Linux firewall prevented from starting.

[jenjen]

Dear List members:
This one has me scratching my head... FC6, ISPConfig 2.2.9, then just upgraded to 2.2.18. Pre-production box.
Usually I turn off the firewall rules in ISPConfig and just run rules in IPtables, I can get a bit more technical this way, and I have this running on 4 other boxes this way. One of which is FC6 as well.
Unfortunately, this new box, installed FC6, configured firewall, then installed ISPconfig, changed ISPconfig firewall service to off.
Problem is, I should be blocking access to certain ports (like 81) from all IP addresses but 2. And my testing shows that this is not happening. I have also tested by blocking access to port 80, completely in IPtables, and this is not working as I can still get to my development websites.
iptables -L returns:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- 209.104.160.30 anywhere tcp multiport dports ndmp,ssh,mysql state NEW
ACCEPT tcp -- xtreme-157-7.static.aci.on.ca anywhere tcp multiport dports ndmp,ssh,hosts2-ns,mysql state NEW
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


Any help would be appreciated because this has got me stumped!!!
Thank you in advance!

[falko]

Seems to be a problem with the built-in RedHat firewall... Is its configuration the same as on your other servers?

[jenjen]

Thanks for replying, your suggestion is the logical one I also came to.... after I had posted. So I am currently changing the firewall settings to match, and then I will be testing. Will let you know how it turns out. Just can't seem to see where the problem is.

[jenjen]

Ongoing problem,
Even after a holiday break...there has been no break through. I have followed Falko's advise and configured the firewalls the same and I can still not limit access to a particular IP range.
If possible, could I edit the firewall that ISPconfig uses manually?
If so, where is it?
Thanks again.
Jenn

[till]

The ISPConfig firewall is not meant for limiting IP ranges, it is just for opening and closing ports. I recommend that you deactivate the firewall in ISPConfig and install a firewall of your choice which supports IP ranges.

[jenjen]

In the hopes that someone will find this useful at some point in the future, here is what solved this problem:

there was one small rule in the output of IPTables that had me curious, on comparison with other machines with similar software and use, I could not find the line:
ACCEPT all -- anywhere anywhere

listed 2X
when I looked in webmin, the ipchains had one extra line for:

Accept If input interface is eth0

On the other machines there was only one rule at the top:
Accept If input interface is lo

So I took out the rule for eth0, and voila! Lucky guess.
In order to limit access to the server for administrative tasks, to only a few IP ranges, turn off the ISPConfig firewall and turn on the iptables firewall. This does of course mean that you must add rules manually for FTP or SMTP.
Thank you for all of your good suggestions. It is much appreciated, keep up the good work!