Hi, I have ISPConfig 2.2.40 on a VPS running CentOS 5.6 x86. Since I did an ISPConfig upgrade about a month ago I noticed I could not send emails. Since then I have tried to see what the problem was, and stopping the firewall allows all kinds of nslookup, lynx and email to work fine. Once iptables comes up ... all of that stops. After many attempts to reconfigure iptables I have managed to at least get outbound DNS resolution. But so far I cannot get any outbound HTTP, so yum only works with iptables disabled. I have also changed the OUTPUT chain default policy to ACCEPT in order not to have problems with outbound connections, to no avail. The iptables rules are as follows:

Code:
/sbin/iptables -L -v -n --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3       88 11318 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
5       60  9214 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53
6        0     0 PUB_IN     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0
7        0     0 PUB_IN     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
8        0     0 PUB_IN     all  --  slip+  *       0.0.0.0/0            0.0.0.0/0
9     1064  119K PUB_IN     all  --  venet+ *       0.0.0.0/0            0.0.0.0/0
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
11       0     0 ACCEPT     udp  --  venet+ *       0.0.0.0/0            0.0.0.0/0           udp spt:53

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 769 packets, 202K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain PUB_IN (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
4        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
6      532 42544 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
7       24  3817 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
8        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
9       49  6175 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
10      26  3268 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:81
11       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110
12       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143
13       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
14       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:225
15       2   123 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
16       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:43
17       0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
18     431 62928 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Does anyone have the same problem? Does anyone have a solution? Regards.
Hi, can anyone post here a _working_ set of ISPConfig 2.2.40 iptables rules, that is, the listing of:

Code:
/sbin/iptables -L -v -n --line-numbers

Regards.
Hi, looking at the rules there was an obvious problem ... the INPUT chain did not allow for outgoing port 80 traffic. So I added:

Code:
/sbin/iptables -I INPUT 6 -p tcp --sport 80 -j ACCEPT

And now I have full outgoing HTTP. Regards.
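The fix in the post above accepts any inbound TCP packet whose source port is 80, which is something every remote host controls; the rule that normally lets replies to outbound HTTP back in is the RELATED,ESTABLISHED rule that is already at position 2 of the poster's INPUT chain. The following script is an added example and not part of the thread: it reads an `iptables -L -v -n --line-numbers` listing and reports every ACCEPT rule that matches on a source port alone, so such rules can be reviewed before a ruleset is deployed. The sample listing is constructed to resemble the thread's INPUT chain after the `--sport 80` rule was inserted; function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): lint an `iptables -L -v -n --line-numbers`
# listing for ACCEPT rules whose only match is a source port (spt:NN).
# Any remote host can choose its source port, so these rules admit unsolicited
# traffic; reply packets should be admitted by a RELATED,ESTABLISHED rule instead.

# Constructed sample listing, modelled on the poster's INPUT chain with the
# "-I INPUT 6 -p tcp --sport 80 -j ACCEPT" rule added (assumed layout).
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3       88 11318 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
5       60  9214 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:80
7        0     0 PUB_IN     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       49  6175 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
2      431 62928 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

# Read a listing on stdin and print "CHAIN RULENUM PROTO SPORT" for every
# ACCEPT rule that matches a source port but neither a destination port nor
# a connection state.  Columns: num pkts bytes target prot opt in out src dst ...
find_sport_only_accepts() {
    awk '
        /^Chain / { chain = $2; next }
        $1 == "num" { next }
        $4 == "ACCEPT" && /spt:/ && !/dpt:/ && !/state / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^spt:/) { split($i, p, ":"); print chain, $1, $5, p[2] }
        }
    '
}

# Number of such rules in the sample listing (useful as a deploy gate:
# a non-zero count means the ruleset deserves a second look).
count_sport_only_accepts() {
    printf '%s' "$SAMPLE_LISTING" | find_sport_only_accepts | wc -l | tr -d ' '
}

# Run against the embedded sample when invoked with --run; pipe a real
# listing into find_sport_only_accepts to audit a live host.
if [ "${1:-}" = "--run" ]; then
    printf '%s' "$SAMPLE_LISTING" | find_sport_only_accepts
fi
```

On the sample above the script reports INPUT rules 5 and 6 (udp spt:53 and tcp spt:80). Since the poster's chain already has the RELATED,ESTABLISHED rule at position 2, it is worth finding out why that rule did not admit the DNS and HTTP replies on this VPS (for instance whether the kernel's connection tracking is available in the container) before widening the INPUT chain with source-port rules.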
With IPTables rules, order matters. The rules are added, and applied, in order. Moreover, when adding rules manually they get applied immediately. Thus, in your example, any packets going through the INPUT and OUTPUT chains start getting dropped as soon as the default policy is set. This is also, incidentally, why you received the error message you did. What is happening is this:

1. The default DROP policy gets applied
2. IPTables receives a hostname as a destination
3. IPTables attempts a DNS lookup on 'serverfault.com'
4. The DNS lookup is blocked by the DROP action
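The ordering trap described above (a DROP policy that is live before the RELATED,ESTABLISHED rule exists, and a listing that stalls on DNS lookups) is avoided by loading the whole filter table in one commit with `iptables-restore` and by listing with `-n`. The script below is an added example, not something from the thread or from ISPConfig: it generates an `iptables-restore` ruleset in which the chain policies sit in the table header and the loopback and state rules come before any service rule, and it checks that order before the file is loaded. The interface name, service ports and function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a filter-table ruleset in
# iptables-restore format so that policies, the state rule and the service
# rules are applied atomically rather than one "iptables -A/-P" at a time.
# Applying them one by one leaves a window in which "-P INPUT DROP" is live
# before the RELATED,ESTABLISHED rule exists.

# Constructed inputs: the public interface and the TCP services to expose.
PUB_IF="venet0"
TCP_SERVICES="22 25 80 443"

# Emit the ruleset on stdout.  Order inside INPUT: loopback and
# RELATED,ESTABLISHED first, then the explicitly allowed services, then a
# logged final DROP.  The chain policies live in the *filter header, so
# iptables-restore applies everything in a single commit.
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP'
    for port in $TCP_SERVICES; do
        printf '%s\n' "-A INPUT -i $PUB_IF -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    printf '%s\n' '-A INPUT -j LOG --log-prefix "IPT-DROP: " --log-level 4'
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# 1-based line number of the first rule matching PATTERN, or 0 if absent.
rule_line() {
    n=$(build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    printf '%s\n' "${n:-0}"
}

# Ordering check: the state rule must precede the first service rule, and
# the final DROP must come last.  Exit status 0 when the order is right.
check_order() {
    est=$(rule_line 'RELATED,ESTABLISHED')
    svc=$(rule_line '--dport')
    drop=$(rule_line '^-A INPUT -j DROP')
    [ "$est" -gt 0 ] && [ "$est" -lt "$svc" ] && [ "$svc" -lt "$drop" ]
}

# Write the ruleset to a file only if the order check passes; load it with
# "iptables-restore < /tmp/ruleset.v4" and inspect with "iptables -L -v -n"
# (the -n avoids the DNS lookups that hang when DNS is blocked).
if [ "${1:-}" = "--write" ]; then
    check_order && build_ruleset > /tmp/ruleset.v4
fi
```

Because `iptables-restore` replaces the table in one operation, the DROP policy and the state rule take effect together, and there is no moment at which an SSH session or a DNS reply is caught by the policy alone.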