iptables / bastille-firewall [Solved]

Discussion in 'ISPConfig 3 Priority Support' started by levi, Jul 28, 2016.

  1. levi

    levi New Member

    I have been trying to work out a problem for a few days, and figured someone here -- Till! Till! Till! -- may be able to help out :)

    Recently, a single server / instance of ISPConfig3 has been dropping connections to everything outside of the subnet. It is seemingly random as there is no specific time or reason I've found so far for it dropping. Like I said, it only drops connections to the outside world. Everything on my side of the modem can still connect. Also, it is not the modem, I've checked that and also just replaced it yet the problem persists. Other servers are not having this issue.

    Here are some details about the server:
    OS: Ubuntu 14.04
    Interfaces (2 NICs): eth1 -> LAN
    p5p1 -> WAN
    ISPConfig3 v. 3.0.5.4p9

    I'm using bastille for the firewall, and it seems the issue is specific to it, or iptables related.

    There are two instances of bastille-firewall running which is also weird. One is called 'bastille-firewall' and the other is called 'bastille-firewall.backup'. So, I disabled the backup instance thinking this was the solution. I then added a firewall rule in ISPConfig to test, but shortly after applying it dropped all connections externally. Upon stopping the bastille-firewall service connection was restored.

    Here is my iptables -L before applying the rule in ISPConfig:


    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    fail2ban-postfix-sasl tcp -- anywhere anywhere multiport dports smtp
    fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
    fail2ban-pureftpd tcp -- anywhere anywhere multiport dports ftp
    fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain fail2ban-dovecot-pop3imap (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-postfix-sasl (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-pureftpd (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    REJECT all -- 121.18.238.29 anywhere reject-with icmp-port-unreachable
    RETURN all -- anywhere anywhere


    Here is iptables -L after applying a firewall rule to open ports for: 20,21,22,25,53,80,110,143,443,3306,8080,10000


    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP tcp -- anywhere 127.0.0.0/8
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    DROP all -- base-address.mcast.net/4 anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain PAROLE (16 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain PUB_IN (5 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp-data
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp
    PAROLE tcp -- anywhere anywhere tcp dpt:ssh
    PAROLE tcp -- anywhere anywhere tcp dpt:smtp
    PAROLE tcp -- anywhere anywhere tcp dpt:domain
    PAROLE tcp -- anywhere anywhere tcp dpt:http
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3
    PAROLE tcp -- anywhere anywhere tcp dpt:imap2
    PAROLE tcp -- anywhere anywhere tcp dpt:https
    PAROLE tcp -- anywhere anywhere tcp dpt:submission
    PAROLE tcp -- anywhere anywhere tcp dpt:imaps
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3s
    PAROLE tcp -- anywhere anywhere tcp dpt:mysql
    PAROLE tcp -- anywhere anywhere tcp dpt:http-alt
    PAROLE tcp -- anywhere anywhere tcp dpt:tproxy
    PAROLE tcp -- anywhere anywhere tcp dpt:webmin
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT udp -- anywhere anywhere udp dpt:mysql
    DROP icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain PUB_OUT (5 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain fail2ban-dovecot-pop3imap (0 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-postfix-sasl (0 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-pureftpd (0 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-ssh (0 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere


    When the above is set I can only access the server from its local IP on eth1.

    So, I can do one of two things at this point to restore connection to the outside world.

    1. Log into ISPConfig3 from the local ip and disable the rule.
    2. Stop the bastille-firewall service.

    I then tried to run the update.sh script to reconfigure things. This in turn added back the bastille-firewall.backup service...very confusing...why?

    Basically, I'd like to get back to a place where I can set rules in the Firewall tab in ISPConfig3 and have it properly apply them to iptables.

    Any help or guidance would be much appreciated. Thanks!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem might be the name of the WAN interface: is it really p5p1? In this case, try to edit /etc/Bastille/bastille-firewall.cfg; you will find a line PUBLIC_INTERFACES there. Add e.g. p+ to that line, or p5+, to allow all p* or p5* interfaces as external interfaces. Then restart bastille with /etc/init.d/bastille-firewall restart and test if it works then. If that's the case, then copy /usr/local/ispconfig/server/conf/bastille-firewall.cfg.master to /usr/local/ispconfig/server/conf-custom/bastille-firewall.cfg.master and edit that copy to add the p+ interface there too.
     
  3. levi

    levi New Member

    Yes, the NIC is named p5p1 for whatever reason... first time I've seen that name for an interface, though I have a faint memory of seeing similar names on newer Red Hat / CentOS releases... could be wrong though.

    Ok, I'm going to try that when I get to the office. In the instance this suggestion works I have 2 questions:

    1. Why might that cause the seemingly random drops?

    2. Why might that cause the 2 bastille-firewall services to be there?

    Thanks
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    1) The drops don't have to be caused by bastille; it can also be that you get blocked by fail2ban or any other software on your server that might add an iptables rule. Stopping bastille simply clears iptables completely, so the fact that stopping bastille fixes it does not mean the issue has been caused by bastille.

    2) There is just one service. The second file is just an inactive backup copy of the first one.
     
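As an added example (not code from the thread, ISPConfig or Bastille), a small parser for `iptables -L` output in the shape of the two listings in the first post. It reports the default policy of the built-in chains and flags user chains that still hold rules but have 0 references, which is what the fail2ban-* chains look like in the second listing after bastille rewrote INPUT: the bans are still there but nothing jumps to them, so they no longer filter anything, and conversely an active fail2ban REJECT (as in the first listing) is a candidate cause of the drops till mentions. The sample listing and the banned address in it are constructed.

```python
import re

# Constructed sample (not the thread's own listing): an abridged `iptables -L`
# in the shape of the second listing in the first post. INPUT is policy DROP and
# jumps to PUB_IN; fail2ban-ssh still holds a ban but nothing jumps to it.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_IN (1 references)
target     prot opt source               destination
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
REJECT     all  --  198.51.100.7         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
"""

# "Chain INPUT (policy DROP)" for built-in chains, "Chain X (N references)" for user chains.
HEADER = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)\)$")

def parse_chains(listing):
    """Map chain name -> {"policy", "refs", "rules"}; each rule is kept as its target."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = HEADER.match(line)
        if m:
            name, policy, refs = m.groups()
            current = chains[name] = {"policy": policy,
                                      "refs": int(refs) if refs is not None else None,
                                      "rules": []}
        elif current is not None and line.strip() and not line.startswith("target"):
            current["rules"].append(line.split()[0])
    return chains

def dead_chains(chains):
    """User chains holding rules that nothing jumps to: their bans never fire."""
    return sorted(n for n, c in chains.items() if c["refs"] == 0 and c["rules"])

def audit(listing):
    """Findings: default policy of built-in chains, then orphaned rule chains."""
    chains = parse_chains(listing)
    findings = [f"{n} policy {c['policy']}" for n, c in chains.items() if c["policy"]]
    findings += [f"{n}: {len(chains[n]['rules'])} rules, 0 references (inactive)"
                 for n in dead_chains(chains)]
    return findings
```

Run `audit()` on the output of `iptables -L` before and after an ISPConfig firewall change to see which chains changed policy and which fail2ban chains were left unreferenced; restarting fail2ban re-adds its jumps.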
  5. levi

    levi New Member

    This solved the problem of the external connection dropping, so I can now change the Firewall within ISPConfig3 and it works.

    I'm going to wait a day or so before marking this thread solved as I want to see if the connection drops without any manual config changes as it was doing previously.

    Thanks for your help so far.

    EDIT: Also, I should note, I had stripped out the bastille-firewall.backup service and haven't bothered to add it back. Just wanted to mention it as an aside.
     
