Linux firewall prevented from starting.

Discussion in 'Installation/Configuration' started by jenjen, Dec 4, 2007.

  1. jenjen

    jenjen New Member

    Dear List members:
    This one has me scratching my head... FC6, ISPConfig 2.2.9, then just upgraded to 2.2.18. Pre-production box.
    Usually I turn off the firewall rules in ISPConfig and just run rules in IPtables, I can get a bit more technical this way, and I have this running on 4 other boxes this way. One of which is FC6 as well.
    Unfortunately, this new box, installed FC6, configured firewall, then installed ISPconfig, changed ISPconfig firewall service to off.
    Problem is, I should be blocking access to certain ports (like 81) from all IP addresses but 2. And my testing shows that this is not happening. I have also tested by blocking access to port 80, completely in IPtables, and this is not working as I can still get to my development websites.
    iptables -L returns:
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain RH-Firewall-1-INPUT (2 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT icmp -- anywhere anywhere icmp any
    ACCEPT esp -- anywhere anywhere
    ACCEPT ah -- anywhere anywhere
    ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
    ACCEPT udp -- anywhere anywhere udp dpt:ipp
    ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- 209.104.160.30 anywhere tcp multiport dports ndmp,ssh,mysql state NEW
    ACCEPT tcp -- xtreme-157-7.static.aci.on.ca anywhere tcp multiport dports ndmp,ssh,hosts2-ns,mysql state NEW
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


    Any help would be appreciated because this has got me stumped!!!
    Thank you in advance!
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Seems to be a problem with the built-in RedHat firewall... Is its configuration the same as on your other servers?
     
  3. jenjen

    jenjen New Member

    Thanks - checking firewall settings and testing today.

    Thanks for replying, your suggestion is the logical one I also came to... after I had posted. So I am currently changing the firewall settings to match, and then I will be testing. Will let you know how it turns out. Just can't seem to see where the problem is.
     
  4. jenjen

    jenjen New Member

    Still not working.

    Ongoing problem,
    Even after a holiday break... there has been no breakthrough. I have followed Falko's advice and configured the firewalls the same and I can still not limit access to a particular IP range.
    If possible, could I edit the firewall that ISPconfig uses manually?
    If so, where is it?
    Thanks again.
    Jenn
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The ISPConfig firewall is not meant for limiting IP ranges, it is just for opening and closing ports. I recommend that you deactivate the firewall in ISPConfig and install a firewall of your choice which supports IP ranges.
     
  6. jenjen

    jenjen New Member

    Solution to firewall problem.

    In the hopes that someone will find this useful at some point in the future, here is what solved this problem:

    There was one small rule in the output of IPTables that had me curious; on comparison with other machines with similar software and use, I could not find the line:
    ACCEPT all -- anywhere anywhere

    listed 2X
    when I looked in webmin, the ipchains had one extra line for:

    Accept If input interface is eth0

    On the other machines there was only one rule at the top:
    Accept If input interface is lo

    So I took out the rule for eth0, and voila! Lucky guess.
    In order to limit access to the server for administrative tasks, to only a few IP ranges, turn off the ISPConfig firewall and turn on the iptables firewall. This does of course mean that you must add rules manually for FTP or SMTP.
    Thank you for all of your good suggestions. It is much appreciated, keep up the good work!
     
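The misconfiguration Jenn found above, as an added example that is not part of the thread: a small Python checker over `iptables -L <chain> -v -n` style output. Plain `iptables -L` hides the input-interface column, which is why the lo rule and the eth0 rule looked identical in the post; with `-v` they can be told apart, and any blanket ACCEPT on a non-loopback interface can be reported together with the rules it makes unreachable. The sample chain, its packet counters and the numeric ports are constructed here.

```python
"""Find blanket ACCEPT rules that shadow everything after them in an iptables chain.
SAMPLE is constructed to mirror the thread's RH-Firewall-1-INPUT chain as
`iptables -L RH-Firewall-1-INPUT -v -n` prints it (counters invented), eth0 rule included."""
from dataclasses import dataclass

SAMPLE = """\
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 5000  400K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       209.104.160.30       0.0.0.0/0           multiport dports 10000,22,3306 state NEW
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

ANY = {"0.0.0.0/0", "::/0", "anywhere"}  # how -n and non -n output spell "any host"

@dataclass
class Rule:
    index: int    # 1-based position in the chain, as `iptables -L --line-numbers` shows it
    target: str
    proto: str
    in_if: str    # input interface column, only visible with -v
    source: str
    dest: str
    extra: str    # trailing match text: state, dpt:, multiport, reject-with ...

def parse_chain(text):
    """Parse `iptables -L <chain> -v -n` output; the Chain and column-header lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 9)
        if len(parts) < 9 or parts[0] in ("Chain", "pkts"):
            continue
        extra = parts[9].strip() if len(parts) > 9 else ""
        rules.append(Rule(len(rules) + 1, parts[2], parts[3], parts[5], parts[7], parts[8], extra))
    return rules

def blanket_accepts(rules):
    """Return (rule, shadowed_rules) pairs: an ACCEPT of every protocol from any host to any host
    with no further match makes all later rules unreachable on its interface; lo is the normal exception."""
    findings = []
    for i, r in enumerate(rules):
        if (r.target == "ACCEPT" and r.proto == "all" and not r.extra
                and r.source in ANY and r.dest in ANY and r.in_if != "lo"):
            findings.append((r, rules[i + 1:]))
    return findings
```

Running `blanket_accepts(parse_chain(SAMPLE))` reports rule 2 on eth0 and lists the four rules after it, including the final REJECT, as shadowed; on a healthy chain like the other machines in the post it returns an empty list.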