Solved: Botched my IPTABLES / UFW config, but can't get things back up and running right

Discussion in 'Installation/Configuration' started by fbarcenas, Mar 20, 2018.

  1. fbarcenas

    fbarcenas Member

    I was trying to BAN a few ipranges and make those changes persistent. I messed up and ended up locking my self out, so I just decided I want to go back to the original config. So I ran a:
    Code:
    apt-get remove --purge iptables ufw
    then I re installed them with
    Code:
    apt-get install iptables ufw
    then I ran a
    Code:
    ispconfig_update.sh
    and when it told me that my FIREWALL was disabled I told it to config it, and when it asked to config services I put SELECTED and only configured FIREWALL again.
    Then I went into the ISPCONFIG PANEL and toggled the FIREWALL OFF and bakc ON again, and I got locked out again.
    What could I be doing wrong?
    When UFW is ACTIVE I have no access and my rules are as follows:
    Code:
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -N ufw-after-forward
    -N ufw-after-input
    -N ufw-after-logging-forward
    -N ufw-after-logging-input
    -N ufw-after-logging-output
    -N ufw-after-output
    -N ufw-before-forward
    -N ufw-before-input
    -N ufw-before-logging-forward
    -N ufw-before-logging-input
    -N ufw-before-logging-output
    -N ufw-before-output
    -N ufw-logging-allow
    -N ufw-logging-deny
    -N ufw-not-local
    -N ufw-reject-forward
    -N ufw-reject-input
    -N ufw-reject-output
    -N ufw-skip-to-policy-forward
    -N ufw-skip-to-policy-input
    -N ufw-skip-to-policy-output
    -N ufw-track-input
    -N ufw-track-output
    -N ufw-user-forward
    -N ufw-user-input
    -N ufw-user-limit
    -N ufw-user-limit-accept
    -N ufw-user-logging-forward
    -N ufw-user-logging-input
    -N ufw-user-logging-output
    -N ufw-user-output
    -A INPUT -j ufw-before-logging-input
    -A INPUT -j ufw-before-input
    -A INPUT -j ufw-after-input
    -A INPUT -j ufw-after-logging-input
    -A INPUT -j ufw-reject-input
    -A INPUT -j ufw-track-input
    -A FORWARD -j ufw-before-logging-forward
    -A FORWARD -j ufw-before-forward
    -A FORWARD -j ufw-after-forward
    -A FORWARD -j ufw-after-logging-forward
    -A FORWARD -j ufw-reject-forward
    -A OUTPUT -j ufw-before-logging-output
    -A OUTPUT -j ufw-before-output
    -A OUTPUT -j ufw-after-output
    -A OUTPUT -j ufw-after-logging-output
    -A OUTPUT -j ufw-reject-output
    -A OUTPUT -j ufw-track-output
    -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
    -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
    -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-before-forward -j ufw-user-forward
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-input -m state --state INVALID -j ufw-logging-deny
    -A ufw-before-input -m state --state INVALID -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A ufw-before-input -j ufw-not-local
    -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
    -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
    -A ufw-before-input -j ufw-user-input
    -A ufw-before-output -o lo -j ACCEPT
    -A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -j ufw-user-output
    -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
    -A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
    -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP
    -A ufw-skip-to-policy-forward -j DROP
    -A ufw-skip-to-policy-input -j DROP
    -A ufw-skip-to-policy-output -j ACCEPT
    -A ufw-track-output -p tcp -m state --state NEW -j ACCEPT
    -A ufw-track-output -p udp -m state --state NEW -j ACCEPT
    -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
    -A ufw-user-limit-accept -j ACCEPT
     
    Last edited: Mar 20, 2018
  2. fbarcenas

    fbarcenas Member

    Update: I removed the firewall record in ISPCONFIG and created a NEW one and it all began to work well. Go figure.
     

Share This Page