Servers are not accessible after Bastille is activated

Discussion in 'General' started by zimon, Apr 13, 2023.

  1. zimon

    zimon New Member

    I have 3 servers running CentOS 7.9. I never activated the ISPConfig built-in firewall, but decided to do so after the latest ISPConfig upgrade to 3.2.8p1. Strangely enough, on 2 out of the 3 servers the machines became unreachable after I ran: bastille-firewall start

    When I stop the firewall the machines become accessible again. No other firewall is activated on these machines (from what I can tell). What am I doing wrong?

    Including below the output of iptables -n -L from each of the machines.
     
  2. zimon

    zimon New Member

    Server A: Machine IS accessible after bastille is activated
    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination        
        0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8        
       12   768 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
        0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0          
        0     0 PUB_IN     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0          
        0     0 PUB_IN     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0          
        0     0 PUB_IN     all  --  slip+  *       0.0.0.0/0            0.0.0.0/0          
        0     0 PUB_IN     all  --  venet+ *       0.0.0.0/0            0.0.0.0/0          
        0     0 PUB_IN     all  --  bond+  *       0.0.0.0/0            0.0.0.0/0          
        3   132 PUB_IN     all  --  en+    *       0.0.0.0/0            0.0.0.0/0          
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination        
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination        
        0     0 PUB_OUT    all  --  *      eth+    0.0.0.0/0            0.0.0.0/0          
        0     0 PUB_OUT    all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0          
        0     0 PUB_OUT    all  --  *      slip+   0.0.0.0/0            0.0.0.0/0          
        0     0 PUB_OUT    all  --  *      venet+  0.0.0.0/0            0.0.0.0/0          
        0     0 PUB_OUT    all  --  *      bond+   0.0.0.0/0            0.0.0.0/0          
       16  3769 PUB_OUT    all  --  *      en+     0.0.0.0/0            0.0.0.0/0          
    
    Chain INT_IN (0 references)
     pkts bytes target     prot opt in     out     source               destination        
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    
    Chain INT_OUT (0 references)
     pkts bytes target     prot opt in     out     source               destination        
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    
    Chain PAROLE (18 references)
     pkts bytes target     prot opt in     out     source               destination        
        1    52 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    
    Chain PUB_IN (6 references)
     pkts bytes target     prot opt in     out     source               destination        
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
        1    52 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8321
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8322
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3306
        0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
        2    80 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    
    Chain PUB_OUT (6 references)
     pkts bytes target     prot opt in     out     source               destination        
       12  1537 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    
    Chain f2b-postfix-sasl (0 references)
     pkts bytes target     prot opt in     out     source               destination        
       74  4410 REJECT     all  --  *      *       141.98.10.151        0.0.0.0/0            reject-with icmp-port-unreachable
      337 19742 REJECT     all  --  *      *       141.98.10.159        0.0.0.0/0            reject-with icmp-port-unreachable
      784 45102 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
    
     
  3. zimon

    zimon New Member

    Server B: Machine is NOT accessible after bastille is activated
    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8         
       17  1144 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0           
        0     0 PUB_IN     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_IN     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_IN     all  --  slip+  *       0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_IN     all  --  venet+ *       0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_IN     all  --  bond+  *       0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_IN     all  --  en+    *       0.0.0.0/0            0.0.0.0/0           
       13   740 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 13 packets, 1748 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 PUB_OUT    all  --  *      eth+    0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_OUT    all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_OUT    all  --  *      slip+   0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_OUT    all  --  *      venet+  0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_OUT    all  --  *      bond+   0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_OUT    all  --  *      en+     0.0.0.0/0            0.0.0.0/0           
    
    Chain INT_IN (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain INT_OUT (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain PAROLE (19 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain PUB_IN (6 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8321
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8322
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:57283
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3306
        0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain PUB_OUT (6 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain f2b-postfix-sasl (0 references)
     pkts bytes target     prot opt in     out     source               destination         
       18  1080 REJECT     all  --  *      *       87.246.7.229         0.0.0.0/0            reject-with icmp-port-unreachable
       18  1080 REJECT     all  --  *      *       80.94.95.205         0.0.0.0/0            reject-with icmp-port-unreachable
       14   840 REJECT     all  --  *      *       46.148.40.65         0.0.0.0/0            reject-with icmp-port-unreachable
       12   720 REJECT     all  --  *      *       46.148.40.62         0.0.0.0/0            reject-with icmp-port-unreachable
       12   720 REJECT     all  --  *      *       46.148.40.60         0.0.0.0/0            reject-with icmp-port-unreachable
       32  1920 REJECT     all  --  *      *       141.98.10.159        0.0.0.0/0            reject-with icmp-port-unreachable
        7   420 REJECT     all  --  *      *       141.98.10.151        0.0.0.0/0            reject-with icmp-port-unreachable
       27  1550 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0 
    
     
  4. zimon

    zimon New Member

    Server C: Machine is NOT accessible after bastille is activated
    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8         
       37  2430 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0           
        0     0 PUB_IN     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_IN     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_IN     all  --  slip+  *       0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_IN     all  --  venet+ *       0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_IN     all  --  bond+  *       0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_IN     all  --  en+    *       0.0.0.0/0            0.0.0.0/0           
      105  9702 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 59 packets, 91265 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 PUB_OUT    all  --  *      eth+    0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_OUT    all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_OUT    all  --  *      slip+   0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_OUT    all  --  *      venet+  0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_OUT    all  --  *      bond+   0.0.0.0/0            0.0.0.0/0           
        0     0 PUB_OUT    all  --  *      en+     0.0.0.0/0            0.0.0.0/0           
    
    Chain INT_IN (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain INT_OUT (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain PAROLE (19 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain PUB_IN (6 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8321
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8322
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
        0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:57283
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3306
        0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain PUB_OUT (6 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain f2b-FTP (0 references)
     pkts bytes target     prot opt in     out     source               destination         
       35  1628 REJECT     all  --  *      *       121.5.50.91          0.0.0.0/0            reject-with icmp-port-unreachable
       15   704 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain f2b-postfix-sasl (0 references)
     pkts bytes target     prot opt in     out     source               destination         
       26  1560 REJECT     all  --  *      *       87.246.7.229         0.0.0.0/0            reject-with icmp-port-unreachable
       27  1620 REJECT     all  --  *      *       80.94.95.205         0.0.0.0/0            reject-with icmp-port-unreachable
       59  3542 REJECT     all  --  *      *       141.98.10.159        0.0.0.0/0            reject-with icmp-port-unreachable
       12   720 REJECT     all  --  *      *       141.98.10.151        0.0.0.0/0            reject-with icmp-port-unreachable
      100  5716 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain f2b-sshd (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 REJECT     all  --  *      *       47.254.120.250       0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 REJECT     all  --  *      *       211.115.68.228       0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 REJECT     all  --  *      *       8.215.65.177         0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 REJECT     all  --  *      *       122.254.95.86        0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 REJECT     all  --  *      *       159.223.184.117      0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 REJECT     all  --  *      *       20.189.74.132        0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 REJECT     all  --  *      *       121.173.251.86       0.0.0.0/0            reject-with icmp-port-unreachable
      174 12831 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0 
    
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Do you have the ports opened in the ISPConfig firewall settings? System > Firewall > server1.example.com (add server if it does not exist there yet)
     
  6. zimon

    zimon New Member

    I do have all the ports opened in the Firewall section of ISPConfig. However, when I check the activate button (or run the bastille start command from the CLI), the server becomes inaccessible. The only way to get back into the server is to run the bastille stop command (from the CLI) and then deactivate the firewall from within the ISPConfig GUI.
     
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You have fail2ban running on those hosts, and it has blocked some IP-numbers. Do those numbers belong to the hosts you try to test from?
     
  8. Alex Mamatuik

    Alex Mamatuik Member

    If you were looking how to open ports:
    Code:
    iptables -L --line-numbers -n
    iptables -I INPUT -p tcp --dport {desired_port} -m state --state NEW -j ACCEPT
    service iptables save
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Those REJECT ports are blocked by fail2ban, better to use fail2ban-client for unblocking. Read man fail2ban-client, the unban command.
     
  10. Alex Mamatuik

    Alex Mamatuik Member

    From the documentation:
    The unban works with IP, not with ports.
     
  11. zimon

    zimon New Member

    No, those numbers do not belong to the host from which I test. When I stop the bastille/ISPConfig firewall the Fail2Ban rules are still active, yet at that point I am able to access the servers again. So indeed the issue seems to be with the bastille/ISPConfig rules. The question is what.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Stop fail2ban as well as bastille; are there any iptables rules left? If yes, then you might already be running another firewall like firewalld which interferes with bastille.
     
  13. zimon

    zimon New Member

    Good idea. Just tried that. No rules are active after I stop Fail2ban:
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination      
       
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    I then started Bastille without Fail2ban and at that point the server becomes inaccessible. These are the iptables rules with Fail2ban stopped and Bastille started:
    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination        
    DROP       tcp  --  0.0.0.0/0            127.0.0.0/8        
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
    DROP       all  --  224.0.0.0/4          0.0.0.0/0          
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0          
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0          
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0          
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0          
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0          
    PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0          
    DROP       all  --  0.0.0.0/0            0.0.0.0/0          
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination        
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    DROP       all  --  0.0.0.0/0            0.0.0.0/0          
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination        
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0          
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0          
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0          
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0          
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0          
    PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0          
    
    Chain INT_IN (0 references)
    target     prot opt source               destination        
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          
    DROP       all  --  0.0.0.0/0            0.0.0.0/0          
    
    Chain INT_OUT (0 references)
    target     prot opt source               destination        
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
    
    Chain PAROLE (19 references)
    target     prot opt source               destination        
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
    
    Chain PUB_IN (6 references)
    target     prot opt source               destination        
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 0
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:465
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8321
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8322
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
    PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:57283
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:3306
    DROP       icmp --  0.0.0.0/0            0.0.0.0/0          
    DROP       all  --  0.0.0.0/0            0.0.0.0/0          
    
    Chain PUB_OUT (6 references)
    target     prot opt source               destination        
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
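
The counters in the listings above give a clue worth checking before looking anywhere else. On Server A the PUB_IN jump for en+ has counted 3 packets, while on Servers B and C every PUB_IN jump shows 0 packets and the chain's final "DROP all" has counted 13 and 105 packets respectively. An iptables pattern of the form name+ only matches interfaces whose name starts with name, so an inbound interface outside the six prefixes in the INPUT chain (eth+, ppp+, slip+, venet+, bond+, en+) never reaches PUB_IN at all and lands on that catch-all DROP, whatever ports are opened in ISPConfig. The script below is an added example, not code from this thread, from ISPConfig or from Bastille. It assumes ip(8) and awk are available and that the wildcard list is exactly the six prefixes visible in the listings; the list Bastille actually applies on a given host comes from its own configuration, which the thread does not show, so compare against that file if it differs.

```shell
#!/bin/sh
# Added diagnostic script; not from the thread, ISPConfig or Bastille.
# Bastille's INPUT chain (listings above) only jumps to PUB_IN for interfaces
# whose names match the "+" prefix wildcards below; anything else falls
# through to the chain's final "DROP all". Two checks follow: which local
# interface names are outside the wildcards, and what the counters in an
# "iptables -nvxL" listing say about that fall-through.

# The six wildcards exactly as they appear in the listed INPUT chains
# (assumption: the host's Bastille config uses the same list).
BASTILLE_PUBLIC_IFACES="eth+ ppp+ slip+ venet+ bond+ en+"

# iptables "name+" means "any interface whose name starts with name".
# Returns 0 if $1 matches at least one pattern in $2, 1 otherwise.
iface_matches() {
    ifname=$1; patterns=$2
    for pat in $patterns; do
        case $pat in
            *+) prefix=${pat%+}
                case $ifname in "$prefix"*) return 0 ;; esac ;;
            *)  [ "$ifname" = "$pat" ] && return 0 ;;
        esac
    done
    return 1
}

# Prints the interfaces in $1 (space-separated) that match no pattern in
# $2, one per line. lo is skipped: INPUT accepts it with its own rule.
uncovered_ifaces() {
    for ifname in $1; do
        [ "$ifname" = lo ] && continue
        iface_matches "$ifname" "$2" || printf '%s\n' "$ifname"
    done
}

# Reads an "iptables -nvxL" listing on stdin; for the INPUT chain prints the
# packets that reached any PUB_IN jump and the packets that hit the final
# catch-all DROP (in=* and 0.0.0.0/0 -> 0.0.0.0/0). pub_in=0 together with
# a non-zero tail_drop means no wildcard matched the inbound interface.
input_counters() {
    awk '
        /^Chain /        { chain = $2; next }
        chain != "INPUT" { next }
        $1 !~ /^[0-9]+$/ { next }
        $3 == "PUB_IN"   { pub += $1 }
        $3 == "DROP" && $6 == "*" && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" { tail = $1 }
        END { printf "pub_in=%d tail_drop=%d\n", pub, tail }'
}

# Abridged excerpt of the Server B INPUT chain quoted earlier in the thread.
sample_listing_b() {
cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8
   17  1144 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
    0     0 PUB_IN     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0
    0     0 PUB_IN     all  --  en+    *       0.0.0.0/0            0.0.0.0/0
   13   740 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Live check of this host: needs ip(8); prints nothing when every interface
# is covered. Names from "ip -o link" may carry an "@peer" suffix (veth).
live_uncovered() {
    command -v ip >/dev/null 2>&1 || return 0
    names=$(ip -o link | awk -F': ' '{print $2}' | cut -d@ -f1 | tr '\n' ' ')
    uncovered_ifaces "$names" "$BASTILLE_PUBLIC_IFACES"
}

# Demonstration on constructed interface lists (not the poster's hosts):
# ens192 is covered by en+, em1 (Dell BIOS naming) and br0 by nothing.
for names in "lo ens192" "lo em1" "lo br0 eth0"; do
    printf '%-14s uncovered: %s\n' "$names" \
        "$(uncovered_ifaces "$names" "$BASTILLE_PUBLIC_IFACES" | tr '\n' ' ')"
done
sample_listing_b | input_counters
if [ "${1:-}" = --live ]; then live_uncovered; fi
```

Run it with --live on an affected host from a console that does not depend on the network; any interface name it prints is one the listed INPUT rules would send to the catch-all DROP rather than to PUB_IN. Feed input_counters with iptables -nvxL rather than -L -v so the packet counters are exact numbers instead of abbreviated ones like 12K.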
    
     
