Problem on Bastille firewall with CentOS 6.0 and ispconfig 3.0.3.3

Discussion in 'Installation/Configuration' started by themark, Oct 17, 2011.

  1. themark

    themark Member

    Hi there,

    Today we have a strange problem with the Bastille firewall on CentOS 6.0 with ISPConfig 3.0.3.3.

    The firewall does not look like it is working, and if we try to change some setting on the firewall settings page of the ISPConfig control panel we receive the following errors:

    """""""""
    /sbin/bastille-ipchains: line 228: /sbin/ipchains: No such file or directory
    /sbin/bastille-ipchains: line 230: /sbin/ipchains: No such file or directory
    /sbin/bastille-ipchains: line 232: /sbin/ipchains: No such file or directory
    [...many more...]
    /sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
    /sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
    /sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
    /sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
    finished.
    """""""""

    We have followed your Perfect Server installation guide, but we think that ipchains is pretty old... so it is normal that it isn't installed on CentOS 6.0...

    Does someone have a hint on how we can solve this?
    Thank you.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The firewall tries to use ipchains as a fallback only if iptables is not installed on your server. Please post the output of:

    which iptables
     
  3. themark

    themark Member

    On this server iptables is installed:

    [~]# rpm -qa |grep iptables
    iptables-1.4.7-3.el6.x86_64
    iptables-devel-1.4.7-3.el6.x86_64
    iptables-ipv6-1.4.7-3.el6.x86_64

    [~]# which iptables
    /sbin/iptables
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    OK, that's good. Please post the output of:

    iptables -L

    and where exactly did you see the errors that you posted above?
     
  5. themark

    themark Member

    I love communicating good news :)

    The output is:

    """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
    [~]# /sbin/iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain PUB_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request

    Chain PUB_OUT (0 references)
    target prot opt source destination
    REJECT icmp -- anywhere anywhere icmp destination-unreachable reject-with icmp-port-unreachable
    REJECT icmp -- anywhere anywhere icmp time-exceeded reject-with icmp-port-unreachable
    ACCEPT all -- anywhere anywhere

    Chain fail2ban-SSH (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere
    """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

    The errors that we reported before appeared just after modifying some firewall rules, for example:

    - log into the control panel as admin;
    - add a port on the firewall;
    - save;
    - run the script /usr/local/ispconfig/server/server.sh manually;
    - the output of the script is what we reported before.

    Thank you
     
  6. themark

    themark Member

    OK, solved.

    The problem was that the Bastille startup script checks the installed kernel (with uname... etc.).

    It checks that the kernel is newer than 2.3... but the awk syntax used is OK only for kernels from 2.3 to 2.9.

    If you have (like me) a kernel newer than 2.9 (like the brand new 3.0 kernel...) the startup script does not start netfilter....

    Change the if statement in /etc/rc.d/init.d/bastille-firewall on row 85 or 86...:

    [FROM] if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then
    [TO] if [ -n "$(uname -r | awk -F. ' $1 == 3 {print}')" ]; then

    Next I had to save the configuration to sysconfig/iptables (on CentOS) with the command:

    /sbin/service iptables save

    just before the last case statement in this same script.

    Hope it's useful.. :)
     
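An added example, not code from the thread, from Bastille or from ISPConfig: the kernel check quoted in the post above, placed next to a replacement that compares the major and minor version numerically, so it also accepts 2.10+, 3.x and later kernels instead of only major version 2 or only major version 3. Both are run over a few constructed `uname -r` strings; the function names are my own.

```shell
#!/bin/sh
# Added example (not from Bastille, ISPConfig or the thread's posters).
# Function names are mine; the version strings below are constructed
# samples of what `uname -r` prints on various systems.

# The test as it appears in the bastille-firewall init script quoted in
# the thread. With -F. the fields are major ($1) and minor ($2). Only a
# major version of exactly 2 can ever match, so on a 3.0 kernel this
# returns false and the script skips the netfilter setup.
bastille_kernel_check_old() {
    [ -n "$(printf '%s\n' "$1" | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]
}

# Replacement: accept any major newer than 2, or major 2 with minor
# newer than 2 (i.e. kernel >= 2.3). Everything after the second dot
# (patch level, "-71.el6.x86_64") is ignored; a bare major ("3") gets an
# empty minor, which awk treats as 0, and 3.0 is still accepted via $1 > 2.
bastille_kernel_check_new() {
    [ -n "$(printf '%s\n' "$1" | awk -F. ' $1 > 2 || ($1 == 2 && $2 > 2) {print}')" ]
}

# Report the verdict of both checks for one version string, e.g.
# "3.0.0-1 old=skip new=ok", so the difference is visible side by side.
compare_checks() {
    old=skip
    new=skip
    bastille_kernel_check_old "$1" && old=ok
    bastille_kernel_check_new "$1" && new=ok
    printf '%s old=%s new=%s\n' "$1" "$old" "$new"
}

# Constructed sample versions, oldest to newest.
for v in 2.2.26 2.4.37 2.6.32-71.el6.x86_64 2.10.0 3.0.0-1 3.10.0-1160.el7 5.15.0-rc1 6.1.0
do
    compare_checks "$v"
done
```

Once the init script's check accepts the running kernel, the rules it loads still live only in the kernel; the `/sbin/service iptables save` step from the post writes them to the CentOS sysconfig file so they come back after a reboot.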
