Problems with firewall

idawgik (Verified User, joined Jun 19, 2009, 12 messages)
Tonight we had a problem where all websites stopped working on our server.

I got it narrowed down to the firewall. When the firewall is running, nothing loads, including the directadmin control panel.

When I stop the iptables service, everything works again.

I'm pretty new to linux, so any help with this is appreciated.

Here's what I get from service iptables status when it's running:

[root@SSD1 ips]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
10 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited


I'd rather not leave this box wide open like it is right now. Any suggestions?

Thanks
 
I think massive's recommendation is a good one. You're currently blocking all ports that a normal webserver would use.

SSH in to your server as root and run the following:

wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Be sure to edit your /etc/csf/csf.conf file to turn testing off.
 
Thanks, I was looking at that CSF last night, was too tired to do anything about it though.

Will that just replace the current firewall on there? It's just the default iptables.

Do I need to enable that service before installing csf? or leave it disabled?

Thanks again
 
You will find a link in: Admin Level -> Extra Features -> ConfigServer Firewall&Security
From there you can configure which ports you want to allow.
Just remember to disable test mode.
 
Ok, I ran the install script, turned off testing mode and also started the csf service.

I'm not seeing that link in directadmin to manage it though.

Edit: helps if I'm in the right mode... Found it
 
csf firewall

Can that be installed on a server alone, and can the DirectAdmin server be plugged into a router, or does DirectAdmin need to have a clean public IP???


I wonder, sorry to ask this, but does someone know about SmoothWall??

I heard that SmoothWall cannot be run with DirectAdmin...

Because if DirectAdmin runs with SmoothWall as a hardware firewall, DirectAdmin will have an IP like 192.0.0.0, for example....

Isn't there any way to let DirectAdmin know that SmoothWall is the DirectAdmin fast IP...?? If anyone knows what I'm talking about I would be happy for any help.... Thanks a lot
 
Wouldn't it be something to consider making available?

Sorry for my English ;)

BTW, looking forward to starting my hosting company when I buy DA :D
 
It's been requested, but the DirectAdmin licensing system is deeply tied into the IP# the server runs on, and private IP#s do not have to be unique on the 'net.

If you search these forums you'll see how DirectAdmin Staff have responded previously.

Jeff
 
IPTables may have been set to block by default; if so, just add accept rules for the default ports (80, 25, 110, 21, etc.).
 
Linux firewalling is done in the kernel, by a module called netfilter. There's a userspace program called iptables, which interfaces with netfilter.

Your RH firewall (which is very limiting and firewalls off a lot of things you need) is merely an interface to iptables.

There are several firewalls discussed on these forums which also interface with iptables. I use and recommend KISS, because it's simple, and because the version on my website will open all you need for webhosting and close most of the rest, without you having to know anything about it, or having to make any changes.

Look for it on these forums.

Jeff
 
KISS firewall: is that to be installed on a stand-alone server, or is it installed with DA if I choose?
 
KISS is designed to run on any Linux server which includes the netfilter module and iptables (installed on most distributions by default).

You can get my version of KISS here [nobaloney.net].

Jeff
 
Hi, I have installed csf and all looks fine but I don't get the control panel menus mentioned below. Any ideas why please?

You will find a link in: Admin Level -> Extra Features -> ConfigServer Firewall&Security
From there you can configure which ports you want to allow.
Just remember to disable test mode.
 
Hi, I have installed csf and all looks fine but I don't get the control panel menus mentioned below. Any ideas why please?
Did you install with the Directadmin plugin?
If not, go to:
/usr/local/src/csf or wherever you extracted your csf version.
Then run:
./install.directadmin.sh

It should be appearing then.
 
Did you install with the Directadmin plugin?
If not, go to:
/usr/local/src/csf or wherever you extracted your csf version.
Then run:
./install.directadmin.sh

It should be appearing then.

Thanks, this sorted it for one server, but not the other.
When I go to the full path https://SERVERIP:2222/CMD_PLUGINS_ADMIN/csf/index.html I can see what I should find; it is just the link on the admin page that is now not showing.
 