#1
30th July 2009, 10:38
aglenday

ISPconfig firewall blocking outgoing connections

Hey guys, I've been looking at the forums and I've seen a few people with the same problem, and the same thing keeps coming up: it's not an ISPconfig problem but a DNS problem. The problem, as I'm experiencing it, is that I can resolve DNS queries, I can ping outside and do RBL lookups, but anything that requires an actual connection, i.e. FTP from the server or browsing (using lynx), won't work. I suspect that the high-numbered ports that the outgoing connection would latch on to are closed by ISPconfig's bastille firewall. Has anyone else experienced this or has an idea of a solution?

I'm using CentOS 5.3 on a VPS using VMware.

Ashley

#2
31st July 2009, 19:18
falko

Does it work if you switch off the ISPConfig firewall?

#3
1st August 2009, 01:36
aglenday

Yes, it all works perfectly with no firewall. I'm also using fail2ban, but other than that I haven't added any iptables rules other than those the VPS operator has.

Ashley

#4
1st August 2009, 10:41
falko

That's strange, because the firewall should block only incoming connections. What's the output of
Code:
iptables -L
when the firewall is on?

#5
1st August 2009, 11:38
aglenday

Falko,

The output is:
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere 127.0.0.0/8
DROP all -f anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- 224.0.0.0/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain PAROLE (9 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:http
PAROLE tcp -- anywhere anywhere tcp dpt:hosts2-ns
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:imap
PAROLE tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:domain
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain fail2ban-BadBots (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-ProFTPD (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-SSH (0 references)
target prot opt source destination
DROP all -- 202.109.242.18 anywhere
DROP all -- 122.129.245.231 anywhere
DROP all -- host9.abaks.pl anywhere
DROP all -- 61.152.175.61 anywhere
RETURN all -- anywhere anywhere

Chain fail2ban-sasl (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Ashley

#6
2nd August 2009, 12:04
falko

What happens when you switch off fail2ban?

#7
2nd August 2009, 12:11
aglenday

Turning off fail2ban doesn't change anything; it still won't talk to the outside world.

In case it helps, with fail2ban off, here is the output of /etc/init.d/bastille-firewall status:

Chain INPUT (policy DROP 1 packets, 92 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- !lo * 0.0.0.0/0 127.0.0.0/8
316 140K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
240 26190 PUB_IN all -- eth+ * 0.0.0.0/0 0.0.0.0/0
0 0 PUB_IN all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
0 0 PUB_IN all -- slip+ * 0.0.0.0/0 0.0.0.0/0
0 0 PUB_IN all -- venet+ * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 316 packets, 140K bytes)
pkts bytes target prot opt in out source destination
208 67955 PUB_OUT all -- * eth+ 0.0.0.0/0 0.0.0.0/0
0 0 PUB_OUT all -- * ppp+ 0.0.0.0/0 0.0.0.0/0
0 0 PUB_OUT all -- * slip+ 0.0.0.0/0 0.0.0.0/0
0 0 PUB_OUT all -- * venet+ 0.0.0.0/0 0.0.0.0/0

Chain INT_IN (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INT_OUT (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PAROLE (10 references)
pkts bytes target prot opt in out source destination
225 23620 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PUB_IN (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
172 13484 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
53 10136 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:953
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:993
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:995
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:953
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
15 2570 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PUB_OUT (4 references)
pkts bytes target prot opt in out source destination
208 67955 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

and iptables -L

Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere 127.0.0.0/8
ACCEPT all -- anywhere anywhere
DROP all -- 224.0.0.0/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain PAROLE (10 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:http
PAROLE tcp -- anywhere anywhere tcp dpt:hosts2-ns
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:imap
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:rndc
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:imaps
ACCEPT udp -- anywhere anywhere udp dpt:pop3s
ACCEPT udp -- anywhere anywhere udp dpt:rndc
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Reply With Quote
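
Added example, not part of the original posts: a small rule walker over the verbose listing from post #7, showing which rule decides the verdict for an inbound packet such as the reply to a locally initiated TCP connection. The listing is condensed from the post; the packet fields (eth0, port 40000, the state label) and the `STATEFUL` rule are assumptions for illustration, since the posted ruleset contains no state/ESTABLISHED match.

```python
import re

# Constructed sample, condensed from the bastille-firewall status listing in post #7.
LISTING = """\
Chain INPUT (policy DROP 1 packets, 92 bytes)
pkts bytes target prot opt in out source destination
316 140K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
240 26190 PUB_IN all -- eth+ * 0.0.0.0/0 0.0.0.0/0
Chain PAROLE (10 references)
225 23620 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PUB_IN (4 references)
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
172 13484 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
15 2570 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""
# Hypothetical stateful rule (not in the posted ruleset), used to compare verdicts.
STATEFUL = "0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED"

def parse(listing):
    chains, cur = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+))?", line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif line.strip() and not line.startswith("pkts"):
            f = line.split()  # pkts bytes target prot opt in out source destination [match]
            cur["rules"].append(dict(target=f[2], proto=f[3], iface=f[5], extra=" ".join(f[9:])))
    return chains

def matches(rule, pkt):  # source/destination are ignored: all 0.0.0.0/0 in the sample
    pat = rule["iface"]  # "*" = any; trailing "+" = prefix wildcard (eth+ matches eth0)
    iface_ok = pat == "*" or pkt["iface"] == pat or (
        pat.endswith("+") and pkt["iface"].startswith(pat[:-1]))
    if not iface_ok or rule["proto"] not in ("all", pkt["proto"]):
        return False
    for key, rx in (("dport", r"dpt:(\d+)"), ("itype", r"icmp type (\d+)")):
        m = re.search(rx, rule["extra"])
        if m and int(m.group(1)) != pkt.get(key):
            return False
    m = re.search(r"state (\S+)", rule["extra"])
    return not m or pkt.get("state") in m.group(1).split(",")

def verdict(chains, pkt, chain="INPUT"):
    for rule in chains[chain]["rules"]:
        if matches(rule, pkt):
            if rule["target"] in ("ACCEPT", "DROP"):
                return rule["target"], chain
            if rule["target"] in chains and (sub := verdict(chains, pkt, rule["target"])):
                return sub
    return (chains[chain]["policy"], chain + " policy") if chains[chain]["policy"] else None
```

For a TCP packet arriving on eth0 for port 40000, `verdict(parse(LISTING), ...)` returns `("DROP", "PUB_IN")`, while an ICMP echo-reply and a packet for port 22 are accepted; with `STATEFUL` placed at the top of PUB_IN the same packet is accepted when its state is ESTABLISHED and still dropped when it is NEW.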