ISPConfig blocks port 53 when firewall is on. Debian Jessie.

Discussion in 'Installation/Configuration' started by Memek, Jan 14, 2016.

  1. Memek

    Memek New Member

    I have used ISPConfig for several years, and this is the first time I cannot solve a problem myself. I also found nothing that worked on the internet or in the forum.

    ISPConfig ##### #####
    ISPConfig version is

    CHECK VERSION ##### #####
    [INFO] php (CLI) version is 5.6.14-0 + deb8u1
    [INFO] php-cgi (used for cgi php in default vhost!) Is version 5.6.14-0 + deb8u1

    System Debian Jessie updated, installation as described in

    When the ISPConfig firewall in the System -> Firewall menu is on, the server stops resolving domain names to IP addresses.

    According to one of the guides, I added the parameter listen-on port 53 { any; }; to the /etc/bind/named.conf.option file - it has not changed anything.

    When the ISPConfig firewall is turned ON:
    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    [anywhere]:110 (950/dovecot)
    [anywhere]:143 (1/init)
    [anywhere]:465 (1199/master)
    ***.***.***.***:53 (2670/named)
    [localhost]:53 (2670/named)
    [anywhere]:21 (12614/pure-ftpd)
    [anywhere]:22 (308/sshd)
    [localhost]:953 (2670/named)
    [anywhere]:25 (1199/master)
    [anywhere]:993 (1/init)
    [anywhere]:995 (950/dovecot)
    [localhost]:10025 (1199/master)
    [anywhere]:587 (1199/master)
    [localhost]:11211 (310/memcached)
    [localhost]10 (950/dovecot)
    [localhost]43 (950/dovecot)
    *:*:*:*::*:8080 (3638/fcgi-pm)
    *:*:*:*::*:80 (3638/fcgi-pm)
    *:*:*:*::*:8081 (3638/fcgi-pm)
    *:*:*:*::*:465 (1199/master)
    *:*:*:*::*:53 (2670/named)
    *:*:*:*::*:21 (12614/pure-ftpd)
    *:*:*:*::*:22 (308/sshd)
    *:*:*:*::*:953 (2670/named)
    *:*:*:*::*:25 (1199/master)
    *:*:*:*::*:443 (3638/fcgi-pm)
    *:*:*:*::*:993 (950/dovecot)
    *:*:*:*::*:995 (950/dovecot)
    *:*:*:*::*:3306 (29366/mysqld)
    *:*:*:*::*:587 (1199/master)

    ##### IPTABLES #####
    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP tcp -- [anywhere]/0 ***.***.***.***/8
    ACCEPT all -- [anywhere]/0 [anywhere]/0
    DROP all -- ***.***.***.***/4 [anywhere]/0
    PUB_IN all -- [anywhere]/0 [anywhere]/0
    PUB_IN all -- [anywhere]/0 [anywhere]/0
    PUB_IN all -- [anywhere]/0 [anywhere]/0
    PUB_IN all -- [anywhere]/0 [anywhere]/0
    PUB_IN all -- [anywhere]/0 [anywhere]/0
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain FORWARD (policy DROP)
    target prot opt source destination
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT all -- [anywhere]/0 [anywhere]/0
    PUB_OUT all -- [anywhere]/0 [anywhere]/0
    PUB_OUT all -- [anywhere]/0 [anywhere]/0
    PUB_OUT all -- [anywhere]/0 [anywhere]/0
    PUB_OUT all -- [anywhere]/0 [anywhere]/0

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0

    Chain PAROLE (16 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0

    Chain PUB_IN (5 references)
    target prot opt source destination
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 3
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 0
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 11
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 8
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:20
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:21
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:22
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:25
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:80
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:110
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:143
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:443
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:587
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:993
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:995
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:3306
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8080
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8081
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:10000
    PAROLE tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:53
    ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:3306
    ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:53
    DROP icmp -- [anywhere]/0 [anywhere]/0
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain PUB_OUT (5 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-dovecot-pop3imap (0 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-postfix-sasl (0 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-pureftpd (0 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-ssh (0 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    When the ISPConfig firewall is turned OFF:
    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    [anywhere]:110 (950/dovecot)
    [anywhere]:143 (1/init)
    [anywhere]:465 (1199/master)
    ***.***.***.***:53 (2670/named)
    [localhost]:53 (2670/named)
    [anywhere]:21 (12614/pure-ftpd)
    [anywhere]:22 (308/sshd)
    [localhost]:953 (2670/named)
    [anywhere]:25 (1199/master)
    [anywhere]:993 (1/init)
    [anywhere]:995 (950/dovecot)
    [localhost]:10025 (1199/master)
    [anywhere]:587 (1199/master)
    [localhost]:11211 (310/memcached)
    [localhost]10 (950/dovecot)
    [localhost]43 (950/dovecot)
    *:*:*:*::*:8080 (3638/fcgi-pm)
    *:*:*:*::*:80 (3638/fcgi-pm)
    *:*:*:*::*:8081 (3638/fcgi-pm)
    *:*:*:*::*:465 (1199/master)
    *:*:*:*::*:53 (2670/named)
    *:*:*:*::*:21 (12614/pure-ftpd)
    *:*:*:*::*:22 (308/sshd)
    *:*:*:*::*:953 (2670/named)
    *:*:*:*::*:25 (1199/master)
    *:*:*:*::*:443 (3638/fcgi-pm)
    *:*:*:*::*:993 (950/dovecot)
    *:*:*:*::*:995 (950/dovecot)
    *:*:*:*::*:3306 (29366/mysqld)
    *:*:*:*::*:587 (1199/master)

    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain fail2ban-dovecot-pop3imap (0 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-postfix-sasl (0 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-pureftpd (0 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-ssh (0 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Greetings and congratulations on the excellent work which is ISPConfig!

    Attached Files:

    • on.txt (6.4 KB)
    • off.txt (2.7 KB)
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Is this a virtual server? There can be problems on servers that use openvz / virtuozzo when using iptables firewalls.
  3. Memek

    Memek New Member

    Exactly! This is my first VPS server. Until now, I have set up servers as independent units.

    So should I take advantage of the firewall in the VPS provider's panel and leave the ISPConfig firewall off?
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, if the provider has a firewall, then use that one.
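
Added example (not part of the original thread and not ISPConfig code): a small Python evaluator for `iptables -L -n` listings like the one in the first post, which walks PUB_IN and the chains it jumps to and returns the first-match verdict for a protocol and destination port. The sample listing is constructed from the PUB_IN and PAROLE rules shown above with addresses written as 0.0.0.0/0; the function names are hypothetical, and only the protocol and `dpt` columns are evaluated.

```python
import re

# Constructed sample in `iptables -L -n` format, mirroring the PUB_IN and
# PAROLE chains of the posted listing (addresses written as 0.0.0.0/0).
LISTING = """\
Chain PAROLE (16 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain PUB_IN (5 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3306
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
"""

def parse_chains(text):
    """Return {chain: [(target, proto, dport or None), ...]} in rule order."""
    chains, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "target":   # blank line or column header
            continue
        if fields[0] == "Chain":
            current = chains.setdefault(fields[1], [])
        elif current is not None and len(fields) >= 5:
            dpt = re.search(r"dpt:(\d+)", line)
            current.append((fields[0], fields[1], int(dpt.group(1)) if dpt else None))
    return chains

def verdict(chains, chain, proto, port, path=()):
    """First-match walk; returns (verdict, chains visited). None = no rule decided."""
    path = path + (chain,)
    for target, rule_proto, dport in chains.get(chain, []):
        if rule_proto not in ("all", proto) or (dport is not None and dport != port):
            continue                               # rule does not match this packet
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, path
        if target == "RETURN":
            return None, path
        result, sub = verdict(chains, target, proto, port, path)  # jump to user chain
        if result is not None:
            return result, sub
    return None, path

if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        print(proto, 53, verdict(parse_chains(LISTING), "PUB_IN", proto, 53))
```

For the posted PUB_IN rules this returns ACCEPT for both tcp/53 and udp/53. Run it on `iptables -L -n -v` output when interface matches matter, since the plain `-L -n` form does not print them.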