Bastille firewall vs iptables

Discussion in 'Installation/Configuration' started by jnewman67, Sep 9, 2021 at 2:49 PM.

  1. jnewman67

    jnewman67 Member HowtoForge Supporter

    ISPConfig 3.2.5 perfect server instructions have you disable firewall/iptables so it can install Bastille, but then fail2ban is installed, which uses iptables, i believe (that's where it's rules are ending up).
    am i seeing that wrong, or misreading something.
    also, if you enable iptables - all network traffic stops. I'm betting thats because no default firewall was configured.

    here's my iptables list after running for a few days, even though it was off (and is repeatedly attempting logins, but isn't blocked from trying because iptables isn't running)

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    f2b-postfix-sasl tcp -- multiport dports 25,465,587

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain f2b-postfix-sasl (1 references)
    target prot opt source destination
    REJECT all -- reject-with icmp-port-unreachable
    RETURN all --​

    thanks for the clarification
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Just install ufw and configure the firewall ports to allow in the ispconfig interface.

    All the tools use iptables as the underlying firewall interface. Bastille is quite dated and doesn't support ipv6.

    What you so above is that you have fail2ban active and no other firewall rules.
  3. jnewman67

    jnewman67 Member HowtoForge Supporter

    that's the default result (plus the f2b rules it added) from the perfect server centos installation.

    I'm not familiar with the Bastille firewall, or ufw, but if the rules shown in iptables are supposed to be used and active, they aren't. as of 1 minute ago, is still getting through to the system.
    if I "rpm -qa | grep astille" i see no Bastille listed, so maybe it got missed, but the PS instructions say Bastille is preferred and included and configured by the the ISPConfig install script - the instructions have you purposefully disable iptables.

    any other way to find it to make sure Bastille's working correctly or configured correctly?

    not accusing, just relaying what I'm finding and trying to figure it out.
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If that's the output of "iptables -L -n -v" then yes, they are. Fail2ban will remove those firewall rules after 10 minutes, so you would have to check again if it's still in effect. Also the rule that is setup only matches traffic for destination ports 25, 465 and 587, so any other type of traffic will still be allowed (I generally (always?) configure fail2ban to use a different action so that all traffic is blocked, not just traffic to a few ports).
    bastille is a (set of) shell script(s) that ships with ISPConfig (and used to be available as a separate package in the OS; I think it was removed years ago in debian, but I have no idea about centos), so not being installed as an rpm isn't a problem.

    As far as disabling "iptables," I checked one centos tutorial and it shows disabling the "default CentOS firewall" with no mention of disabling "iptables", I'd guess maybe you're using an older centos version, and there is a service called "iptables"? (Both the bastille firewall script and ufw (and surely the "default CentOS firewall") are interfaces to use the 'iptables' command to setup firewall rules, so could be some confusion on terminology). It looks like the bastille-netfilter script itself disables that service via chkconfig if it is detected, so you actually might be covered already on that.

    If you're following the tutorial and with to continue with Bastille, did you set that as the firewall type in server config and specify a list of ports to allow?

    According to your iptables output, it isn't configured/enabled, there are no firewall rules other than fail2ban's.

    No worries, but I will again advise to abandon Bastille and install ufw. It creates a more comprehensive firewall rule set, and includes ipv6 (if you use Bastille, do not enable ipv6, or you will have absolutely no firewall in place, even though it works for ipv4 rules).

Share This Page