Hello all, I have the latest ISPConfig version on Debian 4.0. When I do an nslookup with the firewall enabled I get a DNS timeout. When I disable the firewall, all DNS stuff is running fine. What can cause this error? Can someone help? tia stefan
What does iptables -L show when the firewall is enabled? I guess it blocks outgoing connections (tcp/udp) on port 53 (DNS). If so, you should also see this blocked request in /var/log/messages. What data do you have in your /etc/resolv.conf?
Code:
    willy:/home/stefan# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             127.0.0.0/8
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     0    --  anywhere             anywhere
    DROP       0    --  224.0.0.0/4          anywhere
    PUB_IN     0    --  anywhere             anywhere
    PUB_IN     0    --  anywhere             anywhere
    PUB_IN     0    --  anywhere             anywhere
    PUB_IN     0    --  anywhere             anywhere
    DROP       0    --  anywhere             anywhere

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    DROP       0    --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    PUB_OUT    0    --  anywhere             anywhere
    PUB_OUT    0    --  anywhere             anywhere
    PUB_OUT    0    --  anywhere             anywhere
    PUB_OUT    0    --  anywhere             anywhere

    Chain INT_IN (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere
    DROP       0    --  anywhere             anywhere

    Chain INT_OUT (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere

    Chain PAROLE (13 references)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere

    Chain PUB_IN (4 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:81
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:webmin
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imaps
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imap2
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:rplay
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    DROP       icmp --  anywhere             anywhere
    DROP       0    --  anywhere             anywhere

    Chain PUB_OUT (4 references)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere

    Chain fail2ban-apache (0 references)
    target     prot opt source               destination
    RETURN     0    --  anywhere             anywhere

    Chain fail2ban-apache-noscript (0 references)
    target     prot opt source               destination
    RETURN     0    --  anywhere             anywhere

    Chain fail2ban-couriersmtp (0 references)
    target     prot opt source               destination
    RETURN     0    --  anywhere             anywhere

    Chain fail2ban-proftpd (0 references)
    target     prot opt source               destination
    RETURN     0    --  anywhere             anywhere

    Chain fail2ban-sasl (0 references)
    target     prot opt source               destination
    RETURN     0    --  anywhere             anywhere

    Chain fail2ban-ssh (0 references)
    target     prot opt source               destination
    RETURN     0    --  anywhere             anywhere
    willy:/home/stefan#

In /var/log/messages there is nothing, and resolv.conf is okay, because it's working with the firewall disabled. Okay, the firewall blocks loopback. Can this cause the error? How can I configure the firewall correctly with ISPConfig? And I see that there are no DNS entries via iptables -L, but I have them in the firewall web interface! tia stefan
Can you post your /etc/resolv.conf? I'd like to see if you use external nameservers or internal ones (maybe on the system itself - that might get blocked by the firewall if you use 192.168.0.100 for example instead of 127.0.0.1).
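The listing above is the plain `iptables -L` form, which hides the interface column, so the `DROP tcp -- anywhere 127.0.0.0/8` rule in INPUT could be a harmless anti-spoofing rule on the public interface or the rule that kills lookups against a resolver on 127.0.0.1. The script below is an added example for this thread (not ISPConfig code and not from any poster): it parses `iptables -L` text, follows jumps into user chains such as PAROLE to a final verdict, lists the rules that match port 53, and flags DROP rules aimed at loopback. The embedded `SAMPLE` is a trimmed copy of the listing posted above; the function names are mine.

```python
"""Parse the text output of `iptables -L` and pull out the rules that decide
whether DNS traffic and loopback traffic get through.

Added diagnostic example; it is not ISPConfig code and only understands the
non-verbose (`iptables -L`) column layout."""
import re
from collections import OrderedDict

# Constructed sample: a trimmed copy of the listing posted in this thread.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             127.0.0.0/8
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere
DROP       0    --  224.0.0.0/4          anywhere
PUB_IN     0    --  anywhere             anywhere
DROP       0    --  anywhere             anywhere

Chain PAROLE (13 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
DROP       icmp --  anywhere             anywhere
DROP       0    --  anywhere             anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")


def parse_iptables(text):
    """Return {chain: {"policy": str or None, "rules": [dict, ...]}}."""
    chains = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if line.startswith("target") or current is None:
            continue  # column header (or text before the first chain)
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue  # not a rule line
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""
        chains[current]["rules"].append(
            {"target": target, "prot": prot, "src": src, "dst": dst, "extra": extra})
    return chains


def resolve_target(chains, target, depth=0):
    """Follow a jump into a user chain until an unconditional verdict is found.
    Returns ACCEPT/DROP/REJECT/RETURN, or the chain name if none is found."""
    if target in ("ACCEPT", "DROP", "REJECT", "RETURN") or target not in chains or depth > 10:
        return target
    for r in chains[target]["rules"]:
        if r["src"] == "anywhere" and r["dst"] == "anywhere" and not r["extra"]:
            return resolve_target(chains, r["target"], depth + 1)
    return target


def dns_rules(chains):
    """Rules that explicitly match port 53 (`iptables -L` prints it as 'domain')."""
    hits = []
    for name, chain in chains.items():
        for r in chain["rules"]:
            if "dpt:domain" in r["extra"] or "dpt:53" in r["extra"]:
                hits.append((name, r["prot"], resolve_target(chains, r["target"])))
    return hits


def loopback_drops(chains):
    """DROP rules whose destination is 127.0.0.0/8.  Without -v the interface
    is hidden, so such a rule may be a harmless anti-spoof rule on the public
    NIC or the one that kills lookups against a resolver on 127.0.0.1."""
    return [(name, r["prot"], r["dst"]) for name, c in chains.items()
            for r in c["rules"] if r["target"] == "DROP" and r["dst"].startswith("127.")]


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    chains = parse_iptables(text)
    for name, c in chains.items():
        print("%-12s policy=%s rules=%d" % (name, c["policy"], len(c["rules"])))
    print("port-53 rules:", dns_rules(chains))
    print("loopback DROPs:", loopback_drops(chains))
```

Feed it with `iptables -L | python3 script.py`. To settle the interface question, run `iptables -L -v -n` by hand and look at the `in` column of the loopback DROP rule; `-n` also stops iptables from trying reverse lookups on every address and port, which is exactly what hangs when DNS is broken.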
You see, I played around with resolv.conf:
Code:
    search nopanicsystems.org
    nameserver 127.0.0.1
    nameserver 212.144.241.130   -> local IP
    #nameserver 127.0.0.1
    nameserver 212.144.241.129   -> forwarder
    #nameserver 127.0.0.1

tia stefan
When I have the firewall enabled I get email messages saying:
Code:
    WARNING: service web not running (server: host.domain.tld, port: 80)!

every 30 minutes. I think it means ISPConfig itself, or? Because I don't have a web called "host.domain.tld". Hmm, what is going wrong here? Can someone help? tia stefan
Maybe you set host.domain.tld in the server settings of ISPConfig? Please check it there and correct it. You should also have a look at your /etc/hosts file and the output of the command "hostname -f".
Please try external nameservers in /etc/resolv.conf, e.g.
Code:
    nameserver 145.253.2.75
    nameserver 193.174.32.18
I changed resolv.conf to your nameservers and it's working. So it's a firewall issue? What can I do to use the system's nameserver with the firewall enabled? tia stefan
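The test in the two posts above (swap nameservers in resolv.conf, see whether lookups come back) can be made explicit: send one UDP query to each configured nameserver and look at how it fails. A query that gets an ICMP port-unreachable means the host is reachable and nothing listens on 53; a query that times out with no error at all is the usual signature of a DROP rule. The script below is an added example for this thread, not ISPConfig code and not from any poster. `RESOLV_CONF` is a constructed file modelled on the one posted above, and `stub_server` is a constructed stand-in nameserver on 127.0.0.1 so the classification can be exercised offline; the function names are mine.

```python
"""Probe every nameserver listed in a resolv.conf with a minimal DNS query and
classify the outcome: answered, refused (host up, nothing on the port) or
timeout (no reply and no ICMP, the usual signature of a firewall DROP).

Added example for this thread; not part of ISPConfig or the poster's setup."""
import socket
import struct
import threading

# Constructed resolv.conf, modelled on the one posted above.
RESOLV_CONF = """\
search nopanicsystems.org
nameserver 127.0.0.1
#nameserver 212.144.241.130
"""


def nameservers(resolv_text):
    """Return the nameserver addresses, ignoring comments and other keywords."""
    servers = []
    for line in resolv_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def build_query(name, qid=0x1234):
    """Wire-format DNS query for an A record, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def probe(server, port=53, name="localhost", timeout=2.0):
    """Send one query over UDP and report how the server (or the firewall) reacted."""
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((server, port))   # connected UDP: ICMP port-unreachable surfaces as an error
        sock.send(query)
        data = sock.recv(512)
    except ConnectionRefusedError:
        return "refused"               # host reachable, nothing listening on that port
    except socket.timeout:
        return "timeout"               # silently dropped: check the firewall first
    except OSError as exc:
        return "error: %s" % exc
    finally:
        sock.close()
    if len(data) >= 12 and data[:2] == query[:2] and data[2] & 0x80:
        return "answered(rcode=%d)" % (data[3] & 0x0F)
    return "unexpected reply"


def stub_server(reply):
    """Constructed offline stand-in for a nameserver on 127.0.0.1: answers one
    query with a minimal response, or (reply=False) swallows it the way a DROP
    rule would.  Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(10)
    port = srv.getsockname()[1]

    def run():
        try:
            data, addr = srv.recvfrom(512)
            if reply:
                # keep the id and question, set QR/RD/RA with rcode NOERROR
                srv.sendto(data[:2] + b"\x81\x80" + data[4:], addr)
        except socket.timeout:
            pass
        finally:
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    try:
        with open("/etc/resolv.conf") as fh:
            conf = fh.read()
    except OSError:
        conf = RESOLV_CONF
    for ns in nameservers(conf):
        print("%-16s %s" % (ns, probe(ns)))
```

Run it once with the firewall enabled and once disabled: a nameserver that flips from "timeout" to "answered" points at the ruleset, while "refused" in both runs points at the resolver process itself. The "refused" path relies on Linux reporting ICMP port-unreachable on a connected UDP socket.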
These ports are already defined, open and active on the web interface, and this is not working. tia stefan
Code:
    willy:~# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             127.0.0.0/8
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     0    --  anywhere             anywhere
    DROP       0    --  224.0.0.0/4          anywhere
    PUB_IN     0    --  anywhere             anywhere
    PUB_IN     0    --  anywhere             anywhere
    PUB_IN     0    --  anywhere             anywhere
    PUB_IN     0    --  anywhere             anywhere
    DROP       0    --  anywhere             anywhere

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    DROP       0    --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    PUB_OUT    0    --  anywhere             anywhere
    PUB_OUT    0    --  anywhere             anywhere
    PUB_OUT    0    --  anywhere             anywhere
    PUB_OUT    0    --  anywhere             anywhere

    Chain INT_IN (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere
    DROP       0    --  anywhere             anywhere

    Chain INT_OUT (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere

    Chain PAROLE (14 references)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere

    Chain PUB_IN (4 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:81
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:webmin
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imaps
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imap2
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:rplay
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:953
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    DROP       icmp --  anywhere             anywhere
    DROP       0    --  anywhere             anywhere

    Chain PUB_OUT (4 references)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere

    Chain fail2ban-apache (0 references)
    target     prot opt source               destination
    RETURN     0    --  anywhere             anywhere

    Chain fail2ban-apache-noscript (0 references)
    target     prot opt source               destination
    RETURN     0    --  anywhere             anywhere

    Chain fail2ban-couriersmtp (0 references)
    target     prot opt source               destination
    RETURN     0    --  anywhere             anywhere

    Chain fail2ban-proftpd (0 references)
    target     prot opt source               destination
    RETURN     0    --  anywhere             anywhere

    Chain fail2ban-sasl (0 references)
    target     prot opt source               destination
    RETURN     0    --  anywhere             anywhere

    Chain fail2ban-ssh (0 references)
    target     prot opt source               destination
    RETURN     0    --  anywhere             anywhere
    willy:~#

tia stefan
Hello all, I still have the problem. The last check seems to be some cache entries. Now I have to notice that a DNS lookup is not working with the firewall enabled, using loopback or external nameservers! Also I tried my official IPs. Can someone help? tia stefan
Hmm, I tried iptables -F and did a system reboot. No change. Reinstalling iptables doesn't do it either. What else can I try? tia stefan
I think it's solved
Hello all, I think I have it solved. On that machine there is an OpenVZ ( http://openvz.org ) installation. I did an OpenVZ kernel upgrade and it seems that now all is running well!!! Thanks all for your help. stefan