Which firewall: LAMP & Basic Firewall StackScript

I set up a server using the LAMP & Basic Firewall StackScript, but now I need to change which incoming ports are blocked by the firewall, but I cannot determine which firewall is set up by the StackScript.

iptables does not seem to be set up to block or allow specific ports. ufw is not installed (the ufw command is not found).

The full output from `iptables --list` is:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh
DROP       all  --  zabbix.masterhost.by  anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

I use a non-standard port for SSH and somehow it works, but it seems that port 25 is blocked and I cannot find any way to unblock it. I can telnet to localhost port 25 from the local machine but I cannot reach that port from other computers. Some other mechanism seems to be in play, but I don't know what it is.

4 Replies

Your iptables (firewall) rules are only blocking (DROP) connections from 'zabbix.masterhost.by'. The other rules are a waste since the policy for each chain is set to ACCEPT. Thus this host is wide open to the world except for IP connections from whatever 'zabbix.masterhost.by' resolves to.

Travis

@randymized:

… I can telnet to localhost port 25 from the local machine but I cannot reach that port from other computers. …
If those "other computers" are in your house, your ISP is probably blocking all outbound port 25 traffic as an anti-spam measure. Try a connection you're sure is unfiltered.

It's also possible that your mail server is configured to listen on localhost only. This is common for send-only mail servers, because having a mail server listen on public IPs is a waste of resources and a potential security issue when all you need is for PHP's mail() function to work. Some stackscripts will configure this automatically.
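The two replies above name two different causes for "port 25 works from localhost but not remotely": the INPUT chain verdict (Travis) and a daemon bound to loopback only. The script below is an added example for this thread, not code from Linode or the StackScript. It parses the `iptables --list` output from the question exactly as posted and walks the INPUT chain the way the kernel would (policy, user-chain jumps, RETURN), then parses an `ss -ltn` style socket table to see which addresses port 25 is bound to. The socket table, the client address 203.0.113.7 and the `PORT_NAMES` map are constructed; the parser assumes the plain `-L` layout shown in the question, with service names rather than `-n` numbers.

```python
"""Triage "port 25 works locally but not remotely". Added example for this thread,
not code from Linode or the StackScript. Checks both causes the replies name:
the iptables INPUT chain and a daemon bound to loopback only. The iptables
listing is the one from the question; the socket table is constructed."""
import re

IPTABLES_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh
DROP       all  --  zabbix.masterhost.by  anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
"""

# Constructed `ss -ltn` table: mail daemon on loopback only, sshd on 2222, web on all.
SS_LISTING = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*
LISTEN  0       100     [::1]:25             [::]:*
LISTEN  0       128     0.0.0.0:2222         0.0.0.0:*
LISTEN  0       511     *:80                 *:*
"""

PORT_NAMES = {"ssh": 22, "smtp": 25, "http": 80, "https": 443}  # names -L prints without -n
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listing(text):
    """Parse `iptables --list` into {chain: {"policy": str|None, "rules": [...]}}.
    Assumes the plain -L layout from the question (no -v counters)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue
        target, prot, _opt, src, dst, *extra = line.split()
        chains[current]["rules"].append(
            {"target": target, "prot": prot, "src": src, "dst": dst, "extra": " ".join(extra)})
    return chains


def _port_matches(extra, port):
    """Handle 'dpt:25' and 'multiport dports ssh,http'; a rule with neither matches
    any port. Port ranges (1000:2000) and names outside PORT_NAMES are not handled."""
    m = re.search(r"(?:dpt:|multiport dports )(\S+)", extra)
    if not m:
        return True
    return port in {int(PORT_NAMES.get(p, p)) for p in m.group(1).split(",")}


def verdict(chains, chain, proto, src, port):
    """Walk one chain for an inbound packet as the kernel would.
    Returns ACCEPT/DROP/REJECT, or None when a user-defined chain falls through."""
    for rule in chains[chain]["rules"]:
        if rule["prot"] not in ("all", proto):
            continue
        if rule["src"] not in ("anywhere", "0.0.0.0/0", src):  # -L shows resolved names
            continue
        if not _port_matches(rule["extra"], port):
            continue
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        if rule["target"] == "RETURN":
            break  # built-in chain: fall to policy; user chain: back to caller
        sub = verdict(chains, rule["target"], proto, src, port)  # jump to user chain
        if sub is not None:
            return sub
    return chains[chain]["policy"]  # None for user-defined chains


def bind_scope(ss_text, port):
    """'none', 'loopback-only' or 'public' for a port in an `ss -ltn` table."""
    addrs = []
    for line in ss_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "LISTEN":
            addr, _, p = fields[3].rpartition(":")
            if int(p) == port:
                addrs.append(addr.strip("[]"))
    if not addrs:
        return "none"
    return "loopback-only" if all(a in LOOPBACK for a in addrs) else "public"


def triage(port, remote_src, iptables_text=IPTABLES_LISTING, ss_text=SS_LISTING):
    """Explain why a remote client does or does not reach tcp/port on this host."""
    fw = verdict(parse_listing(iptables_text), "INPUT", "tcp", remote_src, port)
    scope = bind_scope(ss_text, port)
    if fw != "ACCEPT":
        return f"firewall: INPUT chain gives {fw} for {remote_src} -> tcp/{port}"
    if scope != "public":
        return f"firewall accepts, but the service on tcp/{port} is {scope}"
    return f"tcp/{port} is open and listening; look beyond this host (ISP filter, routing)"


if __name__ == "__main__":
    for port in (22, 25, 80, 2222):
        print(port, triage(port, "203.0.113.7"))  # 203.0.113.7 is a constructed client
```

On the listing from the question, `triage(25, ...)` reports that the firewall accepts and the blocker is the loopback bind, which is the second reply's diagnosis; the `fail2ban-ssh` jump for port 22 just RETURNs and the ACCEPT policy applies, matching Travis's reading that the host is open except for the one DROP source.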

I had hoped that the LAMP & Basic Firewall StackScript would have set up a firewall that would survive a reboot, but apparently not. While I did verify that a couple of ports were blocked as expected when the server first came up, I should have repeated that verification after reboot.

The StackScript did store the firewall configuration in /etc/firewall.conf, but apparently did not assure reloading.

I added the following two lines to /etc/network/interfaces in the eth0 section:

post-up iptables-restore < /etc/firewall.conf
post-down iptables-save > /etc/firewall.conf

I also ran iptables-restore and that appears to have reestablished the original rules.

I don't know of a mechanism for contributing patches to a StackScript, but the post-up and post-down lines seem to be an essential part of what the StackScript should do.
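One check worth running after adding the `post-up`/`post-down` lines is whether the rules actually came back after a reboot. Comparing `iptables-save` output with /etc/firewall.conf line by line is noisy because the dump carries timestamps and per-chain counters. The script below is an added example, not code from the thread or the StackScript: it normalises both dumps and reports which rules are missing or unexpected. Both rulesets are constructed; on a real host you would read the saved file and pipe in `iptables-save` output.

```python
"""Compare a saved iptables ruleset with the live one. Added example, not from the
thread or the StackScript. Both samples below are constructed in iptables-save
format: SAVED_RULES stands in for /etc/firewall.conf, LIVE_AFTER_REBOOT for
`iptables-save` output on a host where the restore did not happen."""
import re

SAVED_RULES = """\
# Generated by iptables-save v1.4.21 on Mon Jan  1 00:00:00 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 00:00:00 2018
"""

LIVE_AFTER_REBOOT = """\
# Generated by iptables-save v1.4.21 on Tue Jan  2 09:15:00 2018
*filter
:INPUT ACCEPT [5123:401233]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6000:520000]
COMMIT
# Completed on Tue Jan  2 09:15:00 2018
"""


def normalise(dump):
    """Drop comment lines and the [packets:bytes] counters; keep everything else in order."""
    lines = []
    for line in dump.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        lines.append(re.sub(r"\s*\[\d+:\d+\]$", "", line))
    return lines


def ruleset_diff(saved, live):
    """Return (missing, unexpected): lines in saved but not live, and vice versa.
    Membership only; rule order is checked separately by rules_restored()."""
    s, l = set(normalise(saved)), set(normalise(live))
    return sorted(s - l), sorted(l - s)


def rules_restored(saved, live):
    """True only when the live ruleset equals the saved one, in the same order."""
    return normalise(saved) == normalise(live)


if __name__ == "__main__":
    missing, unexpected = ruleset_diff(SAVED_RULES, LIVE_AFTER_REBOOT)
    print("restored:", rules_restored(SAVED_RULES, LIVE_AFTER_REBOOT))
    for line in missing:
        print("missing:   ", line)
    for line in unexpected:
        print("unexpected:", line)
```

Order matters in iptables, so `rules_restored` compares the normalised lists rather than sets; `ruleset_diff` is the readable summary for when it returns False.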
