IPtables / Bastille

Hi,

normally I work with IPTables and want to use the buildin option (Bastille) of ISPConfig. When I try to start Bastille (/etc/rc.d/init.d/Basti...) it it's looking for IPChains (which is not on the machine)

Searched the sources if I could change this manual - without any result.

Any suggestions?

WKR, JL

BTW I use : Fedora Core 4

 

Bastille is looking for ipchains and iptables - so it should work for you. Do you get error messages when trying to start Bastille?

 

Hi Falko,

I got a message like can't find /sbin/ipchains

Did a new install and it's working now!

WKR, JL

----

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere 127.0.0.0/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere

Chain PAROLE (8 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PUB_IN (3 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:http
PAROLE tcp -- anywhere anywhere tcp dpt:81
PAROLE tcp -- anywhere anywhere tcp dptop3
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:10000
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain PUB_OUT (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

 

I'm looking for some help on iptables issues I'm encountering with my VPS. It seems to work fine for most things, but when the firewall is on, it the server can't resolve domain names.

Having looked at the previous post's output, I'm missing the RELATED,ESTABLISHED part. Here's my iptables -L -n output (iptables -L hangs!):

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  224.0.0.0/4          0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0

Chain PAROLE (12 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:81
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:943
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:43
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
DROP       icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

When I try to add this rule, I get:

Code:

iptables -I INPUT 2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name

I've scoured the web for information on why this is, and whilst others have this problem, I've come up with no solutions.

I'd be very glad of any help from you guys, as this is the only bit that isn't working, and is holding us back from going live.

Cheers!
Ben

 

After much researching, I found the my VPS didn't have all the iptables modules loaded into the kernel. I asked my supplier to enable a few extra modules and it still doesn't quite work.

I've switched to using APF, which uses an allow all and block selected items approach, rather than bastille's bloack all and allow a few. This means ESTABLISHED isn't required, I manuall block certain ports above 1023, so all others are free for request replies.

I know I could reconfigure bastille to do this, but APF already does it, so why spend the time

Only drawback now is that the firewall is not configurable through ISP Config, but that's not such a problem. One problem is that starting it in ISP Config will break things, so I might remove the option from the interface.

Anyway - hope this helps someone else...

 

You can disable the firewall under Management -> Server -> Services.

 

That's true - but if another administrator comes in and enables it again, then that would cause problems. Admitedly they should be trained, and the firewall issue should be documented in internal policies so this mistake doesn't happen, but I don't trust people to read documentation, or remember what someone told them. Taking the option out makes it certain that it won't be re-enabled

That said - I can't find an easy way to remove it. Seems the list of services is based on the field names in the services table, and I don't want to delete it from the table. I might just leave it afterall

 

You can edit the file /root/ispconfig/scripts/shell/firewall.php and change the following part:

PHP:

if($dienst["dienst_firewall_status"] != "off"){
  $mod->system->daemon_init("bastille-firewall", "restart");
} else {
  if(is_file("/var/lock/subsys/bastille-firewall")) $mod->system->daemon_init("bastille-firewall", "stop");
}