I think this was just a dodgy install of CentOS.

Reinstalled CentOS and it works OK.

Thanks

On 11 February 2015 at 17:46, Steve Allen <[email protected]> wrote:

> Hi Fabrice
>
> As requested please see below:
>
> [root@packetfence01 ~]# iptables-restore < /usr/local/pf/var/conf/iptables.conf
> iptables-restore: line 101 failed
> [root@packetfence01 ~]#
> [root@packetfence01 ~]#
> [root@packetfence01 ~]# sudo iptables-restore < /usr/local/pf/var/conf/iptables.conf
> iptables-restore: line 101 failed
> [root@packetfence01 ~]#
>
>
> Kind regards,
>
> On 11 February 2015 at 14:02, Fabrice DURAND <[email protected]> wrote:
>
>> Hi Steve,
>>
>> It looks OK. What happens if you do that:
>> iptables-restore < /usr/local/pf/var/conf/iptables.conf
>>
>> Regards
>> Fabrice
>>
>> On 2015-02-11 03:15, Steve Allen wrote:
>> > Hi
>> >
>> > Please see below:
>> >
>> > [root@packetfence01 ~]# cat /usr/local/pf/var/conf/iptables.conf
>> > # This file is generated from a template at /usr/local/pf/conf/iptables.conf
>> > # Any changes made to this file will be lost on restart
>> >
>> > # iptables template
>> > # This file is manipulated on PacketFence's startup before being given to iptables
>> > *filter
>> >
>> > ### INPUT ###
>> > :INPUT DROP [0:0]
>> > # accept loopback stuff
>> > -A INPUT --in-interface lo --jump ACCEPT
>> > # accept anything related
>> > -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
>> > # Accept Ping (easier troubleshooting)
>> > -A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
>> >
>> > :input-management-if - [0:0]
>> > # SSH
>> > -A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
>> > # Web Admin
>> > -A input-management-if --protocol tcp --match tcp --dport 1443 --jump ACCEPT
>> > # Webservices
>> > -A input-management-if --protocol tcp --match tcp --dport 9090 --jump ACCEPT
>> > # AAA
>> > -A input-management-if --protocol tcp --match tcp --dport 7070 --jump ACCEPT
>> > # RADIUS
>> > -A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
>> > -A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
>> > -A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
>> > -A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
>> > # SNMP Traps
>> > -A input-management-if --protocol udp --match udp --dport 162 --jump ACCEPT
>> > # DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
>> > -A input-management-if --protocol udp --match udp --dport 67 --jump ACCEPT
>> > -A input-management-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
>> > # OpenVAS Administration Interface
>> > -A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
>> > # Nessus Administration Interface
>> > -A input-management-if --protocol tcp --match tcp --dport 8834 --jump ACCEPT
>> > # HTTPS for email confirmation or sponsor activation on the captive portal (if enabled)
>> >
>> >
>> > :input-internal-vlan-if - [0:0]
>> > # DNS
>> > -A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
>> > # DHCP
>> > -A input-internal-vlan-if --protocol udp --match udp --dport 67 --jump ACCEPT
>> > -A input-internal-vlan-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
>> > # HTTP (captive-portal)
>> > -A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
>> > -A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
>> >
>> >
>> > :input-internal-inline-if - [0:0]
>> > # DHCP
>> > -A input-internal-inline-if --protocol udp --match udp --dport 67 --jump ACCEPT
>> > -A input-internal-inline-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
>> > # DNS
>> > # allow unregistered users and isolated users to reach it for DNAT purposes but prevent registered ones
>> > -A input-internal-inline-if --protocol tcp --match tcp --dport 53 --match mark --mark 0x3 --jump ACCEPT
>> > -A input-internal-inline-if --protocol udp --match udp --dport 53 --match mark --mark 0x3 --jump ACCEPT
>> > -A input-internal-inline-if --protocol tcp --match tcp --dport 53 --match mark --mark 0x2 --jump ACCEPT
>> > -A input-internal-inline-if --protocol udp --match udp --dport 53 --match mark --mark 0x2 --jump ACCEPT
>> > -A input-internal-inline-if --protocol tcp --match tcp --dport 53 --match mark --mark 0x1 --jump DROP
>> > -A input-internal-inline-if --protocol udp --match udp --dport 53 --match mark --mark 0x1 --jump DROP
>> > # HTTP (captive-portal)
>> > # prevent registered users from reaching it
>> > # TODO: Must work in dispatcher and Catalyst to redirect registered client out of the portal
>> > #-A input-internal-inline-if --protocol tcp --match tcp --dport 80 --match mark --mark 0x1 --jump DROP
>> > #-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
>> > # allow everyone else behind inline interface (not registered, isolated, etc.)
>> > -A input-internal-inline-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
>> > -A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
>> >
>> >
>> > :input-highavailability-if - [0:0]
>> > #SSH
>> > -A input-highavailability-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
>> > # Corosync
>> > -A input-highavailability-if --protocol udp --match udp --dport 5405 --jump ACCEPT
>> > -A input-highavailability-if --protocol udp --match udp --dport 5407 --jump ACCEPT
>> > #DRBD
>> > -A input-highavailability-if --protocol tcp --match tcp --dport 7788 --jump ACCEPT
>> >
>> > ### FORWARD ###
>> > :FORWARD DROP [0:0]
>> > :forward-internal-vlan-if - [0:0]
>> >
>> >
>> > :forward-internal-inline-if - [0:0]
>> >
>> >
>> > :OUTPUT ACCEPT [0:0]
>> >
>> > # These will redirect to the proper chains based on conf/pf.conf's configuration
>> > -A INPUT --in-interface eth1 -d 10.22.3.1 --jump input-internal-vlan-if
>> > -A INPUT --in-interface eth1 -d 255.255.255.255 --jump input-internal-vlan-if
>> > -A INPUT --in-interface eth2 -d 10.22.5.1 --jump input-internal-vlan-if
>> > -A INPUT --in-interface eth2 -d 255.255.255.255 --jump input-internal-vlan-if
>> > -A INPUT --in-interface eth0 --jump input-management-if
>> > COMMIT
>> >
>> > *mangle
>> > :PREROUTING ACCEPT [0:0]
>> > :prerouting-int-inline-if - [0:0]
>> >
>> > :INPUT ACCEPT [0:0]
>> > :FORWARD ACCEPT [0:0]
>> > :OUTPUT ACCEPT [0:0]
>> > :POSTROUTING ACCEPT [0:0]
>> > # These will redirect to the proper chains based on conf/pf.conf's configuration
>> >
>> > COMMIT
>> >
>> > *nat
>> > :PREROUTING ACCEPT [0:0]
>> > :prerouting-int-inline-if - [0:0]
>> > :postrouting-inline-routed - [0:0]
>> > :postrouting-int-inline-if - [0:0]
>> > :prerouting-int-vlan-if - [0:0]
>> >
>> >
>> > :OUTPUT ACCEPT [0:0]
>> > # These will redirect to the proper chains based on conf/pf.conf's configuration
>> > -A PREROUTING --in-interface eth1 --jump prerouting-int-vlan-if
>> > -A PREROUTING --in-interface eth2 --jump prerouting-int-vlan-if
>> >
>> >
>> > :POSTROUTING ACCEPT [0:0]
>> >
>> >
>> > #
>> > # Chain to enable routing instead of NAT
>> > #
>> >
>> >
>> > #
>> > # NAT out (PAT actually)
>> > #
>> > # If you want to do your own thing regarding NAT like for example:
>> > # - allowing through instead of doing NAT (make sure you have the proper return route)
>> > # - traffic out on some interface other than management
>> > # - overloading on multiple IP addresses
>> > # Comment the next two lines and do it here on the POSTROUTING chain.
>> > # Make sure to adjust the FORWARD rules also to allow traffic back-in.
>> >
>> >
>> > COMMIT
>> >
>> > [root@packetfence01 ~]#
>> >
>> > On 10 February 2015 at 23:46, Durand fabrice <[email protected]> wrote:
>> >
>> >     Hi Steve,
>> >
>> >     can you paste /usr/local/pf/var/conf/iptables.conf ?
>> >
>> >     Regards
>> >     Fabrice
>> >
>> >     On 2015-02-10 10:50, Steve Allen wrote:
>> >>     Hi, I have recently installed a PF server. Do I have a problem with
>> >>     iptables?
>> >>     ###########################
>> >>     [root@packetfence01 ssl]# /etc/init.d/packetfence restart
>> >>     Restarting PacketFence...
>> >>     service|command
>> >>     dhcpd|stop
>> >>     httpd.aaa|stop
>> >>     httpd.admin|stop
>> >>     httpd.portal|stop
>> >>     httpd.proxy|already stopped
>> >>     httpd.webservices|stop
>> >>     iptables|already stopped
>> >>     pfbandwidthd|already stopped
>> >>     pfdetect|already stopped
>> >>     pfdhcplistener_eth1|stop
>> >>     pfdhcplistener_eth2|stop
>> >>     pfdhcplistener_eth0|stop
>> >>     pfdns|stop
>> >>     pfmon|stop
>> >>     pfsetvlan|stop
>> >>     radiusd|stop
>> >>     snmptrapd|stop
>> >>     snort|already stopped
>> >>     suricata|already stopped
>> >>     memcached|stop
>> >>     memcached|start
>> >>     httpd.admin|start
>> >>     Checking configuration sanity...
>> >>     Internet Systems Consortium DHCP Server 4.1.1-P1
>> >>     Copyright 2004-2010 Internet Systems Consortium.
>> >>     All rights reserved.
>> >>     For info, please visit https://www.isc.org/software/dhcp/
>> >>     Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
>> >>     Wrote 0 leases to leases file.
>> >>     Listening on LPF/eth2/8a:45:0a:5f:4f:c5/10.22.5.0/24
>> >>     Sending on   LPF/eth2/8a:45:0a:5f:4f:c5/10.22.5.0/24
>> >>     Listening on LPF/eth1/52:a8:61:87:c4:0f/10.22.3.0/24
>> >>     Sending on   LPF/eth1/52:a8:61:87:c4:0f/10.22.3.0/24
>> >>     Sending on   Socket/fallback/fallback-net
>> >>     dhcpd|start
>> >>     httpd.aaa|start
>> >>     httpd.portal|start
>> >>     httpd.webservices|start
>> >>     *FATAL: Module ip_tables not found.*
>> >>     *iptables-save v1.4.7: Cannot initialize: Table does not exist (do you need to insmod?)*
>> >>
>> >>     *ipset v6.11: Kernel error received: Operation not permitted*
>> >>     *iptables-restore: line 101 failed*
>> >>     *iptables|start*
>> >>     pfdhcplistener_eth1|start
>> >>     pfdhcplistener_eth2|start
>> >>     pfdhcplistener_eth0|start
>> >>     pfdns|start
>> >>     pfmon|start
>> >>     snmptrapd|start
>> >>     pfsetvlan|start
>> >>     radiusd|start
>> >>     ###########################
>> >>
>> >>
>> >>
>> >>
>> >>
>>  
>> ------------------------------------------------------------------------------
>> >>     Dive into the World of Parallel Programming. The Go Parallel
>> Website,
>> >>     sponsored by Intel and developed in partnership with Slashdot
>> Media, is your
>> >>     hub for all things parallel software development, from weekly
>> thought
>> >>     leadership blogs to news, videos, case studies, tutorials and
>> more. Take a
>> >>     look and join the conversation now.
>> http://goparallel.sourceforge.net/
>> >>
>> >>
>> >>     _______________________________________________
>> >>     PacketFence-users mailing list
>> >>     [email protected]
>> >>     https://lists.sourceforge.net/lists/listinfo/packetfence-users
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > --
>> > Regards,
>> >
>> > Steve Allen
>> >
>> >
>> >
>> >
>> >
>>
>>
>> --
>> Fabrice Durand
>> [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>>
>>
>>
>>
>>
>
>
> --
> Regards,
>
> Steve Allen
>
>
>


-- 
Regards,

Steve Allen
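For the next person who hits the same startup output, here is an added triage script (mine, not PacketFence's code and not something posted in this thread). It separates the two things the thread ran together: whether the running kernel can provide the netfilter tables at all (the "FATAL: Module ip_tables not found" and "do you need to insmod?" messages), and which line of the generated ruleset iptables-restore is actually rejecting. It assumes the path used in the thread, /usr/local/pf/var/conf/iptables.conf, and the usual /lib/modules/$(uname -r) layout; the function names are mine. One caveat: the "line 101" that iptables-restore reports is counted on the file on disk, and the copy pasted into the mail was re-wrapped by the mail client, so counting lines in the quoted text will not locate the rule.

```shell
#!/bin/sh
# Added example, not PacketFence's own code: triage "iptables-restore: line N failed"
# on a PacketFence host. Assumes the ruleset path used in the thread and the
# standard /lib/modules/<kernel> layout. All function names here are mine.

PF_RULES=${PF_RULES:-/usr/local/pf/var/conf/iptables.conf}

# Extract the line number from an iptables-restore error message.
#   restore_error_line "iptables-restore: line 101 failed"   -> 101
# Prints nothing for messages of a different shape.
restore_error_line() {
    printf '%s\n' "$1" | sed -n 's/^iptables-restore: line \([0-9][0-9]*\) failed.*$/\1/p'
}

# Print line N of a ruleset file, counted the way iptables-restore counts it:
# every line counts, comments and blank lines included.
show_rule_at() {
    sed -n "${2}p" "$1"
}

# Report which table line N belongs to: the last "*table" header above it.
table_for_line() {
    head -n "$2" "$1" | grep '^\*' | tail -n 1
}

# Check that the running kernel can provide the tables the ruleset needs.
# A failure here means the kernel/module install is broken and the ruleset
# is not the problem (the "Module ip_tables not found" case from the thread).
netfilter_modules_ok() {
    moddir="/lib/modules/$(uname -r)"
    if [ ! -d "$moddir" ]; then
        echo "no module tree for the running kernel at $moddir"
        return 1
    fi
    for m in ip_tables iptable_filter iptable_nat iptable_mangle ip_set; do
        # -n: dry run; resolves the module and its dependencies without loading
        if ! modprobe -n "$m" 2>/dev/null; then
            echo "module $m cannot be resolved for kernel $(uname -r)"
            return 1
        fi
    done
    return 0
}

# Load the ruleset the same way the thread did and, on failure, show the
# offending line and its table. Loading replaces the active ruleset.
diagnose() {
    rules=${1:-$PF_RULES}
    netfilter_modules_ok || return 1
    if err=$(iptables-restore < "$rules" 2>&1 >/dev/null); then
        echo "ruleset $rules loads cleanly"
        return 0
    fi
    echo "$err"
    n=$(restore_error_line "$err")
    if [ -n "$n" ]; then
        echo "table: $(table_for_line "$rules" "$n")"
        printf 'line %s: %s\n' "$n" "$(show_rule_at "$rules" "$n")"
    fi
    return 1
}

# Usage on the PacketFence host:  diagnose /usr/local/pf/var/conf/iptables.conf
```

diagnose loads the ruleset for real, exactly as the `iptables-restore < file` command in the thread does, so it replaces the active ruleset; run it only where that ruleset is the one meant to be active. When netfilter_modules_ok fails, the ruleset is not at fault: the module tree for the running kernel is missing or inconsistent with the installed kernel packages, which is the kind of broken install a reinstall fixes; on CentOS, `rpm -V kernel` lists the kernel package files that are missing or altered.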
