HowtoForge Forums > ISPConfig 2 > Tips/Tricks/Mods

  #11  
24th November 2006, 17:13
IKShadow

Quote:
Originally Posted by falko
Are both systems in the same local network?
Actually, it's a bit complicated.

Yes they are, but some special vlans were made etc...

However, if I check last -i:

admin pts/0 213.143.90.139 Mon Nov 20 19:27 - 20:26 (00:59)

So I am logged in from the IP 213.143.90.139.
My server is on 212.72.115.185.

I hope I can solve this somehow.
I also tried to allow one IP from a remote location, but that does not work either.

Code:
krneki:/etc/Bastille/firewall.d # vi post-rule-setup.sh
krneki:/etc/Bastille/firewall.d # ll
total 4
-rw-r--r-- 1 root root 150 2006-11-24 17:12 post-rule-setup.sh
krneki:/etc/Bastille/firewall.d # /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
krneki:/etc/Bastille/firewall.d #
  #12  
25th November 2006, 14:18
falko (Super Moderator)

What's the output of
Code:
iptables -L
?
  #13  
25th November 2006, 19:29
IKShadow

Rule disabled:
Code:
krneki:/ # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (11 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:hosts2-ns
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ndmp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:soap-http
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:soap-http
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
Rule enabled:

Code:
krneki:/etc/Bastille/firewall.d # /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
krneki:/etc/Bastille/firewall.d # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
ACCEPT     tcp  --  89.212.94.160        anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (11 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:hosts2-ns
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ndmp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:soap-http
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:soap-http
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
  #14  
26th November 2006, 15:57
falko (Super Moderator)

Quote:
Originally Posted by IKShadow
rule enabled:

Code:
REJECT     tcp  --  anywhere             anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
ACCEPT     tcp  --  89.212.94.160        anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
Why does it say 89.212.94.160?
  #15  
26th November 2006, 16:29
IKShadow

That was the IP of the remote PC I am trying to add to the allow list.
(Currently I am at home and trying to connect to it.)

But it does not allow me to connect.
  #16  
27th November 2006, 14:19
falko (Super Moderator)

Please switch off the firewall, then try to connect to the system and have a look at /var/log/auth.log at the same time. Is the IP address of the system that you're connecting from logged correctly? Or is a different IP address logged (maybe due to NATting)?
  #17  
27th November 2006, 18:32
IKShadow

Can't find auth.log anywhere.

Code:
krneki:/var/log # ll
total 35508
-rw-r----- 1 root   root     5262 2006-11-24 16:04 acpid
drwxr-x--- 2 root   root     4096 2006-11-26 22:01 apache2
-rw-r----- 1 root   root        0 2006-11-15 21:50 boot.log
-rw-r--r-- 1 root   root    32252 2006-11-24 16:04 boot.msg
-rw-r--r-- 1 root   root    35654 2006-11-24 16:02 boot.omsg
drwxr-xr-x 2 wwwrun root     4096 2006-11-26 22:01 cacti
-rw------- 1 root   root   288168 2006-11-20 21:44 faillog
drwxr-xr-x 2 root   root     4096 2006-11-27 00:30 httpd
-rw-r--r-- 1 root   root    18799 2006-11-23 18:28 ispconfig_install.log
drwx------ 2 root   root     4096 2006-05-02 09:03 krb5
-rw-r--r-- 1 root   tty   3506044 2006-11-27 18:29 lastlog
-rw-r----- 1 root   root     4220 2006-11-21 18:34 localmessages
-rw-r----- 1 root   root  2913193 2006-11-27 18:29 mail
-rw-r----- 1 root   root      146 2006-11-24 16:04 mail.err
-rw-r----- 1 root   root  3211790 2006-11-27 18:29 mail.info
-rw-r----- 1 root   root   299694 2006-11-26 22:01 mail.info-20061126.bz2
-rw-r--r-- 1 root   root 11936823 2006-11-26 23:59 mail.ispconfigsave
-rw-r----- 1 root   root      613 2006-11-26 21:48 mail.warn
-rw-r----- 1 root   root   854429 2006-11-27 18:30 messages
lrwxrwxrwx 1 root   root       23 2006-11-15 22:19 mysqld.log -> ../lib/mysql/mysqld.log
drwxr-x--- 2 news   news     4096 2006-11-15 21:27 news
-rw-r--r-- 1 root   root     5418 2006-11-24 16:08 ntp
-rw-r--r-- 1 root   root    11760 2006-11-24 17:48 scpm
-rw-r----- 1 root   root   136511 2006-11-27 16:34 warn
-rw-rw-r-- 1 root   tty     61440 2006-11-27 18:29 wtmp
-rw-rw-r-- 1 root   tty      9504 2006-11-17 22:00 wtmp-20061117.bz2
-rw-rw-r-- 1 root   tty     10888 2006-11-25 22:00 wtmp-20061125.bz2
-rw-r--r-- 1 root   root   566138 2006-11-27 18:29 xferlog
-rw-r--r-- 1 root   root 14558779 2006-11-26 23:59 xferlog.ispconfigsave
drwx------ 3 root   root     4096 2006-11-24 18:11 YaST2
-rw-r----- 1 root   root   373772 2006-11-27 15:36 zmd-backend.log
-rw-r----- 1 root   root   132397 2006-11-15 22:00 zmd-backend.log-20061115.bz2
-rw-r----- 1 root   root   356771 2006-11-16 22:00 zmd-backend.log-20061116.bz2
-rw-r----- 1 root   root   155100 2006-11-17 22:00 zmd-backend.log-20061117.bz2
-rw-r----- 1 root   root    47752 2006-11-20 22:00 zmd-backend.log-20061120.bz2
-rw-r----- 1 root   root    76112 2006-11-22 22:00 zmd-backend.log-20061122.bz2
-rw-r----- 1 root   root    68516 2006-11-23 22:00 zmd-backend.log-20061123.bz2
-rw-r----- 1 root   root    55366 2006-11-26 22:01 zmd-backend.log-20061126.bz2
-rw-r--r-- 1 root   root     2510 2006-11-27 16:34 zmd-messages.log
-rw------- 1 root   root    16523 2006-11-15 23:12 zmd-messages.log.2006-11-15
-rw------- 1 root   root    83036 2006-11-16 18:50 zmd-messages.log.2006-11-16
-rw------- 1 root   root    17748 2006-11-17 22:22 zmd-messages.log.2006-11-17
-rw------- 1 root   root     2502 2006-11-18 18:44 zmd-messages.log.2006-11-18
-rw------- 1 root   root     2433 2006-11-19 18:34 zmd-messages.log.2006-11-19
-rw------- 1 root   root     2510 2006-11-20 18:24 zmd-messages.log.2006-11-20
-rw------- 1 root   root     2502 2006-11-21 10:00 zmd-messages.log.2006-11-21
-rw------- 1 root   root     7387 2006-11-22 23:59 zmd-messages.log.2006-11-22
-rw------- 1 root   root     8499 2006-11-23 19:37 zmd-messages.log.2006-11-23
-rw------- 1 root   root     2502 2006-11-24 17:04 zmd-messages.log.2006-11-24
-rw------- 1 root   root     2826 2006-11-25 16:54 zmd-messages.log.2006-11-25
-rw------- 1 root   root     2510 2006-11-26 16:44 zmd-messages.log.2006-11-26
However, in last I can see my IP:

Code:
admin    pts/0        195.95.158.246   Mon Nov 27 18:29   still logged in
Code:
krneki:/var/log # vi /etc/Bastille/firewall.d/post-rule-setup.sh
/sbin/iptables -I INPUT -p tcp -m tcp -s 195.95.158.246 --dport 22 --syn -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT
  #18  
28th November 2006, 16:21
falko (Super Moderator)

Then use 195.95.158.246 in your firewall rules and test if you can connect then.
  #19  
7th December 2006, 08:09
smartcall (Senior Member)

Actually, if you take a look at your iptables -L output, you'll see that the REJECT rule is preceding the ACCEPT rule.
And the way you make it work is: the post-rule-setup.sh is applied from last-to-first rule, and if you put the REJECT before the ACCEPT it will apply them correctly to the firewall.
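As an added example (not from the thread and not Bastille's own code), a short POSIX shell model of why the posted post-rule-setup.sh order fails and smartcall's reversed order works: `iptables -I` prepends, so the last line written becomes rule 1, and the chain is then walked first-match. It assumes only that INPUT already ends in Bastille's catch-all DROP, as the listing in the thread shows.

```shell
#!/bin/sh
# Added example (not code from the thread): a small model of how the INPUT
# chain grows while post-rule-setup.sh runs, and how it is walked afterwards.
# Rule format: "<target> <source> <dport>"; "anywhere"/"any" are wildcards.
CHAIN=""

# iptables -I INPUT ... : insert at the HEAD of the chain (becomes rule 1)
ipt_I() {
    if [ -z "$CHAIN" ]; then CHAIN="$1"; else CHAIN="$1
$CHAIN"; fi
}

# Walk the chain top to bottom; the first matching rule decides, as the
# kernel does. Prints the target, or POLICY_DROP if nothing matched.
# Usage: ipt_verdict <source-ip> <dport>
ipt_verdict() {
    while read -r target rsrc rport; do
        [ -z "$target" ] && continue
        if { [ "$rsrc" = anywhere ] || [ "$rsrc" = "$1" ]; } &&
           { [ "$rport" = any ] || [ "$rport" = "$2" ]; }; then
            echo "$target"
            return 0
        fi
    done <<EOF
$CHAIN
EOF
    echo POLICY_DROP
}

# Bastille has already filled INPUT before post-rule-setup.sh runs; the
# listing in the thread ends with "DROP all anywhere anywhere", modelled here.
# (With -A instead of -I, new rules would land below this DROP and never be
# reached, which is why the script inserts at the top.)
bastille_base() {
    CHAIN="DROP anywhere any"
}

# The script as posted: ACCEPT inserted first, REJECT inserted second, so
# the REJECT sits above the ACCEPT and shadows it for every source.
as_posted() {
    bastille_base
    ipt_I "ACCEPT 195.95.158.246 22"
    ipt_I "REJECT anywhere 22"
    ipt_verdict "$1" 22
}

# smartcall's fix: write REJECT first, ACCEPT second. With -I the line
# written last lands on top, so the trusted source is matched before REJECT.
reordered() {
    bastille_base
    ipt_I "REJECT anywhere 22"
    ipt_I "ACCEPT 195.95.158.246 22"
    ipt_verdict "$1" 22
}

echo "as posted:  $(as_posted 195.95.158.246)"   # REJECT
echo "reordered:  $(reordered 195.95.158.246)"   # ACCEPT
echo "other host: $(reordered 10.0.0.99)"        # REJECT
```

`iptables -L --line-numbers` on the real box shows the same ordering the model produces, which is the quickest way to confirm which rule wins before trusting a remote login to it.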
  #20  
7th December 2006, 10:46
IKShadow

Quote:
Originally Posted by smartcall
Actually, if you take a look at your iptables -L output, you'll see that the REJECT rule is preceding the ACCEPT rule.
And the way you make it work is: the post-rule-setup.sh is applied from last-to-first rule, and if you put the REJECT before the ACCEPT it will apply them correctly to the firewall.
Yep, that did help.

Thanks