Centos 6.3 + Firewall issue

Discussion in 'General' started by ZKool, Jul 17, 2012.

  1. ZKool

    ZKool New Member

    Hi guys,

    hoping someone can help here..

    I followed the guide to install ISPConfig 3.0.4.6 on Centos 6.3;
    Everything has been working well for the most part.

    The issue I am having is when i enable the ISPConfig firewall I can not resolve outside hostname -> IPaddresses.

    FIREWALL DISABLED
    Code:
    [root@ns2 /]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain fail2ban-SSH (0 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    [root@ns2 /]# ping google.com
    PING google.com (173.194.38.164) 56(84) bytes of data.
    64 bytes from sin04s02-in-f4.1e100.net (173.194.38.164): icmp_seq=1 ttl=58 time=1.62 ms
    
    --- google.com ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 926ms
    rtt min/avg/max/mdev = 1.626/1.626/1.626/0.000 ms
    [root@ns2 /]#
    

    WITH ISPCONFIG FIREWALL ENABLED
    Code:
    
    [root@ns2 /]# iptables -L -n
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    DROP       all  --  224.0.0.0/4          0.0.0.0/0
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
    DROP       all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    DROP       all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain INT_IN (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
    DROP       all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain INT_OUT (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain PAROLE (16 references)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain PUB_IN (5 references)
    target     prot opt source               destination
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8081
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:40000:40010
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:3306
    DROP       icmp --  0.0.0.0/0            0.0.0.0/0
    DROP       all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain PUB_OUT (5 references)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain fail2ban-SSH (0 references)
    target     prot opt source               destination
    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
    
    
    [root@ns2 /]# nslookup google.com
    ;; connection timed out; trying next origin
    ;; connection timed out; no servers could be reached
    
    [root@ns2 /]# ping google.com
    ping: unknown host google.com
    
    [root@ns2 /]# ping 173.194.38.164
    PING 173.194.38.164 (173.194.38.164) 56(84) bytes of data.
    64 bytes from 173.194.38.164: icmp_seq=1 ttl=58 time=1.68 ms
    
    
    I added more rules on each table to accept UDP port 53 - but no difference.


    Code:
    #/etc/resolv.conf
    #OpenDNS Servers
    
    nameserver 208.67.222.222
    nameserver 208.67.220.220
    
    
    Code:
    [root@ns2 /]# /etc/rc.d/init.d/bastille-firewall restart
    FATAL: Module ip_tables not found.
    FATAL: Module ip_tables not found.
    iptables v1.4.7: can't initialize iptables table `nat': Table does not exist (do                                                                                                              you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    FATAL: Module ip_tables not found.
    iptables v1.4.7: can't initialize iptables table `nat': Table does not exist (do                                                                                                              you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    FATAL: Module ip_conntrack not found.
    FATAL: Module ip_conntrack_ftp not found.
    FATAL: Module ipt_LOG not found.
    Setting up IP spoofing protection... done.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    Allowing traffic from trusted interfaces... done.
    Setting up chains for public/internal interface traffic... done.
    Setting up general rules... done.
    Setting up outbound rules... done.
    
    Not sure if the missing modules is the issue here..


    I'm stuck with this right now, does anyone have any ideas or possible insight on this?

    Thanks.
     
    Last edited: Jul 17, 2012
  2. falko

    falko Super Moderator

    Not sure if this is the problem, but is SELinux disabled?
     
  3. ZKool

    ZKool New Member

    Thanks for the reply.

    Yes SElinux is disabled.



    Also - here is some more information which is probably irrelevant, but i dont know..

    I have another VPS with the same host [godaddy], running Centos 6.2

    On my 6.2 server i use the following firewall setup;

    Code:
    #!/bin/bash
    
    # Clear Tables
    iptables -F
    
    # Set default chain polocies to DROP
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    
    
    
    #ICMP Rules
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A OUTPUT -p icmp -j ACCEPT
    iptables -A FORWARD -p icmp -j ACCEPT
    
    #HTTP/HTTPS Rules
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    
    #DNS Rules
    iptables -A INPUT -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A FORWARD -p udp --dport 53 -j ACCEPT
    
    #Mail Rules
    iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    iptables -A INPUT -p tcp --dport 143 -j ACCEPT
    iptables -A INPUT -p tcp --dport 993 -j ACCEPT
    iptables -A INPUT -p tcp --dport 995 -j ACCEPT
    
    #Squid Rules
    iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 3128 -j ACCEPT
    
    #Loopback Rules
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    
    #Other Allowable Traffic
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    
    
    #FTP Rules
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
    
    iptables -A INPUT -p tcp --dport 47389:47489 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 47389:47489 -j ACCEPT
    
    
    When i try and load this on my 6.3 server, my SSH connection is dropped instantly and I am unable to connect to any services or ping the host..

    On 6.3 I currently receive an error when running this;

    Code:
    [root@ns2 /]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables: No chain/target/match by that name.
    [root@ns2 /]# iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables: No chain/target/match by that name.
    
    This server was upgraded from 6.2 to 6.3 through 'yum upgrade'.
    Kernel version is the same, iptables version is the same...

    I'm lost on where to go from here.

    Maybe i should move to a new host and go to debian...
     
    Last edited: Jul 18, 2012
  4. ZKool

    ZKool New Member

    *** RESOLVED ***

    Did some digging and found that on one server I did not have the "state + conntrack" modules for iptables.

    Spoke to my VPS host and they added it back in.

    Setup now works fine.
     

Share This Page