vServer and Bastille Firewall

Discussion in 'ISPConfig 3 Priority Support' started by rgwilliams20, Aug 31, 2016.

  1. rgwilliams20

    rgwilliams20 New Member HowtoForge Supporter

    Hi,

    I am trying to setup a virtual machine, but....

    Although it has been created, I am able to enter it via SSH (vzctl enter 101) I cannot enter it using the IP address it has been assigned. Although, if I restart the server (which ispconfig is on) then I can access it very briefly after the server starts but this then stops.

    I assume this is an issue with the firewall, I have stopped iptables but I still cannot access it.
    IPTables below:

    Data from: 2016-08-31 18:45
    iptables -S (ipv4)
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -N INT_IN
    -N INT_OUT
    -N PAROLE
    -N PUB_IN
    -N PUB_OUT
    -A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -s 224.0.0.0/4 -j DROP
    -A INPUT -i eth+ -j PUB_IN
    -A INPUT -i ppp+ -j PUB_IN
    -A INPUT -i slip+ -j PUB_IN
    -A INPUT -i venet+ -j PUB_IN
    -A INPUT -i bond+ -j PUB_IN
    -A INPUT -j DROP
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -j DROP
    -A OUTPUT -o eth+ -j PUB_OUT
    -A OUTPUT -o ppp+ -j PUB_OUT
    -A OUTPUT -o slip+ -j PUB_OUT
    -A OUTPUT -o venet+ -j PUB_OUT
    -A OUTPUT -o bond+ -j PUB_OUT
    -A INT_IN -p icmp -j ACCEPT
    -A INT_IN -j DROP
    -A INT_OUT -p icmp -j ACCEPT
    -A INT_OUT -j ACCEPT
    -A PAROLE -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 53 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 110 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 143 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 443 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 816 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 993 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 995 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 3000 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 8080 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 8081 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 10000 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 40110:40210 -j PAROLE
    -A PUB_IN -p udp -m udp --dport 53 -j ACCEPT
    -A PUB_IN -p icmp -j DROP
    -A PUB_IN -j DROP
    -A PUB_OUT -j ACCEPT

    ip6tables -S (ipv6)
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT

    Not sure what else I can provide.

    Any suggestions / ideas ????

    Thank you
     
  2. rgwilliams20

    rgwilliams20 New Member HowtoForge Supporter

    I have now disabled the firewall:


    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    but still unable to access
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    So you run a firewall on the host as well? OpenVZ is a bit tricky when it comes to iptables, a firewall on the host can also block access to a container.
     

Share This Page