SSL Cert Question for ISPConfig Access

giganet · Feb 29, 2008

Hi Falko

Thank you..

I stopped Shorewall and attempted accessing ISPConfig without success.

Regards

falko · Mar 1, 2008

What's the output of
Code:
iptables -L
and
Code:
netstat -tap
now?

giganet · Mar 3, 2008

Thank you Falko

the following values are with Shorewall started...

Code:

iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
eth0_in    0    --  anywhere             anywhere
Reject     0    --  anywhere             anywhere
LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:'
reject     0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
eth0_fwd   0    --  anywhere             anywhere
Reject     0    --  anywhere             anywhere
LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject     0    --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
eth0_out   0    --  anywhere             anywhere
Reject     0    --  anywhere             anywhere
LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject     0    --  anywhere             anywhere

Chain Drop (2 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  0    --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid  0    --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            multiport dports loc-srv,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere            multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain Reject (4 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  0    --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid  0    --  anywhere             anywhere
reject     udp  --  anywhere             anywhere            multiport dports loc-srv,microsoft-ds
reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
reject     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
reject     tcp  --  anywhere             anywhere            multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain all2all (0 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     0    --  anywhere             anywhere
LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:all2all:REJECT:'
reject     0    --  anywhere             anywhere

Chain dropBcast (2 references)
target     prot opt source               destination
DROP       0    --  anywhere             anywhere            PKTTYPE = broadcast
DROP       0    --  anywhere             anywhere            PKTTYPE = multicast

Chain dropInvalid (2 references)
target     prot opt source               destination
DROP       0    --  anywhere             anywhere            state INVALID

Chain dropNotSyn (2 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (2 references)
target     prot opt source               destination

Chain eth0_fwd (1 references)
target     prot opt source               destination
dynamic    0    --  anywhere             anywhere            state INVALID,NEW
smurfs     0    --  anywhere             anywhere            state INVALID,NEW
norfc1918  0    --  anywhere             anywhere            state NEW
tcpflags   tcp  --  anywhere             anywhere

Chain eth0_in (1 references)
target     prot opt source               destination
dynamic    0    --  anywhere             anywhere            state INVALID,NEW
smurfs     0    --  anywhere             anywhere            state INVALID,NEW
norfc1918  0    --  anywhere             anywhere            state NEW
tcpflags   tcp  --  anywhere             anywhere
net2fw     0    --  anywhere             anywhere

Chain eth0_out (1 references)
target     prot opt source               destination
fw2net     0    --  anywhere             anywhere

Chain fw2net (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:logdrop:DROP:'
DROP       0    --  anywhere             anywhere

Chain logflags (5 references)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:logflags:DROP:'
DROP       0    --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:logreject:REJECT:'
reject     0    --  anywhere             anywhere

Chain net2all (0 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       0    --  anywhere             anywhere
LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:net2all:DROP:'
DROP       0    --  anywhere             anywhere

Chain net2fw (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     tcp  --  giganetwireless.net  anywhere            tcp dpt:www limit: avg 20/sec burst 24
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:telnet
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  65.197.209.0         anywhere            tcp dpt:69
ACCEPT     udp  --  65.197.209.0         anywhere            udp dpt:tftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www limit: avg 20/sec burst 24
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:81 limit: avg 20/sec burst 24
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2
ACCEPT     udp  --  anywhere             anywhere            udp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:snmp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:snmp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https limit: avg 20/sec burst 24
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 5/sec burst 8
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
ACCEPT     tcp  --  65.197.209.0/24      anywhere            tcp dpt:54000
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:03:25:21:FA:23 tcp dpt:54000
ACCEPT     tcp  --  anywhere             giganetwireless.net tcp dpt:www
ACCEPT     tcp  --  anywhere             giganetwireless.net tcp dpt:https
Drop       0    --  anywhere             anywhere
LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:net2fw:DROP:'
DROP       0    --  anywhere             anywhere

Chain norfc1918 (2 references)
target     prot opt source               destination
rfc1918    0    --  172.16.0.0/12        anywhere
rfc1918    0    --  anywhere             anywhere            ctorigdst 172.16.0.0/12
rfc1918    0    --  192.168.0.0/16       anywhere
rfc1918    0    --  anywhere             anywhere            ctorigdst 192.168.0.0/16
rfc1918    0    --  10.0.0.0/8           anywhere
rfc1918    0    --  anywhere             anywhere            ctorigdst 10.0.0.0/8

Chain reject (11 references)
target     prot opt source               destination
DROP       0    --  anywhere             anywhere            PKTTYPE = broadcast
DROP       0    --  anywhere             anywhere            PKTTYPE = multicast
DROP       0    --  65.197.209.128       anywhere
DROP       0    --  255.255.255.255      anywhere
DROP       0    --  BASE-ADDRESS.MCAST.NET/4  anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable
REJECT     0    --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain rfc1918 (6 references)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:rfc1918:DROP:'
DROP       0    --  anywhere             anywhere

