Is it possible to combine usage plesk firewall and asl?

benji
Forum User
Posts: 63
Joined: Thu Mar 29, 2007 10:32 am

Unread post by benji »

Is it possible to use the Plesk firewall at the same time as ASL? Don't know if this is a stupid question.

Thanks
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

Yep, it's 100% compatible with any 3rd party firewall interface: Plesk, APF, Shorewall, Firestarter, etc.

Unread post by benji »

Ok, so if I do a /etc/init.d/psa-firewall restart, or if I go to the Plesk control panel and apply new firewall rules, that does not affect ASL, right? (just making sure... :) )

Unread post by scott »

Yep, that's totally safe.

Unread post by benji »

I'm unsure about that "totally safe"... On my server I'm using the Plesk firewall, and I found that after activating the firewall, after a while, ASL resets the iptables configuration and makes its own.

I mean, right after I activate the config through the Plesk CP, from the SSH shell I issue the command:
/sbin/iptables -L

[root@s1 ]# /sbin/iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8443
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8880
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:poppassd
DROP       tcp  --  anywhere             anywhere            tcp dpt:mysql
DROP       tcp  --  anywhere             anywhere            tcp dpt:postgres
DROP       tcp  --  anywhere             anywhere            tcp dpt:9008
DROP       tcp  --  anywhere             anywhere            tcp dpt:9080
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-ns
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-dgm
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1194
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     icmp --  anywhere             anywhere            icmp type 8 code 0
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

to see the actual iptables configuration, but if I come back 3 to 4 days later (no reboots made...!) and issue the same command, I get the following:

[root@s1 ]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  222.241.211.162      anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             222.241.211.162

As you can see, my Plesk firewall config has been cleaned out and replaced with ASL's...

Unread post by scott »

Hmm, ASL doesn't have any kind of "clear" function. It uses a 1-to-1 add/delete script based on the IP address; it sends:

iptables -I INPUT -s <IP> -j DROP

or

iptables -D INPUT -s <IP> -j DROP

As you can see, the logic is very simple (ditto for FORWARD); it's purely used for blocking. It doesn't even touch the OUTPUT table.

I suspect you've got something else going on there. To achieve that kind of reset event you'd have to run /etc/init.d/iptables stop, or iptables -t <tablename> -F. You might want to put a wrapper around iptables to see what is calling it.

Unread post by benji »

Yep, I would like to know what's going on... but I don't know how to put a wrapper around iptables... is it very difficult? Where should I start looking?

Also, might it be the "watchdog"? I use Plesk Watchdog; I have it activated for all services...

The thing is that this only happens since I have ASL... ¿?
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

benji wrote: Yep, I would like to know what's going on... but I don't know how to put a wrapper around iptables... is it very difficult? Where should I start looking?
You should know a thing or two about shell scripting. The basic idea is to rename the iptables binary to something else (e.g. iptables.orig) and then create a script that, for instance, logs its arguments to a file or sends them to you by e-mail and finally calls the real iptables (iptables.orig).

We have no problems with ASL and firewalls.
Lemonbit Internet Dedicated Server Management
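The wrapper scott suggested and breun described, written out as an added example. This is not code from the thread, from ASL or from Plesk; it assumes the real binary has been renamed to iptables.orig in the same directory and that the log file path is whatever you pass to install_wrapper. The demo function builds a fake iptables.orig in a temporary directory so it runs offline without touching the host's real rules.

```shell
#!/bin/sh
# Added example (not from this thread, ASL or Plesk): a logging wrapper around
# iptables, following breun's recipe. Assumptions: the real binary has been
# renamed to iptables.orig in the same directory, and the log file path is
# whatever is passed to install_wrapper.

# install_wrapper DIR LOGFILE
#   Writes DIR/iptables as a shell script that appends one line per call to
#   LOGFILE (timestamp, own PID, parent PID, parent command line, arguments)
#   and then execs DIR/iptables.orig with the unchanged arguments, so the
#   caller still gets the real iptables exit status and output.
install_wrapper() {
    dir=$1
    logfile=$2
    # Unquoted heredoc: $dir and $logfile expand now; \$... survive into the script.
    cat > "$dir/iptables" <<EOF
#!/bin/sh
real="$dir/iptables.orig"
logfile="$logfile"
# Parent command line from /proc (Linux); NULs and newlines become spaces.
parent=\$(cat /proc/\$PPID/cmdline 2>/dev/null | tr '\\0\\n' '  ')
printf '%s pid=%s ppid=%s parent=[%s] args=[%s]\\n' "\$(date '+%Y-%m-%d %H:%M:%S')" "\$\$" "\$PPID" "\$parent" "\$*" >> "\$logfile"
exec "\$real" "\$@"
EOF
    chmod 755 "$dir/iptables"
}

# demo_wrapper
#   Constructed offline demonstration: installs the wrapper in a temp dir next
#   to a fake iptables.orig that only echoes its arguments, so the host's real
#   firewall is never touched. Sends the kind of call scott describes ASL
#   sending, then prints the args field of the resulting log line.
demo_wrapper() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "fake iptables: $*"\n' > "$tmp/iptables.orig"
    chmod 755 "$tmp/iptables.orig"
    install_wrapper "$tmp" "$tmp/iptables.log"
    "$tmp/iptables" -I INPUT -s 192.0.2.10 -j DROP > /dev/null
    sed -n 's/.*args=\[\(.*\)]$/\1/p' "$tmp/iptables.log" | tail -n 1
    rm -rf "$tmp"
}

# Run stand-alone with "--demo" to see the logged arguments.
if [ "${1:-}" = "--demo" ]; then
    demo_wrapper
fi
```

On a real box the deployment would be `mv /sbin/iptables /sbin/iptables.orig` followed by `install_wrapper /sbin /var/log/iptables-wrapper.log`; when the ruleset next disappears, the log entry carrying `-F`, `-X` or `-P ... ACCEPT` arguments, together with its parent command line, names the culprit. Two caveats: a package update of iptables will overwrite the wrapper with the real binary, so treat it as a temporary investigation aid, and anything that loads rules through iptables-restore rather than the iptables binary bypasses the wrapper entirely.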