LinuxQuestions.org
Old 01-17-2011, 05:58 PM   #1
nori
LQ Newbie
 
Registered: Aug 2005
Posts: 3

Rep: Reputation: 0
outbound connections not working when firewall enabled - opensuse


I have a problem on a VPS running openSUSE. When I enable the firewall, outbound connections stop working. I have tried everything I know (not much when it comes to firewalls (iptables)) but could not solve this.

Here is my ifconfig:
Code:
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:979 errors:0 dropped:0 overruns:0 frame:0
          TX packets:979 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:126703 (123.7 Kb)  TX bytes:126703 (123.7 Kb)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:143720 errors:0 dropped:0 overruns:0 frame:0
          TX packets:185372 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:24490478 (23.3 Mb)  TX bytes:203816853 (194.3 Mb)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:xxx.xxx.xxx.xxx  P-t-P:xxx.xxx.xxx.xxx  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

I used xxx.xxx.xxx.xxx to hide the real address.

Does anyone see the problem, or should I post some more info?

Tnx

Boris
 
Old 01-17-2011, 08:50 PM   #2
smoothdog
LQ Newbie
 
Registered: Dec 2009
Posts: 8

Rep: Reputation: Disabled
Need more info

Can you post the output of the command:

iptables -L -v -n

You will need to be root to access the kernel iptables data.

I assume you're using DHCP to get an address and if you turn the firewall off, you can access the network?

If either of these is untrue then you probably need to look somewhere other than your firewall...?

Try the firewall off with:

iptables -P INPUT ACCEPT
iptables -F

Remember your firewall is down after this command is run, so only leave it down a short time. A reboot will fix it as a coarse measure, or

service network restart
or
service firewall restart

may bring it back up.

When the firewall is down, you should be able to freely access your network. If not, look elsewhere....
 
Old 01-18-2011, 03:23 AM   #3
nori
LQ Newbie
 
Registered: Aug 2005
Posts: 3

Original Poster
Rep: Reputation: 0
Well, I managed to find a solution, but I still do not know where the problem was. This is a virtual host (Plesk, Virtuozzo), so I think that this problem is some incompatibility between Plesk (Virtuozzo) and SuSE.

SuSEFirewall iptables settings do not work for some reason. The server is accessible from outside (ssh, web server, ...) but no outbound connection is possible. Here are the iptables rules set by SuSEFirewall:
Code:
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED

Chain forward_ext (0 references)
target     prot opt source               destination

Chain input_ext (2 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp-data
DROP       all  --  anywhere             anywhere

Chain reject_func (0 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable

The iptables rules set by the Plesk power panel are working, but after the initial setup it is impossible to change them. Also, after a reboot they are lost, and that was the reason I wanted to try SuSEFirewall. Here are the working iptables rules:
Code:
Chain INPUT (policy DROP)        
target     prot opt source               destination         
fail2ban-VSFTPD  tcp  --  anywhere             anywhere            tcp dpt:ftp 
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh    
VZ_INPUT   all  --  anywhere             anywhere                              

Chain FORWARD (policy DROP)
target     prot opt source               destination         
VZ_FORWARD  all  --  anywhere             anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source               destination
VZ_OUTPUT  all  --  anywhere             anywhere

Chain VZ_FORWARD (1 references)
target     prot opt source               destination

Chain VZ_INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:filenet-tms:65535
ACCEPT     udp  --  anywhere             anywhere            udp dpts:filenet-tms:65535
ACCEPT     tcp  --  localhost            localhost
ACCEPT     udp  --  localhost            localhost

Chain VZ_OUTPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere
ACCEPT     tcp  --  localhost            localhost
ACCEPT     udp  --  localhost            localhost

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-VSFTPD (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

I managed to create (using iptables-save and iptables-restore) a boot-up script so that the working iptables rules are now restored after rebooting. My problem is solved, but as I said, because of my weak knowledge of iptables I still do not know which iptables rules are missing in the SuSEFirewall setup.
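
The two listings in the last post differ in how reply packets for outbound connections can get back in: the SuSEFirewall rules rely on a `state ESTABLISHED` match, while the Plesk rules accept the high destination-port range statelessly. The script below is an added example, not from the thread, that classifies such rules in the plain `iptables -L` format posted; the function names, the condensed sample listings and the treatment of headerless leading rules as INPUT are assumptions, and the thread does not establish whether state matching works inside this Virtuozzo container.

```shell
#!/bin/sh
# Added example. Usage: classify_replies "CHAIN1 CHAIN2" < iptables-L-listing
classify_replies() {
    awk -v chains=" $1 " '
    /^Chain /            { cur = $2; next }
    /^target/ || NF == 0 { next }
    {
        if (cur == "") cur = "INPUT"  # assumption: headerless first rules are INPUT
        if (index(chains, " " cur " ") == 0 || $1 != "ACCEPT") next
        extra = ""
        for (i = 6; i <= NF; i++) extra = extra " " $i
        if (extra ~ /state [A-Z,]*ESTABLISHED/)
            kind = "stateful"             # depends on connection tracking
        else if ($2 != "icmp" && extra ~ /dpts:[^ ]+:65535/)
            kind = "stateless-highports"  # replies land on ephemeral ports
        else if (extra == "" && $4 == "anywhere" && $5 == "anywhere")
            kind = "unqualified"          # may be interface-limited; not visible here
        else
            next
        print cur, $2, kind
    }'
}

# Constructed samples, condensed from the two listings in the thread.
suse_listing() { cat <<'EOF'
ACCEPT     all  --  anywhere   anywhere
ACCEPT     all  --  anywhere   anywhere   state ESTABLISHED
ACCEPT     icmp --  anywhere   anywhere   state RELATED
input_ext  all  --  anywhere   anywhere
DROP       all  --  anywhere   anywhere
Chain input_ext (2 references)
target     prot opt source     destination
ACCEPT     tcp  --  anywhere   anywhere   tcp dpt:ssh
EOF
}
plesk_listing() { cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source     destination
VZ_INPUT   all  --  anywhere   anywhere
Chain VZ_INPUT (1 references)
target     prot opt source     destination
ACCEPT     tcp  --  anywhere   anywhere   tcp dpt:ssh
ACCEPT     tcp  --  anywhere   anywhere   tcp dpts:filenet-tms:65535
ACCEPT     udp  --  anywhere   anywhere   udp dpts:filenet-tms:65535
ACCEPT     tcp  --  localhost  localhost
EOF
}

suse_listing  | classify_replies "INPUT input_ext"
plesk_listing | classify_replies "INPUT VZ_INPUT"
```

A rule reported as `unqualified` cannot be judged from plain `-L` output, because the interface columns only appear with `-v`, which is the listing requested in post #2.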
 
  

