IPtables / Bastille

Discussion in 'Installation/Configuration' started by jlaughy, Sep 28, 2005.

  1. jlaughy

    jlaughy New Member

    Hi,

    Normally I work with IPTables and want to use the built-in option (Bastille) of ISPConfig. When I try to start Bastille (/etc/rc.d/init.d/Basti...) it is looking for IPChains (which is not on the machine).

    Searched the sources to see if I could change this manually - without any result.

    Any suggestions?

    WKR, JL

    BTW I use : Fedora Core 4
     
    Last edited: Sep 28, 2005
  2. falko

    falko Super Moderator

    Bastille is looking for ipchains and iptables - so it should work for you. Do you get error messages when trying to start Bastille?
     
  3. jlaughy

    jlaughy New Member

    Hi Falko,

    I got a message like can't find /sbin/ipchains

    Did a new install and it's working now!

    WKR, JL

    ----

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP all -- anywhere anywhere

    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP tcp -- anywhere 127.0.0.0/8
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere

    Chain PAROLE (8 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain PUB_IN (3 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp
    PAROLE tcp -- anywhere anywhere tcp dpt:ssh
    PAROLE tcp -- anywhere anywhere tcp dpt:smtp
    PAROLE tcp -- anywhere anywhere tcp dpt:http
    PAROLE tcp -- anywhere anywhere tcp dpt:81
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3
    PAROLE tcp -- anywhere anywhere tcp dpt:https
    PAROLE tcp -- anywhere anywhere tcp dpt:10000
    DROP icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain PUB_OUT (3 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
     
  4. benbalbo

    benbalbo ISPConfig Developer

    I'm looking for some help on iptables issues I'm encountering with my VPS. It seems to work fine for most things, but when the firewall is on, the server can't resolve domain names.

    Having looked at the previous post's output, I'm missing the RELATED,ESTABLISHED part. Here's my iptables -L -n output (iptables -L hangs!):

    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    DROP       all  --  224.0.0.0/4          0.0.0.0/0
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
    DROP       all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    DROP       all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain INT_IN (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
    DROP       all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain INT_OUT (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain PAROLE (12 references)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain PUB_IN (4 references)
    target     prot opt source               destination
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:81
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:943
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:43
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
    DROP       icmp --  0.0.0.0/0            0.0.0.0/0
    DROP       all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain PUB_OUT (4 references)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

    When I try to add this rule, I get:

    Code:
    iptables -I INPUT 2 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables: No chain/target/match by that name

    I've scoured the web for information on why this is, and whilst others have this problem, I've come up with no solutions.

    I'd be very glad of any help from you guys, as this is the only bit that isn't working, and is holding us back from going live.

    Cheers!
    Ben
     
  5. benbalbo

    benbalbo ISPConfig Developer

    After much researching, I found that my VPS didn't have all the iptables modules loaded into the kernel. I asked my supplier to enable a few extra modules and it still doesn't quite work.

    I've switched to using APF, which uses an allow-all and block-selected-items approach, rather than Bastille's block-all and allow-a-few. This means ESTABLISHED isn't required; I manually block certain ports above 1023, so all others are free for request replies.

    I know I could reconfigure bastille to do this, but APF already does it, so why spend the time :)

    Only drawback now is that the firewall is not configurable through ISPConfig, but that's not such a problem. One problem is that starting it in ISPConfig will break things, so I might remove the option from the interface.

    Anyway - hope this helps someone else...
     
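    The two posts above hit the same wall: "No chain/target/match by that name" when inserting the RELATED,ESTABLISHED rule means the kernel (here a VPS kernel the tenant cannot modprobe into) does not register a connection-tracking match, not that the rule is malformed. The script below is an added example, not code from this thread, ISPConfig or Bastille. It checks /proc/net/ip_tables_matches (present on 2.4/2.6 kernels with iptables support) for a "state" or "conntrack" match before touching the ruleset, skips the insert if the INPUT chain already carries the rule, and otherwise prints the two realistic ways out named in the thread: have the provider enable the conntrack modules, or run a stateless ruleset that leaves ports above 1023 open for replies. The rule position INPUT 2 is taken from the post above; the module names and the `--apply` flag are this example's own assumptions. Listings are read with `iptables -L -n` throughout, because without `-n` iptables does reverse DNS lookups for every address, which is exactly why `iptables -L` hangs on a box whose firewall is blocking DNS.

```shell
#!/bin/sh
# Added example, not code from this thread, ISPConfig or Bastille. Before
# inserting the RELATED,ESTABLISHED rule it checks whether this kernel really
# registers a connection-tracking match, so the failure shows up as a readable
# diagnosis instead of "No chain/target/match by that name".
# Assumptions: /proc/net/ip_tables_matches lists the registered matches, the
# module names below are the usual ones (ip_conntrack/nf_conntrack plus
# ipt_state/xt_state), and rule position INPUT 2 is the one from the post above.

# Succeeds if the text on stdin (normally /proc/net/ip_tables_matches) lists a
# connection-tracking match: "state" (ipt_state/xt_state) or "conntrack".
state_match_listed() {
    grep -qxE 'state|conntrack'
}

# Succeeds if an "iptables -L <chain> -n" listing on stdin already holds an
# ACCEPT rule for RELATED,ESTABLISHED, so the rule is never inserted twice.
chain_has_state_accept() {
    awk '$1 == "ACCEPT" && /RELATED,ESTABLISHED/ { found = 1 }
         END { exit !found }'
}

# Constructed sample: the INPUT chain shape from the VPS post above, which has
# no state rule (interface-specific PUB_IN jumps omitted for brevity).
sample_input_without_state() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  224.0.0.0/4          0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# Constructed sample: the same chain after the state rule went in at position 2.
sample_input_with_state() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# Live part, run as root with "sh script.sh --apply" on a host that has iptables.
ensure_state_rule() {
    # On a normal (non-VPS) kernel the match may simply not be loaded yet.
    modprobe ipt_state 2>/dev/null || modprobe xt_state 2>/dev/null || true

    if ! state_match_listed < /proc/net/ip_tables_matches; then
        echo "kernel registers no 'state'/'conntrack' match" >&2
        echo "  either: ask the VPS provider to enable ip_conntrack + ipt_state" >&2
        echo "          (nf_conntrack + xt_state on newer kernels)," >&2
        echo "  or:     run a stateless ruleset that accepts replies on ports > 1023" >&2
        return 1
    fi

    if iptables -L INPUT -n | chain_has_state_accept; then
        echo "INPUT already accepts RELATED,ESTABLISHED, nothing to do"
        return 0
    fi

    # Position 2: after the 127.0.0.0/8 spoofing rule, before the catch-all DROP.
    iptables -I INPUT 2 -m state --state RELATED,ESTABLISHED -j ACCEPT
}

if [ "${1-}" = "--apply" ]; then
    ensure_state_rule
fi
```

    The `modprobe` line is a no-op inside a container-style VPS, which is the point: if the match still is not listed afterwards, no amount of retyping the rule will help, and the script says so instead of echoing iptables' generic error.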
  6. falko

    falko Super Moderator

    You can disable the firewall under Management -> Server -> Services. :)
     
  7. benbalbo

    benbalbo ISPConfig Developer

    That's true - but if another administrator comes in and enables it again, then that would cause problems. Admittedly they should be trained, and the firewall issue should be documented in internal policies so this mistake doesn't happen, but I don't trust people to read documentation, or remember what someone told them. Taking the option out makes it certain that it won't be re-enabled :)

    That said - I can't find an easy way to remove it. Seems the list of services is based on the field names in the services table, and I don't want to delete it from the table. I might just leave it after all :)
     
  8. falko

    falko Super Moderator

    You can edit the file /root/ispconfig/scripts/shell/firewall.php and change the following part:

    PHP:
    if($dienst["dienst_firewall_status"] != "off"){
      $mod->system->daemon_init("bastille-firewall", "restart");
    } else {
      if(is_file("/var/lock/subsys/bastille-firewall")) $mod->system->daemon_init("bastille-firewall", "stop");
    }
     
