#1
22nd September 2011, 04:55
cly (Junior Member)
Firewall/DNS issue?

I have installed ISPConfig3 and used it for a couple of months successfully on 2 separate VPS servers at the same ISP - one as a web/mysql/ftp/dns server, and the other as a mail/dns server. Just recently, for some reason, the web server has what I believe is a firewall issue, but I can't figure out what is going on:

Configuration:
Server A (with the problem): Web/mysql/ftp/dns
Firewall configuration: TCP 20,21,22,25,53,80,443,3306,8080,8081 UDP 53,161,3306
Debian 6 64bit on OpenVZ

Server B (works fine): mail/dns
Firewall configuration: TCP 22,25,53,110,143,3306 UDP 53,161,3306
Debian 6 64bit on OpenVZ

What happens:
1) Server A has login delays of 15 seconds between entering username and password
2) Cannot ping/resolve any name from Server A (no name resolution)
3) Can ping IP addresses fine
4) If I telnet to a DNS server on port 53, it fails unless the firewall is disabled, even though both TCP and UDP 53 are configured on the firewall.
5) If the firewall is disabled, everything works fine - name resolution and fast logins

The first time I built Server A it worked fine the whole time. I installed SNMPD and it stopped working, so thought it might have been that, but it appears that it may have been a coincidence. So I rebuilt the server, and as soon as the firewall is turned on, the problem comes back. There is no such problem with Server B. I have deleted the firewall rules and recreated them (and even rebuilt the whole server).

Both servers have the same resolv.conf, and Server A works fine with the firewall disabled and Server B works fine all the time.

Any help would be appreciated
#2
22nd September 2011, 09:45
till (Super Moderator)

Maybe there is some kind of iptables conflict between the ispconfig firewall and another software. The bastille firewall which is used in ispconfig does not block any outgoing connections.

Please stop fail2ban and then start the firewall again and check if it works. If it does not work, please post the output of:

iptables -L

when the ispconfig firewall is turned on.
#3
22nd September 2011, 10:27
cly (Junior Member)

Quote:
Originally Posted by till View Post
Please stop fail2ban and then start the firewall again and check if it works. If it does not work, please post the output of:

iptables -L

when the ispconfig firewall is turned on.
I stopped fail2ban and confirmed that it wasn't going, and the problem does still exist unfortunately.

Below is the output from iptables as requested:

Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere loopback/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- 224.0.0.0/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain PAROLE (11 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp-data
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:www
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:mysql
PAROLE tcp -- anywhere anywhere tcp dpt:http-alt
PAROLE tcp -- anywhere anywhere tcp dpt:tproxy
PAROLE tcp -- anywhere anywhere tcp dpts:41000:41100
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:snmp
ACCEPT udp -- anywhere anywhere udp dpt:mysql
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere


There's also one other rule in there (41000:41100) that I noticed I had omitted - that is for passive FTP.
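An added illustration, not code from the thread or from ISPConfig/Bastille: a small model of the INPUT and PUB_IN chains posted above, walked with three constructed packets that match the tests in this thread. It shows that the "port 53 open" rules only admit queries sent to this server; replies to the server's own lookups (source port 53, ephemeral destination port) are admitted solely by the RELATED,ESTABLISHED rule, so if that state match never fires, the replies fall through to the final DROP of PUB_IN. Whether that is the case on this container is an assumption, not something the thread establishes; the 15 s login delay would be consistent with the same failed lookups.

```python
# Constructed model of the posted INPUT -> PUB_IN path (hypothetical helper,
# not ISPConfig code). It only reproduces which rule a given packet would hit.

# Service ports opened in PUB_IN (post #3): 20,21,22,25,53,80,443,3306,
# 8080 (http-alt), 8081 (tproxy), 41000-41100 (passive FTP); UDP 53,161,3306.
PUB_IN_TCP = {20, 21, 22, 25, 53, 80, 443, 3306, 8080, 8081} | set(range(41000, 41101))
PUB_IN_UDP = {53, 161, 3306}


def pub_in(proto, dport):
    """PUB_IN opens service ports by destination port only; the rest is DROPped."""
    if proto == "tcp" and dport in PUB_IN_TCP:
        return "ACCEPT (PUB_IN tcp dpt:%d)" % dport
    if proto == "udp" and dport in PUB_IN_UDP:
        return "ACCEPT (PUB_IN udp dpt:%d)" % dport
    return "DROP (PUB_IN tail)"


def input_chain(proto, sport, dport, established, state_match_works=True):
    """Walk INPUT as posted. 'established' says whether the packet answers a
    connection this host opened; state_match_works=False models a kernel where
    the RELATED,ESTABLISHED rule never matches (an assumption, not a finding)."""
    if established and state_match_works:
        return "ACCEPT (INPUT state RELATED,ESTABLISHED)"
    return pub_in(proto, dport)


def trace(state_match_works):
    """The three packets behind the thread's tests, with constructed ports."""
    return {
        "inbound query to our DNS (udp dpt 53)":
            input_chain("udp", 51234, 53, False, state_match_works),
        "reply to our nslookup (udp sport 53 -> ephemeral)":
            input_chain("udp", 53, 40000, True, state_match_works),
        "SYN-ACK to telnet dns 53 (tcp sport 53 -> ephemeral)":
            input_chain("tcp", 53, 40001, True, state_match_works),
    }


if __name__ == "__main__":
    for works in (True, False):
        print("state match %s:" % ("works" if works else "never matches"))
        for label, verdict in trace(works).items():
            print("  %-52s %s" % (label, verdict))
```

Compare the output with `iptables -L -v -n` on the box: the packet counters on the RELATED,ESTABLISHED line tell you whether that rule is matching at all.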
#4
23rd September 2011, 09:40
falko (Super Moderator)

Can you disable the firewall completely for testing purposes so that we can see if it really is the problem?
#5
23rd September 2011, 11:22
cly (Junior Member)

Sure, below are some quick tests with the firewall ENABLED:


iptables -L

(as above, to confirm enabled)


root@hydrogen:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=51 time=1.77 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=51 time=1.94 ms
64 bytes from 8.8.8.8: icmp_req=3 ttl=51 time=10.3 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 1.776/4.683/10.328/3.992 ms

root@hydrogen:~# ping google.com
ping: unknown host google.com

root@hydrogen:~# nslookup google.com
;; connection timed out; no servers could be reached


And then the same tests again with the firewall DISABLED:


iptables -L
(With fail2ban enabled)
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-pureftpd (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-ssh (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere

root@hydrogen:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=51 time=1.67 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=51 time=1.69 ms
64 bytes from 8.8.8.8: icmp_req=3 ttl=51 time=2.77 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 1.678/2.050/2.773/0.511 ms

root@hydrogen:~# ping google.com
PING google.com (74.125.237.49) 56(84) bytes of data.
64 bytes from 74.125.237.49: icmp_req=1 ttl=50 time=1.78 ms
64 bytes from 74.125.237.49: icmp_req=2 ttl=50 time=3.24 ms
64 bytes from 74.125.237.49: icmp_req=3 ttl=51 time=69.2 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 1.788/24.759/69.243/31.460 ms

root@hydrogen:~# nslookup google.com
Server: x.x.x.x
Address: x.x.x.x#53
(ISP's DNS server, as per resolv.conf)


Non-authoritative answer:
Name: google.com
Address: 74.125.237.48
Name: google.com
Address: 74.125.237.49
Name: google.com
Address: 74.125.237.50
Name: google.com
Address: 74.125.237.51
Name: google.com
Address: 74.125.237.52


As you will see, a simple disable of the firewall gets name resolution working, but to me iptables appears to be working fine (however, perhaps I am missing something obvious).

Any help would be appreciated as I am scratching my head here
#6
24th September 2011, 04:36
cly (Junior Member)

As an update, I rebuilt the server without fail2ban, and the same problem exists, so it is not fail2ban causing issues. I also have rebuilt the server to 32bit to see if it was anything to do with my ISP's 64bit Debian 6 OpenVZ template, but the same thing still happens.