ispconfig3 firewall ?

Discussion in 'Installation/Configuration' started by rlischer, Aug 11, 2009.

  1. rlischer

    rlischer Member HowtoForge Supporter

    Does ISPConfig 3 use iptables for its firewall? I made some changes and added a port in ISPConfig 3 system/firewall and clicked save. Then I restarted iptables and looked at the status and I do not see the ports I added.

    Thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig uses the bastille-firewall script, which uses iptables. If you make a change in ISPConfig, it takes a minute until it gets applied, and do not manually restart iptables, as iptables will lose its settings if you restart it manually without using the bastille-firewall script.
     
  3. rlischer

    rlischer Member HowtoForge Supporter

    Is there somewhere I can look to verify that bastille is working and see what ports are open/closed other than in ISPConfig 3?

    Thanks
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    As with any Linux firewall, run:

    iptables -L
     
  5. rlischer

    rlischer Member HowtoForge Supporter

    With iptables running I can't see my websites, and from what I see here port 80 is open. Perhaps the port for DNS is not?

    Code:
    [root@server ~]# service iptables status
    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination
    1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination
    
    Chain RH-Firewall-1-INPUT (2 references)
    num  target     prot opt source               destination
    1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
    3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
    4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
    5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
    6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
    7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
    8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080
    10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
    11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:23
    13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
    16   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
    17   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137
    18   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138
    19   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:139
    20   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445
    21   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2049
    22   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    
    

    here is iptables -L

    Code:
    
    [root@server ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain RH-Firewall-1-INPUT (2 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp any
    ACCEPT     esp  --  anywhere             anywhere
    ACCEPT     ah   --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
    ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
    ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
    
    
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The firewall you are running is not from ISPConfig. Make sure that the ISPConfig firewall is disabled if you use another firewall.
     
  7. rlischer

    rlischer Member HowtoForge Supporter

    OK, thanks. Someone told me I had to have iptables running in order for fail2ban to work. I will shut down iptables.
     
  8. QuetzalFirst

    QuetzalFirst Member HowtoForge Supporter

    Hi Till,
    I'm unable to open port 445 (for direct Samba).
    A port scan says that 445 is closed!
    Can you help?
    Thank you
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Check with:

    iptables -L

    if port 445 is open or closed in the firewall, and check with:

    netstat -ntap

    if Samba is listening on that port. When Samba is not listening or not started, then a port scan will report the port as closed too, so this does not have to be a firewall issue.
     
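The two checks above (firewall verdict versus a listening socket) can be combined into one diagnosis. The script below is an added example written for this thread; it is not part of ISPConfig or bastille-firewall. It runs on constructed copies of `iptables -L RH-Firewall-1-INPUT -n -v` and `netstat -ntl` output (the SAMPLE_* variables, function names and port set are all assumptions made here), so it executes offline; on a live server you would replace the samples with the real command output.

```sh
#!/bin/sh
# Added example (not from the thread): decide whether a TCP port looks "closed"
# because the firewall rejects it, because nothing is listening, or both.
# It walks a constructed copy of `iptables -L <chain> -n -v` output and a
# constructed copy of `netstat -ntl` output.

# Constructed sample of `iptables -L RH-Firewall-1-INPUT -n -v`.
# -n keeps ports numeric (no "microsoft-ds" vs 445 guessing), -v shows the
# in/out interface columns, which reveal that the first "ACCEPT all" rule only
# matches loopback traffic.
SAMPLE_RULES='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   10   800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   40  3200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    5   300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    7   420 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Constructed sample of `netstat -ntl` (listening TCP sockets only).
SAMPLE_LISTEN='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN'

# fw_verdict PORT: print the target (ACCEPT/REJECT/DROP) of the first rule a
# NEW inbound TCP connection to PORT from a remote host would hit, or NOMATCH
# if the chain falls through (control then returns to the calling chain).
fw_verdict() {
    printf '%s\n' "$SAMPLE_RULES" | awk -v p="$1" '
        $3 ~ /^(ACCEPT|REJECT|DROP)$/ {
            if ($6 == "lo") next                       # loopback-only rule: irrelevant to remote clients
            if ($0 ~ /RELATED,ESTABLISHED/) next        # conntrack rule: never admits a NEW connection
            if ($4 != "tcp" && $4 != "all") next        # udp/icmp/esp/ah rules do not apply to TCP
            if ($0 ~ /dpt:/ && $0 !~ ("dpt:" p "( |$)")) next   # port-specific rule for another port
            print $3; done = 1; exit                    # first match wins, as in iptables itself
        }
        END { if (!done) print "NOMATCH" }'
}

# listening PORT: print yes if some TCP socket is in LISTEN state on PORT.
listening() {
    printf '%s\n' "$SAMPLE_LISTEN" | awk -v p="$1" '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, ":")                      # last field after ":" is the port
            if (a[n] == p) found = 1
        }
        END { print (found ? "yes" : "no") }'
}

# port_status PORT: combine both checks into one diagnosis.
port_status() {
    verdict=$(fw_verdict "$1")
    if [ "$(listening "$1")" = yes ]; then
        if [ "$verdict" = ACCEPT ]; then echo open; else echo filtered-by-firewall; fi
    else
        if [ "$verdict" = ACCEPT ]; then echo not-listening; else echo not-listening-and-filtered; fi
    fi
}

# Usage: sh portcheck.sh 22 80 443 445 3306
for p in "$@"; do
    printf '%s/tcp: %s (firewall: %s)\n' "$p" "$(port_status "$p")" "$(fw_verdict "$p")"
done
```

With the constructed samples, 22 reports `open`, 445 reports `filtered-by-firewall` (Samba listening, but only the catch-all REJECT matches), 443 reports `not-listening` (accepted by the firewall, nothing bound), and 3306 reports `not-listening-and-filtered`. Two details matter on a real box: `iptables -L` without `-v` hides the interface column, so the `ACCEPT all anywhere anywhere` line at the top of the chain posted earlier in this thread is typically the loopback rule rather than a rule that admits everything, and `-n` prints `445` instead of `microsoft-ds`, which removes the service-name guessing.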
  10. QuetzalFirst

    QuetzalFirst Member HowtoForge Supporter

    Here is my iptables -L

    I think that tcp dpt:microsoft-ds is 445? Right?

    When I start Samba, it listens on 137,138,139,445; it answers smbclient -L //serverIP when I'm on the Samba server but answers
    Connection failed (Error NT_STATUS_HOST_UNREACHABLE)
    on any other machine.
    When I guest with a Windows Server 2008 machine, the server tells me that
    Thanks
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Maybe you have an external firewall in front of the server?
     
  12. florian030

    florian030 ISPConfig Developer ISPConfig Developer
