I have been trying to work out a problem for a few days, and figured someone here -- Till! Till! Till! -- may be able to help out Recently, a single server / instance of ISPConfig3 has been dropping connections to everything outside of the subnet. It is seemingly random as there is no specific time or reason I've found so far for it dropping. Like I said, it only drops connections to the outside world. Everything on my side of the modem can still connect. Also, it is not the modem, I've checked that and also just replaced it yet the problem persists. Other servers are not having this issue. Here are some details about the server: OS: Ubuntu 14.04 Interfaces (2 NICs): eth1 -> LAN p5p1 -> WAN ISPConfig3 v. 3.0.5.4p9 I'm using bastille for the firewall, and it seems the issue is specific to it, or iptables related. There are two instances of bastille-firewall running which is also weird. One is called 'bastille-firewall' and the other is called 'bastille-firewall.backup'. So, I disabled the backup instance thinking this was the solution. I then added a firewall rule in ISPConfig to test, but shortly after applying it dropped all connections externally. Upon stopping the bastille-firewall service connection was restored. Here is my iptables -L before applying the rule in ISPConfig: Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-postfix-sasl tcp -- anywhere anywhere multiport dports smtp fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps fail2ban-pureftpd tcp -- anywhere anywhere multiport dports ftp fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain fail2ban-dovecot-pop3imap (1 references) target prot opt source destination RETURN all -- anywhere anywhere Chain fail2ban-postfix-sasl (1 references) target prot opt source destination RETURN all -- anywhere anywhere Chain fail2ban-pureftpd (1 references) target prot opt source destination RETURN all -- anywhere anywhere Chain fail2ban-ssh (1 references) target prot opt source destination REJECT all -- 121.18.238.29 anywhere reject-with icmp-port-unreachable RETURN all -- anywhere anywhere Here is iptables -L after applying a firewall rule to open ports for: 20,21,22,25,53,80,110,143,443,3306,8080,10000 Chain INPUT (policy DROP) target prot opt source destination DROP tcp -- anywhere 127.0.0.0/8 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere DROP all -- base-address.mcast.net/4 anywhere PUB_IN all -- anywhere anywhere PUB_IN all -- anywhere anywhere PUB_IN all -- anywhere anywhere PUB_IN all -- anywhere anywhere PUB_IN all -- anywhere anywhere DROP all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED DROP all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination PUB_OUT all -- anywhere anywhere PUB_OUT all -- anywhere anywhere PUB_OUT all -- anywhere anywhere PUB_OUT all -- anywhere anywhere PUB_OUT all -- anywhere anywhere Chain INT_IN (0 references) target prot opt source destination ACCEPT icmp -- anywhere anywhere DROP all -- anywhere anywhere Chain INT_OUT (0 references) target prot opt source destination ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere Chain PAROLE (16 references) target prot opt source destination ACCEPT all -- anywhere anywhere Chain PUB_IN (5 references) target prot opt source destination ACCEPT icmp -- anywhere anywhere icmp destination-unreachable ACCEPT icmp -- anywhere anywhere icmp echo-reply ACCEPT icmp -- anywhere anywhere icmp time-exceeded ACCEPT icmp -- anywhere anywhere icmp echo-request PAROLE tcp -- anywhere anywhere tcp dpt:ftp-data PAROLE tcp -- anywhere anywhere tcp dpt:ftp PAROLE tcp -- anywhere anywhere tcp dpt:ssh PAROLE tcp -- anywhere anywhere tcp dpt:smtp PAROLE tcp -- anywhere anywhere tcp dpt:domain PAROLE tcp -- anywhere anywhere tcp dpt:http PAROLE tcp -- anywhere anywhere tcp dptop3 PAROLE tcp -- anywhere anywhere tcp dpt:imap2 PAROLE tcp -- anywhere anywhere tcp dpt:https PAROLE tcp -- anywhere anywhere tcp dpt:submission PAROLE tcp -- anywhere anywhere tcp dpt:imaps PAROLE tcp -- anywhere anywhere tcp dptop3s PAROLE tcp -- anywhere anywhere tcp dpt:mysql PAROLE tcp -- anywhere anywhere tcp dpt:http-alt PAROLE tcp -- anywhere anywhere tcp dpt:tproxy PAROLE tcp -- anywhere anywhere tcp dpt:webmin ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:mysql DROP icmp -- anywhere anywhere DROP all -- anywhere anywhere Chain PUB_OUT (5 references) target prot opt source destination ACCEPT all -- anywhere anywhere Chain fail2ban-dovecot-pop3imap (0 references) target prot opt source destination RETURN all -- anywhere anywhere Chain fail2ban-postfix-sasl (0 references) target prot opt source destination RETURN all -- anywhere anywhere Chain fail2ban-pureftpd (0 references) target prot opt source destination RETURN all -- anywhere anywhere Chain fail2ban-ssh (0 references) target prot opt source destination RETURN all -- anywhere anywhere When the above is set I can only access the server from it's local ip on eth1. So, I can do one of two things at this point to restore connection to the outside world. 1. Log into ISPConfig3 from the local ip and disable the rule. 2. Stop the bastille-firewall service. I then tried to run the update.sh script to reconfigure things. This in turn added back the bastille-firewall.backup service...very confusing...why? Basically, I'd like to get back to a place where I can set rules in the Firewall tab in ISPConfig3 and have it properly apply them to iptables. Any help or guidance would be much appreciated. Thanks!
The problem might be the name of the wan interface, is it really p5p1 ? In this case, try to edit /etc/Bastille/bastille-firewall.cfg, you will find aline PUBLIC_INTERFACES there, add e.g. p+ to that line or p5+ to allow all p* or p5* interfaces as external interfaces. Then restart bastille with /etc/init.d/bastille-firewall restart and test if it works then. If thats the case, then copy /usr/local/ispconfig/server/conf/bastille-firewall.cfg.master to /usr/local/ispconfig/server/conf-custom/bastille-firewall.cfg.master and edit that copy to add the p+ interface there too.
Yes, the NIC is named p5p1 for whatever reason...first time I've seen that name for an interface though I have a faint memory of seeing similar names on newer Redhat / CentOS releases...could be wrong though. Ok, I'm going to try that when I get to the office. In the instance this suggestion works I have 2 questions: 1. Why might that cause the seemingly random drops? 2. Why might that cause the 2 bastille-firewall services to be there? Thanks
1) The drops dont have to be caused by bastille, it can also be that ou get blocked by fail2ban or any other software on your server that might add a iptables rule. stopping bastille simply clears iptables completely, so that bastille stop fixes it does not mean the issue has been caused by bastille. 2) There is just one service. the second file is just an inactive backup copy of the first one.
This solved the problem of the external connection dropping, so I can now change the Firewall within ISPConfig3 and it works. I'm going to wait a day or so before marking this thread solved as I want to see if the connection drops without any manual config changes as it was doing previously. Thanks for your help so far. EDIT: Also, I should note, I had stripped out the bastille-firewall.backup service and haven't bothered to add it back. Just wanted to mention it as an aside.
