
After editing the firewall, the system blocks outgoing traffic

Vincent W.

Dear,

After a fresh install and updating to the latest Plesk I got the following issue:

I have edited the Plesk firewall via the console to block port 3306 (there is no reason for 3306 to be open in my case).
But after applying the changes the system cannot connect to the Plesk auto update or resolve any DNS requests.

If I stop and start the iptables service the system is working fine... I haven't changed any outgoing rules, only the MySQL server rule.


Does someone have the same issue and can help me out? I'm using the latest release of Plesk 11.5 update 2

Thanks for the time and effort.
 
Hi,

In my configuration MySQL is firewalled; I use the unlimited edition of Plesk.
Maybe my ISP has customized the firewall.

But I got it working: I denied the outgoing and re-allowed it. Now it's working, but it's very weird that this happened.

My DEFAULT firewall rules, which I have edited for security (SAMBA, MYSQL):

Parallels Customer & Business Manager payment gateways Allow incoming from all
Parallels Single Sign-On Allow incoming from all
Parallels Products Installer Allow incoming from all
Plesk administrative interface Allow incoming from all
WWW server Allow incoming from all
FTP server Allow incoming from all
SSH (secure shell) server Allow incoming from all
SMTP (submission port) server Allow incoming from all
SMTP (mail sending) server Allow incoming from all
POP3 (mail retrieval) server Allow incoming from all
IMAP (mail retrieval) server Allow incoming from all
Mail password change service Allow incoming from all
MySQL server Deny incoming from all
PostgreSQL server Allow incoming from all
Tomcat administrative interface Allow incoming from all
Samba (file sharing in Windows networks) Deny incoming from all
Plesk VPN Allow incoming from all
Domain name server Allow incoming from all
IPv6 Neighbor Discovery Allow incoming from all
Ping service Allow incoming from all
System policy for incoming traffic Deny all other incoming traffic
System policy for outgoing traffic Allow all other outgoing traffic
System policy for forwarding of traffic Deny forwarding of all other traffic
 
Hi Vincent,

You're not mad, this happened to me. The firewall rules in the db are used to create a script here:

/usr/local/psa/var/modules/firewall/firewall-active.sh

When I checked that script after I had the problem you had, I found the following lines were missing:

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -m state --state INVALID -j DROP

/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP

/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP


So I inserted them manually and got things working again...

I then started to write a ticket to Parallels in my usual shouty fashion but decided to try to replicate this on other servers... I haven't been able to replicate it since, but I've only been able to test on upgraded servers rather than clean installs (and I can't mess with the original as that's been handed to a customer).

Given that Plesk 11 introduced a firewall bug whereby the rules for IPv6 neighbour discovery performed global allows or global denies across IPv4, I'd assume that there is a bug in there somewhere....

I'm working on two clean installs this afternoon so I will see if I can replicate it there,

Paul.
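The missing lines Paul describes are the whole story: OUTPUT ends in ACCEPT, so packets leave, but without an ESTABLISHED,RELATED rule in INPUT every reply (DNS answer, HTTP response, ping echo) falls through to the trailing "-A INPUT -j DROP". The script below is an added example, not code from this thread or from the Plesk firewall module; it scans a generated firewall-active.sh for reachable stateful rules, using constructed sample files and a hypothetical function name.

```shell
#!/bin/sh
# Added check, not part of this thread or of the Plesk firewall module:
# scan a generated firewall-active.sh for the stateful rules Paul found
# missing. Without "-m state --state ESTABLISHED,RELATED -j ACCEPT" in
# INPUT, replies to the server's own outgoing connections (DNS answers,
# HTTP responses, ping replies) hit the trailing "-A INPUT -j DROP", so
# outgoing traffic looks blocked even though OUTPUT ends in ACCEPT. The
# rule must also precede the chain's catch-all, since iptables stops at
# the first match.

# Usage: check_state_rules <path-to-firewall-active.sh>
# Checks the IPv4 (iptables) lines; prints one line per chain and returns 0
# only if INPUT, OUTPUT and FORWARD each have a reachable stateful accept.
check_state_rules() {
    f="$1"
    rc=0
    for chain in INPUT OUTPUT FORWARD; do
        state=$(grep -nE "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT" "$f" | head -n 1 | cut -d: -f1)
        catchall=$(grep -nE "iptables -A $chain -j (DROP|REJECT)" "$f" | head -n 1 | cut -d: -f1)
        if [ -z "$state" ]; then
            echo "$chain: MISSING stateful accept rule"; rc=1
        elif [ -n "$catchall" ] && [ "$catchall" -lt "$state" ]; then
            echo "$chain: stateful accept sits after the catch-all on line $catchall (never reached)"; rc=1
        else
            echo "$chain: ok"
        fi
    done
    return $rc
}

# Constructed samples (not real Plesk output), written to temp files.
BROKEN=$(mktemp); FIXED=$(mktemp); MISORDERED=$(mktemp)
trap 'rm -f "$BROKEN" "$FIXED" "$MISORDERED"' EXIT
# Shape of the script posted in this thread: no state rules at all.
cat > "$BROKEN" <<'EOF'
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A OUTPUT -j ACCEPT
/sbin/iptables -A FORWARD -j DROP
EOF
# The same script with the three ESTABLISHED,RELATED lines Paul inserted.
cat > "$FIXED" <<'EOF'
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A OUTPUT -j ACCEPT
/sbin/iptables -A FORWARD -j DROP
EOF
# State rules present but appended after the catch-all: still broken.
cat > "$MISORDERED" <<'EOF'
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF

for s in "$BROKEN" "$FIXED" "$MISORDERED"; do
    echo "== $s"
    check_state_rules "$s" || echo "-> replies to outgoing connections would be dropped"
done
```

Run it against /usr/local/psa/var/modules/firewall/firewall-active.sh after every rule change; a MISSING or "never reached" line for INPUT matches the symptoms in this thread.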
 
Hi Paul,


I have tested it today while installing two new VPS systems. My ISP provides me with the 10.x software. When I upgrade to the latest version it happens over and over...

I'm 99% sure that this is a bug in the newest version.

Debugging update!

I have added a simple rule to the firewall and it's refusing outgoing connections again... Mail is not working and rebooting has no effect
 
Care to post your files from /usr/local/psa/var/modules/firewall/ and your added rules?

Sorry I forgot!

From the web interface:
Teamspeak Allow incoming from all on port 9987/udp <-- Last edit

Parallels Customer & Business Manager payment gateways Allow incoming from all
Parallels Single Sign-On Allow incoming from all
Parallels Products Installer Allow incoming from all
Plesk administrative interface Allow incoming from all
WWW server Allow incoming from all
FTP server Allow incoming from all
SSH (secure shell) server Allow incoming from all
SMTP (submission port) server Allow incoming from all
SMTP (mail sending) server Allow incoming from all
POP3 (mail retrieval) server Allow incoming from all
IMAP (mail retrieval) server Allow incoming from all
Mail password change service Allow incoming from all
MySQL server Deny incoming from all
PostgreSQL server Allow incoming from all
Tomcat administrative interface Allow incoming from all
Samba (file sharing in Windows networks) Deny incoming from all
Plesk VPN Allow incoming from all
Domain name server Allow incoming from all
IPv6 Neighbor Discovery Allow incoming from all
Ping service Allow incoming from all
System policy for incoming traffic Deny all other incoming traffic
System policy for outgoing traffic Allow all other outgoing traffic
System policy for forwarding of traffic Deny forwarding of all other traffic

From the script:

#!/bin/sh
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

set -e

echo 0 > /proc/sys/net/ipv4/ip_forward
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P INPUT ACCEPT
/sbin/iptables -t mangle -P FORWARD ACCEPT
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
/sbin/ip6tables -F
/sbin/ip6tables -X
/sbin/ip6tables -Z
/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P OUTPUT DROP
/sbin/ip6tables -P FORWARD DROP
/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
/sbin/ip6tables -A FORWARD -i lo -o lo -j ACCEPT
/sbin/ip6tables -t mangle -F
/sbin/ip6tables -t mangle -X
/sbin/ip6tables -t mangle -Z
/sbin/ip6tables -t mangle -P PREROUTING ACCEPT
/sbin/ip6tables -t mangle -P OUTPUT ACCEPT
/sbin/ip6tables -t mangle -P INPUT ACCEPT
/sbin/ip6tables -t mangle -P FORWARD ACCEPT
/sbin/ip6tables -t mangle -P POSTROUTING ACCEPT
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT

/sbin/iptables -A INPUT -p udp --dport 9987 -j ACCEPT
/sbin/ip6tables -A INPUT -p udp --dport 9987 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 12443 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 12443 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 11443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 11444 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 11443 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 11444 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 8447 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 8447 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 8443 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 8880 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 587 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 587 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 465 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 110 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 995 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 143 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 993 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 106 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP
/sbin/ip6tables -A INPUT -p tcp --dport 3306 -j DROP

/sbin/iptables -A INPUT -p tcp --dport 5432 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 5432 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 9008 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 9080 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 9008 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 9080 -j ACCEPT

/sbin/iptables -A INPUT -p udp --dport 137 -j DROP
/sbin/iptables -A INPUT -p udp --dport 138 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 445 -j DROP
/sbin/ip6tables -A INPUT -p udp --dport 137 -j DROP
/sbin/ip6tables -A INPUT -p udp --dport 138 -j DROP
/sbin/ip6tables -A INPUT -p tcp --dport 139 -j DROP
/sbin/ip6tables -A INPUT -p tcp --dport 445 -j DROP

/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
/sbin/ip6tables -A INPUT -p udp --dport 1194 -j ACCEPT

/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
/sbin/ip6tables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT

/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 134/0 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 135/0 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 136/0 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 137/0 -j ACCEPT

/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 128/0 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 129/0 -j ACCEPT

/sbin/iptables -A INPUT -j DROP
/sbin/ip6tables -A INPUT -j DROP

/sbin/iptables -A OUTPUT -j ACCEPT
/sbin/ip6tables -A OUTPUT -j ACCEPT

/sbin/iptables -A FORWARD -j DROP
/sbin/ip6tables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active
#
# End of script
#
 
At first glance rules look OK.

Can you verify that the same rules are currently applied:

1) check that rules match using # iptables -L and # ip6tables -L ;

2) run this script manually and check whether problem persists.


Also please describe how you check that outgoing connections are blocked.


Do you have any other files in this directory? I think just their names would suffice for now.
 
It seems that the rules are applied successfully, but if I disable the psa-firewall I have outgoing traffic.

iptables -L

iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:dsm-scm-target
ACCEPT tcp -- anywhere anywhere tcp dpt:12443
ACCEPT tcp -- anywhere anywhere tcp dpt:11443
ACCEPT tcp -- anywhere anywhere tcp dpt:11444
ACCEPT tcp -- anywhere anywhere tcp dpt:8447
ACCEPT tcp -- anywhere anywhere tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere tcp dpt:cddbp-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:poppassd
DROP tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:postgres
ACCEPT tcp -- anywhere anywhere tcp dpt:ogs-server
ACCEPT tcp -- anywhere anywhere tcp dpt:glrpc
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp type 8 code 0
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

ip6tables -L

ip6tables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT udp anywhere anywhere udp dpt:dsm-scm-target
ACCEPT tcp anywhere anywhere tcp dpt:12443
ACCEPT tcp anywhere anywhere tcp dpt:11443
ACCEPT tcp anywhere anywhere tcp dpt:11444
ACCEPT tcp anywhere anywhere tcp dpt:8447
ACCEPT tcp anywhere anywhere tcp dpt:pcsync-https
ACCEPT tcp anywhere anywhere tcp dpt:cddbp-alt
ACCEPT tcp anywhere anywhere tcp dpt:http
ACCEPT tcp anywhere anywhere tcp dpt:https
ACCEPT tcp anywhere anywhere tcp dpt:ftp
ACCEPT tcp anywhere anywhere tcp dpt:ssh
ACCEPT tcp anywhere anywhere tcp dpt:submission
ACCEPT tcp anywhere anywhere tcp dpt:smtp
ACCEPT tcp anywhere anywhere tcp dpt:urd
ACCEPT tcp anywhere anywhere tcp dpt:pop3
ACCEPT tcp anywhere anywhere tcp dpt:pop3s
ACCEPT tcp anywhere anywhere tcp dpt:imap
ACCEPT tcp anywhere anywhere tcp dpt:imaps
ACCEPT tcp anywhere anywhere tcp dpt:poppassd
DROP tcp anywhere anywhere tcp dpt:mysql
ACCEPT tcp anywhere anywhere tcp dpt:postgres
ACCEPT tcp anywhere anywhere tcp dpt:ogs-server
ACCEPT tcp anywhere anywhere tcp dpt:glrpc
DROP udp anywhere anywhere udp dpt:netbios-ns
DROP udp anywhere anywhere udp dpt:netbios-dgm
DROP tcp anywhere anywhere tcp dpt:netbios-ssn
DROP tcp anywhere anywhere tcp dpt:microsoft-ds
ACCEPT udp anywhere anywhere udp dpt:openvpn
ACCEPT udp anywhere anywhere udp dpt:domain
ACCEPT tcp anywhere anywhere tcp dpt:domain
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 134 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 135 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 136 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 137 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 128 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 129 code 0
DROP all anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere
DROP all anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere

2) If I run the script manually the same problem persists.

Directory content

active.flag firewall-active.sh firewall-emergency.sh ip_forward.active rollback.flag
 
Exact steps, please. The simpler, the better.

What I do is the following;

I test by logging on to SSH; if it's slow I know there is something wrong.
I go to the Plesk page https://mydomian:8443 and try to start the update process. This gives the following error.

Failed to read product information from the file : Can't process products.inf3: Failed to download the package http://autoinstall.plesk.com/products.inf3: Couldn't resolve host 'autoinstall.plesk.com' Can't process versions.inf3: Failed to download the package http://autoinstall.plesk.com/versions.inf3: Couldn't resolve host 'autoinstall.plesk.com'

I log in to the console as ROOT to check if I can ping or wget that file; if that's not working I try to open it on my own system, which works 10/10 times.
I try to ping the Google DNS and another server, which gives a time-out, and try a DIG lookup.

If that is all done I know that the firewall is flickering again..
 
Trying it again, last post disappeared...;


If my SSH is slow or the emails stay queued for a long time, then I know something bad is happening.

I do the following:

0. Connect to a console and verify I have a running system;
1. ping the gateway (time-out);
2. ping another IP (no gateway access so this failed too);

Check the last changes I have made, and that's the firewall.
0. I apply the emergency script, and try to ping (SUCCESS)
2. dig to a domain (SUCCESS)
3. try to apply a system update (no error telling me: "Couldn't resolve host 'autoinstall.plesk.com' Can't process versions.inf3: Failed to download the package http://autoinstall.plesk.com/versions.inf3: Couldn't resolve host 'autoinstall.plesk.com'")
4. Rerun the firewall-active.sh script and the things I described above are happening again.

I hope this is enough information, if you need more let me know

Thanks for your time, patience and effort :)
 
Hello,

I have the very same issue here on my system. Fresh install of openSUSE 12.3 and Plesk 11.5.30 with Update #2. So if I can assist in finding a solution, feel free to ask for info.
 
Hi Thomas,

do you have a tip to get the in-to-out connection back? So that users can use the application menu and the e-mail is getting delivered properly?
I have activated the emergency script for now, so that the mail will get delivered. I cannot find any logs that contain useful information :(
 
Hi Vincent,

Unfortunately not. I made an emergency script as well and uninstalled the firewall module. Currently I'm stuck and have no idea how to proceed.
 
For now my advice is disabling the firewall module or allowing all incoming connections (yeah, that kinda defeats the purpose, but nonetheless).

Guys, could you please post the output of:

# cat /proc/net/ip_tables_matches
# cat /proc/net/ip6_tables_matches
# cat /proc/net/ip_tables_names
# cat /proc/net/ip6_tables_names


Also post your machine virtualization type.
 