Re: [qmailtoaster] iptables firewall issue

2010-11-13 Thread Jake Vickers

On 11/12/2010 09:44 AM, Scott Hughes wrote:

Martin,

The problem turned out to be in the rc.local file. It was loading the
basic QMT firewall settings instead of the firewall settings in the
iptables file.  Once I commented out that line in the rc.local file,
it worked perfectly (survived the reboot process).


Unless you specifically changed it, the default firewall was disabled 
and the one in the rc file loaded.



-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] iptables firewall issue

2010-11-12 Thread Scott Hughes
Martin,

The problem turned out to be in the rc.local file. It was loading the basic
QMT firewall settings instead of the firewall settings in the iptables file.
Once I commented out that line in the rc.local file, it worked perfectly
(survived the reboot process).

I have two QMT boxes that had the same issue. I still haven't figured out why
it is set up this way.  There is no point in running the firewall.sh script
if it is just going to be ignored the next time the system reboots.

Scott





Re: [qmailtoaster] iptables firewall issue

2010-11-12 Thread Martin Waschbuesch
Hi Scott,

Perhaps if you still have the install kickstart file for the CentOS 
installation in /root/anaconda-ks.cfg we could compare the settings?
If it is running CentOS that is...

Martin



RE: [qmailtoaster] iptables firewall issue

2010-11-12 Thread Helmut Fritz
I have the same issue with mine, and the -restore command was in my
rc.local.  I have attached my anaconda-ks.cfg.  I installed from QMT.iso,
not sure if that matters.  Maybe this helps.
 
Helmut



Re: [qmailtoaster] iptables firewall issue

2010-11-12 Thread Martin Waschbuesch
Hi Helmut,

I wonder if it has something to do with the way that CentOS was installed: The 
ISO starts out with the firewall being disabled and in addition to the 
configuration options that the firewall.sh script adds, I am not sure what 
method is used to enable the service to run at startup (though it is as easy as 
using ‘service iptables start’ to start it once and using ‘chkconfig iptables 
on’ to enable it to run on startup).
My iptables config had been installed during initial setup and though that is 
just a hunch, I believe that there may be a difference between having the 
system installed with the firewall enabled and enabling it afterwards (though 
that should not be the case?).
Also, the latest ISO is not using the latest CentOS – did you do any yum update 
stuff to bring it up to date? If so, did you have those problems before and 
after or just after the update?
I am sure we’ll get to the bottom of this eventually. I never used the ISO and 
I never had firewall trouble (other than when I configured it the wrong way 
myself).
Steve, did you use the ISO or install using the wiki instructions?

I am sort of hoping you used the ISO so that we might have something to focus 
our research on!

Martin

RE: [qmailtoaster] iptables firewall issue

2010-11-12 Thread Helmut Fritz
 
I used cmt-iso-1.4.1 to install.  I am actually not sure if the firewall is
enabled in that version or not.

Yes, I tend to update my systems with yum if I hear about a security or
application issue or every 6 months or so.

I do use webmin to manage a large portion of my systems and that is how I
implemented my firewall (went from behind a firewall appliance to direct on
the internet).
 
Helmut


[qmailtoaster] iptables firewall issue

2010-11-11 Thread Scott Hughes
All,

I continue to have strange firewall issues.  The iptables firewall is acting
normally EXCEPT when the system gets restarted.  Then it is like it goes back
to some default setting and I have to log into the console and manually run the
firewall.sh script.  The script automatically saves the settings with
'service iptables save' and I have run this manually as well. Still having
the same issue.

Anyone out there have any ideas that might save my firewall settings through
restarts/reboots?

Thanks,
Scott


Re: [qmailtoaster] iptables firewall issue

2010-11-11 Thread Martin Waschbuesch
Hi Scott,

The important file for iptables which will be loaded at startup is in  
/etc/sysconfig/iptables

It is basically the same information you have in the firewall script, but in a 
slightly different syntax. Perhaps you need to check if that file is on the 
system and has valid content?

It should look something like this:

# Generated by iptables-save v1.3.5 on Thu Sep  9 17:00:22 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [12:1444]
-A INPUT -i eth0 -f -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 10.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 172.16.0.0/255.240.0.0 -i ! lo -j DROP
-A INPUT -s 192.168.0.0/255.255.0.0 -i ! lo -j DROP
-A INPUT -s 224.0.0.0/240.0.0.0 -i ! lo -j DROP
-A INPUT -s 240.0.0.0/240.0.0.0 -i ! lo -j DROP
-A INPUT -s 0.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 255.255.255.255 -i ! lo -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -i ! lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 143 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5667 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Sep  9 17:00:22 2010

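As an added example (my own diagnostic script, not QMT's firewall.sh and not any poster's configuration), the shell functions below turn the points made in this thread into checks that can be run offline: Scott's finding that a line in rc.local re-applies a different ruleset after the iptables service has already restored /etc/sysconfig/iptables, Martin's note that /etc/sysconfig/iptables is the file that has to exist and hold valid content, and his 'chkconfig iptables on' step. The firewall.sh path, the /root/basic-rules file, the two rule dumps and the chkconfig line are all constructed for the example; the functions take their input as text so the same code can be pointed at the real files on a box.

```shell
#!/bin/sh
# Added diagnostic for the symptom in this thread: rules restored from
# /etc/sysconfig/iptables by the iptables init script get replaced later in
# the boot by a firewall command left in rc.local. Not part of QMT or of any
# list member's setup; every sample below is constructed.
# Each check takes its input as text, so it can be fed the real data
# (cat /etc/rc.local, cat /etc/sysconfig/iptables, iptables-save,
# chkconfig --list iptables) or the samples at the bottom.

# Count non-comment rc.local lines that load a firewall. rc.local runs after
# the iptables init script, so anything here wins over the saved ruleset.
count_rclocal_overrides() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        /iptables-restore|firewall\.sh|iptables +-/ { n++ }
        END { print n + 0 }'
}

# Does a ruleset (iptables-save format) accept new TCP connections to port $2?
saved_accepts_port() {
    printf '%s\n' "$1" | grep -q -E -e "^-A INPUT .*--dport $2 .*-j ACCEPT"
}

# Strip comments and packet/byte counters so two dumps taken at different
# times can be compared rule for rule.
normalize_rules() {
    printf '%s\n' "$1" | sed -e '/^#/d' -e '/^[[:space:]]*$/d' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' | sort
}

# Print every rule present in the saved dump ($1) but absent from the
# running dump ($2): what the reboot silently threw away.
missing_rules() {
    _running=$(normalize_rules "$2")
    normalize_rules "$1" | while IFS= read -r _rule; do
        printf '%s\n' "$_running" | grep -q -x -F -e "$_rule" || printf '%s\n' "$_rule"
    done
}

# Parse one line of `chkconfig --list iptables` and report whether the
# service is switched on for runlevel $2 (the `chkconfig iptables on` step).
enabled_at_runlevel() {
    printf '%s\n' "$1" | grep -q -E -e "(^|[[:space:]])$2:on"
}

# --- constructed samples ---------------------------------------------------
# rc.local as found on the affected boxes; the firewall.sh path and the
# "basic" rule file are hypothetical.
SAMPLE_RC_LOCAL='#!/bin/sh
touch /var/lock/subsys/local
# re-applies the basic firewall on every boot, after iptables already ran
/usr/local/sbin/firewall.sh
iptables-restore < /root/basic-rules'

CLEAN_RC_LOCAL='#!/bin/sh
touch /var/lock/subsys/local'

# /etc/sysconfig/iptables as written by `service iptables save`
# (a subset in the style of the dump posted in the thread)
SAMPLE_SAVED='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [12:1444]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# iptables-save output after a reboot, i.e. what the rc.local firewall left
SAMPLE_RUNNING='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [3:120]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# one line of `chkconfig --list iptables`
SAMPLE_CHKCONFIG='iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# Stand-alone run: report on the samples.
echo "rc.local lines that reload a firewall: $(count_rclocal_overrides "$SAMPLE_RC_LOCAL")"
echo "saved rules missing from the running set:"
missing_rules "$SAMPLE_SAVED" "$SAMPLE_RUNNING"
if enabled_at_runlevel "$SAMPLE_CHKCONFIG" 3; then
    echo "iptables service is enabled for runlevel 3"
fi
```

On a real box the same functions take the output of cat /etc/rc.local, cat /etc/sysconfig/iptables, iptables-save and chkconfig --list iptables. A non-zero override count together with rules reported by missing_rules after a reboot points at exactly the rc.local line Scott found; a service that is not enabled for runlevel 3 or 5 points at the chkconfig step Martin described. Everything here is read-only; it changes no rules.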