Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > Installation/Configuration

#1
4th December 2007, 19:00
jenjen, Junior Member
Linux firewall prevented from starting.

Dear list members:
This one has me scratching my head... FC6, ISPConfig 2.2.9, then just upgraded to 2.2.18. Pre-production box.
Usually I turn off the firewall rules in ISPConfig and just run rules in iptables; I can get a bit more technical this way, and I have this running on 4 other boxes this way, one of which is FC6 as well.
Unfortunately, on this new box I installed FC6, configured the firewall, then installed ISPConfig and set the ISPConfig firewall service to off.
The problem is, I should be blocking access to certain ports (like 81) from all IP addresses but 2, and my testing shows that this is not happening. I have also tested by blocking access to port 80 completely in iptables, and this is not working, as I can still get to my development websites.
iptables -L returns:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- 209.104.160.30 anywhere tcp multiport dports ndmp,ssh,mysql state NEW
ACCEPT tcp -- xtreme-157-7.static.aci.on.ca anywhere tcp multiport dports ndmp,ssh,hosts2-ns,mysql state NEW
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


Any help would be appreciated because this has got me stumped!!!
Thank you in advance!
#2
5th December 2007, 14:29
falko, Super Moderator

Seems to be a problem with the built-in Red Hat firewall... Is its configuration the same as on your other servers?
#3
5th December 2007, 15:40
jenjen, Junior Member
Thanks - checking firewall settings and testing today.

Thanks for replying. Your suggestion is the logical one I also came to... after I had posted. So I am currently changing the firewall settings to match, and then I will be testing. Will let you know how it turns out. Just can't seem to see where the problem is.
#4
15th January 2008, 21:05
jenjen, Junior Member
Still not working.

Ongoing problem.
Even after a holiday break... there has been no breakthrough. I have followed Falko's advice and configured the firewalls the same, and I still cannot limit access to a particular IP range.
If possible, could I edit the firewall that ISPConfig uses manually?
If so, where is it?
Thanks again.
Jenn
#5
16th January 2008, 08:41
till, Super Moderator

The ISPConfig firewall is not meant for limiting IP ranges, it is just for opening and closing ports. I recommend that you deactivate the firewall in ISPConfig and install a firewall of your choice which supports IP ranges.
#6
16th January 2008, 15:36
jenjen, Junior Member
Solution to firewall problem.

In the hopes that someone will find this useful at some point in the future, here is what solved this problem:

There was one small rule in the output of iptables that had me curious. On comparison with other machines with similar software and use, I could not find the line:
ACCEPT all -- anywhere anywhere

listed twice.
When I looked in Webmin, the ipchains had one extra line for:

Accept If input interface is eth0

On the other machines there was only one rule at the top:
Accept If input interface is lo

So I took out the rule for eth0, and voila! Lucky guess.
In order to limit access to the server for administrative tasks, to only a few IP ranges, turn off the ISPConfig firewall and turn on the iptables firewall. This does of course mean that you must add rules manually for FTP or SMTP.
Thank you for all of your good suggestions. It is much appreciated, keep up the good work!
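The rule post #6 tracked down is an unconditional ACCEPT on eth0 sitting above every restrictive rule in RH-Firewall-1-INPUT, so the port-81 and port-80 restrictions were never reached. Plain `iptables -L` hides the in/out interface columns, which is why the two `ACCEPT all -- anywhere anywhere` lines in post #1 looked identical; `iptables -L -v -n` shows them. The following is an added example, not code from the thread, ISPConfig or Webmin: it parses `iptables -L -v -n` output and flags ACCEPT rules that match everything on a non-loopback interface, reporting how many later rules each one shadows. The sample output is constructed here to mirror the thread's ruleset, with a documentation address in place of the poster's admin IP.

```python
"""Audit `iptables -L -v -n` output for unconditional ACCEPT rules on
non-loopback interfaces. Added example; SAMPLE_OUTPUT is constructed
to resemble the thread's ruleset, not captured from the poster's box."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    in_if: str      # "*" means any interface; only shown with -v
    out_if: str
    source: str
    dest: str
    extras: str     # port/state/icmp matches; empty means "matches everything"


# Constructed sample. The in/out columns are the ones plain `iptables -L` omits;
# note the second rule in RH-Firewall-1-INPUT accepts everything arriving on eth0.
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5120  412K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3000 packets, 200K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  140 12000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 4900  390K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   12   840 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       203.0.113.10         0.0.0.0/0           multiport dports 10000,22,3306 state NEW
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""


def parse_iptables_verbose(text: str) -> List[Rule]:
    """Parse `iptables -L -v -n` output into Rule objects, in chain order."""
    rules: List[Rule] = []
    chain = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]          # "Chain NAME (policy ...)" -> NAME
            continue
        if line.startswith("pkts"):          # column header row
            continue
        # pkts bytes target prot opt in out source destination [match extras]
        parts = line.split(None, 9)
        if len(parts) < 9:
            continue
        _pkts, _bytes, target, proto, _opt, in_if, out_if, src, dst = parts[:9]
        extras = parts[9] if len(parts) > 9 else ""
        rules.append(Rule(chain, target, proto, in_if, out_if, src, dst, extras))
    return rules


def find_catch_all_accepts(rules: List[Rule]) -> List[Rule]:
    """ACCEPT rules with no protocol, address, port or state restriction that
    are not limited to the loopback interface."""
    return [
        r for r in rules
        if r.target == "ACCEPT" and r.proto == "all"
        and r.source == "0.0.0.0/0" and r.dest == "0.0.0.0/0"
        and not r.extras and r.in_if != "lo"
    ]


def shadowed_by(rules: List[Rule], rule: Rule) -> List[Rule]:
    """Rules later in the same chain that traffic matching `rule` never reaches."""
    same_chain = [r for r in rules if r.chain == rule.chain]
    idx = next(i for i, r in enumerate(same_chain) if r is rule)
    return same_chain[idx + 1:]


def audit(text: str) -> List[Tuple[str, str, int]]:
    """Return (chain, in_interface, shadowed_rule_count) for each finding."""
    rules = parse_iptables_verbose(text)
    return [(r.chain, r.in_if, len(shadowed_by(rules, r)))
            for r in find_catch_all_accepts(rules)]


if __name__ == "__main__":
    for chain, iface, n in audit(SAMPLE_OUTPUT):
        print(f"{chain}: unconditional ACCEPT on interface {iface} shadows {n} later rule(s)")
```

On a live box, feed it `iptables -L -v -n` output via `audit(sys.stdin.read())` or similar; the packet counters in the `-v` output tell the same story, since a catch-all rule near the top of a chain collects hits while every rule beneath it stays at zero.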