
gragus 26th February 2012 07:24

ISPConfig 2: Firewall function not working
 
Hi,

I'd like to prevent users from using POP3/IMAP other than via SSL. To do that I am attempting to use the firewall to close non-SSL POP3/IMAP ports.

I am having trouble getting the firewall function to work properly.

System: ISPConfig 2.2.40 running on Ubuntu 10.04.4 LTS configured as described in the Perfect Server Manual.

I activated all services under Management > Server > Services, including Firewall which was initially OFF. On the Firewall tab I set the following configuration:
Code:

Name        Port    Type    Active
FTP         21      tcp     no
SSH         22      tcp     yes
SMTP        25      tcp     yes
DNS         53      tcp     no
DNS         53      udp     no
WWW         80      tcp     yes
ISPConfig   81      tcp     yes
POP3        110     tcp     no
IMAP2       143     tcp     no
SSL (www)   443     tcp     yes
Webmin      10000   tcp     no
IMAPS       993     tcp     no

However, when performing a port scan I am seeing 53, 110, 143 open.
I have not seen any error messages.
I am avoiding configuring a firewall separately because I do not want to interfere with ISPConfig.
Does anyone have any hints?

Is there another way to ensure that users can only use SSL to connect to email services?

Thanks!

falko 27th February 2012 17:20

What's the output of
Code:

iptables -L
?

gragus 28th February 2012 00:36

Hi Falko,

# iptables -L
Code:

Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

Furthermore, this seems not right:

# /etc/init.d/bastille-firewall restart
Code:

/sbin/bastille-ipchains: line 232: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 234: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 236: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 238: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 240: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 242: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 251: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 252: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 258: /sbin/ipchains: No such file or directory
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces.../sbin/bastille-ipchains: line 283: /sbin/ipchains: No such file or directory
 done.
/sbin/bastille-ipchains: line 297: /sbin/ipchains: No such file or directory
Setting up chains for public/internal interface traffic.../sbin/bastille-ipchains: line 340: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 342: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 345: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 347: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 351: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 353: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 356: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 358: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
 done.
Setting up general rules.../sbin/bastille-ipchains: line 437: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 437: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 445: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 446: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 473: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 491: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 504: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 491: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 504: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
 done.
Setting up outbound rules.../sbin/bastille-ipchains: line 570: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 570: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 584: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 590: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 591: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 596: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 596: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
 done.

I am not sure what a correct setup needs to look like, but here are a few queries that I expect you would want to run:

# find / | grep ipchains
Code:

/usr/share/Bastille/bastille-ipchains
/sbin/bastille-ipchains

Looking at the /sbin/bastille-ipchains file, it seems the errors are caused by an incorrect definition of the symbol '${IPCHAINS}'. The error lines seem to be using that symbol. E.g., line 232:
Code:

${IPCHAINS} -P forward DENY

It appears to be defined in line 42:
Code:

IPCHAINS=/sbin/ipchains

Any clues?

Thanks.

falko 28th February 2012 17:38

What's your kernel version? Is it 3.x? You can find it in the output of
Code:

uname -a

gragus 28th February 2012 20:21

# uname -a

Code:

Linux ncc-1701-d 3.0.18-linode43 #1 SMP Mon Jan 30 11:44:09 EST 2012 i686 GNU/Linux

falko 29th February 2012 12:52

http://www.howtoforge.com/forums/sho...70&postcount=3

gragus 1st March 2012 20:36

This worked, thank you very much.
A port scan now shows only the expected open ports.
However, I see this error message when doing "# /etc/init.d/bastille-firewall restart". Is this a reason for concern?
Code:

FATAL: Module ip_tables not found.
FATAL: Module ip_conntrack not found.
FATAL: Module ip_conntrack_ftp not found.
FATAL: Module ipt_LOG not found.
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.

Now that I resolved this security concern, would you please have any pointers about the chroot setup question or should I better post that question on a different forum?

Thanks heaps!

falko 3rd March 2012 10:56

Quote:

Originally Posted by gragus (Post 274693)
This worked, thank you very much.
A port scan now shows only the expected open ports.
However, I see this error message when doing "# /etc/init.d/bastille-firewall restart". Is this a reason for concern?

What's the output of
Code:

iptables -L
?

gragus 5th March 2012 01:26

# iptables -L
Code:

Chain INPUT (policy DROP)
target    prot opt source              destination
DROP      tcp  --  anywhere            127.0.0.0/8
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    all  --  anywhere            anywhere
DROP      all  --  base-address.mcast.net/4  anywhere
PUB_IN    all  --  anywhere            anywhere
PUB_IN    all  --  anywhere            anywhere
PUB_IN    all  --  anywhere            anywhere
PUB_IN    all  --  anywhere            anywhere
DROP      all  --  anywhere            anywhere

Chain FORWARD (policy DROP)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
DROP      all  --  anywhere            anywhere

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
PUB_OUT    all  --  anywhere            anywhere
PUB_OUT    all  --  anywhere            anywhere
PUB_OUT    all  --  anywhere            anywhere
PUB_OUT    all  --  anywhere            anywhere

Chain INT_IN (0 references)
target    prot opt source              destination
ACCEPT    icmp --  anywhere            anywhere
DROP      all  --  anywhere            anywhere

Chain INT_OUT (0 references)
target    prot opt source              destination
ACCEPT    icmp --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere

Chain PAROLE (5 references)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere

Chain PUB_IN (4 references)
target    prot opt source              destination
ACCEPT    icmp --  anywhere            anywhere            icmp destination-unreachable
ACCEPT    icmp --  anywhere            anywhere            icmp echo-reply
ACCEPT    icmp --  anywhere            anywhere            icmp time-exceeded
ACCEPT    icmp --  anywhere            anywhere            icmp echo-request
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:ssh
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:smtp
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:www
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:81
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:https
DROP      icmp --  anywhere            anywhere
DROP      all  --  anywhere            anywhere

Chain PUB_OUT (4 references)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere

Thanks!

falko 5th March 2012 18:37

Looks as if Bastille is working. I can't say why you get those error messages.
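
Added example, not part of the thread: a shell check that compares the TCP ports the loaded ruleset lets in against the ports marked active on the ISPConfig Firewall tab, and flags the empty all-ACCEPT state seen in the first `iptables -L` output. The function names and the numeric (`-n`) sample listings are constructed for illustration; PAROLE is treated as an accept target because the listing posted above shows that chain accepting everything.

```shell
# Constructed listings modelled on the two `iptables -L` outputs in the thread.
sample_before() { cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}
sample_after() { cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (1 references)
target     prot opt source               destination
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:81
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
EOF
}
# Print "policy=<P> rules=<N>" for the INPUT chain of the listing on stdin.
input_state() {
  awk '/^Chain / { inp = ($2 == "INPUT"); if (inp) pol = $4; next }
       inp && NF && $1 != "target" { n++ }
       END { gsub(/[()]/, "", pol); printf "policy=%s rules=%d\n", pol, n }'
}
# Print the TCP destination ports let in, skipping outbound/forward chains.
allowed_tcp_ports() {
  awk '/^Chain / { out = ($2 ~ /OUT|FORWARD/); next }
       !out && ($1 == "ACCEPT" || $1 == "PAROLE") && $2 == "tcp" {
         for (i = 1; i <= NF; i++) if (sub(/^dpt:/, "", $i)) print $i }' | sort -nu
}
# audit_ruleset PORT...: listing on stdin; 0 = matches, 1 = differs, 2 = not loaded.
audit_ruleset() {
  rules=$(cat); rc=0
  state=$(printf '%s\n' "$rules" | input_state)
  if [ "$state" = "policy=ACCEPT rules=0" ]; then echo "NOT LOADED: $state"; return 2; fi
  actual=$(printf '%s\n' "$rules" | allowed_tcp_ports)
  for p in $actual; do
    case " $* " in *" $p "*) ;; *) echo "UNEXPECTED: tcp/$p allowed"; rc=1 ;; esac
  done
  for p in "$@"; do
    printf '%s\n' "$actual" | grep -qx "$p" || { echo "MISSING: tcp/$p not allowed"; rc=1; }
  done
  return $rc
}
sample_before | audit_ruleset 22 25 80 81 443 || echo "exit status $?"
sample_after  | audit_ruleset 22 25 80 81 443 && echo "OK: matches the Firewall tab"
```

On a live host, run `iptables -L -n | audit_ruleset 22 25 80 81 443` as root; without `-n` the ports are printed as service names and will not match the numeric list.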

