUTPUT (policy ACCEPT)
target       prot opt source      destination

Chain INT_IN (0 references)
target       prot opt source      destination
ACCEPT       icmp --  anywhere    anywhere

Chain INT_OUT (0 references)
target       prot opt source      destination
ACCEPT       icmp --  anywhere    anywhere
ACCEPT       all  --  anywhere    anywhere

Chain PUB_IN (0 references)
target       prot opt source      destination
ACCEPT       icmp --  anywhere    anywhere     icmp destination-unreachable
ACCEPT       icmp --  anywhere    anywhere     icmp echo-reply
ACCEPT       icmp --  anywhere    anywhere     icmp time-exceeded
ACCEPT       icmp --  anywhere    anywhere     icmp echo-request

Chain PUB_OUT (0 references)
target       prot opt source      destination
REJECT       icmp --  anywhere    anywhere     icmp destination-unreachable reject-with icmp-port-unreachable
REJECT       icmp --  anywhere    anywhere     icmp time-exceeded reject-with icmp-port-unreachable
ACCEPT       all  --  anywhere    anywhere

Chain fail2ban-SSH (1 references)
target       prot opt source      destination
RETURN       all  --  anywhere    anywhere

The errors that we reported before appeared just after modifying some firewall rules, for example:

- log in to the control panel as admin;
- add a port on the firewall;
- save;
- run the script /usr/local/ispconfig/server/server.sh manually;
- the output of the script is what we reported before.

Thank you

themark 19th October 2011 12:57

Ok, solved.

The problem was that the Bastille startup script checks the installed kernel (with uname, etc.).

It checks that the kernel is newer than 2.3, but the awk syntax used is only OK for kernels from 2.3 to 2.9.

If you have (like me) a kernel newer than 2.9 (like the brand new 3.0 kernel), the startup script does not start netfilter.

Change the if statement in /etc/rc.d/init.d/bastille-firewall on row 85 or 86:

[FROM] if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then
[TO] if [ -n "$(uname -r | awk -F. ' $1 == 3 {print}')" ]; then

Next I had to save the configuration to sysconfig/iptables (on CentOS) with the command:

/sbin/service iptables save

just before the last case statement in this same script.

Hope it's useful :)
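The following script is an added example, not code from Bastille or ISPConfig. It reproduces the awk kernel test quoted in the post above, the poster's edited version, and a version-aware replacement that accepts 2.3 and every later major version (2.6, 3.x, 4.x, 5.x), then runs a handful of constructed kernel release strings through each to show which backend the init script would pick. The netfilter/ipchains branch is modelled on till's description of the fallback; the function names, the sample kernel strings and the corrected awk expression are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from Bastille or ISPConfig. Reproduces the kernel
# test quoted in the thread, the poster's fix, and a version-aware
# replacement, and models the netfilter/ipchains fallback till describes.
# Function names, sample kernel strings and the corrected awk expression
# are constructed for this example.

# Original test as quoted from the init script: true only for 2.x kernels
# whose minor version is greater than 2 (2.3, 2.4, 2.6, ...). A 3.0 kernel
# fails it and the script falls through to the ipchains backend.
bastille_original_check() {
    [ -n "$(printf '%s\n' "$1" | awk -F. '$1 == 2 && $2 > 2 {print}')" ]
}

# The poster's edit: true only for 3.x kernels, so a 2.6 kernel (the CentOS 6
# default) would now be sent to ipchains instead.
poster_fix_check() {
    [ -n "$(printf '%s\n' "$1" | awk -F. '$1 == 3 {print}')" ]
}

# Version-aware replacement (assumption, not from the thread): true for 2.3
# and every later major version, so 2.6, 3.0, 4.x and 5.x all pass.
netfilter_capable() {
    [ -n "$(printf '%s\n' "$1" | awk -F. '$1 > 2 || ($1 == 2 && $2 > 2) {print}')" ]
}

# Model of the init script's branch: prints the backend that would be run
# for kernel release string $1 when the check function named in $2 is used.
select_backend() {
    if "$2" "$1"; then
        echo netfilter
    else
        echo ipchains
    fi
}

# Walk constructed kernel release strings through all three checks.
demo() {
    for k in 2.2.19 2.4.37 2.6.32-71.el6.x86_64 3.0.4-1.el6.x86_64 4.18.0-348.el8.x86_64; do
        printf '%-24s original=%-9s poster=%-9s fixed=%s\n' "$k" \
            "$(select_backend "$k" bastille_original_check)" \
            "$(select_backend "$k" poster_fix_check)" \
            "$(select_backend "$k" netfilter_capable)"
    done
}

demo
```

Running it shows the failure mode from the first post: with the original test a 3.0 kernel lands on ipchains, which is what produces the "/sbin/ipchains: No such file or directory" lines, while the poster's `$1 == 3` edit fixes 3.x at the cost of breaking 2.6; the `$1 > 2 || ($1 == 2 && $2 > 2)` form keeps both. Whatever check you settle on, verify the result afterwards with `iptables -L` rather than trusting the "finished." message, since the script prints that even when every ipchains call failed.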

