
iptables reinstall shuts down all services


hedge@

Guest
My hosting service suggested that we reinstall iptables. Well, that doesn't seem to be such a great idea now. With iptables running, all the web, mail and FTP connections are refused. It appears that Plesk and iptables are not working together any longer. Does Plesk add entries to iptables, or does changing iptables from SSH break Plesk? This is very frustrating. Can someone please give me a clue as to how we can enable iptables and not break the server services with the reinstalled iptables? And enable passive ProFTPD functionality?

software installed: Plesk 7.5 Reloaded Fedora Core2

Thanks in advance

hedge
 
Plesk and iptables coexist quite nicely together. What you need to do is find out what configuration is currently set for iptables.

If you do not have the Plesk firewall module (just a GUI/mysql frontend for iptables), then check /etc/iptables.

If you do have the Plesk firewall module installed, then check in the Plesk GUI what is configured there.

All of our RH servers run Plesk with IPTABLES and we have never had any problems. We do NOT NOWAY EVER use the Plesk firewall module.
 
If you are flushing the tables, are all services reachable again?
If you are busy with iptables, keeping everything online has the highest priority.

I would advise you to create some cron jobs that restart SSH every 15 minutes and FLUSH iptables with, for example, the script shown below:

#!/bin/bash

# This script will flush all the rules. Doing this will erase any
# iptables policy! Including stuff like Forwards (NAT for example)

echo -n "Clearing firewall policy ... "
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
echo "[done]"
 
Shadowman,

What we seem to be having a problem with is that iptables, after reinstalling via yum, blocks everything when started. Is this possibly because the Plesk module not having been used to activate the firewall is causing some conflict? And would you suggest just disabling the Plesk firewall module and activating iptables manually?

thanks

hedge
 
We normally make sure the Plesk Firewall module is not installed on the server, and then we use IPTABLES either directly or in combination with APF (another free iptables frontend script that actually works well, though not a GUI) and BFD (brute force detection addon to APF).

This is what we do and recommend to others.

You still should check the iptables config file /etc/iptables to make sure it has not been locked down too severely, thus preventing normal services to be accessed. Since someone else prepped the server for you, there is no telling what they may have done to the default iptables config, never assume, always verify for yourself!
 
Shadowman,

You still should check the iptables config file /etc/iptables to make sure it has not been locked down too severely, thus preventing normal services to be accessed. Since someone else prepped the server for you, there is no telling what they may have done to the default iptables config, never assume, always verify for yourself!

That is the perplexing aspect of this situation. The iptables rules are set to allow all the necessary services with their respective ports. However, when I start iptables it shuts them all off, even though they are set to ACCEPT in iptables. We do have the firewall module installed, and it appears that it has all the appropriate services enabled there too. One thing also: when we reinstalled iptables, I didn't check the firewall module to see if it had changed the service states, but it now reflects that all those services are enabled. Is it possible that reinstalling iptables without any attention to the firewall module causes some breakage in the operation of one or the other? I'm also a little confused about the operation of the firewall module itself: does it actually manipulate iptables, or is it a separately functioning filter?

Thanks again for your responses in this matter I really appreciate your time...

hedge
 
The Plesk firewall module is a GUI based frontend for IPTABLES. Unfortunately, it stores the 'rules' in a database as blobs. I am not sure if reinstalling IPTABLES would have an adverse effect, but I do know that their module (IMO) is garbage and way too limiting.

It is not a separate firewall of itself.

My recommendation would be to uninstall the Plesk firewall module and see if that improves your situation. It can always be re-installed after you test. Since you cannot 'see' what they have stored in the database blobs, there is no way to verify if there are any errors in their rules... to me, that is a very very bad thing...
 
Shadowman,

Thanks for your help in this matter, all is well now, well almost.

It does appear that iptables upon reinstall does not play nice with the Plesk firewall module. Once we used the module, it wrote to iptables via the script that it creates and normal operation was restored. Unfortunately, the additions to iptables that we originally were seeking to implement are gone and we're right back to where we were before.

Seems that the firewall mod doesn't allow the input of port ranges like those needed for ProFtpd to enable passive ftp transfers. Or does it?

thanks again

hedge
 
Originally posted by hedge
Seems that the firewall mod doesn't allow the input of port ranges like those needed for ProFtpd to enable passive ftp transfers. Or does it?
IIRC that was one reason we opted not to use their module on any servers (too limiting on the input fields). I seem to recall a post in the past where Plesk was supposed to re-vamp that module in a future release, I guess we're still waiting for that release.... and I don't suppose you want to have to enter the range, one IP at a time..... neither would I...

Again, I would uninstall their module and then either go through the /etc/sysconfig/iptables file manually, or install APF (free script) which actually works as a frontend to iptables, but not a GUI. I would rather use the command line and give up a GUI as long as it works.
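One way to derive the passive-FTP rules from the ProFTPD config when editing iptables by hand, as an added example that is not from the thread, Plesk or APF: it reads the PassivePorts directive (assumed to be present in proftpd.conf; the sample config is constructed) and prints the iptables commands instead of applying them, so they can be reviewed before loading.

```shell
#!/bin/sh
# Added example (not from the thread): derive the ACCEPT rules that a
# passive ProFTPD setup needs from the PassivePorts directive, without
# touching the live firewall.  Assumes the ruleset already accepts
# ESTABLISHED,RELATED traffic and that ip_conntrack_ftp is loaded.

# Print "lo hi" from the PassivePorts directive; fail if missing or invalid.
passive_range() {
    conf="$1"
    range=$(awk 'tolower($1)=="passiveports" {print $2, $3; exit}' "$conf")
    [ -n "$range" ] || { echo "no PassivePorts directive in $conf" >&2; return 1; }
    set -- $range
    for p in "$1" "$2"; do
        case "$p" in ''|*[!0-9]*) echo "bad PassivePorts: $range" >&2; return 1;; esac
    done
    [ "$1" -le "$2" ] || { echo "PassivePorts low > high: $range" >&2; return 1; }
    [ "$2" -le 65535 ] || { echo "PassivePorts out of range: $range" >&2; return 1; }
    echo "$1 $2"
}

# Emit rules for the FTP control port and the passive data range.
# Output is printed, not applied; review it before loading with iptables.
ftp_rules() {
    range=$(passive_range "$1") || return 1
    set -- $range
    echo "iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $1:$2 -m state --state NEW -j ACCEPT"
}

# Constructed sample proftpd.conf so the script runs stand-alone.
sample_conf=$(mktemp)
printf 'ServerName "Plesk FTP"\nPassivePorts 60000 60100\n' > "$sample_conf"
ftp_rules "$sample_conf"
rm -f "$sample_conf"
```

The printed lines can be pasted into a rules script or translated into /etc/sysconfig/iptables syntax; the range must match the PassivePorts line exactly or passive transfers will still hang.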
 