HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > Installation/Configuration

  #1  
Old 18th July 2013, 22:14
keybd_user

Iptables blocking dns and also http ...

Hi,

I have ISPConfig 2.2.40 on a CentOS 5.6 x86 VPS.

Since I made an ISPConfig upgrade about a month ago I noticed I could not send emails.

Since then I have tried to see what the problem was, and stopping the firewall would allow nslookup, lynx and email to all work ok.

Once iptables goes up ... all that stops.
After many attempts to reconfigure iptables I have managed to at least have outbound DNS resolution.
But so far I cannot get any outbound http. So yum only works with iptables disabled.

Also I have changed the OUTPUT chain default policy to ACCEPT in order to not have problems with outbound connections, to no avail.

Iptables rules are as follows:

Code:
/sbin/iptables -L -v -n --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8         
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
3       88 11318 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0           
5       60  9214 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 
6        0     0 PUB_IN     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0           
7        0     0 PUB_IN     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           
8        0     0 PUB_IN     all  --  slip+  *       0.0.0.0/0            0.0.0.0/0           
9     1064  119K PUB_IN     all  --  venet+ *       0.0.0.0/0            0.0.0.0/0           
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
11       0     0 ACCEPT     udp  --  venet+ *       0.0.0.0/0            0.0.0.0/0           udp spt:53 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 769 packets, 202K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain PUB_IN (4 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0 
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 
4        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 
6      532 42544 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
7       24  3817 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
8        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
9       49  6175 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
10      26  3268 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:81 
11       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110 
12       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143 
13       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
14       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:225 
15       2   123 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 
16       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:43 
17       0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
18     431 62928 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Does anyone have the same problem?
Does anyone have a solution?


Regards.
__________________
4.000.000.000 + years and No one -----> NO ONE <------ ... complained about Pluto's orbit excentricity or tilt (non-equatorial orbit ) ... and after all this time a bunch of guys with nothing to do decide Pluto is not a Planet !!!
Something is really wrong on This Planet ...
_____________________________

Fight Microsoftism --> PLUTO _IS_ A PLANET !!!
  #2  
Old 19th July 2013, 01:18
keybd_user

Hi,

Can anyone post here a _working_ ISPConfig 2.2.40 iptables rule set, that is, the listing of:

Code:
/sbin/iptables -L -v -n --line-numbers

Regards.
  #3  
Old 19th July 2013, 20:50
keybd_user

Hi,

Looking at the rules there was an obvious problem ... the INPUT chain did not allow for outgoing port 80 traffic ..
So I added:

Code:
/sbin/iptables -I INPUT 6 -p tcp --sport 80 -j ACCEPT

And now I have full outgoing http ..


Regards.
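An added example (not code from the thread or from ISPConfig) that parses the `iptables -L -v -n --line-numbers` listing posted in #1 and reports three things worth checking before adding a `--sport` rule like the one in #3: ACCEPT rules keyed only on a source port (the remote side picks that port), a RELATED,ESTABLISHED rule that has counted no packets although the chain carries traffic (rule 2 in the listing, which is why return traffic never matched it), and rules placed after a catch-all DROP (rule 11 after rule 10). The sample is the posted INPUT chain trimmed to the rules those checks need.

```python
import re

# INPUT chain as posted in the thread above, trimmed to the rules the checks below need.
SAMPLE = """Chain INPUT (policy DROP 0 packets, 0 bytes)
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5       60  9214 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53
9     1064  119K PUB_IN     all  --  venet+ *       0.0.0.0/0            0.0.0.0/0
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
11       0     0 ACCEPT     udp  --  venet+ *       0.0.0.0/0            0.0.0.0/0           udp spt:53
"""

RULE_RE = re.compile(  # one rule line of `iptables -L -v -n --line-numbers`; counters may carry K/M/G
    r"^(?P<num>\d+)\s+(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<iface_in>\S+)\s+(?P<iface_out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")

def counter(field):  # "119K" -> 119000
    return int(field[:-1]) * {"K": 10**3, "M": 10**6, "G": 10**9}[field[-1]] if field[-1] in "KMG" else int(field)

def parse(listing):  # -> {chain name: [rule dicts]} in listing order
    chains, current = {}, None
    for line in listing.splitlines():
        head = re.match(r"^Chain (\S+)", line)
        if head:
            current = head.group(1)
            chains[current] = []
        elif (m := RULE_RE.match(line)) and current is not None:
            rule = m.groupdict()
            rule["pkts"], rule["extra"] = counter(rule["pkts"]), rule["extra"].strip()
            chains[current].append(rule)
    return chains

def is_catch_all_drop(r):
    return (r["target"] == "DROP" and r["prot"] == "all" and r["iface_in"] == r["iface_out"] == "*"
            and r["src"] == r["dst"] == "0.0.0.0/0" and not r["extra"])

def audit(listing):  # flag the three weaknesses visible in the posted rule set
    findings = []
    for chain, rules in parse(listing).items():
        saw_traffic, drop_all_at = any(r["pkts"] > 0 for r in rules), None
        for r in rules:
            tag = f"{chain}#{r['num']}"
            if drop_all_at is not None:
                findings.append(f"{tag}: unreachable, rule {drop_all_at} already drops everything")
            if r["target"] == "ACCEPT" and "spt:" in r["extra"] and "state" not in r["extra"]:
                findings.append(f"{tag}: ACCEPT keyed only on source port, which any remote host can choose")
            if "ESTABLISHED" in r["extra"] and r["pkts"] == 0 and saw_traffic:
                findings.append(f"{tag}: state rule matched nothing while the chain saw traffic; connection tracking may not be active")
            if drop_all_at is None and is_catch_all_drop(r):
                drop_all_at = r["num"]
    return findings
```

Run `audit(SAMPLE)` on the posted chain and it reports rules 2, 5 and 11; feeding it the output of the same command on another host works the same way.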
  #4  
Old 21st September 2013, 12:52
jasonorland88

With IPTables rules, order matters. The rules are added, and applied, in order. Moreover, when adding rules manually they get applied immediately. Thus, in your example, any packets going through the INPUT and OUTPUT chains start getting dropped as soon as the default policy is set. This is also, incidentally, why you received the error message you did. What is happening is this:

The default DROP policy gets applied
IPTables receives a hostname as a destination
IPTables attempts a DNS lookup on 'serverfault.com'
The DNS lookup is blocked by the DROP action