Hi, normally I work with iptables and want to use the built-in option (Bastille) of ISPConfig. When I try to start Bastille (/etc/rc.d/init.d/Basti...) it's looking for ipchains (which is not on the machine). I searched the sources to see if I could change this manually, without any result. Any suggestions? WKR, JL. BTW I use: Fedora Core 4
Bastille is looking for ipchains and iptables - so it should work for you. Do you get error messages when trying to start Bastille?
Hi Falko, I got a message like "can't find /sbin/ipchains". Did a new install and it's working now! WKR, JL
----
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             127.0.0.0/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain PAROLE (8 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (3 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:81
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:10000
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
I'm looking for some help on iptables issues I'm encountering with my VPS. It seems to work fine for most things, but when the firewall is on, the server can't resolve domain names. Having looked at the previous post's output, I'm missing the RELATED,ESTABLISHED part. Here's my iptables -L -n output (iptables -L hangs!):
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  224.0.0.0/4          0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0

Chain PAROLE (12 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:81
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:943
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:43
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
DROP       icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

When I try to add this rule, I get:
Code:
iptables -I INPUT 2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name

I've scoured the web for information on why this is, and whilst others have this problem, I've come up with no solutions. I'd be very glad of any help from you guys, as this is the only bit that isn't working, and is holding us back from going live. Cheers! Ben
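One way to check a dump like the one above for exactly this failure mode (a DROP policy on INPUT with no rule that admits replies to the host's own DNS queries), as an added example that is not code from the thread, from ISPConfig or from Bastille. The two sample rulesets are constructed and condensed from the output posted above; the audit follows jumps into user chains such as PUB_IN.

```python
"""Audit an `iptables -L -n` dump: would a reply to the host's own DNS
query (UDP, source port 53, arriving on an ephemeral port) be let in?
Take the dump with -n; without it, iptables does reverse lookups and
hangs when resolution is already broken."""
import re

# Constructed sample, condensed from the stateless ruleset posted above.
STATELESS = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""
# Same ruleset with the rule the poster could not insert as INPUT rule 1.
STATEFUL = STATELESS.replace(
    "destination\n",
    "destination\nACCEPT     all  --  0.0.0.0/0            0.0.0.0/0"
    "            state RELATED,ESTABLISHED\n", 1)


def parse(dump):
    """Map each chain name to its rules as (target, prot, match-text)."""
    chains, cur = {}, None
    for line in dump.splitlines():
        head = re.match(r"Chain (\S+) \(", line)
        if head:
            cur = head.group(1)
            chains[cur] = []
        elif cur and line.strip() and not line.startswith("target"):
            f = line.split()          # target prot opt src dst [match ...]
            chains[cur].append((f[0], f[1], " ".join(f[5:])))
    return chains


def reply_accept(chains, chain="INPUT", seen=()):
    """First rule that admits a DNS reply (stateful ESTABLISHED match or a
    stateless 'udp spt:53' accept); None means the DROP policy wins."""
    for target, prot, match in chains.get(chain, []):
        stateful = target == "ACCEPT" and "ESTABLISHED" in match
        stateless = target == "ACCEPT" and prot == "udp" and "spt:53" in match
        if stateful or stateless:
            return (target, prot, match)
        if target in chains and target not in seen:     # jump to user chain
            hit = reply_accept(chains, target, seen + (chain,))
            if hit:
                return hit
    return None


if __name__ == "__main__":
    for name, dump in (("stateless", STATELESS), ("stateful", STATEFUL)):
        hit = reply_accept(parse(dump))
        print(name, "->", f"admitted by {hit}" if hit else "DNS replies DROPPED")
```

Note that `-L -n` hides the interface column, so a bare `ACCEPT all` (usually the loopback rule) cannot be told apart from an accept-everything rule here; use `iptables-save` when that distinction matters.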
After much researching, I found that my VPS didn't have all the iptables modules loaded into the kernel. I asked my supplier to enable a few extra modules and it still doesn't quite work. I've switched to using APF, which uses an allow-all-and-block-selected-items approach, rather than Bastille's block-all-and-allow-a-few. This means ESTABLISHED isn't required; I manually block certain ports above 1023, so all others are free for request replies. I know I could reconfigure Bastille to do this, but APF already does it, so why spend the time? The only drawback now is that the firewall is not configurable through ISPConfig, but that's not such a problem. One problem is that starting it in ISPConfig will break things, so I might remove the option from the interface. Anyway, hope this helps someone else...
That's true, but if another administrator comes in and enables it again, then that would cause problems. Admittedly they should be trained, and the firewall issue should be documented in internal policies so this mistake doesn't happen, but I don't trust people to read documentation, or remember what someone told them. Taking the option out makes it certain that it won't be re-enabled. That said, I can't find an easy way to remove it. It seems the list of services is based on the field names in the services table, and I don't want to delete it from the table. I might just leave it after all.
You can edit the file /root/ispconfig/scripts/shell/firewall.php and change the following part:
PHP:
if($dienst["dienst_firewall_status"] != "off"){
    $mod->system->daemon_init("bastille-firewall", "restart");
} else {
    if(is_file("/var/lock/subsys/bastille-firewall")) $mod->system->daemon_init("bastille-firewall", "stop");
}