Hi, I followed the CentOS 7.1 tutorial step by step (I have CentOS 7.1) and it works fine except for firewall issues: after installing fail2ban, the 7.1 tutorial shows starting iptables again, but then I lost the connection to the server (http, ssh, etc.):

Code:
    yum -y install iptables-services fail2ban fail2ban-systemd
    systemctl mask firewalld.service
    systemctl enable iptables.service
    systemctl enable ip6tables.service
    systemctl stop firewalld.service
    systemctl start iptables.service
    systemctl start ip6tables.service

....

Code:
    systemctl enable fail2ban.service
    systemctl start fail2ban.service

However, I saw in the CentOS 7.3 tutorial that the iptables service is not started after the fail2ban instructions:

Code:
    yum -y install iptables-services fail2ban fail2ban-systemd
    systemctl stop firewalld.service
    systemctl mask firewalld.service
    systemctl disable firewalld.service
    systemctl stop firewalld.service

....

Code:
    mkdir /var/run/fail2ban
    systemctl enable fail2ban.service
    systemctl start fail2ban.service

What is the correct way? Must I disable iptables or not? Without iptables, ISPConfig works OK, but I'm afraid it leaves my server vulnerable. Thanks in advance
Hi, you can check the iptables rules with:

Code:
    iptables -L -n

Make sure you have all the services' ports open: httpd 80, ssh 22 (unless you changed it), SQL 3006.... You can check those rules and open the ports, in case you have them closed, in the ISPConfig panel: go to System > Firewall and edit the server you are having problems with.
Hi @DonniesCat, these are the iptables settings after installing fail2ban and ISPConfig. There are no entries from the ISPConfig firewall:

Code:
    iptables -L -n
    Chain INPUT (policy ACCEPT)
    target            prot opt source      destination
    f2b-postfix-sasl  tcp  --  0.0.0.0/0   0.0.0.0/0   multiport dports 25,465,587
    f2b-dovecot       tcp  --  0.0.0.0/0   0.0.0.0/0   multiport dports 110,995,143,993
    f2b-FTP           tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:21
    f2b-sshd          tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:22
    ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
    ACCEPT            icmp --  0.0.0.0/0   0.0.0.0/0
    ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0
    ACCEPT            tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:22
    REJECT            all  --  0.0.0.0/0   0.0.0.0/0   reject-with icmp-host-prohibited
    ACCEPT            tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:22222   (my input)
    ACCEPT            tcp  --  0.0.0.0/0   0.0.0.0/0   tcp spt:22222   (my input)

    Chain FORWARD (policy ACCEPT)
    target            prot opt source      destination
    REJECT            all  --  0.0.0.0/0   0.0.0.0/0   reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target            prot opt source      destination

    Chain f2b-FTP (1 references)
    target            prot opt source      destination
    RETURN            all  --  0.0.0.0/0   0.0.0.0/0

    Chain f2b-dovecot (1 references)
    target            prot opt source      destination
    RETURN            all  --  0.0.0.0/0   0.0.0.0/0

    Chain f2b-postfix-sasl (1 references)
    target            prot opt source      destination
    RETURN            all  --  0.0.0.0/0   0.0.0.0/0

    Chain f2b-sshd (1 references)
    target            prot opt source      destination
    RETURN            all  --  0.0.0.0/0   0.0.0.0/0

After starting the iptables service I can't connect to web, ssh, etc., but the ISPConfig firewall is active:

Code:
    Open TCP ports: 20,21,22,25,53,80,110,143,443,587,993,995,3306,8080,8081,10000,22222
    Open UDP ports: 53,3306

Thanks for the feedback
It looks like your iptables are not being updated with your ISPConfig firewall rules. Have you tried going into System > Firewall, adding a random port (leaving the other ones untouched) and clicking Save? Maybe that pushes the ports that are shown into the iptables rules, as it seems like those "open ports" are just saved in the database but are not real rules.

By the way, how do you stop iptables after you start it? I mean, if port 22 is blocked... It doesn't seem to be blocked, though. You can use Till's tool to check which ports are listening or not:

Code:
    wget -q -O htf-common-issues.php "http://gitplace.net/pixcept/ispconfig-tools/raw/stable/htf-common-issues.php" && php -q htf-common-issues.php

And then read it with:

Code:
    cat htf_report.txt | more
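A way to automate the check suggested above, added here as an example (it is not code from the thread or from ISPConfig): compare the panel's "Open TCP ports" list with the ACCEPT rules that are actually reachable in the INPUT chain, i.e. those placed before the first unconditional REJECT/DROP. The rule text is constructed to mirror the `iptables -L -n` listing posted earlier, where the manually added port-22222 ACCEPT sits below the REJECT and therefore never matches.

```shell
#!/bin/sh
# Added example, not part of the thread or of ISPConfig. Reports ISPConfig "open"
# TCP ports that have no reachable ACCEPT rule in INPUT. Input is text in the
# format of `iptables -S INPUT`; any rule after the first catch-all REJECT/DROP
# is dead, so it is deliberately ignored.

# Constructed sample mirroring the chain posted in this thread: fail2ban jump
# rules, the stock CentOS rules, and the poster's 22222 ACCEPT appended after
# the catch-all REJECT.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-postfix-sasl
-A INPUT -p tcp -m tcp --dport 22 -j f2b-sshd
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 22222 -j ACCEPT'

# TCP ports the ISPConfig panel listed as open in the thread.
ISPCONFIG_TCP='20,21,22,25,53,80,110,143,443,587,993,995,3306,8080,8081,10000,22222'

# missing_ports PORTS RULES: print every port of the comma-separated PORTS that
# is not covered by a --dport/--dports ACCEPT rule ahead of the first catch-all.
missing_ports() {
    printf '%s\n' "$2" | awk -v ports="$1" '
        BEGIN { n = split(ports, want, ",") }
        # First unconditional REJECT/DROP in INPUT: nothing below it can match.
        /^-A INPUT -j (REJECT|DROP)/ { exit }
        /^-A INPUT / && /-j ACCEPT$/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" || $i == "--dports") {
                    m = split($(i + 1), list, ",")
                    for (j = 1; j <= m; j++) seen[list[j]] = 1
                }
        }
        END { for (k = 1; k <= n; k++) if (!(want[k] in seen)) print want[k] }'
}

# On the real server this would be: missing_ports "$ISPCONFIG_TCP" "$(iptables -S INPUT)"
missing_ports "$ISPCONFIG_TCP" "$SAMPLE_RULES"
```

With the sample rules every port except 22 is reported, including 22222, because its ACCEPT rule sits after the REJECT.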
Great!! I added a new port and now it is working!

Code:
    Chain INPUT (policy DROP)
    num  target  prot opt source                    destination
    1    DROP    tcp  --  anywhere                  loopback/8
    2    ACCEPT  all  --  anywhere                  anywhere      state RELATED,ESTABLISHED
    3    ACCEPT  all  --  anywhere                  anywhere
    4    DROP    all  --  base-address.mcast.net/4  anywhere
    5    PUB_IN  all  --  anywhere                  anywhere
    6    PUB_IN  all  --  anywhere                  anywhere
    7    PUB_IN  all  --  anywhere                  anywhere
    8    PUB_IN  all  --  anywhere                  anywhere
    9    PUB_IN  all  --  anywhere                  anywhere
    10   PUB_IN  all  --  anywhere                  anywhere
    11   DROP    all  --  anywhere                  anywhere

    Chain FORWARD (policy DROP)
    num  target  prot opt source     destination
    1    ACCEPT  all  --  anywhere   anywhere      state RELATED,ESTABLISHED
    2    DROP    all  --  anywhere   anywhere

    Chain OUTPUT (policy ACCEPT)
    num  target   prot opt source     destination
    1    PUB_OUT  all  --  anywhere   anywhere
    2    PUB_OUT  all  --  anywhere   anywhere
    3    PUB_OUT  all  --  anywhere   anywhere
    4    PUB_OUT  all  --  anywhere   anywhere
    5    PUB_OUT  all  --  anywhere   anywhere
    6    PUB_OUT  all  --  anywhere   anywhere

    Chain INT_IN (0 references)
    num  target  prot opt source     destination
    1    ACCEPT  icmp --  anywhere   anywhere
    2    DROP    all  --  anywhere   anywhere

    Chain INT_OUT (0 references)
    num  target  prot opt source     destination
    1    ACCEPT  icmp --  anywhere   anywhere
    2    ACCEPT  all  --  anywhere   anywhere

    Chain PAROLE (16 references)
    num  target  prot opt source     destination
    1    ACCEPT  all  --  anywhere   anywhere

    Chain PUB_IN (6 references)
    num  target  prot opt source     destination
    1    ACCEPT  icmp --  anywhere   anywhere      icmp destination-unreachable
    2    ACCEPT  icmp --  anywhere   anywhere      icmp echo-reply
    3    ACCEPT  icmp --  anywhere   anywhere      icmp time-exceeded
    4    ACCEPT  icmp --  anywhere   anywhere      icmp echo-request
    5    PAROLE  tcp  --  anywhere   anywhere      tcp dpt:ftp-data
    6    PAROLE  tcp  --  anywhere   anywhere      tcp dpt:ftp
    7    PAROLE  tcp  --  anywhere   anywhere      tcp dpt:smtp
    8    PAROLE  tcp  --  anywhere   anywhere      tcp dpt:domain
    9    PAROLE  tcp  --  anywhere   anywhere      tcp dpt:http
    10   PAROLE  tcp  --  anywhere   anywhere      tcp dpt:pop3
    11   PAROLE  tcp  --  anywhere   anywhere      tcp dpt:imap
    12   PAROLE  tcp  --  anywhere   anywhere      tcp dpt:https
    13   PAROLE  tcp  --  anywhere   anywhere      tcp dpt:submission
    14   PAROLE  tcp  --  anywhere   anywhere      tcp dpt:imaps
    15   PAROLE  tcp  --  anywhere   anywhere      tcp dpt:pop3s
    16   PAROLE  tcp  --  anywhere   anywhere      tcp dpt:mysql
    17   PAROLE  tcp  --  anywhere   anywhere      tcp dpt:webcache
    18   PAROLE  tcp  --  anywhere   anywhere      tcp dpt:tproxy
    19   PAROLE  tcp  --  anywhere   anywhere      tcp dpt:ndmp
    20   PAROLE  tcp  --  anywhere   anywhere      tcp dpt:22222
    21   ACCEPT  udp  --  anywhere   anywhere      udp dpt:domain
    22   ACCEPT  udp  --  anywhere   anywhere      udp dpt:mysql
    23   DROP    icmp --  anywhere   anywhere
    24   DROP    all  --  anywhere   anywhere

    Chain PUB_OUT (6 references)
    num  target  prot opt source     destination
    1    ACCEPT  all  --  anywhere   anywhere

    Chain f2b-FTP (0 references)
    num  target  prot opt source     destination
    1    RETURN  all  --  anywhere   anywhere

    Chain f2b-dovecot (0 references)
    num  target  prot opt source     destination
    1    RETURN  all  --  anywhere   anywhere

    Chain f2b-postfix-sasl (0 references)
    num  target  prot opt source     destination
    1    RETURN  all  --  anywhere   anywhere

    Chain f2b-sshd (0 references)
    num  target  prot opt source     destination
    1    RETURN  all  --  anywhere   anywhere

Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.1.3

    ##### VERSION CHECK #####
    [INFO] php (cli) version is 5.4.16

    ##### PORT CHECK #####
    [WARN] Port 465 (SMTP server SSL) seems NOT to be listening
    [WARN] Port 22 (SSH server) seems NOT to be listening

    ##### MAIL SERVER CHECK #####
    [WARN] I found no "submission" entry in your postfix master.cf
    [INFO] this is not critical, but if you want to offer port 587 for smtp connections you have to enable this.
    [WARN] I found no "smtps" entry in your postfix master.cf
    [INFO] this is not critical, but if you want to offer SSL for smtp (not TLS) connections you have to enable this.

    ##### RUNNING SERVER PROCESSES #####
    [INFO] I found the following web server(s):
        Unknown process (httpd) (PID 2376)
    [INFO] I found the following mail server(s):
        Unknown process (smtpd) (PID 3209)
    [INFO] I found the following pop3 server(s):
        Dovecot (PID 28559)
    [INFO] I found the following imap server(s):
        Dovecot (PID 28559)
    [INFO] I found the following ftp server(s):
        PureFTP (PID 28596)

    ##### LISTENING PORTS #####
    (only () Local (Address)
    [localhost]:10027 (28501/master)
    [anywhere]:110 (28559/dovecot)
    [anywhere]:22222 (758/sshd)
    [anywhere]:143 (28559/dovecot)
    [anywhere]:111 (1/systemd)
    ***.***.***.***:53 (28619/named)
    [localhost]:53 (28619/named)
    [anywhere]:21 (28596/pure-ftpd)
    [localhost]:953 (28619/named)
    [anywhere]:25 (3209/smtpd)
    [anywhere]:993 (28559/dovecot)
    [anywhere]:995 (28559/dovecot)
    [localhost]:10024 (434/amavisd)
    [localhost]:9000 (773/php-fpm:)
    [localhost]:10025 (28501/master)
    .........

Thank you very much!!
You're welcome. The f2b installation could've overwritten your previous iptables config, so every time it happens, just click on "Save" within System > Firewall and it will apply the rules again.
Yes, I agree, because I installed f2b after ISPConfig. I didn't want to install f2b on the server. Thanks again!!