#1
14th November 2012, 00:59
Quasdunk
Junior Member

Tell ISPConfig to stop trying to initialize iptables

I've installed ISPConfig 3 on a vServer on which I'm not able to use iptables.

I believe I was able to get fail2ban running via a PHP script accessing the server's web interface and adding/deleting the firewall rules there (the script is working fine, but I haven't seen any ban events triggered yet, which is very unusual, because we could observe break-in attempts permanently on the old server).

The ISPConfig-log, however, keeps telling me the same thing over and over again:

/var/log/ispconfig/cron.log:
Quote:
iptables v1.4.12: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
ip6tables v1.4.12: can't initialize ip6tables table `filter': Permission denied (you must be root)
Perhaps ip6tables or your kernel needs to be upgraded.

How can I make it stop - or maybe even fix it?
#2
14th November 2012, 14:58
falko
Super Moderator

I think you can configure fail2ban to not use iptables.
__________________
Falko
#3
14th November 2012, 19:02
Quasdunk
Junior Member

Quote:
Originally Posted by falko
I think you can configure fail2ban to not use iptables.

I think fail2ban should actually be working fine.
As a workaround, I made the following changes in /etc/fail2ban/action.d/iptables-multiport.conf:

Quote:
[Definition]
actionstart =
#actionstart = iptables -N fail2ban-<name>
# iptables -A fail2ban-<name> -j RETURN
# iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

actionstop =
#actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
# iptables -F fail2ban-<name>
# iptables -X fail2ban-<name>

actioncheck =
#actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

actionban = php -f /etc/fail2ban/firewallapi.php add INPUT "<ip>" DROP
#actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

actionunban = php -f /etc/fail2ban/firewallapi.php delete INPUT "<ip>" DROP
#actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

So basically, everything is commented out and the actionban and actionunban are handled by a PHP script which queries against the vServer API. These changes were recommended by my hosting provider.
After changing it as shown above, fail2ban was able to start again (I was getting a 300 error before). Here's what /var/log/fail2ban.log says:
Quote:
fail2ban.jail : INFO Creating new jail 'ssh'
fail2ban.filter : INFO Added logfile = /var/log/auth.log
...
fail2ban.jail : INFO Creating new jail 'pureftpd'
fail2ban.filter : INFO Added logfile = /var/log/syslog
...
fail2ban.jail : INFO Creating new jail 'dovecot-pop3imap'
fail2ban.filter : INFO Added logfile = /var/log/mail.log
...
fail2ban.jail : INFO Jail 'ssh' started
fail2ban.jail : INFO Jail 'pureftpd' started
fail2ban.jail : INFO Jail 'dovecot-pop3imap' started

So fail2ban seems to be running correctly, BUT: It doesn't seem to care about the filters, because nothing happens (and nothing is logged) even when I try to provoke a ban on purpose. And I suppose it has something to do with ISPConfig endlessly reporting that one error over and over again in /var/log/ispconfig/cron.log:
Quote:
iptables v1.4.12: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
ip6tables v1.4.12: can't initialize ip6tables table `filter': Permission denied (you must be root)
Perhaps ip6tables or your kernel needs to be upgraded.

But if fail2ban is running, what else could be causing that error?
#4
15th November 2012, 10:17
till
Super Moderator

The errors are most likely caused by the ispconfig monitor which checks your server every 5 minutes.

Search for iptables in the file /usr/local/ispconfig/server/lib/classes/monitor_tools.inc.php
__________________
Till Brehm
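
Added example (not part of the original thread or of fail2ban/ISPConfig): for the symptom in post #3, where jails start but no ban is ever logged, this script summarises a fail2ban log per jail and counts failed action commands, which separates "the filter never matched" from "the ban command failed". The sample log lines are constructed and assume the fail2ban 0.8.x log layout; `f2b_summary` and `f2b_sample_log` are hypothetical names.

```shell
#!/bin/sh
# Added example: per-jail ban summary from a fail2ban log.
# Assumption: fail2ban 0.8.x log layout, as in the excerpts quoted in the thread.

# Constructed sample log (not real data; 192.0.2.10 is a documentation address).
f2b_sample_log() {
    cat <<'EOF'
2012-11-14 18:40:01,101 fail2ban.jail   : INFO   Jail 'ssh' started
2012-11-14 18:40:01,140 fail2ban.jail   : INFO   Jail 'pureftpd' started
2012-11-14 18:52:13,507 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2012-11-14 18:52:13,611 fail2ban.actions.action: ERROR  php -f /etc/fail2ban/firewallapi.php add INPUT "192.0.2.10" DROP returned 100
2012-11-14 19:02:14,020 fail2ban.actions: WARNING [ssh] Unban 192.0.2.10
EOF
}

# $1 = path to fail2ban.log (reads stdin when omitted).
# Prints "action_errors=N" and one "jail=NAME bans=N unbans=N" line per jail.
f2b_summary() {
    awk -v q="'" '
        # Jail start-up line: ... INFO Jail <quote>name<quote> started
        $0 ~ ("Jail " q "[^" q "]+" q " started") {
            split($0, part, q); started[part[2]] = 1
        }
        # Ban / Unban line: fail2ban.actions: WARNING [jail] Ban <ip>
        /fail2ban\.actions *: +WARNING +\[/ {
            open = index($0, "["); close_ = index($0, "]")
            jail = substr($0, open + 1, close_ - open - 1)
            started[jail] = 1
            if ($0 ~ /\] Ban /) bans[jail]++
            else if ($0 ~ /\] Unban /) unbans[jail]++
        }
        # The action command itself failed (non-zero exit from the ban script)
        /fail2ban\.actions\.action *: +ERROR/ { errors++ }
        END {
            printf "action_errors=%d\n", errors
            for (j in started)
                printf "jail=%s bans=%d unbans=%d\n", j, bans[j], unbans[j]
        }
    ' "${1:--}" | LC_ALL=C sort
}

# Demo on the constructed sample; on a server: f2b_summary /var/log/fail2ban.log
f2b_sample_log | f2b_summary
```

A jail that stays at bans=0 while attempts show up in its log file points at the filter rather than the action; `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf` shows whether the filter matches any lines. A non-zero action_errors count means bans were decided but the replacement ban command returned an error.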