Hello guys, I had to reboot my server in the morning, and afterwards, some ports I need to use my server were blocked. My provider is innocent, he didn't change anything. So I suspect iptables. My tables are like this:

Code:
# Generated by iptables-save v1.4.2 on Fri Nov 26 14:15:54 2010
*mangle
:PREROUTING ACCEPT [124907:46116516]
:INPUT ACCEPT [124907:46116516]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [120693:60193224]
:POSTROUTING ACCEPT [120693:60193224]
COMMIT
# Completed on Fri Nov 26 14:15:54 2010
# Generated by iptables-save v1.4.2 on Fri Nov 26 14:15:54 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [54274:19356789]
:INT_IN - [0:0]
:INT_OUT - [0:0]
:PAROLE - [0:0]
:PUB_IN - [0:0]
:PUB_OUT - [0:0]
:fail2ban-courierauth - [0:0]
:fail2ban-postfix - [0:0]
:fail2ban-sasl - [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 25,465,143,220,993,110,995 -j fail2ban-co$
-A INPUT -p tcp -m multiport --dports 25,465,143,220,993,110,995 -j fail2ban-sa$
-A INPUT -p tcp -m multiport --dports 25,465 -j fail2ban-postfix
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -d 127.0.0.0/8 -i ! lo -p tcp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -i eth+ -j PUB_IN
-A INPUT -i ppp+ -j PUB_IN
-A INPUT -i slip+ -j PUB_IN
-A INPUT -i venet+ -j PUB_IN
-A INPUT -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o eth+ -j PUB_OUT
-A OUTPUT -o ppp+ -j PUB_OUT
-A OUTPUT -o slip+ -j PUB_OUT
-A OUTPUT -o venet+ -j PUB_OUT
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 53 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 110 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 143 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 443 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8080 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 10000 -j PAROLE
-A PUB_IN -p udp -m udp --dport 53 -j ACCEPT
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j DROP
-A PUB_IN -p tcp -m tcp --dport 8000 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 6667 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 2057 -j PAROLE
-A PUB_OUT -j ACCEPT
-A fail2ban-courierauth -j RETURN
-A fail2ban-postfix -j RETURN
-A fail2ban-sasl -j RETURN
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Fri Nov 26 14:15:54 2010
# Generated by iptables-save v1.4.2 on Fri Nov 26 14:15:54 2010
*nat
:PREROUTING ACCEPT [4178:230004]
:POSTROUTING ACCEPT [8112:499095]
:OUTPUT ACCEPT [8112:499095]
COMMIT
# Completed on Fri Nov 26 14:15:54 2010

I guess you already figured out, the ports I need are 6667, 8000 and 2057. So it seems that iptables knows them (iptables -L shows these ports), but it is still not working. Did I make a mistake? Is "PAROLE" wrong? Please help me asap, as the services running on these ports are needed by tonight.

Kind Regards
Zero
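An added example, not part of the original post and not ISPConfig or Bastille code: iptables walks a chain from top to bottom and stops at the first terminating match, so a rule appended after a bare `-j DROP` in the same chain is never reached. This Python script scans `iptables-save` output for such rules; the sample is a constructed excerpt of the dump above, and the function names are hypothetical.

```python
"""Flag iptables-save rules that sit behind an unconditional terminating rule in their chain."""

TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}  # targets that end traversal of the chain

# Constructed sample: excerpt of the *filter table from the post above.
SAMPLE = """\
*filter
-A INPUT -i eth+ -j PUB_IN
-A INPUT -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A PAROLE -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j DROP
-A PUB_IN -p tcp -m tcp --dport 8000 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 6667 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 2057 -j PAROLE
COMMIT
"""

def shadowed_rules(dump):
    """Return (table, chain, blocker, rule) for every unreachable rule."""
    table, blockers, findings = None, {}, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # new table: chain names are per-table
            table, blockers = line[1:], {}
        elif line.startswith("-A "):
            tokens = line.split()
            chain, spec = tokens[1], tokens[2:]
            if chain in blockers:         # an earlier catch-all already ended this chain
                findings.append((table, chain, blockers[chain], line))
            elif len(spec) == 2 and spec[0] in ("-j", "--jump") and spec[1] in TERMINAL:
                blockers[chain] = line    # assumption: only the bare "-j TARGET" form is a catch-all
    return findings

def shadowed_ports(dump):
    """Destination ports named in unreachable rules, as a sorted list of ints."""
    ports = set()
    for *_, rule in shadowed_rules(dump):
        tokens = rule.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok == "--dport" and tokens[i + 1].isdigit():
                ports.add(int(tokens[i + 1]))
    return sorted(ports)

if __name__ == "__main__":
    for table, chain, blocker, rule in shadowed_rules(SAMPLE):
        print(f"[{table}/{chain}] unreachable: {rule}\n    shadowed by: {blocker}")
```

Run against a full dump by passing the text of `iptables-save` to `shadowed_rules`; conditional rules such as `-p icmp -j DROP` are deliberately not treated as catch-alls.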
Okay, request revoked... I re-configured the iptables' chains and rules via ISPConfig, now it is working... I wonder though, why iptables suddenly self-activated....
Could you please tell me what you did? I am getting the same issue - all ports marked as PAROLE are inaccessible even from within my LAN - if I stop Bastille then everything works. Also - even if I have no rules in ISPConfig for the firewall and Bastille has been started, at least FTP is blocked (although HTTP and HTTPS are open). Any help is appreciated.
Following that thread, all I see is creation of scripts for the rules from outside ISPConfig. So that means the Firewall settings in Sistem -> Sistem -> Firewall are useless and shouldn't be used at all?
This thread is 9 years old. You should not revive ancient threads. Create a new thread. Or refer to this thread in your new thread if this thread is relevant. In this thread, it seems the problem was resolved by reconfiguring iptables via the ISPConfig panel. Have you modified firewall rules outside of ISPConfig?
You're right. My apologies. I was searching the forum for posts where my issue was described, so I ended up at this years-old thread. This is the thread where I describe the issue in much more detail: https://forum.howtoforge.com/threads/servers-are-not-accessible-after-bastille-is-activated.90466/ I updated and activated the firewall through the ISPConfig panel, which is when 2 of the servers become unreachable. I have not modified the rules outside of ISPConfig.