Hi, I have the above setup, which was installed using the following: https://www.howtoforge.com/perfect-...l-php-pureftpd-postfix-dovecot-and-ispconfig3 However, when I update the firewall rules in ISPConfig it does not update the iptables rules (they're blank), and fail2ban also does not seem to work. Can you help resolve this issue? Where do I start?
Ok. Fail2ban is not connected to ISPConfig, so when fail2ban fails and the Bastille firewall fails, there must be a general problem with iptables on your server which is not related to ISPConfig. Please post the output of:

iptables -L
Output below:

[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Ok, what happens with this output when you start fail2ban and the bastille-firewall with their init scripts?
I get this:

[root@server1 ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:webcache

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Although I have no idea where those rules are coming from, as they do not match those in ISPConfig, which are TCP ports 20,21,22,25,53,80,110,143,443,587,816,993,995,3306,8080,8081,10000.
Also:

[root@server1 ~]# service bastille-firewall status
Chain INPUT (policy DROP 203 packets, 16646 bytes)
 pkts bytes target     prot opt in     out     source               destination
41569   10M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
  162  8124 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   44  2416 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080

Chain FORWARD (policy ACCEPT 3 packets, 128 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 41969 packets, 9839K bytes)
 pkts bytes target     prot opt in     out     source               destination

So does it mean that ISPConfig is not updating Bastille correctly?
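The poster is comparing the port list configured in ISPConfig against what the live ruleset actually accepts by eye. The following added script (not ISPConfig's or Bastille's own code) does that comparison mechanically from `iptables -S` output. It assumes ports appear as single `--dport N` matches (no multiport), and it counts a rule as "open" when its target is ACCEPT or Bastille's PAROLE chain, which in the later output in this thread contains only an ACCEPT rule. The sample ruleset embedded below is constructed to mirror the ports shown in the bastille-firewall status output above.

```shell
#!/bin/sh
# Added example (not ISPConfig's or Bastille's own code): compare the TCP
# ports ISPConfig is configured to open with the ports the live ruleset
# actually lets in, using `iptables -S` output as input.
# Assumptions: ports are single `--dport N` matches (no multiport), and a rule
# counts as "open" when its target is ACCEPT or Bastille's PAROLE chain, which
# in the thread's later output is a chain containing only an ACCEPT rule.

# Port list exactly as configured in the ISPConfig firewall record above.
ISPCONFIG_TCP_PORTS="20,21,22,25,53,80,110,143,443,587,816,993,995,3306,8080,8081,10000"

# Constructed sample in `iptables -S` format, mirroring the ports that the
# `service bastille-firewall status` output in the thread showed as ACCEPTed.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT'

# to_lines "20,21,22" -> one port per line, numerically sorted, duplicates removed
to_lines() {
    printf '%s\n' "$1" | tr ',' '\n' | sort -n -u
}

# open_tcp_ports RULES -> TCP destination ports whose rule jumps to ACCEPT or PAROLE
open_tcp_ports() {
    printf '%s\n' "$1" |
        grep -- '-p tcp' |
        grep -E -- '-j (ACCEPT|PAROLE)$' |
        sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p' |
        sort -n -u
}

# input_policy RULES -> the INPUT chain's default policy (DROP is what you want)
input_policy() {
    printf '%s\n' "$1" | sed -n 's/^-P INPUT \(.*\)$/\1/p'
}

# diff_ports WANT HAVE -> ports listed in WANT (one per line) that are absent
# from HAVE, printed space separated in WANT's order
diff_ports() {
    want=$1; have=$2
    for p in $want; do
        printf '%s\n' "$have" | grep -qx "$p" || printf '%s ' "$p"
    done | sed 's/ $//'
}

# missing_ports CONFIGURED RULES -> configured ports with no open rule
missing_ports() {
    diff_ports "$(to_lines "$1")" "$(open_tcp_ports "$2")"
}

# unexpected_ports CONFIGURED RULES -> open ports that ISPConfig did not configure
unexpected_ports() {
    diff_ports "$(open_tcp_ports "$2")" "$(to_lines "$1")"
}

echo "INPUT policy:         $(input_policy "$SAMPLE_RULES")"
echo "configured, not open: $(missing_ports "$ISPCONFIG_TCP_PORTS" "$SAMPLE_RULES")"
echo "open, not configured: $(unexpected_ports "$ISPCONFIG_TCP_PORTS" "$SAMPLE_RULES")"
# On the live host, replace SAMPLE_RULES with "$(iptables -S)" (run as root).
```

Against the constructed sample this reports ports 20, 21, 53, 587, 816, 3306, 8081 and 10000 as configured but not open, and 465 as open but not configured, which is exactly the mismatch the poster noticed. Running it from cron after each ISPConfig firewall change gives an early warning when the job queue stops applying rules, as happened later in this thread.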
I have reconfigured services (using the update script) and now get:

[root@server1 install]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTAB
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  base-address.mcast.net/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTAB
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (16 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (5 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             icmp destination-un
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ftp-data
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:http
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:imap
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:submission
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:imaps
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:pop3s
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:webcache
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:tproxy
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ndmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (5 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

However, if I make a change to the firewall settings (open an additional port), this is not displayed here. Also, when I click the Monitor option within ISPConfig and select Show IPTables, I get this:

iptables -S (ipv4)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

ip6tables -S (ipv6)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Not sure if it's related, but it seems strange (unless I am misunderstanding what this page should show).
It appears that the jobs are stuck in the job queue. I get the following in the system log:

2016-06-22 14:29 server1.***.co.uk Debug There is already a lockfile set. Waiting another 10 seconds...
2016-06-22 14:29 server1.***.co.uk Debug There is already a lockfile set. Waiting another 10 seconds...
2016-06-22 14:29 server1.***.co.uk Debug There is already an instance of server.php running. Exiting.
Fixed this with:

rm -f /usr/local/ispconfig/server/temp/.ispconfig_lock

The firewall has now updated and is working normally.
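Deleting the lock file fixed the queue here, but the same command would break a legitimate run if a server.php worker were actually holding the lock. The added script below (not part of ISPConfig) classifies the lock before anything is removed. It assumes, beyond what the thread shows, that the worker appears in `ps -eo args` on a line containing `server/server.php`, and it uses a 20-minute age threshold chosen for this example; the lock path is the one from the fix above. The process listings embedded in it are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not ISPConfig's own code: classify the ISPConfig lock file
# that stalled the job queue in this thread. Assumptions (not from the page):
# the worker shows up in `ps -eo args` on a line containing "server/server.php",
# and a lock older than MAX_AGE_MIN minutes with no worker running is "stale".

LOCK_FILE="/usr/local/ispconfig/server/temp/.ispconfig_lock"   # path from the thread
MAX_AGE_MIN=20                                                  # threshold chosen for this example

# worker_running PROCESS_LIST -> succeeds when a server.php worker is listed
worker_running() {
    printf '%s\n' "$1" | grep -q 'server/server\.php'
}

# lock_is_old LOCK MAX_MIN -> succeeds when LOCK's mtime is older than MAX_MIN minutes
lock_is_old() {
    [ -n "$(find "$1" -mmin +"$2" 2>/dev/null)" ]
}

# lock_state LOCK MAX_MIN PROCESS_LIST -> prints exactly one of:
#   absent  no lock file, the queue is free to run
#   held    lock present and a worker is running: normal, do not touch it
#   fresh   lock present, no worker, but younger than MAX_MIN: a run may just be starting
#   stale   lock present, no worker, older than MAX_MIN: the situation in the thread
lock_state() {
    lock=$1; max=$2; procs=$3
    if [ ! -e "$lock" ]; then
        echo absent
    elif worker_running "$procs"; then
        echo held
    elif lock_is_old "$lock" "$max"; then
        echo stale
    else
        echo fresh
    fi
}

# Demonstration on constructed data so this runs offline; the live check is
#   lock_state "$LOCK_FILE" "$MAX_AGE_MIN" "$(ps -eo args)"
demo_dir=$(mktemp -d)
demo_lock="$demo_dir/.ispconfig_lock"
touch "$demo_lock"
touch -t 202001010000 "$demo_lock"        # backdate the lock (POSIX touch -t)
CONSTRUCTED_PS_IDLE='/usr/sbin/cron -f
/usr/sbin/sshd -D'
CONSTRUCTED_PS_BUSY='/usr/sbin/cron -f
/usr/bin/php -q /usr/local/ispconfig/server/server.php'
echo "old lock, no worker: $(lock_state "$demo_lock" "$MAX_AGE_MIN" "$CONSTRUCTED_PS_IDLE")"
echo "old lock, worker:    $(lock_state "$demo_lock" "$MAX_AGE_MIN" "$CONSTRUCTED_PS_BUSY")"
rm -rf "$demo_dir"
```

Only the `stale` result justifies the `rm -f` used above; `held` means a worker is legitimately inside its run, and `fresh` means the lock was just created and the worker may not be visible yet, so wait and check again rather than delete.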