Navigation

ZKool · #1 17th July 2012, 15:27

Hi guys,

hoping someone can help here..

I followed the guide to install ISPConfig 3.0.4.6 on Centos 6.3;
Everything has been working well for the most part.

The issue I am having is when i enable the ISPConfig firewall I can not resolve outside hostname -> IPaddresses.

FIREWALL DISABLED

Code:

[root@ns2 /]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

[root@ns2 /]# ping google.com
PING google.com (173.194.38.164) 56(84) bytes of data.
64 bytes from sin04s02-in-f4.1e100.net (173.194.38.164): icmp_seq=1 ttl=58 time=1.62 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 926ms
rtt min/avg/max/mdev = 1.626/1.626/1.626/0.000 ms
[root@ns2 /]#

WITH ISPCONFIG FIREWALL ENABLED

Code:

[root@ns2 /]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  224.0.0.0/4          0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain PAROLE (16 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (5 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8081
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:40000:40010
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:3306
DROP       icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_OUT (5 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (0 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0


[root@ns2 /]# nslookup google.com
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached

[root@ns2 /]# ping google.com
ping: unknown host google.com

[root@ns2 /]# ping 173.194.38.164
PING 173.194.38.164 (173.194.38.164) 56(84) bytes of data.
64 bytes from 173.194.38.164: icmp_seq=1 ttl=58 time=1.68 ms

I added more rules on each table to accept UDP port 53 - but no difference.

Code:

#/etc/resolv.conf
#OpenDNS Servers

nameserver 208.67.222.222
nameserver 208.67.220.220

Code:

[root@ns2 /]# /etc/rc.d/init.d/bastille-firewall restart
FATAL: Module ip_tables not found.
FATAL: Module ip_tables not found.
iptables v1.4.7: can't initialize iptables table `nat': Table does not exist (do                                                                                                              you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.4.7: can't initialize iptables table `nat': Table does not exist (do                                                                                                              you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_conntrack not found.
FATAL: Module ip_conntrack_ftp not found.
FATAL: Module ipt_LOG not found.
Setting up IP spoofing protection... done.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.

Not sure if the missing modules is the issue here..

I'm stuck with this right now, does anyone have any ideas or possible insight on this?

Thanks.

falko · #2 18th July 2012, 12:58

Not sure if this is the problem, but is SELinux disabled?

ZKool · #3 18th July 2012, 13:43

Thanks for the reply.

Yes SElinux is disabled.

Also - here is some more information which is probably irrelevant, but i dont know..

I have another VPS with the same host [godaddy], running Centos 6.2

On my 6.2 server i use the following firewall setup;

Code:

#!/bin/bash

# Clear Tables
iptables -F

# Set default chain polocies to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP



#ICMP Rules
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

#HTTP/HTTPS Rules
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

#DNS Rules
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT

#Mail Rules
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT

#Squid Rules
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -p tcp --dport 3128 -j ACCEPT

#Loopback Rules
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

#Other Allowable Traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#FTP Rules
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT

iptables -A INPUT -p tcp --dport 47389:47489 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 47389:47489 -j ACCEPT

When i try and load this on my 6.3 server, my SSH connection is dropped instantly and I am unable to connect to any services or ping the host..

On 6.3 I currently receive an error when running this;

Code:

[root@ns2 /]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name.
[root@ns2 /]# iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name.

This server was upgraded from 6.2 to 6.3 through 'yum upgrade'.
Kernel version is the same, iptables version is the same...

I'm lost on where to go from here.

Maybe i should move to a new host and go to debian...

ZKool · #4 24th July 2012, 11:24

*** RESOLVED ***

Did some digging and found that on one server I did not have the "state + conntrack" modules for iptables.

Spoke to my VPS host and they added it back in.

Setup now works fine.

Navigation

Facebook

News

Recent comments

Newsletter