Dear List members: This one has me scratching my head... FC6, ISPConfig 2.2.9, then just upgraded to 2.2.18. Pre-production box. Usually I turn off the firewall rules in ISPConfig and just run rules in iptables; I can get a bit more technical this way, and I have this running on 4 other boxes this way, one of which is FC6 as well. Unfortunately, on this new box I installed FC6, configured the firewall, then installed ISPConfig and changed the ISPConfig firewall service to off. The problem is, I should be blocking access to certain ports (like 81) from all IP addresses but 2, and my testing shows that this is not happening. I have also tested by blocking access to port 80 completely in iptables, and this is not working, as I can still get to my development websites.

iptables -L returns:

Chain INPUT (policy ACCEPT)
target               prot opt source                          destination
RH-Firewall-1-INPUT  all  --  anywhere                        anywhere

Chain FORWARD (policy ACCEPT)
target               prot opt source                          destination
RH-Firewall-1-INPUT  all  --  anywhere                        anywhere

Chain OUTPUT (policy ACCEPT)
target               prot opt source                          destination

Chain RH-Firewall-1-INPUT (2 references)
target               prot opt source                          destination
ACCEPT               all  --  anywhere                        anywhere
ACCEPT               all  --  anywhere                        anywhere
ACCEPT               icmp --  anywhere                        anywhere        icmp any
ACCEPT               esp  --  anywhere                        anywhere
ACCEPT               ah   --  anywhere                        anywhere
ACCEPT               udp  --  anywhere                        224.0.0.251     udp dpt:mdns
ACCEPT               udp  --  anywhere                        anywhere        udp dpt:ipp
ACCEPT               tcp  --  anywhere                        anywhere        tcp dpt:ipp
ACCEPT               tcp  --  anywhere                        anywhere        tcp dpt:http
ACCEPT               all  --  anywhere                        anywhere        state RELATED,ESTABLISHED
ACCEPT               tcp  --  209.104.160.30                  anywhere        tcp multiport dports ndmp,ssh,mysql state NEW
ACCEPT               tcp  --  xtreme-157-7.static.aci.on.ca   anywhere        tcp multiport dports ndmp,ssh,hosts2-ns,mysql state NEW
REJECT               all  --  anywhere                        anywhere        reject-with icmp-host-prohibited

Any help would be appreciated because this has got me stumped!!! Thank you in advance!
Seems to be a problem with the built-in RedHat firewall... Is its configuration the same as on your other servers?
Thanks - checking firewall settings and testing today. Thanks for replying; your suggestion is the logical one I also came to.... after I had posted. So I am currently changing the firewall settings to match, and then I will be testing. Will let you know how it turns out. Just can't seem to see where the problem is.
Still not working. Ongoing problem, even after a holiday break... there has been no breakthrough. I have followed Falko's advice and configured the firewalls the same, and I can still not limit access to a particular IP range. If possible, could I edit the firewall that ISPConfig uses manually? If so, where is it? Thanks again. Jenn
The ISPConfig firewall is not meant for limiting IP ranges, it is just for opening and closing ports. I recommend that you deactivate the firewall in ISPConfig and install a firewall of your choice which supports IP ranges.
Solution to firewall problem. In the hopes that someone will find this useful at some point in the future, here is what solved this problem: there was one small rule in the output of iptables that had me curious. On comparison with other machines with similar software and use, I could not find the line

ACCEPT all -- anywhere anywhere

listed 2X. When I looked in webmin, the ipchains had one extra line for:

Accept if input interface is eth0

On the other machines there was only one rule at the top:

Accept if input interface is lo

So I took out the rule for eth0, and voila! Lucky guess. In order to limit access to the server for administrative tasks to only a few IP ranges, turn off the ISPConfig firewall and turn on the iptables firewall. This does of course mean that you must add rules manually for FTP or SMTP. Thank you for all of your good suggestions. It is much appreciated, keep up the good work!
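To show why that extra eth0 rule defeated the restrictions, here is an added example (not code from the thread, ISPConfig or iptables): a small Python first-match simulator over a simplified copy of the RH-Firewall-1-INPUT chain above. The rule order and the allowed admin address come from the thread; the chain is reduced to one admin host, and the probe addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Constructed stand-in for the thread's chain (not real iptables): a first-match
# walk over a simplified copy of its rules, enough to show the ordering problem.

@dataclass(frozen=True)
class Rule:
    target: str
    iface: Optional[str] = None            # -i IFACE; None = any interface
    proto: Optional[str] = None            # -p PROTO; None = any protocol
    src: str = "0.0.0.0/0"                 # -s CIDR
    dports: FrozenSet[int] = frozenset()   # --dports; empty = any port
    states: FrozenSet[str] = frozenset()   # -m state --state; empty = any

    def matches(self, pkt):
        return ((self.iface is None or pkt["iface"] == self.iface)
                and (self.proto is None or pkt["proto"] == self.proto)
                and ip_address(pkt["src"]) in ip_network(self.src)
                and (not self.dports or pkt["dport"] in self.dports)
                and (not self.states or pkt["state"] in self.states))

def verdict(chain, pkt, policy="ACCEPT"):
    """iptables semantics: the first matching rule decides, else the policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

ADMIN_HOST = "209.104.160.30/32"                # allowed admin IP from the thread
ADMIN_PORTS = frozenset({22, 81, 3306, 10000})  # ssh, hosts2-ns, mysql, ndmp

def build_chain(stray_eth0_accept):
    chain = [Rule("ACCEPT", iface="lo")]
    if stray_eth0_accept:
        # The extra rule the poster found: every packet arriving on eth0 is
        # accepted here, so the restrictions below are never consulted.
        chain.append(Rule("ACCEPT", iface="eth0"))
    chain += [
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
        Rule("ACCEPT", proto="tcp", dports=frozenset({80})),
        Rule("ACCEPT", proto="tcp", src=ADMIN_HOST, dports=ADMIN_PORTS,
             states=frozenset({"NEW"})),
        Rule("REJECT"),  # reject-with icmp-host-prohibited in the thread
    ]
    return chain

def check_new_tcp(src, dport, stray_eth0_accept):
    # Verdict for a fresh TCP connection to dport arriving on eth0 from src.
    pkt = {"iface": "eth0", "proto": "tcp", "src": src, "dport": dport, "state": "NEW"}
    return verdict(build_chain(stray_eth0_accept), pkt)
```

With the stray rule present, a constructed outside address reaches port 81; once it is removed, only the admin host does, while port 80 stays open to everyone as the http rule intends.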