Can't telnet - After installing DirectAdmin, FirewallD blocks outbound traffic

suse

Hi,

I am trying to install DA on a GCP VM instance.
Before installing DirectAdmin, the CentOS 7 default firewall rule (firewalld) worked,
e.g. I could use telnet to outside servers:
telnet www.abc.com 80 or telnet smtp.gmail.com 587

But! After installing DirectAdmin I can't telnet.
Only "ping" is working for outbound traffic.

NOTE: installed with "./setup.sh"

And after restoring the VM instance (to before installing DA) it works.
Internal interface "eth0" and external "eth0:0"

What is the problem?

Thank you,
 
Trying a download...

#wget -O /dev/null https://www.apple.com/index.html
--2019-10-08 23:18:19-- https://www.apple.com/index.html
Resolving www.apple.com (www.apple.com)... 23.199.129.155, 2600:1417:3f:29d::1aca, 2600:1417:3f:2ab::1aca
Connecting to www.apple.com (www.apple.com)|23.199.129.155|:443...


FORWARD
Code:
iptables -v -L FORWARD 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 FORWARD_direct  all  --  any    any     anywhere             anywhere            
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  any    any     anywhere             anywhere            
    0     0 FORWARD_IN_ZONES  all  --  any    any     anywhere             anywhere            
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  any    any     anywhere             anywhere            
    0     0 FORWARD_OUT_ZONES  all  --  any    any     anywhere             anywhere            
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited


OUTPUT
Code:
iptables -v -L OUTPUT
Chain OUTPUT (policy ACCEPT 322 packets, 150K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1836   13M ACCEPT     all  --  any    lo      anywhere             anywhere            
  322  150K OUTPUT_direct  all  --  any    any     anywhere             anywhere

INPUT
Code:
iptables -v -L INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
36813  146M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  425 25500 ACCEPT     all  --  lo     any     anywhere             anywhere            
  792 52738 INPUT_direct  all  --  any    any     anywhere             anywhere            
  792 52738 INPUT_ZONES_SOURCE  all  --  any    any     anywhere             anywhere            
  792 52738 INPUT_ZONES  all  --  any    any     anywhere             anywhere            
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited
 
There is still a firewall working. You sent me the iptables output.
Firstly, be sure the system firewall is not working anymore.
Code:
systemctl stop firewalld
systemctl disable firewalld
systemctl status firewalld
The last command is to check that it's indeed not running anymore.

However, it seems on newly made installations, CSF/LFD is installed automatically with Directadmin.
Have a look in /etc/csf to see if you find csf there. If yes, edit csf.conf and go to the section to open ports; be sure these ports are open (these are the minimal required ports):
Code:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,23,25,53,80,110,113,443,587,993,995,2222,2703,35000:35999"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,33434:33523"

You need outgoing TCP port 23 to be able to telnet. This is not present by default, so I have put it in my TCP_OUT line above.
Port range 35000:35999 is for passive FTP access.

Also check the other configuration files and set up CSF to your needs. If present, there is a good chance you can do this from within the Admin level section too, because CSF has a plugin.
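An added check (example code, not from this thread or from CSF) that parses a port list in the csf.conf syntax shown above, ranges included, and reports which of the ports this thread depends on are not allowed; the csf.conf fragment is constructed and the `KEY = "list"` line shape is assumed from the quoted config:

```shell
# Added example (not from the thread or from CSF): parse CSF port lists
# (comma separated, ranges as LOW:HIGH) and report ports a csf.conf lacks.

# csf_port_allowed LIST PORT -> exit 0 if PORT is covered by LIST, else 1
csf_port_allowed() {
    port=$2
    old_ifs=$IFS; IFS=','
    set -- $1                  # split the list on commas into $1..$n
    IFS=$old_ifs
    for item in "$@"; do
        case $item in
            *:*)               # a range such as 35000:35999 (passive FTP)
                low=${item%%:*}; high=${item##*:}
                if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
                    return 0
                fi
                ;;
            *)                 # a single port
                if [ "$item" -eq "$port" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# csf_missing_ports CONF_TEXT KEY PORT... -> prints the PORTs that KEY's list
# in CONF_TEXT does not cover (empty line when none). Assumes the stock
# csf.conf line shape:  KEY = "list"
csf_missing_ports() {
    conf=$1; key=$2; shift 2
    value=$(printf '%s\n' "$conf" | sed -n "s/^${key} = \"\\(.*\\)\"/\\1/p")
    missing=""
    for p in "$@"; do
        csf_port_allowed "$value" "$p" || missing="$missing $p"
    done
    printf '%s\n' "${missing# }"
}

# Constructed csf.conf fragment: a TCP_OUT line without port 23, i.e. before
# the edit suggested above.
SAMPLE_CONF='TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,2222,2703,35000:35999"'

# Ports this thread relies on: 23 telnet, 80/443 wget and yum, 587 SMTP submission.
missing=$(csf_missing_ports "$SAMPLE_CONF" TCP_OUT 23 80 443 587)
[ -n "$missing" ] && echo "TCP_OUT does not allow outbound port(s): $missing"
```

On a real box replace the constructed text with `"$(cat /etc/csf/csf.conf)"`; note that this only reads the file, so a port listed here can still be blocked by firewalld or iptables if those are also active.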
 


I don't see "/etc/csf".

I did not install it!

I already tried disabling firewalld and rebooting the instance.

I don't know whether "setup.sh"
installs iptables rules.

telnet & yum install are not working!!

The VM instance can only "ping" the outside network.
 
Richard,

The default "setup.sh" script does not include csf.

Before installing DA, I tried backing up the firewall rules:

iptables-save > iptables

and then installed DA and ran iptables-restore, but the system does not work!

About GCP:
In front of DA is the Google firewall (ports already allowed).

Everything works well if DA is not installed.
 
My steps...
0. Install CentOS on GCP
1. First try outgoing traffic (it works)

# telnet smtp.gmail.com 587
Trying 74.125.24.108...
Connected to smtp.gmail.com.
Escape character is '^]'.
220 smtp.gmail.com ESMTP i7sm454259pjs.1 - gsmtp
^]
telnet> quit


2.
systemctl stop firewalld
systemctl disable firewalld
systemctl status firewalld

3.
reboot

4.
yum -y install iptables-services
systemctl enable iptables
systemctl start iptables

5.
reboot

6. telnet

# telnet smtp.gmail.com 587
Trying 74.125.24.108...
Connected to smtp.gmail.com.
Escape character is '^]'.
220 smtp.gmail.com ESMTP i7sm454259pjs.1 - gsmtp
^]
telnet> quit

7. Install DirectAdmin (without csf)

8. Reboot and try telnet

No outgoing traffic possible.

wget, yum .... do NOT work!
 
Restore the instance and disable firewalld before installing DA.
 
Suse said:
Richard,

The default "setup.sh" script does not include csf.

Yes it is; it is included in the setup script, it only does not work when using FreeBSD.
Code:
#CSF if AUTO
if [ "${OS}" != "FreeBSD" ] && [ "${AUTO}" = "1" ]; then
        CSF_LOG=/var/log/directadmin/csf_install.log
        CSF_SH=/root/csf_install.sh
        wget -O ${CSF_SH} ${SERVER}/all/csf/csf_install.sh > ${CSF_LOG} 2>&1
        if [ ! -s ${CSF_SH} ]; then
                echo "Error downloading ${SERVER}/all/csf/csf_install.sh"
                cat ${CSF_LOG}
        else
                #run it
                chmod 755 ${CSF_SH}
                ${CSF_SH} >> ${CSF_LOG} 2>&1
        fi

        ${BUILD} secure_php
fi
 
@Richard,

When using Auto installation of Directadmin the CSF/LFD will be installed on all servers with Debian, CentOS except FreeBSD. Good catch, I did not know that.
 
@Alex:
Ah, I already thought I was going crazy because it was installed on a VPS I did last month also. So FreeBSD is excluded, I will change my post to prevent confusion when people find it via Google.
But I was correct in the first place.

I found it by accident; they implemented it about 1.5-2 months ago as far as I know, so it's a fairly new addition, but not announced if I remember correctly.
 