Chain shorewall (0 references)
target     prot opt source               destination

Chain smurfs (2 references)
target     prot opt source               destination
LOG        0    --  65.197.209.128       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       0    --  65.197.209.128       anywhere
LOG        0    --  255.255.255.255      anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       0    --  255.255.255.255      anywhere
LOG        0    --  BASE-ADDRESS.MCAST.NET/4  anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       0    --  BASE-ADDRESS.MCAST.NET/4  anywhere

Chain tcpflags (2 references)
target     prot opt source               destination
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags   tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
logflags   tcp  --  anywhere             anywhere            tcp spt:0 flags:FIN,SYN,RST,ACK/SYN

Code:

netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     19507/mysqld
tcp        0      0 *:54000                 *:*                     LISTEN     3458/sshd
tcp        0      0 *:www                   *:*                     LISTEN     12605/apache2
tcp        0      0 *:81                    *:*                     LISTEN     32013/ispconfig_htt
tcp        0      0 *:ftp                   *:*                     LISTEN     4087/proftpd: (acce
tcp        0      0 65.197.209.20:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.19:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.18:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.17:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.16:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.15:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.14:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.13:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.12:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.11:domain    *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.9:domain     *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.8:domain     *:*                     LISTEN     32313/named
tcp        0      0 65.197.209.7:domain     *:*                     LISTEN     32313/named
tcp        0      0 mail.webmail.gig:domain *:*                     LISTEN     32313/named
tcp        0      0 mail.giganetwire:domain *:*                     LISTEN     32313/named
tcp        0      0 giganetwireless.:domain *:*                     LISTEN     32313/named
tcp        0      0 localhost.locald:domain *:*                     LISTEN     32313/named
tcp        0      0 *:smtp                  *:*                     LISTEN     4002/master
tcp        0      0 localhost.localdoma:953 *:*                     LISTEN     32313/named
tcp        0      0 *:https                 *:*                     LISTEN     12605/apache2
tcp        0      0 giganetwireless.n:54000 65.197.209.112:1048     ESTABLISHED2183/sshd: bender [
tcp6       0      0 *:imaps                 *:*                     LISTEN     6845/couriertcpd
tcp6       0      0 *:pop3s                 *:*                     LISTEN     6884/couriertcpd
tcp6       0      0 *:pop3                  *:*                     LISTEN     6860/couriertcpd
tcp6       0      0 *:imap2                 *:*                     LISTEN     6821/couriertcpd
tcp6       0      0 *:smtp                  *:*                     LISTEN     4002/master
tcp6       0      0 ip6-localhost:953       *:*                     LISTEN     32313/named

Regards

falko · Mar 3, 2008

And with Shorewall switched off?

giganet · Mar 3, 2008

Thank you Falko...

With Shorewall stopped the server returns the following values:

iptables -L

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTAB
LISHED
ACCEPT     0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTAB
LISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

netstat -tap

Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
PID/Program name
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     1
9507/mysqld
tcp        0      0 *:54000                 *:*                     LISTEN     3
458/sshd
tcp        0      0 *:www                   *:*                     LISTEN     1
2605/apache2
tcp        0      0 *:81                    *:*                     LISTEN     3
2013/ispconfig_htt
tcp        0      0 *:ftp                   *:*                     LISTEN     5
952/proftpd: (acce
tcp        0      0 65.197.209.20:domain    *:*                     LISTEN     3
2313/named
tcp        0      0 65.197.209.19:domain    *:*                     LISTEN     3
2313/named
tcp        0      0 65.197.209.18:domain    *:*                     LISTEN     3
2313/named
tcp        0      0 65.197.209.17:domain    *:*                     LISTEN     3
2313/named
tcp        0      0 65.197.209.16:domain    *:*                     LISTEN     3
2313/named
tcp        0      0 65.197.209.15:domain    *:*                     LISTEN     3
2313/named
tcp        0      0 65.197.209.14:domain    *:*                     LISTEN     3
2313/named
tcp        0      0 65.197.209.13:domain    *:*                     LISTEN     3
2313/named
tcp        0      0 65.197.209.12:domain    *:*                     LISTEN     3
2313/named
tcp        0      0 65.197.209.11:domain    *:*                     LISTEN     3
2313/named
tcp        0      0 65.197.209.9:domain     *:*                     LISTEN     3
2313/named
tcp        0      0 65.197.209.8:domain     *:*                     LISTEN     3
2313/named
tcp        0      0 65.197.209.7:domain     *:*                     LISTEN     3
2313/named
tcp        0      0 mail.webmail.gig:domain *:*                     LISTEN     3
2313/named
tcp        0      0 mail.giganetwire:domain *:*                     LISTEN     3
2313/named
tcp        0      0 giganetwireless.:domain *:*                     LISTEN     3
2313/named
tcp        0      0 localhost.locald:domain *:*                     LISTEN     3
2313/named
tcp        0      0 *:smtp                  *:*                     LISTEN     5
913/master
tcp        0      0 localhost.localdoma:953 *:*                     LISTEN     3
2313/named
tcp        0      0 *:https                 *:*                     LISTEN     1
2605/apache2
tcp        0      0 giganetwireless.n:54000 65.197.209.112:3956     ESTABLISHED2
2438/sshd: bender
tcp6       0      0 *:imaps                 *:*                     LISTEN     6
845/couriertcpd
tcp6       0      0 *:pop3s                 *:*                     LISTEN     6
884/couriertcpd
tcp6       0      0 *:pop3                  *:*                     LISTEN     6
860/couriertcpd
tcp6       0      0 *:imap2                 *:*                     LISTEN     6
821/couriertcpd
tcp6       0      0 *:smtp                  *:*                     LISTEN     5
913/master
tcp6       0      0 ip6-localhost:953       *:*                     LISTEN     3
2313/named

