Hi guys, hoping someone can help here. I followed the guide to install ISPConfig 3.0.4.6 on CentOS 6.3; everything has been working well for the most part. The issue I am having is that when I enable the ISPConfig firewall I cannot resolve outside hostnames -> IP addresses.

FIREWALL DISABLED

Code:
[root@ns2 /]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
[root@ns2 /]# ping google.com
PING google.com (173.194.38.164) 56(84) bytes of data.
64 bytes from sin04s02-in-f4.1e100.net (173.194.38.164): icmp_seq=1 ttl=58 time=1.62 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 926ms
rtt min/avg/max/mdev = 1.626/1.626/1.626/0.000 ms
[root@ns2 /]#

WITH ISPCONFIG FIREWALL ENABLED

Code:
[root@ns2 /]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  224.0.0.0/4          0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain PAROLE (16 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (5 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8081
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:40000:40010
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:3306
DROP       icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_OUT (5 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (0 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
[root@ns2 /]# nslookup google.com
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached
[root@ns2 /]# ping google.com
ping: unknown host google.com
[root@ns2 /]# ping 173.194.38.164
PING 173.194.38.164 (173.194.38.164) 56(84) bytes of data.
64 bytes from 173.194.38.164: icmp_seq=1 ttl=58 time=1.68 ms

I added more rules on each table to accept UDP port 53, but no difference.

Code:
#/etc/resolv.conf
#OpenDNS Servers
nameserver 208.67.222.222
nameserver 208.67.220.220

Code:
[root@ns2 /]# /etc/rc.d/init.d/bastille-firewall restart
FATAL: Module ip_tables not found.
FATAL: Module ip_tables not found.
iptables v1.4.7: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.4.7: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_conntrack not found.
FATAL: Module ip_conntrack_ftp not found.
FATAL: Module ipt_LOG not found.
Setting up IP spoofing protection... done.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.

Not sure if the missing modules are the issue here. I'm stuck with this right now; does anyone have any ideas or possible insight on this? Thanks.
Thanks for the reply. Yes, SELinux is disabled. Also, here is some more information which is probably irrelevant, but I don't know. I have another VPS with the same host [GoDaddy], running CentOS 6.2. On my 6.2 server I use the following firewall setup:

Code:
#!/bin/bash
# Clear Tables
iptables -F
# Set default chain policies to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#ICMP Rules
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
#HTTP/HTTPS Rules
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#DNS Rules
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
#Mail Rules
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
#Squid Rules
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -p tcp --dport 3128 -j ACCEPT
#Loopback Rules
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
#Other Allowable Traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#FTP Rules
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 47389:47489 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 47389:47489 -j ACCEPT

When I try to load this on my 6.3 server, my SSH connection is dropped instantly and I am unable to connect to any services or ping the host.

On 6.3 I currently receive an error when running this:

Code:
[root@ns2 /]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name.
[root@ns2 /]# iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name.

This server was upgraded from 6.2 to 6.3 through 'yum upgrade'. Kernel version is the same, iptables version is the same... I'm lost on where to go from here. Maybe I should move to a new host and go to Debian...
*** RESOLVED *** Did some digging and found that on one server I did not have the "state + conntrack" modules for iptables. Spoke to my VPS host and they added it back in. Setup now works fine.
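The two failures above have one cause: the `-m state` rules were rejected with "No chain/target/match by that name", the script and Bastille kept going anyway, and once the DROP policies were in place nothing accepted the return half of outbound connections, so DNS replies to ephemeral ports were dropped and the SSH session died. The script below is an added example, not the poster's script or ISPConfig's Bastille wrapper: it probes a scratch chain for a working state match before any policy is switched to DROP, adds every rule the DROP policy depends on first, and offers a background rollback timer for remote changes. The SSH port, the service port list and the `IPT` variable (set `IPT=echo` to dry-run) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): apply a stateful iptables ruleset
# only after proving the kernel honours "-m state"; otherwise stop before
# any DROP policy is set. IPT is the iptables command to drive (IPT=echo
# prints the rules instead of loading them).
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"                           # assumption: sshd on 22
SERVICE_TCP_PORTS="${SERVICE_TCP_PORTS:-25 80 443}"  # assumed service ports

# Return 0 if "-m state" is usable, 1 if not. The probe works in a scratch
# chain so the live INPUT/OUTPUT chains are never touched; the scratch
# chain is removed again on either path.
state_match_available() {
    "$IPT" -N probe_state 2>/dev/null || return 1
    if "$IPT" -A probe_state -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null; then
        "$IPT" -F probe_state
        "$IPT" -X probe_state
        return 0
    fi
    "$IPT" -X probe_state 2>/dev/null
    return 1
}

# Background timer that reopens the firewall unless the operator kills the
# printed PID after confirming a fresh SSH login still works.
start_rollback_timer() {
    seconds="${1:-300}"
    ( sleep "$seconds"
      "$IPT" -P INPUT ACCEPT
      "$IPT" -P OUTPUT ACCEPT
      "$IPT" -F ) &
    echo $!
}

# Load the ruleset. Every rule the DROP policy relies on is added and checked
# first; the policies are switched to DROP only as the very last step, so a
# failed rule aborts with the host still reachable.
apply_ruleset() {
    state_match_available || {
        echo "refusing to apply: '-m state' unavailable (state/conntrack modules missing?)" >&2
        return 1
    }
    "$IPT" -P INPUT ACCEPT && "$IPT" -P OUTPUT ACCEPT && "$IPT" -P FORWARD ACCEPT || return 1
    "$IPT" -F || return 1
    "$IPT" -A INPUT -i lo -j ACCEPT || return 1
    "$IPT" -A OUTPUT -o lo -j ACCEPT || return 1
    # Return traffic for connections this host opened (DNS replies, yum, etc.)
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    "$IPT" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT || return 1
    "$IPT" -A INPUT -p icmp -j ACCEPT || return 1
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT || return 1
    for port in $SERVICE_TCP_PORTS; do
        "$IPT" -A INPUT -p tcp --dport "$port" -j ACCEPT || return 1
    done
    # Inbound DNS queries: only needed when this host is itself a nameserver
    "$IPT" -A INPUT -p udp --dport 53 -j ACCEPT || return 1
    "$IPT" -P INPUT DROP && "$IPT" -P FORWARD DROP && "$IPT" -P OUTPUT DROP
}

# Only load rules when explicitly asked, e.g. APPLY_FIREWALL=1 ./firewall.sh
if [ "${APPLY_FIREWALL:-0}" = "1" ]; then
    apply_ruleset
fi
```

Run it as `APPLY_FIREWALL=1 IPT=echo ./firewall.sh` first to see the exact commands, then over an SSH session with `start_rollback_timer 300` started beforehand and its PID killed once a second login succeeds. On the server in this thread the probe would have failed immediately, which is a far clearer signal than a dead DNS resolver or a dropped SSH session.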