ISPConfig 3.0.5.4p9 Not updating IPTables and Fail2ban not working

Discussion in 'ISPConfig 3 Priority Support' started by rgwilliams20, Jun 22, 2016.

  1. rgwilliams20

    rgwilliams20 New Member

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Is this a virtual server or a root server?
     
  3. rgwilliams20

    rgwilliams20 New Member

    Hi,

    This is a root server.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok. Fail2ban is not connected to ISPConfig, so when both fail2ban and the bastille firewall fail, there must be a general problem with iptables on your server that is not related to ISPConfig.

    Please post the output of:

    iptables -L
     
  5. rgwilliams20

    rgwilliams20 New Member

    Output below:

    [root@server1 ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, what happens with this output when you start fail2ban and the bastille-firewall with their init scripts?
     
  7. rgwilliams20

    rgwilliams20 New Member

    I get this:

    [root@server1 ~]# iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    ACCEPT all -- anywhere anywhere
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT tcp -- anywhere anywhere tcp dpt:https
    ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
    ACCEPT tcp -- anywhere anywhere tcp dpt:urd
    ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
    ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
    ACCEPT tcp -- anywhere anywhere tcp dpt:imap
    ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
    ACCEPT tcp -- anywhere anywhere tcp dpt:webcache

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Although I have no idea where those rules are coming from, as they do not match those in ISPConfig, which are TCP ports 20,21,22,25,53,80,110,143,443,587,816,993,995,3306,8080,8081,10000.
     
  8. rgwilliams20

    rgwilliams20 New Member

    Also

    [root@server1 ~]# service bastille-firewall status
    Chain INPUT (policy DROP 203 packets, 16646 bytes)
    pkts bytes target prot opt in out source destination
    41569 10M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
    162 8124 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    44 2416 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    1 44 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    3 156 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080

    Chain FORWARD (policy ACCEPT 3 packets, 128 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 41969 packets, 9839K bytes)
    pkts bytes target prot opt in out source destination

    So does it mean that ISPConfig is not updating Bastille correctly?
     
  9. rgwilliams20

    rgwilliams20 New Member

    I have reconfigured services (using the update script) and now get:
    [root@server1 install]# iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP tcp -- anywhere loopback/8
    ACCEPT all -- anywhere anywhere state RELATED,ESTAB
    ACCEPT all -- anywhere anywhere
    DROP all -- base-address.mcast.net/4 anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTAB
    DROP all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain PAROLE (16 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain PUB_IN (5 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-un
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp-data
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp
    PAROLE tcp -- anywhere anywhere tcp dpt:ssh
    PAROLE tcp -- anywhere anywhere tcp dpt:smtp
    PAROLE tcp -- anywhere anywhere tcp dpt:domain
    PAROLE tcp -- anywhere anywhere tcp dpt:http
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3
    PAROLE tcp -- anywhere anywhere tcp dpt:imap
    PAROLE tcp -- anywhere anywhere tcp dpt:https
    PAROLE tcp -- anywhere anywhere tcp dpt:submission
    PAROLE tcp -- anywhere anywhere tcp dpt:imaps
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3s
    PAROLE tcp -- anywhere anywhere tcp dpt:webcache
    PAROLE tcp -- anywhere anywhere tcp dpt:tproxy
    PAROLE tcp -- anywhere anywhere tcp dpt:ndmp
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    DROP icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain PUB_OUT (5 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    However, if I make a change to the firewall settings (open an additional port), this is not displayed here.

    Also, when I click the monitor option within ISPConfig and select Show IPTables, I get this:

    iptables -S (ipv4)
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT

    ip6tables -S (ipv6)
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT

    Not sure if it's related, but it seems strange (unless I am misunderstanding what this page should show).
     
    Last edited: Jun 22, 2016
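As an added check (example code, not from the thread, ISPConfig or Bastille), the script below compares the port list from the ISPConfig firewall panel, as quoted in post 7, against the `dpt:` ports present in `iptables -L -n` output. The sample ruleset is constructed, modelled on the bastille-firewall listing in post 8; note that without `-n`, iptables prints service names (http, urd, webcache) instead of numbers, which is what makes the listings above hard to compare by eye.

```shell
#!/bin/sh
# Audit the live firewall against the port list configured in the ISPConfig panel.
# Port list as shown in the ISPConfig panel in post 7 of the thread.
EXPECTED_PORTS="20 21 22 25 53 80 110 143 443 587 816 993 995 3306 8080 8081 10000"

# Constructed sample of `iptables -L -n` output (not a real capture), modelled on the
# bastille-firewall listing in post 8: ftp, dns, submission and mysql are absent, 465 is extra.
SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source     destination
ACCEPT     all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:8080'

# open_ports RULES: numeric tcp dpt values from every rule whose target is not DROP/REJECT
# (this also catches ISPConfig's PUB_IN -> PAROLE jumps), one per line, sorted.
open_ports() {
    printf '%s\n' "$1" | grep 'tcp dpt:[0-9]' | grep -Ev '^(DROP|REJECT)' \
        | sed 's/.*tcp dpt:\([0-9]*\).*/\1/' | sort -n | uniq
}

# missing_ports EXPECTED RULES: ports the panel lists but the live ruleset does not open.
missing_ports() {
    open=" $(open_ports "$2" | tr '\n' ' ')"
    for p in $1; do
        case "$open" in *" $p "*) ;; *) printf '%s ' "$p" ;; esac
    done | sed 's/ $//'
}

# unexpected_ports EXPECTED RULES: open ports the panel does not list (here 465).
unexpected_ports() {
    for p in $(open_ports "$2"); do
        case " $1 " in *" $p "*) ;; *) printf '%s ' "$p" ;; esac
    done | sed 's/ $//'
}

# On a real server replace SAMPLE_RULES with: "$(iptables -L -n)"
echo "missing:    $(missing_ports "$EXPECTED_PORTS" "$SAMPLE_RULES")"
echo "unexpected: $(unexpected_ports "$EXPECTED_PORTS" "$SAMPLE_RULES")"
```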
  10. rgwilliams20

    rgwilliams20 New Member

    It appears that the jobs are stuck in the job queue; I get the following in the system log:

    2016-06-22 14:29 server1.***.co.uk Debug There is already a lockfile set. Waiting another 10 seconds...
    2016-06-22 14:29 server1.***.co.uk Debug There is already a lockfile set. Waiting another 10 seconds...
    2016-06-22 14:29 server1.***.co.uk Debug There is already an instance of server.php running. Exiting.
     
  11. rgwilliams20

    rgwilliams20 New Member

    Fixed this with:

    rm -f /usr/local/ispconfig/server/temp/.ispconfig_lock

    The firewall has now updated and is working normally.
     