bastille-firewall

Discussion in 'Installation/Configuration' started by Steffan, Jun 19, 2020.

  1. Steffan

    Steffan Member

    As soon as i start Bastille firewall
    all ipv4 http traffic is blocked
    ipv6 is working
    if i stop the firewall it is working again without a restart of apache
    Any idees what is going on?

    Code:
     /etc/Bastille/bastille-firewall.cfg:
TCP_PUBLIC_SERVICES="20 21 22 25 80 800 1984 2812 3306 5355 8000 8081 50110:50210"           # MINIMAL/SAFEST
    the output below is not compleet, i exceed the max allowed lines in this post
    Code:
     iptables-save
# Generated by xtables-save v1.8.2 on Fri Jun 19 11:52:12 2020
*filter
:INPUT DROP [42994091:39852175299]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [36968135:30168827624]
:PUB_IN - [0:0]
:PUB_OUT - [0:0]
:INT_IN - [0:0]
:INT_OUT - [0:0]
:PAROLE - [0:0]
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -i eth+ -j PUB_IN
-A INPUT -i ppp+ -j PUB_IN
-A INPUT -i slip+ -j PUB_IN
-A INPUT -i venet+ -j PUB_IN
-A INPUT -i bond+ -j PUB_IN
-A INPUT -i en+ -j PUB_IN
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth+ -j PUB_OUT
-A OUTPUT -o ppp+ -j PUB_OUT
-A OUTPUT -o slip+ -j PUB_OUT
-A OUTPUT -o venet+ -j PUB_OUT
-A OUTPUT -o bond+ -j PUB_OUT
-A OUTPUT -o en+ -j PUB_OUT
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 20 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 800 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 1984 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 2812 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 5355 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8000 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8081 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 50110:50210 -j PAROLE
-A PUB_IN -p icmp -j DROP
-A PUB_OUT -j DROP
-A PUB_OUT -j ACCEPT
-A INT_IN -j DROP
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -j DROP
-A INT_OUT -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -i eth+ -j PUB_IN
-A INPUT -i ppp+ -j PUB_IN
-A INPUT -i slip+ -j PUB_IN
-A INPUT -i venet+ -j PUB_IN
-A INPUT -i bond+ -j PUB_IN
-A INPUT -i en+ -j PUB_IN
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth+ -j PUB_OUT
-A OUTPUT -o ppp+ -j PUB_OUT
-A OUTPUT -o slip+ -j PUB_OUT
-A OUTPUT -o venet+ -j PUB_OUT
-A OUTPUT -o bond+ -j PUB_OUT
-A OUTPUT -o en+ -j PUB_OUT
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 20 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 800 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 1984 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 2812 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 5355 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8000 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8081 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 50110:50210 -j PAROLE
-A PUB_IN -p icmp -j DROP
-A PUB_OUT -j DROP
-A PUB_OUT -j ACCEPT
-A INT_IN -j DROP
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -j DROP
-A INT_OUT -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -i eth+ -j PUB_IN
-A INPUT -i ppp+ -j PUB_IN
-A INPUT -i slip+ -j PUB_IN
-A INPUT -i venet+ -j PUB_IN
-A INPUT -i bond+ -j PUB_IN
-A INPUT -i en+ -j PUB_IN
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth+ -j PUB_OUT
-A OUTPUT -o ppp+ -j PUB_OUT
-A OUTPUT -o slip+ -j PUB_OUT
-A OUTPUT -o venet+ -j PUB_OUT
-A OUTPUT -o bond+ -j PUB_OUT
-A OUTPUT -o en+ -j PUB_OUT
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 20 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 800 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 1984 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 2812 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 5355 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8000 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8081 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 50110:50210 -j PAROLE
-A PUB_IN -p icmp -j DROP
-A PUB_OUT -j DROP
-A PUB_OUT -j ACCEPT
-A INT_IN -j DROP
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -j DROP
-A INT_OUT -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -i eth+ -j PUB_IN
-A INPUT -i ppp+ -j PUB_IN
-A INPUT -i slip+ -j PUB_IN
-A INPUT -i venet+ -j PUB_IN
-A INPUT -i bond+ -j PUB_IN
-A INPUT -i en+ -j PUB_IN
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth+ -j PUB_OUT
-A OUTPUT -o ppp+ -j PUB_OUT
-A OUTPUT -o slip+ -j PUB_OUT
-A OUTPUT -o venet+ -j PUB_OUT
-A OUTPUT -o bond+ -j PUB_OUT
-A OUTPUT -o en+ -j PUB_OUT
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 20 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 800 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 1984 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 2812 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 5355 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8000 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8081 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 50110:50210 -j PAROLE


-----

# Completed on Fri Jun 19 11:52:12 2020
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
     
    Steffan, Jun 19, 2020
    #1
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If you are using HTTPS, are the HTTPS ports open?
     
    Taleman, Jun 19, 2020
    #2
  3. Steffan

    Steffan Member

    this is the setting in ispconfig
    20,21,22,25,80,443,800,1984,2812,3306,5355,8000,8081,50110:50210
    ipv6 keeps wordking
    ipv4 not
     
    Steffan, Jun 20, 2020
    #3
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Surely that is because bastille doesn't add any ipv6 firewalling whatsoever, your server is completely unprotected on ipv6. Bastille has been obsolete for some time, you should remove it and switch to ufw, particularly if you use ipv6. (Even if you're ipv4 only, ufw creates a much better firewall than bastille.)

    My guess is that http works, but https is blocked because port 443 is not allowed. Your latest comment says it is, but your firewall rules output shows that it is not.
     
    Jesse Norell, Jun 22, 2020
    #4
    ahrasis likes this.

Share This Page