1
Other modules / Re: HTTP proxy won't start with transparent proxy enabled
« on: May 24, 2023, 04:29:13 am »
Any luck with this? I've got the exact same problem. I even tried changing the port, which did no good.
But after kicking it around, I found I had to enable IPv6 in sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
Then I found out it works up until I make use of Domain Categories in Filter Profiles, deny one category and assign it to an access rule. That's when Transparent Proxy stops working.
Everything else works: Domains, Extensions and MIME.
You can test using squid -k check
Also, I had tried removing the module, but for some reason the zentyal-squid-SERVER object was not removed. It then would not configure properly when reinstalling. I was able to overcome this by removing the object from Samba with samba-tool group removemembers 'Domain Admins' zentyal-squid-MYSERVERNAME.
If you get errors dealing with ports, look into /etc/e2guardian.conf
Hope this helps.
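The post above lists three things to check when the transparent proxy refuses to start: the IPv6 sysctls, the squid configuration (squid -k check) and the port settings in e2guardian's configuration. The script below turns those into a repeatable pre-flight check. It is an added example, not code from the original post or from Zentyal; it assumes a sysctl-style "key = value" file, an e2guardian.conf that uses "filterport" and "proxyport" keys, and squid on PATH when run live. The sample files in the demo are constructed.

```shell
#!/bin/sh
# Pre-flight checks for the Zentyal transparent-proxy symptoms described above.
# Added example, not from the original post or from Zentyal.
# Assumptions: sysctl.conf style "key = value" lines; e2guardian.conf uses
# "filterport = N" and "proxyport = N"; squid is on PATH when checking live.

# Print each net.ipv6.conf.<if>.disable_ipv6 key that is still set to 1.
# The post needed all three (all, default, lo) at 0 before the proxy would start.
ipv6_disabled_keys() {
    sed -n 's/^[[:space:]]*\(net\.ipv6\.conf\.[^.[:space:]]*\.disable_ipv6\)[[:space:]]*=[[:space:]]*1[[:space:]]*$/\1/p' "$1"
}

# Print the last uncommented value of KEY in an e2guardian.conf style file.
# Usage: conf_value /etc/e2guardian/e2guardian.conf filterport
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# 0 if e2guardian's proxyport equals the squid port given as $2, 1 otherwise.
ports_consistent() {
    [ "$(conf_value "$1" proxyport)" = "$2" ]
}

# Live check: IPv6 sysctls, squid config sanity, e2guardian ports.
# Arguments: sysctl.conf e2guardian.conf. Returns non-zero if anything is off.
check_transparent_proxy() {
    sysctl_file=$1; e2g_conf=$2; rc=0
    bad=$(ipv6_disabled_keys "$sysctl_file")
    if [ -n "$bad" ]; then
        printf 'IPv6 still disabled in %s:\n%s\n' "$sysctl_file" "$bad"; rc=1
    fi
    if command -v squid >/dev/null 2>&1; then
        squid -k parse || rc=1   # syntax-check squid.conf without touching the daemon
        squid -k check || rc=1   # confirm the running squid answers
    fi
    printf 'e2guardian filterport=%s proxyport=%s\n' \
        "$(conf_value "$e2g_conf" filterport)" "$(conf_value "$e2g_conf" proxyport)"
    return $rc
}

# Demo on constructed files (not real system state) so this runs anywhere.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sysctl.conf" <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0
EOF
cat > "$demo_dir/e2guardian.conf" <<'EOF'
# filterport = 9999
filterport = 8080
proxyport = 3128
EOF
check_transparent_proxy "$demo_dir/sysctl.conf" "$demo_dir/e2guardian.conf" || echo "problems found (expected in the demo)"
rm -rf "$demo_dir"
```

Run it against the real files with check_transparent_proxy /etc/sysctl.conf /etc/e2guardian/e2guardian.conf; a non-zero exit means at least one of the three conditions from the post is not met.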
2
Other modules / Zentyal 7.0 site-to-site to RouterOS (Mikrotik)
« on: July 21, 2022, 05:31:10 pm »
Hello
We would like to set up a site-to-site VPN between Zentyal 7.0x and a Mikrotik router using OpenVPN. So far we keep getting a "CN 18 0" error when we import the Mikrotik certificates.
3
Directory and Authentication / Reverse PDC to BDC and BDC to PDC
« on: May 17, 2022, 06:59:27 pm »
Hello
I have two Zentyal 6.2 servers. One (older) is the Primary DC and the other (newer) is an Additional DC. I would like the new one to be our primary and to remove the old server.
sudo ./ad-migrate ran just fine.
But Roaming Profiles and associated data remain with the old server. If I change the users' default server, all I get are temporary profiles on the workstations.
Thanks
4
Directory and Authentication / Re: Domain roaming profile data migration. How to made that ?
« on: April 07, 2021, 01:54:50 pm »
How did it go?
Were you able to move all of your users?
What about shared folders?
Thanks
5
Other modules / Cannot start VM from Virt Manager
« on: February 29, 2020, 01:25:55 am »
I can define a VM but I cannot start it.
I checked the log file and this is what I found:
mkdir -p /var/lib/zentyal/tmp/libvirt-networks
cp /etc/libvirt/qemu/networks/*.xml /var/lib/zentyal/tmp/libvirt-networks/
chmod 644 /var/lib/zentyal/tmp/libvirt-networks/*.xml failed.
Error output: cp: cannot stat '/etc/libvirt/qemu/networks/*.xml': No such file or directory
Thanks
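The error in the log above is the shell's behaviour when an unquoted glob matches nothing: /etc/libvirt/qemu/networks/*.xml is passed to cp as the literal string, and cp reports "cannot stat" on it. That happens when no libvirt network is defined (virsh net-list --all shows what exists). The function below, an added example and not Zentyal's own code, does the same copy but tests each glob expansion before using it, so an empty directory is reported instead of aborting the step. The directories in the demo are constructed and do not touch the real /etc/libvirt tree.

```shell
#!/bin/sh
# Added example (not Zentyal's own code): copy libvirt network XML into a
# staging directory, handling the "glob matched nothing" case that produced
# the cp error in the log above.

# Copy SRC/*.xml into DST with mode 644 and print the number copied.
# Returns 2 when SRC holds no .xml files (the situation in the log).
copy_network_xml() {
    src=$1; dst=$2; n=0
    mkdir -p "$dst" || return 1
    for f in "$src"/*.xml; do
        [ -e "$f" ] || continue        # glob matched nothing: literal pattern, skip it
        cp "$f" "$dst"/ && chmod 644 "$dst/$(basename "$f")" || return 1
        n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then
        echo "no network definitions in $src (check: virsh net-list --all)" >&2
        return 2
    fi
    echo "$n"
}

# Demo against constructed directories, not the real /etc/libvirt tree.
demo=$(mktemp -d)
mkdir -p "$demo/empty" "$demo/nets"
printf '<network><name>default</name></network>\n' > "$demo/nets/default.xml"
copy_network_xml "$demo/empty" "$demo/out1" || echo "exit status: $?"
copy_network_xml "$demo/nets" "$demo/out2"
rm -rf "$demo"
```

The same test, [ -e "$f" ] inside the loop, is what distinguishes "nothing to copy" from a real copy failure; the original three-line sequence cannot tell them apart.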
6
Other modules / Re: Zentyal 6 - HTTPS packets dropped
« on: November 12, 2019, 07:45:42 pm »
Yes, the proxy is enabled, but it is not always configured at the workstation; the problem is the same either way.
Please note that AA.BBB.CCC.DDD is not AA.BBB.CCC.DDE
sudo iptables -t nat --list-rules
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N postmodules
-N premodules
-A PREROUTING -j premodules
-A POSTROUTING -j postmodules
-A POSTROUTING ! -s AA.BBB.CCC.DDE/32 -o eth0 -j SNAT --to-source AA.BBB.CCC.DDE
-A premodules ! -d 192.168.1.2/32 -i eth1 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.1.2/32 -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.2.1/32 -i eth2 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.2.1/32 -i eth2 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.3.1/32 -i eth3 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.3.1/32 -i eth3 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.4.1/32 -i eth4 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.4.1/32 -i eth4 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.5.1/32 -i eth5 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.5.1/32 -i eth5 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
==================================================================
sudo iptables -t mangle --list-rules
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N CHECKIP-TEST
-N FAILOVER-TEST
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -m mark --mark 0x0/0xff -m mac --mac-source 00:C1:64:25:26:1F -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -m mark --mark 0x0/0xff -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -m mark --mark 0x0/0xff -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -j FAILOVER-TEST
-A OUTPUT -j CHECKIP-TEST
==================================================================
sudo iptables -t filter --list-rules
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N drop
-N faccept
-N fdns
-N fdrop
-N ffwdrules
-N fglobal
-N fmodules
-N fnoexternal
-N fnospoof
-N fnospoofmodules
-N fredirects
-N ftoexternalonly
-N iaccept
-N idrop
-N iexternal
-N iexternalmodules
-N iglobal
-N imodules
-N inoexternal
-N inointernal
-N inospoof
-N inospoofmodules
-N log
-N oaccept
-N odrop
-N oglobal
-N ointernal
-N omodules
-N preforward
-N preinput
-N preoutput
-A INPUT -i lo -j ACCEPT
-A INPUT -j preinput
-A INPUT -m state --state INVALID -j idrop
-A INPUT -m state --state RELATED,ESTABLISHED -j iaccept
-A INPUT -j inospoof
-A INPUT -j iexternalmodules
-A INPUT -j iexternal
-A INPUT -j inoexternal
-A INPUT -j imodules
-A INPUT -j iglobal
-A INPUT -p icmp ! -f -m icmp --icmp-type 8 -m state --state NEW -j iaccept
-A INPUT -p icmp ! -f -m icmp --icmp-type 0 -m state --state NEW -j iaccept
-A INPUT -p icmp ! -f -m icmp --icmp-type 3 -m state --state NEW -j iaccept
-A INPUT -p icmp ! -f -m icmp --icmp-type 4 -m state --state NEW -j iaccept
-A INPUT -p icmp ! -f -m icmp --icmp-type 11 -m state --state NEW -j iaccept
-A INPUT -p icmp ! -f -m icmp --icmp-type 12 -m state --state NEW -j iaccept
-A INPUT -j idrop
-A FORWARD -j preforward
-A FORWARD -m state --state INVALID -j fdrop
-A FORWARD -m state --state RELATED,ESTABLISHED -j faccept
-A FORWARD -j fnospoof
-A FORWARD -j fredirects
-A FORWARD -j fmodules
-A FORWARD -j ffwdrules
-A FORWARD -j fnoexternal
-A FORWARD -j fdns
-A FORWARD -j fglobal
-A FORWARD -p icmp ! -f -m icmp --icmp-type 8 -m state --state NEW -j faccept
-A FORWARD -p icmp ! -f -m icmp --icmp-type 0 -m state --state NEW -j faccept
-A FORWARD -p icmp ! -f -m icmp --icmp-type 3 -m state --state NEW -j faccept
-A FORWARD -p icmp ! -f -m icmp --icmp-type 4 -m state --state NEW -j faccept
-A FORWARD -p icmp ! -f -m icmp --icmp-type 11 -m state --state NEW -j faccept
-A FORWARD -p icmp ! -f -m icmp --icmp-type 12 -m state --state NEW -j faccept
-A FORWARD -j fdrop
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j preoutput
-A OUTPUT -m state --state INVALID -j odrop
-A OUTPUT -m state --state RELATED,ESTABLISHED -j oaccept
-A OUTPUT -j ointernal
-A OUTPUT -j omodules
-A OUTPUT -j oglobal
-A OUTPUT -p icmp ! -f -m icmp --icmp-type 8 -m state --state NEW -j oaccept
-A OUTPUT -p icmp ! -f -m icmp --icmp-type 0 -m state --state NEW -j oaccept
-A OUTPUT -p icmp ! -f -m icmp --icmp-type 3 -m state --state NEW -j oaccept
-A OUTPUT -p icmp ! -f -m icmp --icmp-type 4 -m state --state NEW -j oaccept
-A OUTPUT -p icmp ! -f -m icmp --icmp-type 11 -m state --state NEW -j oaccept
-A OUTPUT -p icmp ! -f -m icmp --icmp-type 12 -m state --state NEW -j oaccept
-A OUTPUT -j odrop
-A drop -m limit --limit 50/min --limit-burst 10 -j LOG --log-prefix "zentyal-firewall drop " --log-level 7
-A drop -j DROP
-A faccept -i eth0 -j NFQUEUE --queue-num 0
-A faccept -j ACCEPT
-A fdrop -j drop
-A ffwdrules -i eth1 -j RETURN
-A ffwdrules -i eth2 -j RETURN
-A ffwdrules -i eth3 -j RETURN
-A ffwdrules -i eth4 -j RETURN
-A ffwdrules -i eth5 -j RETURN
-A fglobal -j faccept
-A fnoexternal -i eth0 -m state --state NEW -j fdrop
-A fnospoof -j fnospoofmodules
-A fnospoof -s 192.168.2.211/32 -m mac ! --mac-source 10:60:4B:14:25:50 -j fdrop
-A fnospoof -s 192.168.2.210/32 -m mac ! --mac-source 00:20:78:0E:F8:53 -j fdrop
-A fnospoof -s AA.BBB.CCC.DDD/30 ! -i eth0 -j fdrop
-A fnospoof -s 192.168.1.0/24 ! -i eth1 -j fdrop
-A fnospoof -s 192.168.2.0/24 ! -i eth2 -j fdrop
-A fnospoof -s 192.168.3.0/24 ! -i eth3 -j fdrop
-A fnospoof -s 192.168.4.0/24 ! -i eth4 -j fdrop
-A fnospoof -s 192.168.5.0/24 ! -i eth5 -j fdrop
-A ftoexternalonly -o eth0 -j faccept
-A ftoexternalonly -j fdrop
-A iaccept -i eth0 -j NFQUEUE --queue-num 0
-A iaccept -j ACCEPT
-A idrop -j drop
-A iexternal -i eth1 -j RETURN
-A iexternal -i eth2 -j RETURN
-A iexternal -i eth3 -j RETURN
-A iexternal -i eth4 -j RETURN
-A iexternal -i eth5 -j RETURN
-A iexternal -p udp -m udp --sport 631 --dport 631 -m state --state NEW -j iaccept
-A iexternal -p tcp -m tcp --sport 631 --dport 631 -m state --state NEW -j iaccept
-A iexternal -p udp -m udp --dport 4000 -m state --state NEW -j iaccept
-A iexternal -p tcp -m tcp --dport 4000 -m state --state NEW -j iaccept
-A iexternal -p tcp -m tcp --dport 22 -m state --state NEW -j iaccept
-A iexternal -p udp -m udp --dport 10000 -m state --state NEW -j iaccept
-A iexternal -p tcp -m tcp --dport 10000 -m state --state NEW -j iaccept
-A iexternal -p tcp -m tcp --dport 8443 -m state --state NEW -j iaccept
-A iexternal -p tcp -m tcp --dport 587 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 110 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 143 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 993 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 995 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 4190 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 25 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 465 -m state --state NEW -j drop
-A iexternal -p udp -m udp --dport 1812 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 5222 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 5223 -m state --state NEW -j drop
-A iexternalmodules -i eth1 -j RETURN
-A iexternalmodules -i eth2 -j RETURN
-A iexternalmodules -i eth3 -j RETURN
-A iexternalmodules -i eth4 -j RETURN
-A iexternalmodules -i eth5 -j RETURN
-A iglobal -p tcp -m tcp --dport 80 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 10000 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 10000 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 587 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 110 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 143 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 993 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 995 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 4190 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 25 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 465 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 1812 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 5222 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 5223 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 88 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 88 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 135 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 137 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 138 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 139 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 389 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 389 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 445 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 464 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 464 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 636 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 3268 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 3269 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 49152:65535 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 53 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 53 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 123 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --sport 67:68 --dport 67:68 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 69 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 22 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 8443 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 20 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 21 -m state --state NEW -j iaccept
-A imodules -i eth1 -p tcp -m state --state NEW -m tcp --dport 3128 -j iaccept
-A imodules -i eth2 -p tcp -m state --state NEW -m tcp --dport 3128 -j iaccept
-A imodules -i eth3 -p tcp -m state --state NEW -m tcp --dport 3128 -j iaccept
-A imodules -i eth4 -p tcp -m state --state NEW -m tcp --dport 3128 -j iaccept
-A imodules -i eth5 -p tcp -m state --state NEW -m tcp --dport 3128 -j iaccept
-A imodules -p tcp -m state --state NEW -m tcp --dport 3129 -j DROP
-A inoexternal -i eth0 -m state --state NEW -j idrop
-A inospoof -j inospoofmodules
-A inospoof -s 192.168.2.211/32 -m mac ! --mac-source 10:60:4B:14:25:50 -j idrop
-A inospoof -s 192.168.2.210/32 -m mac ! --mac-source 00:20:78:0E:F8:53 -j idrop
-A inospoof -s AA.BBB.CCC.DDD/30 ! -i eth0 -j idrop
-A inospoof -s 192.168.1.0/24 ! -i eth1 -j idrop
-A inospoof -s 192.168.2.0/24 ! -i eth2 -j idrop
-A inospoof -s 192.168.3.0/24 ! -i eth3 -j idrop
-A inospoof -s 192.168.4.0/24 ! -i eth4 -j idrop
-A inospoof -s 192.168.5.0/24 ! -i eth5 -j idrop
-A log -m limit --limit 50/min --limit-burst 10 -j LOG --log-prefix "zentyal-firewall log " --log-level 7
-A log -j RETURN
-A oaccept -j ACCEPT
-A odrop -j drop
-A oglobal -m state --state NEW -j oaccept
-A omodules -p tcp -m tcp --dport 80 -j oaccept
-A omodules -p udp -m udp --dport 53 -j oaccept
-A omodules -p tcp -m tcp --dport 53 -j oaccept
-A omodules -p tcp -m tcp --dport 80 -j oaccept
-A omodules -p tcp -m state --state NEW -m tcp --dport 80 -j oaccept
-A omodules -p tcp -m state --state NEW -m tcp --dport 443 -j oaccept
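In the dump above, both iaccept and faccept hand eth0 traffic to NFQUEUE --queue-num 0 before the ACCEPT, and neither rule carries --queue-bypass. Without --queue-bypass the kernel drops every packet queued to a queue that has no userspace program bound to it, so if the process reading queue 0 (an IPS, for example) is not running, those accept chains behave as drops. The script below is an added example, not from the original post or from Zentyal: it scans an "iptables -S" style dump for NFQUEUE rules that lack --queue-bypass and, when run live, checks /proc/net/netfilter/nfnetlink_queue to see whether anything is bound to each queue. The demo rules are constructed from the lines of the dump.

```shell
#!/bin/sh
# Added example, not from the original post or from Zentyal.
# Finds NFQUEUE targets without --queue-bypass in an "iptables -S" dump and,
# live, whether their queue has a listener. Unlistened queues drop packets.

# Print "<chain> <queue-num>" for every NFQUEUE rule on stdin lacking --queue-bypass.
# Rules using --queue-balance instead of --queue-num are reported with "?".
nfqueue_without_bypass() {
    awk '
        /-j NFQUEUE/ && !/--queue-bypass/ {
            chain = ""; q = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-A") chain = $(i + 1)
                if ($i == "--queue-num") q = $(i + 1)
            }
            print chain, q
        }'
}

# Given /proc/net/netfilter/nfnetlink_queue on stdin, print the queue numbers
# that have a userspace listener bound (a queue only appears while bound).
# Columns: queue_num peer_portid queue_total copy_mode copy_range
#          queue_dropped user_dropped id_sequence.
bound_queues() {
    awk 'NF >= 8 && $1 ~ /^[0-9]+$/ { print $1 }'
}

# Live check: report unguarded NFQUEUE rules whose queue has nobody bound.
check_live() {
    if [ ! -r /proc/net/netfilter/nfnetlink_queue ]; then
        echo "nfnetlink_queue not available (module not loaded?)" >&2; return 1
    fi
    iptables -S 2>/dev/null | nfqueue_without_bypass | while read -r chain q; do
        if ! bound_queues < /proc/net/netfilter/nfnetlink_queue | grep -qx "$q"; then
            echo "chain $chain -> NFQUEUE $q has no listener: packets there are dropped"
        fi
    done
}

# Demo on constructed input mirroring the relevant lines of the dump above.
rules='-A faccept -i eth0 -j NFQUEUE --queue-num 0
-A faccept -j ACCEPT
-A iaccept -i eth0 -j NFQUEUE --queue-num 0
-A fglobal -j faccept'
printf '%s\n' "$rules" | nfqueue_without_bypass
```

On the firewall itself, check_live pairs the two: a chain listed there means traffic reaching it is being dropped by the kernel rather than by any rule in the filter table, which is worth ruling out before hunting for a missing ACCEPT.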
7
Other modules / Re: Zentyal 6 - HTTPS packets dropped
« on: November 06, 2019, 04:04:40 pm »
Hi
I have noticed the same issue.
Have you made any progress?
8
Other modules / IPTABLE Exception for a Drop
« on: November 06, 2019, 03:38:50 pm »
Hello all
There is a website which the default firewall setup (any/any) keeps dropping after authentication on said site (as per the firewall log).
Step by step:
User goes to website https://TheWebSite.com
Enters account and password
Site stops responding
When we check the firewall logs, the site's IP and port are dropped.
How do I set up an exception for this site so that returning traffic is not dropped? FYI: it uses port 443.
Thank You
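Before adding an exception it helps to see exactly which flows the firewall log is dropping. The filter rules on this page log drops with the prefix "zentyal-firewall drop " via the kernel LOG target, whose lines carry IN= OUT= SRC= DST= PROTO= SPT= DPT= fields. The script below is an added example, not from the original post or from Zentyal: it groups such lines into flows, counts them, and tags flows whose source port is 443, since with a stateful ruleset (RELATED,ESTABLISHED is accepted before the drop) replies to an outbound HTTPS connection should not normally reach the drop chain at all. The log lines are constructed; only the field names are the kernel's.

```shell
#!/bin/sh
# Added example (not from the original post or Zentyal): summarise
# "zentyal-firewall drop" kernel log lines into per-flow counts.

# Read syslog/kern.log lines on stdin; print one line per dropped flow:
#   <count> IN=<if> OUT=<if> <proto> <src>:<sport> -> <dst>:<dport> [return-from-443]
# The tag marks traffic coming back from port 443, i.e. likely replies to an
# outbound HTTPS connection that conntrack did not recognise as ESTABLISHED.
summarise_drops() {
    awk '
        /zentyal-firewall drop / {
            in_if = out_if = src = dst = proto = spt = dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "IN")    in_if = (kv[2] == "" ? "-" : kv[2])
                if (kv[1] == "OUT")   out_if = (kv[2] == "" ? "-" : kv[2])
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "DST")   dst = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "SPT")   spt = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            key = "IN=" in_if " OUT=" out_if " " proto " " src ":" spt " -> " dst ":" dpt
            if (spt == "443") key = key " [return-from-443]"
            count[key]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample: two dropped replies from a web server on 443 to a LAN
# host behind eth2, and one unrelated inbound probe to port 23.
sample='Nov  6 15:30:01 zentyal kernel: [12345.67] zentyal-firewall drop IN=eth0 OUT=eth2 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.168.2.50 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov  6 15:30:02 zentyal kernel: [12346.01] zentyal-firewall drop IN=eth0 OUT=eth2 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.168.2.50 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK URGP=0
Nov  6 15:30:05 zentyal kernel: [12349.40] zentyal-firewall drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.99 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0'
printf '%s\n' "$sample" | summarise_drops
```

On a live box, grep 'zentyal-firewall drop' /var/log/syslog | summarise_drops gives the same view; a tagged flow with OUT= set to a LAN interface is a reply being dropped in FORWARD, which points at conntrack state rather than a missing port rule.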
9
Other modules / Re: ipsec/l2tp
« on: September 09, 2018, 01:48:18 pm »
I did a short how-to here.
Needs extensive testing...
https://forum.zentyal.org/index.php/topic,32171.msg108873.html#msg108873
10
Russian / Re: How to connect L2TP/IPSec in Zentyal 5.1?
« on: September 09, 2018, 04:53:58 am »
I was able to install it. Unfortunately it leaves my deb package database in a broken state.
1. Go to the libreswan website and download the deb packages. https://download.libreswan.org/binaries/ubuntu/trusty/
2. dpkg -i libreswan*
3. apt-get -f install
4. apt-get install xl2tpd
5. dpkg --ignore-depends=zentyal-core -i zentyal-ipsec_5.0_all.deb
Once the web interface is back up you can go to the VPN tab and you will see the IPSec sub-tab.
If someone can recompile to change the <=zentyal-core 5.1 dependency to >=5.1, I think that may resolve the issue.
Or, if no solution is available:
edit /var/lib/dpkg/status,
find the package with the broken dependencies,
and edit the Depends: line to stop the package complaining.
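The procedure above ends with two workarounds that leave dpkg in a state it did not create: installing with --ignore-depends and hand-editing /var/lib/dpkg/status. The script below is an added example, not from the original post or from Zentyal. It shows the checks a practitioner would run around such a step: verify the downloaded .deb against a checksum list before installing it, read the Depends field out of the .deb without installing it, and, when the only problem is a version bound, repack the .deb with the corrected Depends clause so dpkg's database stays consistent, then audit the result. It assumes dpkg-deb and GNU coreutils; the package name, checksum file and Depends line in the demo are constructed and not the real zentyal-ipsec metadata.

```shell
#!/bin/sh
# Added example, not from the original post or from Zentyal.
# Assumes dpkg-deb (from dpkg) and GNU sha256sum. Names below are placeholders.

# Verify a downloaded .deb against a SHA256SUMS-style file before installing.
# Usage: verify_deb SHA256SUMS zentyal-ipsec_5.0_all.deb
verify_deb() {
    grep " $2\$" "$1" | sha256sum -c --quiet -
}

# Print the Depends field of a .deb without installing it.
deb_depends() {
    dpkg-deb --field "$1" Depends
}

# Rewrite one clause of a Depends line, leaving the others untouched.
# Usage: rewrite_depends "<Depends line>" "zentyal-core (<< 5.1)" "zentyal-core (<< 5.2)"
# Clauses are compared exactly; unmatched input is printed unchanged.
rewrite_depends() {
    printf '%s\n' "$1" | awk -v old="$2" -v new="$3" '
        BEGIN { FS = ", "; OFS = ", " }
        { for (i = 1; i <= NF; i++) if ($i == old) $i = new; print }'
}

# Unpack IN.deb, replace clause OLD with NEW in DEBIAN/control, build OUT.deb.
# The original file is left alone so the two can be diffed.
# Usage: repack_deb_with_depends in.deb out.deb OLD NEW
repack_deb_with_depends() {
    work=$(mktemp -d) || return 1
    dpkg-deb -R "$1" "$work/pkg" || { rm -rf "$work"; return 1; }
    dep=$(sed -n 's/^Depends: //p' "$work/pkg/DEBIAN/control")
    newdep=$(rewrite_depends "$dep" "$3" "$4")
    awk -v d="$newdep" '/^Depends: / { print "Depends: " d; next } { print }' \
        "$work/pkg/DEBIAN/control" > "$work/control.new" &&
        mv "$work/control.new" "$work/pkg/DEBIAN/control" &&
        dpkg-deb -b "$work/pkg" "$2"
    rc=$?
    rm -rf "$work"
    return $rc
}

# After any forced install, confirm dpkg and apt agree the system is consistent.
audit_packages() {
    dpkg --audit && apt-get check
}

# Demo on a constructed Depends line (not the real zentyal-ipsec metadata).
rewrite_depends 'zentyal-core (>= 5.0), zentyal-core (<< 5.1), xl2tpd' \
    'zentyal-core (<< 5.1)' 'zentyal-core (<< 5.2)'
```

Repacking keeps the change inside the package metadata, so a later dpkg -i of the repacked file, a reinstall or an upgrade all see the same Depends; an edited /var/lib/dpkg/status is silently overwritten the next time the package is touched.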