Default iptables settings

Dids (New member, joined Feb 10, 2009)
Hey everyone,

I tried to set my own rules with Firewall Builder last night.
Unfortunately, it didn't quite go as planned.

While I didn't take a backup of the original iptables rules provided by DirectAdmin, I did wget this -> files.directadmin.com/services/all/iptables

Thing is, although some of my services work (I can access ssh and :2222), not all do.

Is iptables enabled by default? I'm wondering this because I can't run irc clients on the box (can't connect), don't think my nameservers are responding, mail server can't be accessed, etc.

Thanks in advance.
 
Just to add to this:

I'm running two nameservers on this box (two IPs), and after rebooting it, the nameservers still aren't responding.

Waiting for DNS to propagate I guess, but I'm still not sure if the iptables script I downloaded is the right one? Or if by default it's blocking the NS ports and what not.

I know it's blocking ports that it wasn't blocking before, so..

Just wish someone would tell me a) is iptables enabled by default when it's installed (CentOS here), and b) is the one I downloaded the newest/default one?
 
When CentOS is installed, iptables is installed by default. Its rules are defined in /etc/sysconfig/iptables.

It sounds like you really need to flush your iptables and start again:

# iptables -F
 
Thank you for the reply!

I still have a feeling that iptables wasn't enabled by default. If it was, I wonder what the rules were, as it allowed all port traffic to irc ports, DirectAdmin ports, etc.

Does DirectAdmin provide any extra rules/modifications to iptables during install?
 
iptables, in CentOS, is always on by default. You can see the default rules in the file I quoted above, /etc/sysconfig/iptables. You can also list the current iptables rules with

Code:
# iptables -L

DirectAdmin doesn't play any role in rules or modifications to iptables. DA is a control panel for web hosting accounts; iptables is a system-level install.
 
This information is CentOS specific as of the last time I did a CentOS install:

CentOS will install an iptables firewall during OS installation if you want it to; the default rules are as you set during the OS install. DirectAdmin doesn't touch the install because it doesn't know what you want.

I and others have modified both KISS and APF+BFD to work with DirectAdmin; they modify iptables.

My suggestion is that you install the firewall during CentOS installation to make sure it's set up and that the Kernel includes all you need.

Then install KISS from here.

Note that this version of KISS will work with multiple control panels; you may want to change some of the open ports.

Jeff
 
I too would like a little more understanding with iptables. I like to modify the iptables myself and not use other software.

I know that I need some ports open.

So should I set up a default policy to DROP like

:INPUT DROP [0:0]

and then open the ports I need like

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 
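As an added example (not from the thread, from DirectAdmin, or from KISS), here is a small POSIX shell function that writes a complete ruleset in the format of /etc/sysconfig/iptables (the iptables-save format) around the two lines quoted in the question: a DROP policy on INPUT plus explicit ACCEPTs. The extra rules it includes (loopback, ESTABLISHED/RELATED, ICMP, and UDP as well as TCP for port 53) are the ones whose absence gives exactly the symptoms described earlier in the thread, where a few listed ports work while DNS, mail and IRC clients fail. The port list in the usage comment and the at(1) safety net are assumptions for illustration.

```shell
#!/bin/sh
# Added example: generate a minimal stateful INPUT ruleset in iptables-save
# format (the format of /etc/sysconfig/iptables on CentOS).
# Usage: gen_rules <tcp ports...> [-- <udp ports...>]
#
# With a DROP policy, order matters: loopback and established traffic must be
# accepted before the per-port rules, and the table must end in COMMIT.

gen_rules() {
    tcp_ports=""
    udp_ports=""
    mode=tcp
    for p in "$@"; do
        if [ "$p" = "--" ]; then
            mode=udp
        elif [ "$mode" = tcp ]; then
            tcp_ports="$tcp_ports $p"
        else
            udp_ports="$udp_ports $p"
        fi
    done

    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback: the local resolver, the MTA and the control panel talk to
    # themselves on 127.0.0.1; without this they break with no obvious error.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this box opened (IRC clients, outbound SMTP,
    # DNS lookups) arrive on random high ports; the state match lets them in.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Ping and path-MTU discovery.
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    for port in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    # DNS needs UDP 53 as well as TCP 53; a TCP-only rule leaves the
    # nameservers "not responding" to normal queries.
    for port in $udp_ports; do
        printf '%s\n' "-A INPUT -p udp -m udp --dport $port -j ACCEPT"
    done
    # Everything else is logged (rate limited) and then hits the DROP policy.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "'
    printf '%s\n' 'COMMIT'
}

# Example deployment (assumed ports: ssh, DirectAdmin, SMTP, DNS, HTTP,
# POP3, IMAP, HTTPS). The at(1) job is a safety net: if the new rules lock
# you out, it reopens the firewall after five minutes; remove it with atrm
# once you have confirmed that a fresh ssh login still works.
#   echo 'iptables -P INPUT ACCEPT; iptables -F' | at now + 5 minutes
#   gen_rules 22 2222 25 53 80 110 143 443 -- 53 > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
```

The generated file loads with iptables-restore (which is what `service iptables start` does with /etc/sysconfig/iptables), so it can be checked with `iptables -L -n` after loading. The state rule is why KISS and similar scripts insist on the ipt_state module being present.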
A good start to understanding iptables might be had by running KISS once, then dumping the commands to a file with:
Code:
# iptables -L > ~/iptables.list

then study ~/iptables.list

Jeff
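An added example, not from the post or from KISS: the file written by iptables-save (and /etc/sysconfig/iptables, which uses the same format) is easier to study than the `iptables -L` listing, because it keeps the original option syntax and numeric ports. The awk below summarises an iptables-save style ruleset read on stdin: the INPUT policy, every port and protocol accepted on INPUT, and any ACCEPT rule that has no port match at all (those are the ones worth a second look). The sample ruleset is constructed for the example; run it against the real thing with `iptables-save | audit_input`.

```shell
#!/bin/sh
# Added example: summarise what an iptables-save style ruleset lets in on INPUT.
# Reads the ruleset on stdin and prints one fact per line:
#   policy INPUT DROP
#   accept tcp 22
#   accept udp 53
#   accept-other -A INPUT -i lo -j ACCEPT      (ACCEPT rule with no port match)

audit_input() {
    awk '
        # Track the table: only the filter table decides what reaches INPUT.
        /^\*/ { table = substr($0, 2); next }
        table != "filter" { next }
        /^:INPUT / { print "policy INPUT " $2; next }
        /^-A INPUT / && / -j ACCEPT/ {
            proto = "any"; ports = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            }
            if (ports == "") {
                print "accept-other " $0
            } else {
                # -m multiport --dports 25,110,143 lists several ports at once
                n = split(ports, list, ",")
                for (j = 1; j <= n; j++) print "accept " proto " " list[j]
            }
        }
    '
}

# Constructed sample in iptables-save format, including a nat table that must
# be ignored and a DROP rule that must not be reported as open.
sample_rules() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,110,143 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6667 -j DROP
COMMIT
EOF
}

# Stand-alone demonstration on the sample:
#   sample_rules | audit_input
```

Reading the "accept-other" lines is the point of the exercise: a loopback rule and a state rule are expected, but an ACCEPT with no protocol, port or interface restriction means the DROP policy is not actually protecting anything.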
 
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!

What am I missing?
 
The version of KISS you ran isn't compatible with your server. Check the code to see what they're called, and rename them according to what your server calls them.

These are kernel modules, and their extensions change occasionally. I've posted two versions of KISS, one of which should run on most recent Linux distributions. However, you may need to modify them.

Obviously ip_tables and ipt_state are important; the former being missing probably means you're looking for the one with an incorrect extension. (ipt_state is important for ftp to be able to open its own firewall ports.) I don't know if ipt_multiport is important or not; you may be able to just comment out the lines calling it. But if you can figure out the first two, you can probably figure out the last two as well.

Presuming that your firewall works, you don't have to test with KISS at all; you can figure out yourself what the commands should look like and in what order to put them.

Jeff
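An added example, not from the post or from KISS, for the "modules do not exist" check: the module names a script like KISS hard-codes changed when the protocol-independent matches moved under net/netfilter (ipt_state became xt_state, ipt_multiport became xt_multiport, and on newer kernels the state match lives in xt_conntrack with the old names kept as aliases). The function below looks for each candidate name in the running kernel's module tree, compressed or not, and reports which name to put in the script. The module directory parameter and the candidate list are assumptions for the example; the `modprobe -n` note afterwards is the authoritative check when aliases are involved.

```shell
#!/bin/sh
# Added example: find which name a netfilter kernel module has on this box.
# find_module DIR NAME [ALTNAME...] prints the first candidate that exists
# under DIR as NAME.ko, NAME.ko.gz or NAME.ko.xz and returns 1 if none does.

find_module() {
    dir=$1; shift
    for name in "$@"; do
        hit=$(find "$dir" -name "$name.ko" -o -name "$name.ko.gz" \
                         -o -name "$name.ko.xz" 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Check the three modules KISS complains about. Each entry lists the name the
# script uses first, then the names newer kernels use for the same match.
# DIR defaults to the running kernel's tree; pass a directory to test elsewhere.
check_kiss_modules() {
    dir=${1:-/lib/modules/$(uname -r)}
    status=0
    for pair in "ip_tables" "ipt_state xt_state xt_conntrack" "ipt_multiport xt_multiport"; do
        # $pair is intentionally unquoted: its words are the candidate names.
        if name=$(find_module "$dir" $pair); then
            printf 'ok %s\n' "$name"
        else
            printf 'missing %s\n' "${pair%% *}"
            status=1
        fi
    done
    return $status
}

# Stand-alone run against the live kernel:
#   check_kiss_modules
```

Because a module can also be present only as an alias of another (or built into the kernel rather than shipped as a file), the final word is `modprobe -n ipt_state` (dry run): if that succeeds, the name works regardless of what the file is called, and `modprobe ipt_state` followed by `lsmod | grep -e xt_ -e ipt_` shows what actually loaded.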
 