#1  
Old 22nd January 2013, 22:48
ispconfig_question
Junior Member
 
Firewall down?

Hello,

I have two ISPConfig boxes; both have the same settings in ISPConfig under System > Firewall > Basic:
Code:
20,21,22,25,53,80,110,143,443,465,587,993,995,3306,8080,8081,10000
53,3306
But when I click Monitor > Logfiles > Show IPtables, I get totally different outputs.

Box1:
Code:
iptables -S (ipv4)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH 
-A fail2ban-SSH -j RETURN 


ip6tables -S (ipv6)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Box2:
Code:
iptables -S (ipv4)
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N INT_IN
-N INT_OUT
-N PAROLE
-N PUB_IN
-N PUB_OUT
-N fail2ban-SSH
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 224.0.0.0/4 -j DROP 
-A INPUT -i eth+ -j PUB_IN 
-A INPUT -i ppp+ -j PUB_IN 
-A INPUT -i slip+ -j PUB_IN 
-A INPUT -i venet+ -j PUB_IN 
-A INPUT -i bond+ -j PUB_IN 
-A INPUT -j DROP 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j DROP 
-A OUTPUT -o eth+ -j PUB_OUT 
-A OUTPUT -o ppp+ -j PUB_OUT 
-A OUTPUT -o slip+ -j PUB_OUT 
-A OUTPUT -o venet+ -j PUB_OUT 
-A OUTPUT -o bond+ -j PUB_OUT 
-A INT_IN -p icmp -j ACCEPT 
-A INT_IN -j DROP 
-A INT_OUT -p icmp -j ACCEPT 
-A INT_OUT -j ACCEPT 
-A PAROLE -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A PUB_IN -p tcp -m tcp --dport 20 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 53 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 110 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 143 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 443 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 465 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 587 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 993 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 995 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 8080 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 8081 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 10000 -j PAROLE 
-A PUB_IN -p udp -m udp --dport 53 -j ACCEPT 
-A PUB_IN -p udp -m udp --dport 3306 -j ACCEPT 
-A PUB_IN -p icmp -j DROP 
-A PUB_IN -j DROP 
-A PUB_OUT -j ACCEPT 
-A fail2ban-SSH -j RETURN 


ip6tables -S (ipv6)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Does it mean I have no firewall at all on Box1 (everything passes)? (It is perfectly possible that I turned it off accidentally and don't remember it now; it has been some time since I configured the first box.)

Is there some setting in ISPConfig to turn it back on? As I have read on this forum, modifying iptables directly is not the preferred method, as it might interfere with Bastille.

Is it the default configuration of ISPConfig to have all ports open over IPv6, or have I messed up something on Box2 (the newly installed one) as well?

I have observed no problems with Box1 for all the months the firewall was down. Is it a real threat to have all the ports open?
  #2  
Old 23rd January 2013, 08:30
till
Super Moderator
 

The firewall on box 1 is down. Generally it does not matter much, because on a normal ISPConfig server you run only the services that shall be accessible anyway. So whether the firewall is on or off does not make any difference.

Quote:
Is there some setting in ISPConfig to turn it back on? As I have read on this forum, modifying iptables directly is not the preferred method, as it might interfere with Bastille.
Restart bastille by running the bastille firewall init script.

Quote:
Is it the default configuration of ISPConfig to have all ports open over IPv6, or have I messed up something on Box2 (the newly installed one) as well?
Bastille does not support IPv6 (but a firewall is normally not necessary anyway, as I pointed out above). With ISPConfig 3.0.5, there is also built-in support for ufw, which supports IPv4 and IPv6.

Quote:
I have observed no problems with Box1 for all the months the firewall was down. Is it a real threat to have all the ports open?
No.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 23rd January 2013, 09:59
ispconfig_question
Junior Member
 

Thanks a lot for the response. I have restarted Bastille. (Is there any difference between issuing "service xxx restart" and "/etc/init.d/xxx restart"? The first one didn't work for me with bastille-firewall.)
The firewall seems to be on now, but the FTP service has stopped working. It seems there is a problem with passive transfer - it needs the whole port range open on the firewall. Do I have to add this range to the list of open ports? I suppose the answer is yes, because you have already stated it is no major risk to have ports open.
  #4  
Old 23rd January 2013, 10:49
till
Super Moderator
 

Quote:
Do I have to add this range to the list of open ports
Yes. Port ranges are defined with -. Example:

50-100

to open port 50 to 100 in the firewall.
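The two checks discussed in posts #2 and #4, as an added example (not ISPConfig's or Bastille's own code): parse an `iptables -S` dump, decide whether INPUT is actually filtered (Box1's `-P INPUT ACCEPT` with no catch-all DROP means everything passes), expand an ISPConfig port list including `lo-hi` ranges, and report configured ports the ruleset does not admit (a passive FTP range that was never added shows up here). The rulesets inside the block are constructed samples abridged from the Box1/Box2 output above; the chain names PUB_IN and PAROLE come from the Box2 dump, and the 40000-40100 passive range is a placeholder, not a value from the thread.

```python
"""Audit an `iptables -S` dump against an ISPConfig-style TCP port list.

Added example, not ISPConfig's or Bastille's code. The dumps below are
constructed samples abridged from the thread's Box1/Box2 output; the
40000-40100 passive FTP range is a placeholder value.
"""
import re

MAX_PORT = 65535


def parse_port_spec(spec):
    """Expand ISPConfig's comma list with '-' ranges ('21,22,50-100') to a set."""
    ports = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"invalid port entry: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def parse_iptables_dump(dump):
    """Return ({chain: policy}, [(chain, proto, dports, target), ...])."""
    policies, rules = {}, []
    for line in (l.strip() for l in dump.splitlines()):
        m = re.match(r"-P (\S+) (\S+)$", line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = re.match(r"-A (\S+)(.*?) -j (\S+)$", line)
        if not m:
            continue  # -N lines and rules without a target are skipped
        chain, opts, target = m.groups()
        proto = re.search(r"-p (\S+)", opts)
        dport = re.search(r"--dport (\S+)", opts)
        dports = None
        if dport:  # iptables -S prints a port range as lo:hi
            lo, _, hi = dport.group(1).partition(":")
            dports = set(range(int(lo), int(hi or lo) + 1))
        rules.append((chain, proto.group(1) if proto else None, dports, target))
    return policies, rules


def input_is_filtered(policies, rules):
    """False for Box1: policy ACCEPT and no catch-all '-A INPUT -j DROP'."""
    if policies.get("INPUT") == "DROP":
        return True
    return any(r == ("INPUT", None, None, "DROP") for r in rules)


def accepting_targets(rules):
    """ACCEPT plus any chain that is only an unconditional ACCEPT (Bastille's PAROLE)."""
    by_chain = {}
    for chain, proto, dports, target in rules:
        by_chain.setdefault(chain, []).append((proto, dports, target))
    return {"ACCEPT"} | {c for c, rs in by_chain.items() if rs == [(None, None, "ACCEPT")]}


def admitted_tcp_ports(rules, chain="PUB_IN"):
    """TCP destination ports the public-input chain hands to an accepting target."""
    ok = accepting_targets(rules)
    return set().union(*(d for c, p, d, t in rules
                         if c == chain and p == "tcp" and d and t in ok))


def audit(tcp_spec, dump):
    """'filtered' answers 'is the firewall down?'; 'missing' lists configured
    TCP ports the active ruleset does not admit."""
    policies, rules = parse_iptables_dump(dump)
    filtered = input_is_filtered(policies, rules)
    missing = sorted(parse_port_spec(tcp_spec) - admitted_tcp_ports(rules)) if filtered else []
    return {"filtered": filtered, "missing": missing}


# Constructed samples, abridged from the thread's Box1 and Box2 dumps.
BOX1 = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A fail2ban-SSH -j RETURN
"""

BOX2 = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth+ -j PUB_IN
-A INPUT -j DROP
-A PAROLE -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
-A PUB_IN -p udp -m udp --dport 53 -j ACCEPT
-A PUB_IN -j DROP
"""

# Box2 after a placeholder passive range 40000-40100 is added in ISPConfig.
BOX2_PASV = BOX2.replace("-A PUB_IN -j DROP",
                         "-A PUB_IN -p tcp -m tcp --dport 40000:40100 -j PAROLE\n-A PUB_IN -j DROP")

if __name__ == "__main__":
    print(audit("21,22,80", BOX1))                   # filtered False: everything passes
    print(audit("21,22,80,40000-40100", BOX2))       # the passive range is missing
    print(audit("21,22,80,40000-40100", BOX2_PASV))  # missing is now empty
```

Run it against the real output of `iptables -S` on a box and the `filtered` flag tells you whether you are in Box1's situation; a non-empty `missing` list after a Bastille restart is the first thing to check when a service such as passive FTP stops working.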
  #5  
Old 23rd January 2013, 11:47
ispconfig_question
Junior Member
 
 

Thank you, I'll do it this way.