Firewall issues

blaszlo (Verified User, joined Jun 9, 2008, 116 messages)
Hello all:

I am having the same problem as listed here: http://www.directadmin.com/forum/showthread.php?t=32805. When the firewall is turned on, I can only access the DA administration on :2222. I can connect to the server through SSH when the firewall is on, but as soon as I type my password it does nothing, so I assume that is being blocked too.

If I VPN into the local network or if I shut the firewall off I can access all resources perfectly, but as soon as I disconnect from the VPN, no resources are available.

I installed CSF and still no joy. Listed below are the rules in place. Any help is greatly appreciated!

Code:
[root@host ~]# service iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    LOCALINPUT  all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     udp  --  209.244.0.4          0.0.0.0/0           udp spts:1024:65535 dpt:53
4    ACCEPT     tcp  --  209.244.0.4          0.0.0.0/0           tcp spts:1024:65535 dpt:53
5    ACCEPT     udp  --  209.244.0.4          0.0.0.0/0           udp spt:53 dpts:1024:65535
6    ACCEPT     tcp  --  209.244.0.4          0.0.0.0/0           tcp spt:53 dpts:1024:65535
7    ACCEPT     udp  --  209.244.0.4          0.0.0.0/0           udp spt:53 dpt:53
8    ACCEPT     udp  --  209.244.0.3          0.0.0.0/0           udp spts:1024:65535 dpt:53
9    ACCEPT     tcp  --  209.244.0.3          0.0.0.0/0           tcp spts:1024:65535 dpt:53
10   ACCEPT     udp  --  209.244.0.3          0.0.0.0/0           udp spt:53 dpts:1024:65535
11   ACCEPT     tcp  --  209.244.0.3          0.0.0.0/0           tcp spt:53 dpts:1024:65535
12   ACCEPT     udp  --  209.244.0.3          0.0.0.0/0           udp spt:53 dpt:53
13   INVALID    tcp  --  0.0.0.0/0            0.0.0.0/0
14   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20
16   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
17   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
18   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
19   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
20   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
21   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
22   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
23   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
24   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
25   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587
26   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
27   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
28   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2222
29   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20
30   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21
31   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
32   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5
33   LOGDROPIN  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy DROP)
num  target     prot opt source               destination
1    LOCALOUTPUT  all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:53
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:53
7    INVALID    tcp  --  0.0.0.0/0            0.0.0.0/0
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
16   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:113
17   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
18   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2222
19   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20
20   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21
21   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
22   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:113
23   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123
24   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
25   LOGDROPOUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain INVALID (2 references)
num  target     prot opt source               destination
1    INVDROP    all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
2    INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
3    INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
4    INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
5    INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
6    INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05
7    INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01
8    INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08
9    INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x30/0x20
10   INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW

Chain INVDROP (10 references)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain LOCALINPUT (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  72.236.153.249       0.0.0.0/0

Chain LOCALOUTPUT (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            72.236.153.249

Chain LOGDROPIN (1 references)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67
2    DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:68
4    DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:68
5    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:111
6    DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:111
7    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113
8    DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:113
9    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:135:139
10   DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:135:139
11   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445
12   DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445
13   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:513
14   DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:513
15   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:520
16   DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:520
17   LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
18   LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
19   LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
20   DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain LOGDROPOUT (1 references)
num  target     prot opt source               destination
1    LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* '
2    LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* '
3    LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0
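Added example (not the poster's or CSF's code): a small first-match walker for dumps in the `iptables -L -n --line-numbers` format shown above. It parses the chains, then follows a packet (protocol, source, destination port, conntrack state) through INPUT, descending into user chains such as LOCALINPUT, INVALID and LOGDROPIN, and reports which rule decided. `SAMPLE` is a constructed, shortened dump in the same layout as the post, using RFC 5737 test addresses; the packets are constructed too. The point it makes about the dump above: `-L -n` omits the in/out interface columns, so INPUT rule 2 (`ACCEPT all 0.0.0.0/0 0.0.0.0/0`) reads as a catch-all, and as printed every packet is accepted there. `iptables -L -n -v --line-numbers` shows the interface (in a CSF setup that rule is normally the loopback accept); the `skip` parameter lets you treat such a rule as non-matching for non-loopback traffic and see what the rest of the chain actually does.

```python
"""First-match walk through an `iptables -L -n --line-numbers` dump.

Added example, not code from the poster or from CSF. SAMPLE is a constructed,
shortened dump in the same format as the one in the post (RFC 5737 addresses).
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SAMPLE = """\
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    LOCALINPUT  all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    INVALID    tcp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2222
7    LOGDROPIN  all  --  0.0.0.0/0            0.0.0.0/0

Chain INVALID (1 references)
num  target     prot opt source               destination
1    INVDROP    all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
2    INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00

Chain INVDROP (2 references)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain LOCALINPUT (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  192.0.2.10           0.0.0.0/0

Chain LOGDROPIN (1 references)
num  target     prot opt source               destination
1    LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    num: int
    target: str
    proto: str                          # 'all', 'tcp', 'udp', 'icmp'
    src: object                         # ip_network
    dst: object                         # ip_network
    dports: Optional[tuple]             # (lo, hi) from dpt:/dpts:, None = any
    states: Optional[frozenset]         # from 'state A,B', None = any
    unmodeled: bool                     # uses a match we do not simulate (tcp flags)


def parse_dump(text: str):
    """Return ({chain: [Rule, ...]}, {builtin chain: policy})."""
    chains, policies, cur = {}, {}, None
    for line in text.splitlines():
        if m := CHAIN_RE.match(line):
            cur = m.group(1)
            chains[cur] = []
            if m.group(2):
                policies[cur] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if not m or cur is None:
            continue  # blank line or the "num target prot ..." column header
        num, target, proto, _opt, src, dst, extra = m.groups()
        dports = None
        if pm := re.search(r"dpts?:(\d+)(?::(\d+))?", extra):
            lo = int(pm.group(1))
            dports = (lo, int(pm.group(2) or lo))
        states = None
        if sm := re.search(r"state ([A-Z,]+)", extra):
            states = frozenset(sm.group(1).split(","))
        chains[cur].append(Rule(int(num), target, proto, ip_network(src),
                                ip_network(dst), dports, states, "flags:" in extra))
    return chains, policies


def _matches(rule: Rule, pkt: dict) -> bool:
    if rule.unmodeled:  # tcp-flags matches are not simulated: treat as no match
        return False
    if rule.proto != "all" and rule.proto != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in rule.src or ip_address(pkt["dst"]) not in rule.dst:
        return False
    if rule.dports and not (rule.dports[0] <= pkt.get("dport", -1) <= rule.dports[1]):
        return False
    return not rule.states or pkt["state"] in rule.states


def _walk(chains, policies, chain, pkt, skip, path):
    for rule in chains.get(chain, []):
        if (chain, rule.num) in skip or not _matches(rule, pkt):
            continue
        path.append((chain, rule.num, rule.target))
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        if rule.target in chains:  # user-defined chain: descend, fall through if it returns
            verdict = _walk(chains, policies, rule.target, pkt, skip, path)
            if verdict is not None:
                return verdict
        # LOG and other non-terminating targets: keep walking
    return policies.get(chain)  # built-in chain -> policy; user chain -> None (return)


def trace(chains, policies, chain, pkt, skip=frozenset()):
    """Follow pkt through chain. Returns (verdict, path of (chain, num, target)).
    skip: (chain, num) ids to treat as non-matching, e.g. a rule that -v reveals
    is bound to the loopback interface."""
    path = []
    return _walk(chains, policies, chain, pkt, set(skip), path), path


if __name__ == "__main__":
    chains, policies = parse_dump(SAMPLE)
    ssh = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.5",
           "dport": 22, "state": "NEW"}  # constructed packet
    for label, skip in (("as printed", frozenset()), ("INPUT#2 taken as lo-only", {("INPUT", 2)})):
        verdict, path = trace(chains, policies, "INPUT", ssh, skip)
        print(f"{label}: {verdict} via " + " -> ".join(f"{c}#{n}:{t}" for c, n, t in path))
```

Run it as-is and the first line shows SSH accepted at INPUT rule 2 before any port rule is consulted; the second shows the real decision path once that rule is set aside. The walker models protocol, source/destination, `dpt`/`dpts` and conntrack `state` only; rules using TCP flag matches are parsed but never match, so a verdict from a `flags:` rule will not appear in the path.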
 
It appears that no one wants to teach you how to create your own firewall rules. I'm not surprised; while firewalls aren't quite rocket science, creating the proper rules to do what you want to do isn't always a set of obvious steps.

In fact it's complex enough that entire large books have been written on the subject.

I strongly suggest you use the KISS firewall discussed elsewhere in these forums; it's simple, by default it just works, and you can make simple changes which it will automatically put into the right place.

Jeff