Regards

falko · Mar 4, 2008

giganet said:
Thank you Falko...

With Shorewall stopped the server returns the following values:

iptables -L
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTAB
LISHED
ACCEPT     0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTAB
LISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Click to expand...
This means that there still some active firewall rules. Are you maybe using an additional firewall that interferes with Shorewall?

giganet · Mar 5, 2008

Thank you Falko...

Hmm, I have only Shorewall on the server itself.
My DS1' routers have firewall rules within them that specifically allows :81 to each respective servers IP.

In /etc/network/interfaces I have the following lines:
Code:
pre-up iptables-restore < /etc/iptables.up.rules
post-down iptables-save > /etc/iptables.up.rules
Regards

falko · Mar 5, 2008

giganet said:
In /etc/network/interfaces I have the following lines:
Code:
pre-up iptables-restore < /etc/iptables.up.rules
post-down iptables-save > /etc/iptables.up.rules
Regards
Click to expand...
That might be the problem. Comment out these lines and restart the network.

giganet · Mar 7, 2008

Thank you Falko

I commented out the two lines:

Code:

pre-up iptables-restore < /etc/iptables.up.rules
post-down iptables-save > /etc/iptables.up.rules

then I issued /etc/init.d/networking restart.

After that I stopped Shorewall the issued iptables -L and the server still returns the following:

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Regards

falko · Mar 8, 2008

Please try this:
Code:
update-rc.d -f shorewall remove
Then reboot the system.

giganet · Mar 11, 2008

Thank you Falko

I have a question of ignorance here; the command
Code:
update-rc.d -f shorewall remove
isn't going to remove Shorewall is it?

Thank you

Regards

falko · Mar 12, 2008

No, it just removes the startup links for Shorewall so that Shorewall isn't started automatically when the system boots.

giganet · Mar 25, 2008

Thank you, Thank you, Thank you Falko

Thank you, Thank you, Thank you Falko...

I am sorry for the huge delay in replying to you, I just today had time to try your last suggestion out.

That did it!

I appreciate your stick-to-it'ness attitude and I sincerely appreciate all the help you have provided me with.

Regards

kextra1 · Mar 28, 2009

Firewall problem

Hehe, yeah it was a firewall problem. Falko's on top of his game! Helped me out more than once.

I'm self educated on this stuff but out of curiosity....where'd u go to schoool falko?

Log in or Sign up

SSL Cert Question for ISPConfig Access

giganet New Member

falko Super Moderator Howtoforge Staff

giganet New Member

falko Super Moderator Howtoforge Staff

giganet New Member

falko Super Moderator Howtoforge Staff

giganet New Member

falko Super Moderator Howtoforge Staff

giganet New Member

falko Super Moderator Howtoforge Staff

giganet New Member

falko Super Moderator Howtoforge Staff

giganet New Member

kextra1 Member

Share This Page

Log in or Sign up

SSL Cert Question for ISPConfig Access

giganet New Member

falko Super Moderator Howtoforge Staff

giganet New Member

falko Super Moderator Howtoforge Staff

giganet New Member

falko Super Moderator Howtoforge Staff

giganet New Member

falko Super Moderator Howtoforge Staff

giganet New Member

falko Super Moderator Howtoforge Staff

giganet New Member

falko Super Moderator Howtoforge Staff

giganet New Member

kextra1 Member

Share This Page

Useful Searches