Hi
Please see below:
[root@packetfence01 ~]# cat /usr/local/pf/var/conf/iptables.conf
# This file is generated from a template at /usr/local/pf/conf/iptables.conf
# Any changes made to this file will be lost on restart
# iptables template
# This file is manipulated on PacketFence's startup before being given to iptables
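*filter
### INPUT ###
# Default-deny on INPUT: anything not matched by an ACCEPT below is dropped.
# NOTE(review): this policy only exists if iptables-restore actually loads the
# file. The restart log quoted later in this thread shows it failing
# ("Module ip_tables not found", "iptables-restore: line 101 failed"); when that
# happens none of the rules below are installed and the host presumably sits at
# the kernel default (ACCEPT) — check with `iptables -L -n` before relying on
# anything in this file.
:INPUT DROP [0:0]
# accept loopback stuff
-A INPUT --in-interface lo --jump ACCEPT
# accept anything related
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Accept Ping (easier troubleshooting)
# This rule carries no --in-interface or --source, so echo-request is answered
# on every interface, not just management.
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
:input-management-if - [0:0]
# NOTE(review): none of the management rules carry a --source match, so every
# port below is open to any host that can reach eth0 (see the INPUT dispatch at
# the end of this table). If eth0 is not a dedicated management segment,
# restrict at least the webservices, AAA and RADIUS ports to the addresses of
# the switches / RADIUS clients — and do it in the template at
# /usr/local/pf/conf/iptables.conf, since this file is regenerated on restart.
# SSH
-A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
# Web Admin
-A input-management-if --protocol tcp --match tcp --dport 1443 --jump ACCEPT
# Webservices
-A input-management-if --protocol tcp --match tcp --dport 9090 --jump ACCEPT
# AAA
-A input-management-if --protocol tcp --match tcp --dport 7070 --jump ACCEPT
# RADIUS (1812 and 1813 are opened over both TCP and UDP)
-A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
# SNMP Traps
-A input-management-if --protocol udp --match udp --dport 162 --jump ACCEPT
# DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
# NOTE(review): DHCP runs over UDP; the TCP/67 rule looks surplus. Harmless,
# but confirm before trimming it from the template.
-A input-management-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
# OpenVAS Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
# Nessus Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 8834 --jump ACCEPT
# HTTPS for email confirmation or sponsor activation on the captive portal (if enabled)
# (no rule was generated under this heading, so that feature is presumably
# disabled in pf.conf)
:input-internal-vlan-if - [0:0]
# Only reached for eth1/eth2 traffic addressed to this host or to broadcast
# (see the INPUT dispatch at the end of this table).
# DNS
-A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
# DHCP
-A input-internal-vlan-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
# HTTP (captive-portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
:input-internal-inline-if - [0:0]
# NOTE(review): no INPUT rule in this file dispatches to this chain (only eth0,
# eth1 and eth2 are dispatched, to the management and vlan chains), so the rules
# below are inert in this deployment. Kept as generated.
# DHCP
-A input-internal-inline-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
# DNS
# allow unregistered users and isolated users to reach it for DNAT purposes but prevent registered ones
# Marks 0x3 and 0x2 are accepted, mark 0x1 (registered, per the note above) is
# dropped; packets with any other mark fall out of this chain and end up at the
# INPUT DROP policy.
-A input-internal-inline-if --protocol tcp --match tcp --dport 53 --match mark --mark 0x3 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53 --match mark --mark 0x3 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 53 --match mark --mark 0x2 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53 --match mark --mark 0x2 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 53 --match mark --mark 0x1 --jump DROP
-A input-internal-inline-if --protocol udp --match udp --dport 53 --match mark --mark 0x1 --jump DROP
# HTTP (captive-portal)
# prevent registered users from reaching it
# TODO: Must work in dispatcher and Catalyst to redirect registered client out of the portal
#-A input-internal-inline-if --protocol tcp --match tcp --dport 80 --match mark --mark 0x1 --jump DROP
#-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
# allow everyone else behind inline interface (not registered, isolated, etc.)
# (with the two DROP rules above commented out, registered clients can reach
# the portal ports as well)
-A input-internal-inline-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
:input-highavailability-if - [0:0]
# NOTE(review): likewise never dispatched to from INPUT in this file (presumably
# no HA interface is configured), so the Corosync/DRBD ports are not actually
# exposed here.
#SSH
-A input-highavailability-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
# Corosync
-A input-highavailability-if --protocol udp --match udp --dport 5405 --jump ACCEPT
-A input-highavailability-if --protocol udp --match udp --dport 5407 --jump ACCEPT
#DRBD
-A input-highavailability-if --protocol tcp --match tcp --dport 7788 --jump ACCEPT
### FORWARD ###
# Default-deny forwarding. The per-mode forward chains are declared but empty
# and nothing jumps to them, so this host forwards nothing between interfaces
# (consistent with no inline interface being configured).
:FORWARD DROP [0:0]
:forward-internal-vlan-if - [0:0]
:forward-internal-inline-if - [0:0]
:OUTPUT ACCEPT [0:0]
# These will redirect to the proper chains based on conf/pf.conf's configuration
# eth1/eth2: only packets addressed to this host's VLAN-side IP or to the
# broadcast address (presumably DHCP) enter the vlan chain; anything else on
# those interfaces is left to the INPUT DROP policy.
-A INPUT --in-interface eth1 -d 10.22.3.1 --jump input-internal-vlan-if
-A INPUT --in-interface eth1 -d 255.255.255.255 --jump input-internal-vlan-if
-A INPUT --in-interface eth2 -d 10.22.5.1 --jump input-internal-vlan-if
-A INPUT --in-interface eth2 -d 255.255.255.255 --jump input-internal-vlan-if
# eth0 (management): every packet, whatever its source or destination, is
# evaluated against input-management-if; a non-match falls back to DROP.
-A INPUT --in-interface eth0 --jump input-management-if
COMMIT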
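*mangle
:PREROUTING ACCEPT [0:0]
# Inline-mode marking chain; declared here but nothing in this generated file
# jumps to it (no inline interface appears to be configured).
:prerouting-int-inline-if - [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# These will redirect to the proper chains based on conf/pf.conf's configuration
# (none were emitted for this configuration, so the mangle table is a no-op —
# which also means the 0x1/0x2/0x3 marks tested in the filter table's inline
# chain are never set by this file)
COMMIT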
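*nat
:PREROUTING ACCEPT [0:0]
:prerouting-int-inline-if - [0:0]
:postrouting-inline-routed - [0:0]
:postrouting-int-inline-if - [0:0]
:prerouting-int-vlan-if - [0:0]
:OUTPUT ACCEPT [0:0]
# These will redirect to the proper chains based on conf/pf.conf's configuration
-A PREROUTING --in-interface eth1 --jump prerouting-int-vlan-if
-A PREROUTING --in-interface eth2 --jump prerouting-int-vlan-if
# NOTE(review): prerouting-int-vlan-if is jumped to but contains no rules in
# this file, so nothing is redirected on eth1/eth2 by iptables-restore alone.
# The header says PacketFence manipulates this file at startup, so rules may be
# added then — verify the live state with `iptables -t nat -L -n`.
# NOTE(review): by a count of the unwrapped file, the "iptables-restore: line
# 101 failed" in the restart log lands inside this nat table, which fits the
# "Module ip_tables not found" error: if the kernel cannot load the netfilter
# modules the nat table is unavailable and the whole restore aborts. Confirm the
# kernel actually exposes the nat table before debugging the rules themselves.
:POSTROUTING ACCEPT [0:0]
#
# Chain to enable routing instead of NAT
#
#
# NAT out (PAT actually)
#
# If you want to do your own thing regarding NAT like for example:
# - allowing through instead of doing NAT (make sure you have the proper return route)
# - traffic out on some interface other than management
# - overloading on multiple IP addresses
# Comment the next two lines and do it here on the POSTROUTING chain.
# Make sure to adjust the FORWARD rules also to allow traffic back-in.
# NOTE(review): the "next two lines" this template note refers to are not
# present in the generated output — presumably because no inline interface is
# configured, so no outbound NAT/PAT rule was emitted. Nothing leaving this host
# is NATed by this file.
COMMIT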
[root@packetfence01 ~]#
On 10 February 2015 at 23:46, Durand fabrice <[email protected]> wrote:
> Hi Steve,
>
> can you paste /usr/local/pf/var/conf/iptables.conf ?
>
> Regards
> Fabrice
>
> Le 2015-02-10 10:50, Steve Allen a écrit :
>
> Hi
>
> I have recently installed a PacketFence (PF) server.
>
> Do I have a problem with iptables?
>
> ###########################
> [root@packetfence01 ssl]# /etc/init.d/packetfence restart
> Restarting PacketFence...service|command
> dhcpd|stop
> httpd.aaa|stop
> httpd.admin|stop
> httpd.portal|stop
> httpd.proxy|already stopped
> httpd.webservices|stop
> iptables|already stopped
> pfbandwidthd|already stopped
> pfdetect|already stopped
> pfdhcplistener_eth1|stop
> pfdhcplistener_eth2|stop
> pfdhcplistener_eth0|stop
> pfdns|stop
> pfmon|stop
> pfsetvlan|stop
> radiusd|stop
> snmptrapd|stop
> snort|already stopped
> suricata|already stopped
> memcached|stop
> memcached|start
> httpd.admin|start
> Checking configuration sanity...
> Internet Systems Consortium DHCP Server 4.1.1-P1
> Copyright 2004-2010 Internet Systems Consortium.
> All rights reserved.
> For info, please visit https://www.isc.org/software/dhcp/
> Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not
> specified in the config file
> Wrote 0 leases to leases file.
> Listening on LPF/eth2/8a:45:0a:5f:4f:c5/10.22.5.0/24
> Sending on LPF/eth2/8a:45:0a:5f:4f:c5/10.22.5.0/24
> Listening on LPF/eth1/52:a8:61:87:c4:0f/10.22.3.0/24
> Sending on LPF/eth1/52:a8:61:87:c4:0f/10.22.3.0/24
>
> Sending on Socket/fallback/fallback-net
> dhcpd|start
> httpd.aaa|start
> httpd.portal|start
> httpd.webservices|start
> *FATAL: Module ip_tables not found.*
> *iptables-save v1.4.7: Cannot initialize: Table does not exist (do you need
> to insmod?)*
>
> *ipset v6.11: Kernel error received: Operation not permitted*
> *iptables-restore: line 101 failed*
> *iptables|start*
> pfdhcplistener_eth1|start
> pfdhcplistener_eth2|start
> pfdhcplistener_eth0|start
> pfdns|start
> pfmon|start
> snmptrapd|start
> pfsetvlan|start
> radiusd|start
> ###########################
>
>
>
>
>
>
>
>
>
>
>
>
>
>
--
Regards,
Steve Allen