SSL Cert Question for ISPConfig Access

Discussion in 'Installation/Configuration' started by giganet, Feb 12, 2008.

  1. giganet

    giganet New Member

    Hi Falko

    Thank you..

    I stopped Shorewall and attempted accessing ISPConfig without success.

    Regards
     
  2. falko

    falko Super Moderator

    What's the output of
    Code:
    iptables -L
    and
    Code:
    netstat -tap
    now?
     
  3. giganet

    giganet New Member

    Thank you Falko


The following values are with Shorewall started...

    Code:
    iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere
    eth0_in    0    --  anywhere             anywhere
    Reject     0    --  anywhere             anywhere
    LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:'
    reject     0    --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    eth0_fwd   0    --  anywhere             anywhere
    Reject     0    --  anywhere             anywhere
    LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:FORWARD:REJECT:'
    reject     0    --  anywhere             anywhere
    
    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere
    eth0_out   0    --  anywhere             anywhere
    Reject     0    --  anywhere             anywhere
    LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:OUTPUT:REJECT:'
    reject     0    --  anywhere             anywhere
    
    Chain Drop (2 references)
    target     prot opt source               destination
    reject     tcp  --  anywhere             anywhere            tcp dpt:auth
    dropBcast  0    --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
    dropInvalid  0    --  anywhere             anywhere
    DROP       udp  --  anywhere             anywhere            multiport dports loc-srv,microsoft-ds
    DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
    DROP       udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
    DROP       tcp  --  anywhere             anywhere            multiport dports loc-srv,netbios-ssn,microsoft-ds
    DROP       udp  --  anywhere             anywhere            udp dpt:1900
    dropNotSyn  tcp  --  anywhere             anywhere
    DROP       udp  --  anywhere             anywhere            udp spt:domain
    
    Chain Reject (4 references)
    target     prot opt source               destination
    reject     tcp  --  anywhere             anywhere            tcp dpt:auth
    dropBcast  0    --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
    dropInvalid  0    --  anywhere             anywhere
    reject     udp  --  anywhere             anywhere            multiport dports loc-srv,microsoft-ds
    reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
    reject     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
    reject     tcp  --  anywhere             anywhere            multiport dports loc-srv,netbios-ssn,microsoft-ds
    DROP       udp  --  anywhere             anywhere            udp dpt:1900
    dropNotSyn  tcp  --  anywhere             anywhere
    DROP       udp  --  anywhere             anywhere            udp spt:domain
    
    Chain all2all (0 references)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    Reject     0    --  anywhere             anywhere
    LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:all2all:REJECT:'
    reject     0    --  anywhere             anywhere
    
    Chain dropBcast (2 references)
    target     prot opt source               destination
    DROP       0    --  anywhere             anywhere            PKTTYPE = broadcast
    DROP       0    --  anywhere             anywhere            PKTTYPE = multicast
    
    Chain dropInvalid (2 references)
    target     prot opt source               destination
    DROP       0    --  anywhere             anywhere            state INVALID
    
    Chain dropNotSyn (2 references)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN
    
    Chain dynamic (2 references)
    target     prot opt source               destination
    
    Chain eth0_fwd (1 references)
    target     prot opt source               destination
    dynamic    0    --  anywhere             anywhere            state INVALID,NEW
    smurfs     0    --  anywhere             anywhere            state INVALID,NEW
    norfc1918  0    --  anywhere             anywhere            state NEW
    tcpflags   tcp  --  anywhere             anywhere
    
    Chain eth0_in (1 references)
    target     prot opt source               destination
    dynamic    0    --  anywhere             anywhere            state INVALID,NEW
    smurfs     0    --  anywhere             anywhere            state INVALID,NEW
    norfc1918  0    --  anywhere             anywhere            state NEW
    tcpflags   tcp  --  anywhere             anywhere
    net2fw     0    --  anywhere             anywhere
    
    Chain eth0_out (1 references)
    target     prot opt source               destination
    fw2net     0    --  anywhere             anywhere
    
    Chain fw2net (1 references)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere
    
    Chain logdrop (0 references)
    target     prot opt source               destination
    LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:logdrop:DROP:'
    DROP       0    --  anywhere             anywhere
    
    Chain logflags (5 references)
    target     prot opt source               destination
    LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:logflags:DROP:'
    DROP       0    --  anywhere             anywhere
    
    Chain logreject (0 references)
    target     prot opt source               destination
    LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:logreject:REJECT:'
    reject     0    --  anywhere             anywhere
    
    Chain net2all (0 references)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    Drop       0    --  anywhere             anywhere
    LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:net2all:DROP:'
    DROP       0    --  anywhere             anywhere
    
    Chain net2fw (1 references)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere
    ACCEPT     tcp  --  giganetwireless.net  anywhere            tcp dpt:www limit: avg 20/sec burst 24
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:telnet
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
    ACCEPT     tcp  --  65.197.209.0         anywhere            tcp dpt:69
    ACCEPT     udp  --  65.197.209.0         anywhere            udp dpt:tftp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www limit: avg 20/sec burst 24
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:81 limit: avg 20/sec burst 24
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:imap2
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:snmp
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:snmp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https limit: avg 20/sec burst 24
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 5/sec burst 8
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
    ACCEPT     tcp  --  65.197.209.0/24      anywhere            tcp dpt:54000
    ACCEPT     tcp  --  anywhere             anywhere            MAC 00:03:25:21:FA:23 tcp dpt:54000
    ACCEPT     tcp  --  anywhere             giganetwireless.net tcp dpt:www
    ACCEPT     tcp  --  anywhere             giganetwireless.net tcp dpt:https
    Drop       0    --  anywhere             anywhere
    LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:net2fw:DROP:'
    DROP       0    --  anywhere             anywhere
    
    Chain norfc1918 (2 references)
    target     prot opt source               destination
    rfc1918    0    --  172.16.0.0/12        anywhere
    rfc1918    0    --  anywhere             anywhere            ctorigdst 172.16.0.0/12
    rfc1918    0    --  192.168.0.0/16       anywhere
    rfc1918    0    --  anywhere             anywhere            ctorigdst 192.168.0.0/16
    rfc1918    0    --  10.0.0.0/8           anywhere
    rfc1918    0    --  anywhere             anywhere            ctorigdst 10.0.0.0/8
    
    Chain reject (11 references)
    target     prot opt source               destination
    DROP       0    --  anywhere             anywhere            PKTTYPE = broadcast
    DROP       0    --  anywhere             anywhere            PKTTYPE = multicast
    DROP       0    --  65.197.209.128       anywhere
    DROP       0    --  255.255.255.255      anywhere
    DROP       0    --  BASE-ADDRESS.MCAST.NET/4  anywhere
    REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
    REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
    REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable
    REJECT     0    --  anywhere             anywhere            reject-with icmp-host-prohibited
    
    Chain rfc1918 (6 references)
    target     prot opt source               destination
    LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:rfc1918:DROP:'
    DROP       0    --  anywhere             anywhere
    
    Chain shorewall (0 references)
    target     prot opt source               destination
    
    Chain smurfs (2 references)
    target     prot opt source               destination
    LOG        0    --  65.197.209.128       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
    DROP       0    --  65.197.209.128       anywhere
    LOG        0    --  255.255.255.255      anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
    DROP       0    --  255.255.255.255      anywhere
    LOG        0    --  BASE-ADDRESS.MCAST.NET/4  anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
    DROP       0    --  BASE-ADDRESS.MCAST.NET/4  anywhere
    
    Chain tcpflags (2 references)
    target     prot opt source               destination
    logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    logflags   tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
    logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
    logflags   tcp  --  anywhere             anywhere            tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
    
    Code:
    netstat -tap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     19507/mysqld
    tcp        0      0 *:54000                 *:*                     LISTEN     3458/sshd
    tcp        0      0 *:www                   *:*                     LISTEN     12605/apache2
    tcp        0      0 *:81                    *:*                     LISTEN     32013/ispconfig_htt
    tcp        0      0 *:ftp                   *:*                     LISTEN     4087/proftpd: (acce
    tcp        0      0 65.197.209.20:domain    *:*                     LISTEN     32313/named
    tcp        0      0 65.197.209.19:domain    *:*                     LISTEN     32313/named
    tcp        0      0 65.197.209.18:domain    *:*                     LISTEN     32313/named
    tcp        0      0 65.197.209.17:domain    *:*                     LISTEN     32313/named
    tcp        0      0 65.197.209.16:domain    *:*                     LISTEN     32313/named
    tcp        0      0 65.197.209.15:domain    *:*                     LISTEN     32313/named
    tcp        0      0 65.197.209.14:domain    *:*                     LISTEN     32313/named
    tcp        0      0 65.197.209.13:domain    *:*                     LISTEN     32313/named
    tcp        0      0 65.197.209.12:domain    *:*                     LISTEN     32313/named
    tcp        0      0 65.197.209.11:domain    *:*                     LISTEN     32313/named
    tcp        0      0 65.197.209.9:domain     *:*                     LISTEN     32313/named
    tcp        0      0 65.197.209.8:domain     *:*                     LISTEN     32313/named
    tcp        0      0 65.197.209.7:domain     *:*                     LISTEN     32313/named
    tcp        0      0 mail.webmail.gig:domain *:*                     LISTEN     32313/named
    tcp        0      0 mail.giganetwire:domain *:*                     LISTEN     32313/named
    tcp        0      0 giganetwireless.:domain *:*                     LISTEN     32313/named
    tcp        0      0 localhost.locald:domain *:*                     LISTEN     32313/named
    tcp        0      0 *:smtp                  *:*                     LISTEN     4002/master
    tcp        0      0 localhost.localdoma:953 *:*                     LISTEN     32313/named
    tcp        0      0 *:https                 *:*                     LISTEN     12605/apache2
    tcp        0      0 giganetwireless.n:54000 65.197.209.112:1048     ESTABLISHED2183/sshd: bender [
    tcp6       0      0 *:imaps                 *:*                     LISTEN     6845/couriertcpd
    tcp6       0      0 *:pop3s                 *:*                     LISTEN     6884/couriertcpd
    tcp6       0      0 *:pop3                  *:*                     LISTEN     6860/couriertcpd
    tcp6       0      0 *:imap2                 *:*                     LISTEN     6821/couriertcpd
    tcp6       0      0 *:smtp                  *:*                     LISTEN     4002/master
    tcp6       0      0 ip6-localhost:953       *:*                     LISTEN     32313/named
    
    Regards
     
  4. falko

    falko Super Moderator

    And with Shorewall switched off?
     
  5. giganet

    giganet New Member

    Thank you Falko...


    With Shorewall stopped the server returns the following values:

Code:
iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Code:
netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     19507/mysqld
tcp        0      0 *:54000                 *:*                     LISTEN     3458/sshd
tcp        0      0 *:www                   *:*                     LISTEN     12605/apache2
tcp        0      0 *:81                    *:*                     LISTEN     32013/ispconfig_htt
tcp        0      0 *:ftp                   *:*                     LISTEN     5952/proftpd: (acce
tcp        0      0 65.197.209.20:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.19:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.18:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.17:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.16:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.15:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.14:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.13:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.12:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.11:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.9:domain     *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.8:domain     *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.7:domain     *:*                     LISTEN     32313/named
tcp        0      0 mail.webmail.gig:domain *:*                     LISTEN     32313/named
tcp        0      0 mail.giganetwire:domain *:*                     LISTEN     32313/named
tcp        0      0 giganetwireless.:domain *:*                     LISTEN     32313/named
tcp        0      0 localhost.locald:domain *:*                     LISTEN     32313/named
tcp        0      0 *:smtp                  *:*                     LISTEN     5913/master
tcp        0      0 localhost.localdoma:953 *:*                     LISTEN     32313/named
tcp        0      0 *:https                 *:*                     LISTEN     12605/apache2
tcp        0      0 giganetwireless.n:54000 65.197.209.112:3956     ESTABLISHED22438/sshd: bender
tcp6       0      0 *:imaps                 *:*                     LISTEN     6845/couriertcpd
tcp6       0      0 *:pop3s                 *:*                     LISTEN     6884/couriertcpd
tcp6       0      0 *:pop3                  *:*                     LISTEN     6860/couriertcpd
tcp6       0      0 *:imap2                 *:*                     LISTEN     6821/couriertcpd
tcp6       0      0 *:smtp                  *:*                     LISTEN     5913/master
tcp6       0      0 ip6-localhost:953       *:*                     LISTEN     32313/named

    Regards
     
  6. falko

    falko Super Moderator

This means that there are still some active firewall rules. Are you maybe using an additional firewall that interferes with Shorewall?
     
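The two `iptables -L` listings in this thread (the one posted with Shorewall running, and the one posted after `shorewall stop`) are what Falko is reading when he concludes that rules are still active. The following is an added example, not code from the thread or from Shorewall or ISPConfig: a small parser for the `iptables -L` listing format, plus three audit checks a defender would want when comparing such listings: which TCP ports a given chain accepts (here `net2fw`, the chain that carries the `dpt:81` rule for the ISPConfig interface), which built-in chains still carry rules or a non-ACCEPT policy after the firewall was supposedly stopped, and which chains contain an ACCEPT rule that shows no match condition at all. The sample listings are constructed from the output posted above, trimmed to a few chains; the function names are my own.

```python
"""Parse `iptables -L` listings and audit them (added example, not from the thread)."""
import re
from collections import OrderedDict

# Constructed sample: excerpt of the listing posted with Shorewall running.
SHOREWALL_RUNNING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
eth0_in    0    --  anywhere             anywhere
Reject     0    --  anywhere             anywhere
LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:'
reject     0    --  anywhere             anywhere

Chain eth0_in (1 references)
target     prot opt source               destination
net2fw     0    --  anywhere             anywhere

Chain net2fw (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:81 limit: avg 20/sec burst 24
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https limit: avg 20/sec burst 24
ACCEPT     tcp  --  65.197.209.0/24      anywhere            tcp dpt:54000
Drop       0    --  anywhere             anywhere
LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:net2fw:DROP:'
DROP       0    --  anywhere             anywhere
"""

# Constructed sample: the listing posted after `shorewall stop`.
SHOREWALL_STOPPED = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Built-in chains carry "(policy X)", user chains "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)$")


def parse_listing(text):
    """Return {chain: {"policy": str|None, "rules": [dict]}} from `iptables -L` output."""
    chains = OrderedDict()
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue
        # Columns: target prot opt source destination [match text...]
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        chains[current]["rules"].append({
            "target": parts[0], "prot": parts[1],
            "src": parts[3], "dst": parts[4],
            "extra": parts[5] if len(parts) > 5 else "",
        })
    return chains


def accepted_tcp_ports(chains, chain="net2fw"):
    """(port, source) pairs that `chain` ACCEPTs over TCP by destination port."""
    ports = []
    for r in chains.get(chain, {"rules": []})["rules"]:
        m = re.search(r"tcp dpt:(\S+)", r["extra"])
        if r["target"] == "ACCEPT" and r["prot"] == "tcp" and m:
            ports.append((m.group(1), r["src"]))
    return ports


def residual_rules(chains):
    """Built-in chains that still carry rules or a non-ACCEPT policy.

    A fully stopped firewall leaves INPUT/FORWARD/OUTPUT with policy ACCEPT and
    no rules; anything else means some other mechanism loaded rules."""
    findings = {}
    for name in ("INPUT", "FORWARD", "OUTPUT"):
        c = chains.get(name)
        if c is not None and (c["policy"] != "ACCEPT" or c["rules"]):
            findings[name] = {"policy": c["policy"], "rule_count": len(c["rules"])}
    return findings


def apparently_unconditional_accepts(chains):
    """Chains with an ACCEPT rule that shows no match condition in `iptables -L`."""
    return [name for name, c in chains.items()
            if any(r["target"] == "ACCEPT" and r["prot"] in ("0", "all")
                   and r["src"] == "anywhere" and r["dst"] == "anywhere"
                   and not r["extra"] for r in c["rules"])]


if __name__ == "__main__":
    for label, text in (("running", SHOREWALL_RUNNING), ("stopped", SHOREWALL_STOPPED)):
        chains = parse_listing(text)
        print(label, "residual:", residual_rules(chains),
              "open-looking ACCEPTs:", apparently_unconditional_accepts(chains))
    print("net2fw TCP accepts:", accepted_tcp_ports(parse_listing(SHOREWALL_RUNNING)))
```

On the "stopped" listing, `residual_rules` reports INPUT (policy DROP, two rules) and FORWARD (policy DROP, one rule), which is exactly the evidence that something other than Shorewall is loading rules. The third check is deliberately named "apparently" unconditional: `iptables -L` without `-v` omits interface matches, so an `ACCEPT 0 -- anywhere anywhere` line is very often a `-i lo` loopback rule rather than an allow-all. Treat that finding as a prompt to look at `iptables -L -v` or `iptables-save`, not as a verdict that the DROP policy is bypassed.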
  7. giganet

    giganet New Member

    Thank you Falko...

    Hmm, I have only Shorewall on the server itself.
My DS1 routers have firewall rules within them that specifically allow :81 to each respective server's IP.

    In /etc/network/interfaces I have the following lines:
    Code:
    pre-up iptables-restore < /etc/iptables.up.rules
    post-down iptables-save > /etc/iptables.up.rules
    Regards
     
  8. falko

    falko Super Moderator

    That might be the problem. Comment out these lines and restart the network.
     
  9. giganet

    giganet New Member

    Thank you Falko


    I commented out the two lines:
    Code:
    pre-up iptables-restore < /etc/iptables.up.rules
    post-down iptables-save > /etc/iptables.up.rules
    then I issued /etc/init.d/networking restart.

After that I stopped Shorewall, then issued iptables -L, and the server still returns the following:
    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     0    --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Regards
     
  10. falko

    falko Super Moderator

    Please try this:
    Code:
    update-rc.d -f shorewall remove
    Then reboot the system.
     
  11. giganet

    giganet New Member

    Thank you Falko

    I have a question of ignorance here; the command
    Code:
    update-rc.d -f shorewall remove
    isn't going to remove Shorewall is it?


    Thank you

    Regards
     
  12. falko

    falko Super Moderator

    No, it just removes the startup links for Shorewall so that Shorewall isn't started automatically when the system boots.
     
  13. giganet

    giganet New Member

    Thank you, Thank you, Thank you Falko

    Thank you, Thank you, Thank you Falko...

    I am sorry for the huge delay in replying to you, I just today had time to try your last suggestion out.

    That did it!

I appreciate your stick-to-it-iveness attitude and I sincerely appreciate all the help you have provided me with.


    Regards
     
  14. kextra1

    kextra1 ISPConfig Developer

    Firewall problem

    Hehe, yeah it was a firewall problem. Falko's on top of his game! Helped me out more than once.

I'm self educated on this stuff but out of curiosity....where'd u go to school falko?
     