ISPconfig firewall blocking outgoing connections

Discussion in 'General' started by aglenday, Jul 30, 2009.

  1. aglenday

    aglenday New Member

    Hey guys, I've been looking at the forums and I've seen a few people with the same problem, and the same thing keeps coming up: it's not an ISPconfig problem but a DNS problem. The problem, as I'm experiencing it, is that I can resolve DNS queries, I can ping outside and do RBL lookups, but anything that requires an actual connection, i.e. FTP from the server or browsing (using lynx), won't work. I suspect that the high-numbered ports that the outgoing connection would latch on to are closed by ISPconfig's bastille firewall. Has anyone else experienced this or has an idea of a solution?

    I'm using Centos 5.3 on a VPS using VMware.

    Ashley
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Does it work if you switch off the ISPConfig firewall?
     
  3. aglenday

    aglenday New Member

    Yes, it all works perfectly with no firewall. I'm also using fail2ban, but other than that I haven't added any iptables rules other than those the VPS operator has.

    Ashley
     
  4. falko

    falko Super Moderator ISPConfig Developer

    That's strange, because the firewall should block only incoming connections. What's the output of
    Code:
    iptables -L
    when the firewall is on?
     
  5. aglenday

    aglenday New Member

    Falko,

    The output is:
    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP tcp -- anywhere 127.0.0.0/8
    DROP all -f anywhere anywhere
    ACCEPT all -- anywhere anywhere
    DROP all -- 224.0.0.0/4 anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    DROP all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain PAROLE (9 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain PUB_IN (4 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp
    PAROLE tcp -- anywhere anywhere tcp dpt:ssh
    PAROLE tcp -- anywhere anywhere tcp dpt:smtp
    PAROLE tcp -- anywhere anywhere tcp dpt:domain
    PAROLE tcp -- anywhere anywhere tcp dpt:http
    PAROLE tcp -- anywhere anywhere tcp dpt:hosts2-ns
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3
    PAROLE tcp -- anywhere anywhere tcp dpt:imap
    PAROLE tcp -- anywhere anywhere tcp dpt:https
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    DROP icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain PUB_OUT (4 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain fail2ban-BadBots (0 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-ProFTPD (0 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-SSH (0 references)
    target prot opt source destination
    DROP all -- 202.109.242.18 anywhere
    DROP all -- 122.129.245.231 anywhere
    DROP all -- host9.abaks.pl anywhere
    DROP all -- 61.152.175.61 anywhere
    RETURN all -- anywhere anywhere

    Chain fail2ban-sasl (0 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Ashley
     
  6. falko

    falko Super Moderator ISPConfig Developer

    What happens when you switch off fail2ban?
     
  7. aglenday

    aglenday New Member

    Turning off fail2ban doesn't change anything, it still won't talk to the outside world.

    In case it helps, with fail2ban off, here is the output of /etc/init.d/bastille-firewall status:

    Chain INPUT (policy DROP 1 packets, 92 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP tcp -- !lo * 0.0.0.0/0 127.0.0.0/8
    316 140K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
    240 26190 PUB_IN all -- eth+ * 0.0.0.0/0 0.0.0.0/0
    0 0 PUB_IN all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 PUB_IN all -- slip+ * 0.0.0.0/0 0.0.0.0/0
    0 0 PUB_IN all -- venet+ * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 316 packets, 140K bytes)
    pkts bytes target prot opt in out source destination
    208 67955 PUB_OUT all -- * eth+ 0.0.0.0/0 0.0.0.0/0
    0 0 PUB_OUT all -- * ppp+ 0.0.0.0/0 0.0.0.0/0
    0 0 PUB_OUT all -- * slip+ 0.0.0.0/0 0.0.0.0/0
    0 0 PUB_OUT all -- * venet+ 0.0.0.0/0 0.0.0.0/0

    Chain INT_IN (0 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain INT_OUT (0 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain PAROLE (10 references)
    pkts bytes target prot opt in out source destination
    225 23620 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain PUB_IN (4 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
    0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
    172 13484 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
    0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    53 10136 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
    0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
    0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
    0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:953
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:993
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:995
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:953
    0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
    15 2570 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain PUB_OUT (4 references)
    pkts bytes target prot opt in out source destination
    208 67955 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

    and iptables -L

    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP tcp -- anywhere 127.0.0.0/8
    ACCEPT all -- anywhere anywhere
    DROP all -- 224.0.0.0/4 anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    DROP all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain PAROLE (10 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain PUB_IN (4 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp
    PAROLE tcp -- anywhere anywhere tcp dpt:ssh
    PAROLE tcp -- anywhere anywhere tcp dpt:smtp
    PAROLE tcp -- anywhere anywhere tcp dpt:domain
    PAROLE tcp -- anywhere anywhere tcp dpt:http
    PAROLE tcp -- anywhere anywhere tcp dpt:hosts2-ns
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3
    PAROLE tcp -- anywhere anywhere tcp dpt:imap
    PAROLE tcp -- anywhere anywhere tcp dpt:https
    PAROLE tcp -- anywhere anywhere tcp dpt:rndc
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT udp -- anywhere anywhere udp dpt:imaps
    ACCEPT udp -- anywhere anywhere udp dpt:pop3s
    ACCEPT udp -- anywhere anywhere udp dpt:rndc
    DROP icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain PUB_OUT (4 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
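    Added example, not part of the thread: a small audit script for the kind of `iptables -L -v -n` listing posted above. The point it checks is the one a reviewer of these tables would raise: every rule reachable from INPUT matches on destination port or ICMP type, none matches connection state, and the default is DROP, so reply packets for connections the server itself opens (the FTP and lynx sessions Ashley describes) are dropped, while ping keeps working because echo-reply is accepted explicitly. The `POSTED` listing is a trimmed copy of the bastille-firewall output from this thread; the `HARDENED` variant adds one constructed `state RELATED,ESTABLISHED` rule to show what the check looks for. Function names and the output format are the editor's, not ISPConfig's or Bastille's.

```python
"""Audit an `iptables -L -v -n` listing for a stateful accept on the INPUT path.

Editor's example.  POSTED is trimmed from the bastille-firewall status output
posted in this thread; HARDENED is the same listing with one constructed
state-match rule inserted before the final DROP of PUB_IN.
"""
import re
from collections import deque

POSTED = """\
Chain INPUT (policy DROP 1 packets, 92 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DROP   tcp  -- !lo  *  0.0.0.0/0  127.0.0.0/8
  316  140K ACCEPT all  -- lo   *  0.0.0.0/0  0.0.0.0/0
    0     0 DROP   all  -- *    *  224.0.0.0/4  0.0.0.0/0
  240 26190 PUB_IN all  -- eth+ *  0.0.0.0/0  0.0.0.0/0
    0     0 DROP   all  -- *    *  0.0.0.0/0  0.0.0.0/0

Chain PAROLE (10 references)
 pkts bytes target prot opt in out source destination
  225 23620 ACCEPT all  -- *    *  0.0.0.0/0  0.0.0.0/0

Chain PUB_IN (4 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT icmp -- *    *  0.0.0.0/0  0.0.0.0/0  icmp type 0
  172 13484 PAROLE tcp  -- *    *  0.0.0.0/0  0.0.0.0/0  tcp dpt:22
    0     0 PAROLE tcp  -- *    *  0.0.0.0/0  0.0.0.0/0  tcp dpt:80
    0     0 ACCEPT udp  -- *    *  0.0.0.0/0  0.0.0.0/0  udp dpt:53
   15  2570 DROP   all  -- *    *  0.0.0.0/0  0.0.0.0/0
"""

# Constructed rule (not in the thread): accept replies to connections we opened.
STATE_RULE = "  999  123K ACCEPT all  -- *    *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED"
HARDENED = "\n".join(
    STATE_RULE + "\n" + line if "2570 DROP" in line else line
    for line in POSTED.splitlines()
) + "\n"

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
STATE_RE = re.compile(r"\b(?:ct)?state\b[^\n]*\bESTABLISHED\b")
DPORT_RE = re.compile(r"\btcp dpt:(\d+)\b")


def parse_chains(listing):
    """Return {chain: {"policy": str|None, "rules": [(target, prot, extra), ...]}}."""
    chains, current = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        fields = line.split()
        if current is None or fields[0] == "pkts":
            continue  # column header line
        # -v -n columns: pkts bytes target prot opt in out source destination [match ...]
        target, prot, extra = fields[2], fields[3], " ".join(fields[9:])
        chains[current]["rules"].append((target, prot, extra))
    return chains


def reachable_from(chains, start="INPUT"):
    """Chains a packet entering `start` can be handed to (jump targets, transitively)."""
    seen, queue = set(), deque([start])
    while queue:
        name = queue.popleft()
        if name in seen or name not in chains:
            continue
        seen.add(name)
        queue.extend(t for t, _, _ in chains[name]["rules"] if t in chains)
    return seen


def accepts_everything(chains, target):
    """ACCEPT itself, or a user chain whose first rule is an unconditional ACCEPT (PAROLE here)."""
    if target == "ACCEPT":
        return True
    rules = chains.get(target, {}).get("rules", [])
    return bool(rules) and rules[0] == ("ACCEPT", "all", "")


def audit(listing):
    chains = parse_chains(listing)
    reach = reachable_from(chains)
    stateful, ports = False, set()
    for name in reach:
        for target, prot, extra in chains[name]["rules"]:
            if target == "ACCEPT" and STATE_RE.search(extra):
                stateful = True  # replies to outbound connections are let back in
            m = DPORT_RE.search(extra)
            if m and accepts_everything(chains, target):
                ports.add(int(m.group(1)))  # new inbound TCP connections allowed here
    return {"input_policy": chains.get("INPUT", {}).get("policy"),
            "reachable": reach, "stateful_accept": stateful, "open_tcp_ports": ports}


def explain(result):
    lines = [f"INPUT policy: {result['input_policy']}",
             f"chains reachable from INPUT: {sorted(result['reachable'])}",
             f"TCP ports open to new inbound connections: {sorted(result['open_tcp_ports'])}"]
    if result["stateful_accept"]:
        lines.append("OK: an ACCEPT rule matches RELATED,ESTABLISHED; replies to outgoing connections get in.")
    else:
        lines.append("FINDING: no RELATED,ESTABLISHED accept on the INPUT path. With a DROP default, "
                     "reply packets for connections this host opens (FTP, HTTP) are dropped.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(audit(POSTED)))
    print()
    print(explain(audit(HARDENED)))
```

    Run against the posted tables the script reports the missing state rule; run against the hardened copy it passes. The parser only understands the `-v -n` column layout (with `pkts`/`bytes` leading each rule), which is the format of the bastille-firewall status output above, not of the plain `iptables -L` listing.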
     