iptables seems to block necessary ports

Discussion in 'Server Operation' started by ZeroEnna, Nov 26, 2010.

  1. ZeroEnna

    ZeroEnna Member

    Hello guys,

    I had to reboot my server in the morning, and afterwards, some ports I need to use my server were blocked. My provider is innocent, he didn't change anything. So I suspect iptables.

    My Tables are like this:

    Code:
    # Generated by iptables-save v1.4.2 on Fri Nov 26 14:15:54 2010
    *mangle
    :PREROUTING ACCEPT [124907:46116516]
    :INPUT ACCEPT [124907:46116516]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [120693:60193224]
    :POSTROUTING ACCEPT [120693:60193224]
    COMMIT
    # Completed on Fri Nov 26 14:15:54 2010
    # Generated by iptables-save v1.4.2 on Fri Nov 26 14:15:54 2010
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [54274:19356789]
    :INT_IN - [0:0]
    :INT_OUT - [0:0]
    :PAROLE - [0:0]
    :PUB_IN - [0:0]
    :PUB_OUT - [0:0]
    :fail2ban-courierauth - [0:0]
    :fail2ban-postfix - [0:0]
    :fail2ban-sasl - [0:0]
    :fail2ban-ssh - [0:0]
    -A INPUT -p tcp -m multiport --dports 25,465,143,220,993,110,995 -j fail2ban-co$
    -A INPUT -p tcp -m multiport --dports 25,465,143,220,993,110,995 -j fail2ban-sa$
    -A INPUT -p tcp -m multiport --dports 25,465 -j fail2ban-postfix
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A INPUT -d 127.0.0.0/8 -i ! lo -p tcp -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -s 224.0.0.0/4 -j DROP
    -A INPUT -i eth+ -j PUB_IN
    -A INPUT -i ppp+ -j PUB_IN
    -A INPUT -i slip+ -j PUB_IN
    -A INPUT -i venet+ -j PUB_IN
    -A INPUT -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -j DROP
    -A OUTPUT -o eth+ -j PUB_OUT
    -A OUTPUT -o ppp+ -j PUB_OUT
    -A OUTPUT -o slip+ -j PUB_OUT
    -A OUTPUT -o venet+ -j PUB_OUT
    -A INT_IN -p icmp -j ACCEPT
    -A INT_IN -j DROP
    -A INT_OUT -p icmp -j ACCEPT
    -A INT_OUT -j ACCEPT
    -A PAROLE -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 53 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 110 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 143 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 443 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 8080 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 10000 -j PAROLE
    -A PUB_IN -p udp -m udp --dport 53 -j ACCEPT
    -A PUB_IN -p icmp -j DROP
    -A PUB_IN -j DROP
    -A PUB_IN -p tcp -m tcp --dport 8000 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 6667 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 2057 -j PAROLE
    -A PUB_OUT -j ACCEPT
    -A fail2ban-courierauth -j RETURN
    -A fail2ban-postfix -j RETURN
    -A fail2ban-sasl -j RETURN
    -A fail2ban-ssh -j RETURN
    COMMIT
    # Completed on Fri Nov 26 14:15:54 2010
    # Generated by iptables-save v1.4.2 on Fri Nov 26 14:15:54 2010
    *nat
    :PREROUTING ACCEPT [4178:230004]
    :POSTROUTING ACCEPT [8112:499095]
    :OUTPUT ACCEPT [8112:499095]
    COMMIT
    # Completed on Fri Nov 26 14:15:54 2010
    
    
    I guess you alreaddy figured out, the ports I need are 6667, 8000 and 2057. So It seems that iptables knows them (iptables -L shows these ports), but it is still not working.

    Did I make a mistake?

    is "PAROLE" wrong?

    Please help me asap, as the services running on these ports are needed by tonight.

    Kind Regards

    Zero
     
  2. ZeroEnna

    ZeroEnna Member

    Okay, request revoked... I re-configured the iptables' chains and rules via ISPConfig, now it is working... I wonder though, why iptables suddenly self-activated....
     
  3. 537mfb

    537mfb New Member

    Please

    Could you please tell me what you did?

    Am getting the same issue - all ports marked as PAROLE are inaccessable even from within my LAN - if i stop Bastille then everything works

    Also - even if i have no rules in ISPConfig for the firewall and Bastille has been started at least FTP is blocked (although HTTP and HTTPS are open)

    Any help is appreciated
     
  4. srijan

    srijan New Member HowtoForge Supporter

    Hi

    Please refer the thread, it might be helpful to you.


    Br//
    Srijan
     
  5. 537mfb

    537mfb New Member

    Following that thread all i see is creation of scripts for the rules from outsider ISPConfig.

    So that means the Firewall settings in Sistem -> Sistem -> Firewall are useless and shouldn't be used at all?
     

Share This Page