Re: [qmailtoaster] iptables firewall issue
On 11/12/2010 09:44 AM, Scott Hughes wrote:

> Martin, The problem turned out to be in the rc.local file. It was loading the basic QMT firewall settings instead of the firewall setting in the iptables file. Once I commented out that line in the rc.local file, it worked perfectly (survived the reboot process).

Unless you specifically changed it, the default firewall was disabled and the one in the rc file loaded.
Re: [qmailtoaster] iptables firewall issue
Martin,

The problem turned out to be in the rc.local file. It was loading the basic QMT firewall settings instead of the firewall setting in the iptables file. Once I commented out that line in the rc.local file, it worked perfectly (survived the reboot process).

I have two QMT boxes that had the same issue. I still haven't figured out why it is set up this way. There is no point in running the firewall.sh script if it is just going to be ignored the next time the system reboots.

Scott
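The conflict Scott describes (a firewall loaded from rc.local replacing the ruleset the iptables init script restores from /etc/sysconfig/iptables) is easy to miss because both mechanisms "work" until the next reboot. The script below is an added example, not code from the thread or from the QMT project: it audits an rc.local for lines that load a firewall on their own, checks that the saved ruleset is a complete iptables-save dump, and lists the TCP ports it accepts. It assumes SysV-init CentOS ordering of that era (the iptables init script runs early, rc.local runs last); the file paths and file contents it reads are constructed samples written to a temp directory, so it runs offline. Point `audit` at the real /etc/rc.d/rc.local and /etc/sysconfig/iptables to use it on a box.

```shell
#!/bin/sh
# Added example (not from the thread or the QMT project): audit the boot-time
# conflict Scott found.  On SysV-init CentOS the iptables init script restores
# /etc/sysconfig/iptables early in the boot and rc.local runs last, so any
# iptables-restore or firewall.sh call left in rc.local silently replaces the
# saved ruleset.  Both input paths are parameters; the files created below are
# constructed samples with placeholder paths, not a real QMT install.

# Count active (not commented-out) lines in an rc.local that load a firewall
# on their own: iptables-restore, firewall.sh, or a bare iptables command.
rc_local_firewall_lines() {
    grep -Ev '^[[:space:]]*#' "$1" \
        | grep -Ec 'iptables-restore|firewall\.sh|(^|[[:space:]/])iptables[[:space:]]' \
        || true
}

# A saved ruleset only helps the init script if iptables-restore can load it:
# it needs a *filter table header, chain policy lines and a COMMIT.
saved_ruleset_valid() {
    [ -s "$1" ] || return 1
    grep -q '^\*filter' "$1" || return 1
    grep -q '^:INPUT ' "$1" || return 1
    grep -q '^COMMIT' "$1" || return 1
}

# Print the TCP destination ports the saved INPUT chain accepts, one per line,
# so they can be compared with what firewall.sh was supposed to open.
accepted_tcp_ports() {
    grep -E '^-A INPUT .*-p tcp .*-j ACCEPT' "$1" \
        | sed -nE 's/.*--dport ([0-9]+).*/\1/p'
}

# Report both findings for a given rc.local and saved ruleset.
audit() {
    n="$(rc_local_firewall_lines "$1")"
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $1 has $n firewall line(s); rc.local runs after the iptables init script and will override $2"
    else
        echo "OK: $1 does not load a firewall of its own"
    fi
    if saved_ruleset_valid "$2"; then
        echo "OK: $2 is a complete iptables-save dump (accepted TCP ports: $(accepted_tcp_ports "$2" | tr '\n' ' '))"
    else
        echo "WARNING: $2 is missing or not a complete iptables-save dump"
    fi
}

# --- constructed sample input (placeholder paths, not a real QMT install) ---
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# rc.local as Scott found it: a firewall loaded outside the init script.
cat > "$SAMPLE_DIR/rc.local.before" <<'EOF'
#!/bin/sh
touch /var/lock/subsys/local
/usr/sbin/iptables-restore < /path/to/qmt-firewall.rules
EOF

# rc.local after the fix Scott describes: the same line commented out.
cat > "$SAMPLE_DIR/rc.local.after" <<'EOF'
#!/bin/sh
touch /var/lock/subsys/local
# /usr/sbin/iptables-restore < /path/to/qmt-firewall.rules
EOF

# A reduced dump in the same iptables-save format as the one Martin posted.
cat > "$SAMPLE_DIR/iptables" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

audit "$SAMPLE_DIR/rc.local.before" "$SAMPLE_DIR/iptables"
audit "$SAMPLE_DIR/rc.local.after"  "$SAMPLE_DIR/iptables"
```

The first `audit` call warns about the rc.local that still loads its own firewall; the second reports it clean. Running the same checks after `service iptables save` and `chkconfig iptables on` confirms that the saved dump, and only the saved dump, is what the box will come up with.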
Re: [qmailtoaster] iptables firewall issue
Hi Scott,

Perhaps, if you still have the install kickstart file for the CentOS installation in /root/anaconda-ks.cfg, we could compare the settings? If it is running CentOS, that is...

Martin
RE: [qmailtoaster] iptables firewall issue
I have the same issue with mine, and the -restore command was in my rc.local. I have attached my anaconda-ks.cfg. I installed from QMT.iso, not sure if that matters. Maybe this helps.

Helmut

Attachment: anaconda-ks.cfg
Re: [qmailtoaster] iptables firewall issue
Hi Helmut,

I wonder if it has something to do with the way that CentOS was installed: the ISO starts out with the firewall being disabled, and in addition to the configuration options that the firewall.sh script adds, I am not sure what method is used to enable the service to run at startup (though it is as easy as using 'service iptables start' to start it once and using 'chkconfig iptables on' to enable it to run on startup).

My iptables config had been installed during initial setup, and though that is just a hunch, I believe that there may be a difference between having the system installed with the firewall enabled and enabling it afterwards (though that should not be the case?).

Also, the latest ISO is not using the latest CentOS – did you do any yum update stuff to bring it up to date? If so, did you have those problems before and after, or just after the update?

I am sure we'll get to the bottom of this eventually. I never used the ISO and I never had firewall trouble (other than when I configured it the wrong way myself).

Steve, did you use the ISO or install using the wiki instructions? I am sort of hoping you used the ISO so that we might have something to focus our research on!

Martin
RE: [qmailtoaster] iptables firewall issue
I used cmt-iso-1.4.1 to install. I am actually not sure if the firewall is enabled in that version or not. Yes, I tend to update my systems with yum if I hear about a security or application issue, or every 6 months or so. I do use Webmin to manage a large portion of my systems, and that is how I implemented my firewall (went from behind a firewall appliance to direct on the internet).

Helmut
[qmailtoaster] iptables firewall issue
All,

I continue to have strange firewall issues. The iptables firewall is acting normal EXCEPT when the system gets restarted. Then it is like it goes back to some default setting and I have to log into the console and manually run the firewall.sh script. The script automatically saves the settings with 'service iptables save', and I have run this manually as well. Still having the same issue.

Anyone out there have any ideas that might save my firewall settings through restarts/reboots?

Thanks,
Scott
Re: [qmailtoaster] iptables firewall issue
Hi Scott,

The important file for iptables which will be loaded at startup is /etc/sysconfig/iptables. It is basically the same information you have in the firewall script, but in a slightly different syntax. Perhaps you need to check if that file is on the system and has valid content? It should look something like this:

# Generated by iptables-save v1.3.5 on Thu Sep 9 17:00:22 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [12:1444]
-A INPUT -i eth0 -f -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 10.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 172.16.0.0/255.240.0.0 -i ! lo -j DROP
-A INPUT -s 192.168.0.0/255.255.0.0 -i ! lo -j DROP
-A INPUT -s 224.0.0.0/240.0.0.0 -i ! lo -j DROP
-A INPUT -s 240.0.0.0/240.0.0.0 -i ! lo -j DROP
-A INPUT -s 0.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 255.255.255.255 -i ! lo -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -i ! lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 143 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5667 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Sep 9 17:00:22 2010

Martin