#1 - 28th September 2005, 20:04 - jlaughy (Member)
IPtables / Bastille

Hi,

Normally I work with IPTables and want to use the built-in option (Bastille) of ISPConfig. When I try to start Bastille (/etc/rc.d/init.d/Basti...) it's looking for IPChains (which is not on the machine).

Searched the sources to see if I could change this manually - without any result.

Any suggestions?

WKR, JL

BTW I use : Fedora Core 4

#2 - 28th September 2005, 21:02 - falko (Super Moderator, Lüneburg, Germany)

Bastille is looking for ipchains and iptables - so it should work for you. Do you get error messages when trying to start Bastille?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
#3 - 29th September 2005, 00:01 - jlaughy (Member)

Hi Falko,

I got a message like "can't find /sbin/ipchains".

Did a new install and it's working now!

WKR, JL

Code:
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             127.0.0.0/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain PAROLE (8 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (3 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:81
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:10000
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
#4 - 9th November 2005, 05:12 - benbalbo (Member)

I'm looking for some help on iptables issues I'm encountering with my VPS. It seems to work fine for most things, but when the firewall is on, the server can't resolve domain names.

Having looked at the previous post's output, I'm missing the RELATED,ESTABLISHED part. Here's my iptables -L -n output (iptables -L hangs!):

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  224.0.0.0/4          0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0

Chain PAROLE (12 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:81
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:943
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:43
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
DROP       icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
When I try to add this rule, I get:

Code:
iptables -I INPUT 2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name
I've scoured the web for information on why this is, and whilst others have this problem, I've come up with no solutions.

I'd be very glad of any help from you guys, as this is the only bit that isn't working, and is holding us back from going live.

Cheers!
Ben
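Two things are tangled together in the listing above: the INPUT chain has no ACCEPT rule carrying state RELATED,ESTABLISHED (the ACCEPT all at position 2 is most likely the loopback rule, whose interface only iptables -L -v shows), and the "No chain/target/match by that name" answer means the kernel cannot load the state match at all, so inserting the rule by hand cannot succeed until the module exists. The script below is an added example, not code from the thread or from Bastille/ISPConfig: it audits a saved iptables -L -n listing for the stateful rule, checks match availability from a file in the one-name-per-line format of /proc/net/ip_tables_matches (an assumption; pass the real file on a live box), and only then prints or runs the insert. The sample listings and match files are constructed, modelled on the outputs posted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `iptables -L -n` listing for the
# stateful ACCEPT rule Bastille normally puts in INPUT, and check that the kernel
# offers the "state" match before trying to insert it. File paths are parameters
# so the checks run against saved listings; on a live system pass the output of
# `iptables -L -n` and /proc/net/ip_tables_matches (assumed one match name per line).

# Exit 0 if the INPUT chain in listing file $1 contains an ACCEPT rule with
# "state RELATED,ESTABLISHED" (or the newer "ctstate" spelling), else 1.
# Rules in other chains (e.g. FORWARD) do not count: only INPUT lets replies
# to the server's own DNS queries and other client traffic back in.
input_has_stateful_accept() {
    awk '
        /^Chain /  { inchain = ($2 == "INPUT") }
        inchain && $1 == "ACCEPT" && /(state|ctstate) RELATED,ESTABLISHED/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Exit 0 if match name $2 (e.g. "state") appears as a whole line in file $1.
match_available() {
    grep -qx "$2" "$1"
}

# Classify the situation without touching the firewall:
#   0  stateful rule already present
#   2  rule missing and the "state" match is unavailable (the thread's case:
#      iptables then fails with "No chain/target/match by that name")
#   3  rule missing and the match is available, so the insert can be done
stateful_rule_status() {
    if input_has_stateful_accept "$1"; then return 0; fi
    if ! match_available "$2" state; then return 2; fi
    return 3
}

# Print the repair command when DRY_RUN is set, otherwise run it (needs root).
# Position 2 keeps the rule behind the first DROP rule, as in Bastille's layout.
add_stateful_rule() {
    cmd="iptables -I INPUT 2 -m state --state RELATED,ESTABLISHED -j ACCEPT"
    if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else $cmd; fi
}

# Constructed sample inputs modelled on the listings posted in the thread.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/listing_missing" <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  224.0.0.0/4          0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0
EOF
cat > "$TMPD/listing_ok" <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
EOF
printf 'tcp\nudp\nicmp\n' > "$TMPD/matches_bare"                  # VPS kernel without ipt_state
printf 'tcp\nudp\nicmp\nstate\nconntrack\n' > "$TMPD/matches_full" # kernel with the state match

main() {
    for l in listing_missing listing_ok; do
        for m in matches_bare matches_full; do
            if stateful_rule_status "$TMPD/$l" "$TMPD/$m"; then s=0; else s=$?; fi
            echo "$l + $m -> status $s"
        done
    done
    DRY_RUN=1 add_stateful_rule   # prints the command instead of running it
}
main
```

Two practical notes: iptables -L without -n hangs on exactly this kind of box because it tries to reverse-resolve every address through the DNS that the firewall is breaking, so always audit with -n; and a status of 2 is a kernel problem to raise with the VPS provider, not something more rule editing will fix.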
#5 - 9th November 2005, 07:58 - benbalbo (Member)

After much researching, I found that my VPS didn't have all the iptables modules loaded into the kernel. I asked my supplier to enable a few extra modules and it still doesn't quite work.

I've switched to using APF, which uses an allow-all-and-block-selected-items approach, rather than bastille's block-all-and-allow-a-few. This means ESTABLISHED isn't required; I manually block certain ports above 1023, so all others are free for request replies.

I know I could reconfigure bastille to do this, but APF already does it, so why spend the time :-)

Only drawback now is that the firewall is not configurable through ISP Config, but that's not such a problem. One problem is that starting it in ISP Config will break things, so I might remove the option from the interface.

Anyway - hope this helps someone else...
#6 - 9th November 2005, 10:26 - falko (Super Moderator)

Quote:
Originally Posted by benbalbo
One problem is that starting it in ISP Config will break things, so I might remove the option from the interface.
You can disable the firewall under Management -> Server -> Services.
#7 - 15th November 2005, 08:36 - benbalbo (Member)

Quote:
Originally Posted by falko
You can disable the firewall under Management -> Server -> Services.
That's true - but if another administrator comes in and enables it again, then that would cause problems. Admittedly they should be trained, and the firewall issue should be documented in internal policies so this mistake doesn't happen, but I don't trust people to read documentation, or remember what someone told them. Taking the option out makes it certain that it won't be re-enabled :-)

That said - I can't find an easy way to remove it. Seems the list of services is based on the field names in the services table, and I don't want to delete it from the table. I might just leave it after all :-)
#8 - 15th November 2005, 10:44 - falko (Super Moderator)

You can edit the file /root/ispconfig/scripts/shell/firewall.php and change the following part:

PHP Code:
if($dienst["dienst_firewall_status"] != "off"){
  // service enabled in ISPConfig: (re)start the Bastille firewall
  $mod->system->daemon_init("bastille-firewall", "restart");
} else {
  // service disabled: stop it only if its lock file says it is running
  if(is_file("/var/lock/subsys/bastille-firewall")) $mod->system->daemon_init("bastille-firewall", "stop");
}
