Navigation

gragus · #1 26th February 2012, 07:24

Hi,

I'd like to prevent users from using POP3/IMAP other than via SSL. To do that I am attempting to use the firewall to close non-SSL POP3/IMAP ports.

I am having trouble getting the firewall function to work properly.

System: ISPConfig 2.2.40 running on Ubuntu 10.04.4 LTS configured as described in the Perfect Server Manual.

I activated all services under Management > Server > Services, including Firewall which was initially OFF. On the Firewall tab I set the following configuration:

Code:

Name         Port     Type      Active 
  FTP         21       tcp       no 
  SSH         22       tcp       yes 
  SMTP        25       tcp       yes 
  DNS         53       tcp       no 
  DNS         53       udp       no   
  WWW         80       tcp       yes 
  ISPConfig   81       tcp       yes 
  POP3        110      tcp       no 
  IMAP2       143      tcp       no 
  SSL (www)   443      tcp       yes 
  Webmin      10000    tcp       no 
  IMAPS       993      tcp       no

However, when performing a port scan I am seeing 53, 110, 143 open.
I have not seen any error messages.
I am avoiding configuring a firewall separately because I do not want to interfere with ISPConfig.
Does anyone have any hints?

Is there another way to ensure that users can only use SSL to connect to email services?

Thanks!

falko · #2 27th February 2012, 17:20

What's the output of

Code:

iptables -L

?

gragus · #3 28th February 2012, 00:36

Hi Falko,

# iptables -L

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Furthermore, this seems not right:

# /etc/init.d/bastille-firewall restart

Code:

/sbin/bastille-ipchains: line 232: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 234: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 236: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 238: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 240: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 242: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 251: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 252: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 258: /sbin/ipchains: No such file or directory
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces.../sbin/bastille-ipchains: line 283: /sbin/ipchains: No such file or directory
 done.
/sbin/bastille-ipchains: line 297: /sbin/ipchains: No such file or directory
Setting up chains for public/internal interface traffic.../sbin/bastille-ipchains: line 340: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 342: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 345: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 347: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 351: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 353: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 356: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 358: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
 done.
Setting up general rules.../sbin/bastille-ipchains: line 437: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 437: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 445: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 446: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 473: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 491: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 504: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 491: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 504: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
 done.
Setting up outbound rules.../sbin/bastille-ipchains: line 570: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 570: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 584: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 590: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 591: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 596: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 596: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
 done.

I am not sure how a correct setup needs to look like, but here are a few queries that I expect you would want to run:

# find / | grep ipchains

Code:

/usr/share/Bastille/bastille-ipchains
/sbin/bastille-ipchains

Looking at the /sbin/bastille-ipchains file, it seems the errors are caused by an incorrect definition of the symbol '${IPCHAINS}'. The error lines seem to be using that symbol. E.g., line 232:

Code:

${IPCHAINS} -P forward DENY

It appears to be defined in line 42:

Code:

IPCHAINS=/sbin/ipchains

Any clues?

Thanks.

falko · #4 28th February 2012, 17:38

What's your kernel version? Is it 3.x? You can find it in the output of

Code:

uname -a

gragus · #5 28th February 2012, 20:21

# uname -a

Code:

Linux ncc-1701-d 3.0.18-linode43 #1 SMP Mon Jan 30 11:44:09 EST 2012 i686 GNU/Linux

falko · #6 29th February 2012, 12:52

http://www.howtoforge.com/forums/sho...70&postcount=3

gragus · #7 1st March 2012, 20:36

This worked, thank you very much.
A post scan now shows only the expected open ports.
However, I see this error message when doing "# /etc/init.d/bastille-firewall restart". Is this a reason for concern?

Code:

FATAL: Module ip_tables not found.
FATAL: Module ip_conntrack not found.
FATAL: Module ip_conntrack_ftp not found.
FATAL: Module ipt_LOG not found.
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.

Now that I resolved this security concern, would you please have any pointers about the chroot setup question or should I better post that question on a different forum?

Thanks heaps!

falko · #8 3rd March 2012, 10:56

Quote:

Originally Posted by gragus

This worked, thank you very much.
A post scan now shows only the expected open ports.
However, I see this error message when doing "# /etc/init.d/bastille-firewall restart". Is this a reason for concern?

What's the output of

Code:

iptables -L

?

gragus · #9 5th March 2012, 01:26

# iptables -L

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             127.0.0.0/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  base-address.mcast.net/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (5 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:81
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Thanks!

falko · #10 5th March 2012, 18:37

Looks as if Bastille is working. I can't say why you get those error messages.

Navigation

Facebook

News

Recent comments

Newsletter