#1  ZKool (Junior Member), 17th July 2012, 15:27
Centos 6.3 + Firewall issue

Hi guys,

Hoping someone can help here.

I followed the guide to install ISPConfig 3.0.4.6 on Centos 6.3;
everything has been working well for the most part.

The issue I am having is that when I enable the ISPConfig firewall I cannot resolve outside hostnames -> IP addresses.

FIREWALL DISABLED
Code:
[root@ns2 /]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

[root@ns2 /]# ping google.com
PING google.com (173.194.38.164) 56(84) bytes of data.
64 bytes from sin04s02-in-f4.1e100.net (173.194.38.164): icmp_seq=1 ttl=58 time=1.62 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 926ms
rtt min/avg/max/mdev = 1.626/1.626/1.626/0.000 ms
[root@ns2 /]#

WITH ISPCONFIG FIREWALL ENABLED
Code:
[root@ns2 /]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  224.0.0.0/4          0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain PAROLE (16 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (5 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8081
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:40000:40010
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:3306
DROP       icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_OUT (5 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (0 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0


[root@ns2 /]# nslookup google.com
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached

[root@ns2 /]# ping google.com
ping: unknown host google.com

[root@ns2 /]# ping 173.194.38.164
PING 173.194.38.164 (173.194.38.164) 56(84) bytes of data.
64 bytes from 173.194.38.164: icmp_seq=1 ttl=58 time=1.68 ms
I added more rules on each table to accept UDP port 53 - but no difference.


Code:
#/etc/resolv.conf
#OpenDNS Servers

nameserver 208.67.222.222
nameserver 208.67.220.220
Code:
[root@ns2 /]# /etc/rc.d/init.d/bastille-firewall restart
FATAL: Module ip_tables not found.
FATAL: Module ip_tables not found.
iptables v1.4.7: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.4.7: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_conntrack not found.
FATAL: Module ip_conntrack_ftp not found.
FATAL: Module ipt_LOG not found.
Setting up IP spoofing protection... done.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
Not sure if the missing modules are the issue here.


I'm stuck with this right now, does anyone have any ideas or possible insight on this?

Thanks.

Last edited by ZKool; 17th July 2012 at 15:39.
#2  falko (Super Moderator, Lüneburg, Germany), 18th July 2012, 12:58
Not sure if this is the problem, but is SELinux disabled?
#3  ZKool (Junior Member), 18th July 2012, 13:43

Thanks for the reply.

Yes, SELinux is disabled.

Also, here is some more information which is probably irrelevant, but I don't know.

I have another VPS with the same host [godaddy], running Centos 6.2.

On my 6.2 server I use the following firewall setup:

Code:
#!/bin/bash

# Clear Tables
iptables -F

# Set default chain policies to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP



#ICMP Rules
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

#HTTP/HTTPS Rules
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

#DNS Rules
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT

#Mail Rules
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT

#Squid Rules
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -p tcp --dport 3128 -j ACCEPT

#Loopback Rules
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

#Other Allowable Traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#FTP Rules
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT

iptables -A INPUT -p tcp --dport 47389:47489 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 47389:47489 -j ACCEPT
When I try and load this on my 6.3 server, my SSH connection is dropped instantly and I am unable to connect to any services or ping the host.

On 6.3 I currently receive an error when running this:

Code:
[root@ns2 /]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name.
[root@ns2 /]# iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name.
This server was upgraded from 6.2 to 6.3 through 'yum upgrade'.
Kernel version is the same, iptables version is the same...

I'm lost on where to go from here.

Maybe I should move to a new host and go to Debian...

Last edited by ZKool; 18th July 2012 at 14:02.
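As an added example (not code from the thread, from ISPConfig or from Bastille), the Python below walks a packet through the `iptables -L -n` listing from post #1 the way the kernel would, and shows why the failed `-m state` rule in post #3 breaks outbound name resolution: an inbound query to port 53 is accepted, but the reply to the server's own query arrives on an ephemeral port and falls through to DROP. The listing is trimmed to the chains a UDP packet reaches, and the port numbers and connection states are constructed.

```python
# Added example, not the thread's code: walk a packet through `iptables -L -n`
# output as the kernel does. LISTING is constructed from post #1, trimmed to UDP.
import re
LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (5 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""
# Rule "-m state --state ESTABLISHED,RELATED -j ACCEPT" would have added; FIXED puts it atop INPUT.
STATEFUL = "ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED\n"
FIXED = LISTING.replace("destination\n", "destination\n" + STATEFUL, 1)

def parse(listing):
    chains, cur = {}, None   # {chain: (policy or None, [(target, proto, extra), ...])}
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if head:
            cur, chains[head.group(1)] = head.group(1), (head.group(2), [])
        elif cur and line.strip() and not line.startswith("target"):
            f = line.split(None, 5)            # target prot opt src dst [extra]
            chains[cur][1].append((f[0], f[1], f[5] if len(f) > 5 else ""))
    return chains

def matches(rule, pkt):
    # Only the matches present in the listing are modelled: proto, dpt, state.
    _, proto, extra = rule
    dpt = re.search(r"dpt:(\d+)", extra)
    state = re.search(r"state (\S+)", extra)
    return (proto in ("all", pkt["proto"])
            and (not dpt or pkt["dport"] == int(dpt.group(1)))
            and (not state or pkt["state"] in state.group(1).split(",")))

def verdict(chains, pkt, chain="INPUT"):
    """First terminal match wins; exhausted user chain returns, built-in uses policy."""
    policy, rules = chains[chain]
    for rule in rules:
        if matches(rule, pkt):
            if rule[0] in ("ACCEPT", "DROP"):
                return rule[0]
            hit = rule[0] in chains and verdict(chains, pkt, rule[0])
            if hit:
                return hit
    return policy
QUERY_IN = {"proto": "udp", "sport": 40123, "dport": 53, "state": "NEW"}
REPLY_IN = {"proto": "udp", "sport": 53, "dport": 40123, "state": "ESTABLISHED"}
```

Running `verdict(parse(LISTING), REPLY_IN)` gives DROP while the same packet against `parse(FIXED)` gives ACCEPT, which is exactly the difference the missing state/conntrack modules made on the 6.3 box.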
#4  ZKool (Junior Member), 24th July 2012, 11:24

*** RESOLVED ***

Did some digging and found that on one server I did not have the "state + conntrack" modules for iptables.

Spoke to my VPS host and they added it back in.

Setup now works fine.