randymized
Joined: 08 Jan 2009
Posts: 6
Posted: Sat Feb 04, 2012 11:08 pm
Post subject: Which firewall: LAMP & Basic Firewall StackScript
I set up a server using the LAMP & Basic Firewall StackScript, and now I need to change which incoming ports are blocked by the firewall, but I cannot determine which firewall is set up by the StackScript.
iptables does not seem to be set up to block or allow specific ports. ufw is not installed (the ufw command is not found).
The full output from iptables --list is:
Code:
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
DROP all -- zabbix.masterhost.by anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
I use a non-standard port for SSH and somehow it works, but it seems that port 25 is blocked and I cannot find any way to unblock it. I can telnet to localhost port 25 from the local machine but I cannot reach that port from other computers. Some other mechanism seems to be in play, but I don't know what it is.

otherbbs
Joined: 30 Oct 2005
Posts: 97
Location: 37.274,-97.393 (KEGT)
Posted: Sun Feb 05, 2012 12:07 am
Your iptables (firewall) rules are only blocking (DROP) connections from 'zabbix.masterhost.by'. The other rules are a waste since the policy for each chain is set to ACCEPT. Thus this host is wide open to the world except for IP connections from whatever 'zabbix.masterhost.by' resolves to.
--
Travis

mnordhoff
Joined: 03 May 2008
Posts: 451
Posted: Sun Feb 05, 2012 1:07 am
Post subject: Re: Which firewall: LAMP & Basic Firewall StackScript
randymized wrote: ... I can telnet to localhost port 25 from the local machine but I cannot reach that port from other computers. ...
If those "other computers" are in your house, your ISP is probably blocking all outbound port 25 traffic as an anti-spam measure. Try a connection you're sure is unfiltered.

hybinet
Joined: 02 May 2008
Posts: 1058
Posted: Sun Feb 05, 2012 1:59 am
It's also possible that your mail server is configured to listen on localhost only. This is common for send-only mail servers, because having a mail server listen on public IPs is a waste of resources and a potential security issue when all you need is for PHP's mail() function to work. Some StackScripts will configure this automatically.

randymized
Joined: 08 Jan 2009
Posts: 6
Posted: Tue Feb 07, 2012 10:59 am
I had hoped that the LAMP & Basic Firewall StackScript would have set up a firewall that would survive a reboot, but apparently not. While I did verify that a couple of ports were blocked as expected when the server first came up, I should have repeated that verification after reboot.
The StackScript did store the firewall configuration in /etc/firewall.conf, but apparently did not assure reloading.
I added the following two lines to /etc/network/interfaces in the eth0 section:
Code:
post-up iptables-restore < /etc/firewall.conf
post-down iptables-save > /etc/firewall.conf
I also ran iptables-restore and that appears to have reestablished the original rules.
I don't know of a mechanism for contributing patches to a StackScript, but the post-up and post-down lines seem to be an essential part of what the StackScript should do.
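The replies above narrow the symptom down in a fixed order: first read the chain policies and rules (otherbbs), then check what address the service is actually bound to (hybinet), and only then suspect filtering upstream (mnordhoff). The script below is an added example, not code from the thread or from the StackScript, that performs that reading on saved output. It assumes the `iptables-save` and `ss -H -ltn` output formats; every sample it contains is constructed, with 192.0.2.10 standing in for whatever host the thread's single DROP rule resolves to.

```shell
#!/bin/sh
# Added example (not from the thread or the StackScript): read a saved ruleset
# and a listening-socket table the way the thread's replies do, and say why a
# remote client cannot reach a port. All sample data below is constructed.

# Constructed sample in `iptables-save` format, mirroring the thread's listing:
# ACCEPT policies everywhere, one jump to fail2ban-ssh, one per-host DROP
# (192.0.2.10 is a placeholder for the dropped host).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -s 192.0.2.10/32 -j DROP
-A fail2ban-ssh -j RETURN
COMMIT'

# Constructed sample of a restrictive ruleset (default-deny INPUT with an
# explicit SSH allow), the shape a saved /etc/firewall.conf usually has.
STRICT_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample in `ss -H -ltn` format: an MTA bound to loopback only,
# sshd bound to every address.
SAMPLE_SOCKETS='LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# chain_policy RULES CHAIN: print the default policy recorded for CHAIN.
chain_policy() {
    printf '%s\n' "$1" | awk -v chain=":$2" '$1 == chain { print $2; exit }'
}

# port_verdict RULES PORT: "open" or "filtered" for a TCP connection to PORT
# from an arbitrary remote source. First matching INPUT rule wins, as in
# iptables; rules restricted to a source (-s) are skipped because they cannot
# block everyone, and jumps to user chains (fail2ban-ssh) are not followed.
port_verdict() {
    rules=$1; port=$2
    printf '%s\n' "$rules" | awk -v port="$port" -v policy="$(chain_policy "$rules" INPUT)" '
        $1 == "-A" && $2 == "INPUT" && $0 !~ / -s / {
            target = ""; proto = ""; dport_match = 1
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), ports, ","); dport_match = 0
                    for (k = 1; k <= n; k++) if (ports[k] == port) dport_match = 1
                }
            }
            if (proto != "" && proto != "tcp") next
            if (!dport_match) next
            if (target == "ACCEPT") { verdict = "open"; exit }
            if (target == "DROP" || target == "REJECT") { verdict = "filtered"; exit }
        }
        END {
            # no explicit match: the chain policy decides
            if (verdict == "") verdict = (policy == "ACCEPT") ? "open" : "filtered"
            print verdict
        }'
}

# listen_scope SOCKETS PORT: "loopback" if every listener on PORT is bound to
# 127.0.0.1 or ::1, "all" if any listener is bound to a wildcard or public
# address, "none" if nothing listens there.
listen_scope() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p != port) next
            if (addr == "127.0.0.1" || addr == "[::1]") { if (found != "all") found = "loopback" }
            else found = "all"
        }
        END { if (found == "") found = "none"; print found }'
}

# diagnose RULES SOCKETS PORT: one line explaining the symptom, following the
# order in which the thread's replies narrowed it down.
diagnose() {
    fw=$(port_verdict "$1" "$3"); scope=$(listen_scope "$2" "$3")
    case "$fw/$scope" in
        filtered/*)    printf 'port %s is blocked by iptables\n' "$3" ;;
        open/none)     printf 'port %s passes iptables but nothing listens on it\n' "$3" ;;
        open/loopback) printf 'port %s passes iptables but the service listens on loopback only\n' "$3" ;;
        open/all)      printf 'port %s is open and listening on all addresses; look for filtering upstream (e.g. ISP blocking 25)\n' "$3" ;;
    esac
}

# Stand-alone run against the constructed samples (on a live host you would
# feed real `iptables-save` and `ss -H -ltn` output instead).
diagnose "$SAMPLE_RULES" "$SAMPLE_SOCKETS" 25
diagnose "$STRICT_RULES" "$SAMPLE_SOCKETS" 25
```

The same two functions give the check the last post asks for: after adding the post-up line and rebooting, feed live `iptables-save` output to `port_verdict` (or simply diff it against /etc/firewall.conf) to confirm the saved ruleset actually came back rather than the wide-open ACCEPT policies the thread started with.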