HowtoForge Forums > ISPConfig 2 > Installation/Configuration
#1  gragus (Junior Member), 26th February 2012, 07:24

ISPConfig 2: Firewall function not working

Hi,

I'd like to prevent users from using POP3/IMAP other than via SSL. To do that I am attempting to use the firewall to close non-SSL POP3/IMAP ports.

I am having trouble getting the firewall function to work properly.

System: ISPConfig 2.2.40 running on Ubuntu 10.04.4 LTS configured as described in the Perfect Server Manual.

I activated all services under Management > Server > Services, including Firewall which was initially OFF. On the Firewall tab I set the following configuration:
Code:
Name         Port     Type      Active 
  FTP         21       tcp       no 
  SSH         22       tcp       yes 
  SMTP        25       tcp       yes 
  DNS         53       tcp       no 
  DNS         53       udp       no   
  WWW         80       tcp       yes 
  ISPConfig   81       tcp       yes 
  POP3        110      tcp       no 
  IMAP2       143      tcp       no 
  SSL (www)   443      tcp       yes 
  Webmin      10000    tcp       no 
  IMAPS       993      tcp       no
However, when performing a port scan I am seeing 53, 110, 143 open.
I have not seen any error messages.
I am avoiding configuring a firewall separately because I do not want to interfere with ISPConfig.
Does anyone have any hints?

Is there another way to ensure that users can only use SSL to connect to email services?

Thanks!
#2  falko (Super Moderator), 27th February 2012, 17:20

What's the output of
Code:
iptables -L
?
__________________
Falko
#3  gragus (Junior Member), 28th February 2012, 00:36

Hi Falko,

# iptables -L
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Furthermore, this does not seem right:

# /etc/init.d/bastille-firewall restart
Code:
/sbin/bastille-ipchains: line 232: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 234: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 236: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 238: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 240: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 242: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 251: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 252: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 258: /sbin/ipchains: No such file or directory
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces.../sbin/bastille-ipchains: line 283: /sbin/ipchains: No such file or directory
 done.
/sbin/bastille-ipchains: line 297: /sbin/ipchains: No such file or directory
Setting up chains for public/internal interface traffic.../sbin/bastille-ipchains: line 340: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 342: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 345: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 347: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 351: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 353: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 356: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 358: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
 done.
Setting up general rules.../sbin/bastille-ipchains: line 437: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 437: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 445: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 446: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 473: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 491: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 504: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 491: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 504: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
 done.
Setting up outbound rules.../sbin/bastille-ipchains: line 570: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 570: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 584: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 590: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 591: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 596: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 596: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
 done.
I am not sure what a correct setup needs to look like, but here are a few queries that I expect you would want to run:

# find / | grep ipchains
Code:
/usr/share/Bastille/bastille-ipchains
/sbin/bastille-ipchains
Looking at the /sbin/bastille-ipchains file, it seems the errors are caused by an incorrect definition of the symbol '${IPCHAINS}'. The error lines seem to be using that symbol. E.g., line 232:
Code:
${IPCHAINS} -P forward DENY
It appears to be defined in line 42:
Code:
IPCHAINS=/sbin/ipchains
Any clues?

Thanks.
#4  falko (Super Moderator), 28th February 2012, 17:38

What's your kernel version? Is it 3.x? You can find it in the output of
Code:
uname -a
#5  gragus (Junior Member), 28th February 2012, 20:21

# uname -a

Code:
Linux ncc-1701-d 3.0.18-linode43 #1 SMP Mon Jan 30 11:44:09 EST 2012 i686 GNU/Linux
#6  falko (Super Moderator), 29th February 2012, 12:52

http://www.howtoforge.com/forums/sho...70&postcount=3
#7  gragus (Junior Member), 1st March 2012, 20:36

This worked, thank you very much.
A port scan now shows only the expected open ports.
However, I see this error message when doing "# /etc/init.d/bastille-firewall restart". Is this a reason for concern?
Code:
FATAL: Module ip_tables not found.
FATAL: Module ip_conntrack not found.
FATAL: Module ip_conntrack_ftp not found.
FATAL: Module ipt_LOG not found.
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
Now that I have resolved this security concern, do you have any pointers about the chroot setup question, or should I post that question on a different forum?

Thanks heaps!
#8  falko (Super Moderator), 3rd March 2012, 10:56

Quote: Originally Posted by gragus
This worked, thank you very much.
A port scan now shows only the expected open ports.
However, I see this error message when doing "# /etc/init.d/bastille-firewall restart". Is this a reason for concern?
What's the output of
Code:
iptables -L
?
#9  gragus (Junior Member), 5th March 2012, 01:26

# iptables -L
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             127.0.0.0/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  base-address.mcast.net/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (5 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:81
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
Thanks!
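A quick way to tell the two situations in this thread apart (the empty ruleset with policy ACCEPT in post #3, where the Bastille script never loaded anything, versus the working ruleset in post #9) is to check the `iptables -L` output mechanically. The script below is an added example, not ISPConfig or Bastille code: it embeds both outputs as constructed samples, and flags an INPUT policy other than DROP or any port opened in PUB_IN that is not on the "Active: yes" list from the Firewall tab (the service names are the ones iptables prints in post #9; port 81 has no name).

```shell
#!/bin/sh
# Verify that the ISPConfig 2 / Bastille ruleset loaded and that PUB_IN opens
# only the intended TCP ports. Added example for this thread, not part of
# ISPConfig or Bastille; pass an "iptables -L" capture as the argument.
# Ports marked "Active: yes" on the Firewall tab in post #1, written the way
# iptables -L prints them (names from /etc/services; 81 has no name).
EXPECTED="ssh smtp www 81 https"
# Constructed sample: the empty ruleset from post #3 (policy ACCEPT, no rules).
SAMPLE_EMPTY='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination'
# Constructed sample: excerpt of the working ruleset from post #9.
SAMPLE_OK='Chain INPUT (policy DROP)
target     prot opt source               destination
PUB_IN     all  --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:81
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
DROP       all  --  anywhere             anywhere'
# check_ruleset "<iptables -L output>": returns 0 when the INPUT policy is DROP
# and every dpt: opened in PUB_IN is listed in EXPECTED, otherwise 1.
check_ruleset() {
    out="$1"; rc=0
    policy=$(printf '%s\n' "$out" | sed -n 's/^Chain INPUT (policy \([A-Z]*\)).*/\1/p')
    if [ "$policy" != "DROP" ]; then
        echo "INPUT policy is '${policy:-unknown}', not DROP: ruleset did not load"
        rc=1
    fi
    # Collect the dpt: values of rules that sit inside the PUB_IN chain only.
    ports=$(printf '%s\n' "$out" |
        awk '/^Chain /{in_pub=($2=="PUB_IN")} in_pub && /dpt:/{sub(/.*dpt:/,""); print $1}')
    for p in $ports; do
        case " $EXPECTED " in
            *" $p "*) ;;
            *) echo "unexpected open port in PUB_IN: $p"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "firewall OK: INPUT policy DROP, only expected ports open"
    return "$rc"
}
# Live use on the server:  check_ruleset "$(iptables -L)"
```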
#10  falko (Super Moderator), 5th March 2012, 18:37

Looks as if Bastille is working. I can't say why you get those error messages.
Tags: firewall, ispconfig 2, ubuntu 10.04