ISPConfig and IPTABLES - Trash Automatic Setting??

Discussion in 'Installation/Configuration' started by vaio1, Jan 22, 2010.

  1. vaio1

    vaio1 ISPConfig Developer

    Hi guys,

    I have seen for the first time today the rules generated by the ISPConfig application. Many users in various IRC chats told me that they are only trash! Is it possible?

    These are the IpTables generated by ISPConfig:

    Code:
    # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    DROP       tcp  --  anywhere             127.0.0.0/8         
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    ACCEPT     all  --  anywhere             anywhere            
    DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere            
    PUB_IN     all  --  anywhere             anywhere            
    PUB_IN     all  --  anywhere             anywhere            
    PUB_IN     all  --  anywhere             anywhere            
    PUB_IN     all  --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    PUB_OUT    all  --  anywhere             anywhere            
    PUB_OUT    all  --  anywhere             anywhere            
    PUB_OUT    all  --  anywhere             anywhere            
    PUB_OUT    all  --  anywhere             anywhere            
    
    Chain INT_IN (0 references)
    target     prot opt source               destination         
    ACCEPT     icmp --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    
    Chain INT_OUT (0 references)
    target     prot opt source               destination         
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain PAROLE (11 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain PUB_IN (4 references)
    target     prot opt source               destination         
    ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:hosts2-ns 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imap 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ndmp 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql 
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
    DROP       icmp --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    
    Chain PUB_OUT (4 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere    
    
    How can I rewrite them or improve them?
     
  2. till

    till Super Moderator

    They are not generated by ISPConfig, they are generated by the Bastille firewall. Bastille firewall is a well-known firewall script that is used to enhance Linux security and has been around for > 10 years. It's a very stable and well-known piece of software....

    http://www.linux.com/archive/feature/118353

    Some other rules might be from fail2ban. If you use fail2ban on the same system, you should configure it to use the route command instead of iptables. See the ISPConfig FAQ for details.
     
  3. vaio1

    vaio1 ISPConfig Developer

    So why did they tell me in the CentOS IRC chat that it is only trash?
     
  4. till

    till Super Moderator

    I guess you find many funny people in IRC. Or do you think that linux.com and many other well-known Linux sites and newspapers write articles about trash ;)
     
  5. vaio1

    vaio1 ISPConfig Developer

    Strange situation! :D ahahha
    Anyway, thanks
     
