The Community Forums

Interact with an entire community of cPanel & WHM users!

Empty APF still blocking web site?

Discussion in 'General Discussion' started by acenetryan, Sep 16, 2009.

  1. acenetryan

    acenetryan Well-Known Member
    PartnerNOC

    Joined: Aug 21, 2005
    Messages: 197
    Likes Received: 1
    Trophy Points: 18
    This is one of the weirder issues I've come across.

    We have a dedicated IP on our system that we recently assigned to a client's domain. We have APF enabled on our system and when you visit the site's IP in a browser it fails to load. Firefox gives:

    So we disable APF:

    Code:
    root@X [~]# service apf stop
    Stopping APF:                                              [  OK  ]
    root@X [~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    as a test and the site loads fine. Obviously, something in APF is preventing this site from loading. So, we went through the standard config options in conf.apf, disabling the PHP list, P2P list, Spamhaus list, clearing deny_host.rules, basically stripping APF down to block as little as possible. No change.

    We next tried to flush iptables after starting APF and this is what our iptables looks like afterwards:

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain DSHIELD (0 references)
    target     prot opt source               destination
    
    Chain FRAG_UDP (0 references)
    target     prot opt source               destination
    
    Chain IN_SANITY (0 references)
    target     prot opt source               destination
    
    Chain OUT_SANITY (0 references)
    target     prot opt source               destination
    
    Chain P2P (0 references)
    target     prot opt source               destination
    
    Chain PHP (0 references)
    target     prot opt source               destination
    
    Chain PROHIBIT (0 references)
    target     prot opt source               destination
    
    Chain PZERO (0 references)
    target     prot opt source               destination
    
    Chain RESET (0 references)
    target     prot opt source               destination
    
    Chain SDROP (0 references)
    target     prot opt source               destination
    
    Chain TALLOW (0 references)
    target     prot opt source               destination
    
    Chain TDENY (0 references)
    target     prot opt source               destination
    
    Chain TGALLOW (0 references)
    target     prot opt source               destination
    
    Chain TGDENY (0 references)
    target     prot opt source               destination
    
    Chain TMP_DROP (0 references)
    target     prot opt source               destination
    
    Chain acctboth (0 references)
    target     prot opt source               destination
    
    Even with no rules in iptables, the IP is still failing to load. So what's the difference? Well, I guess there are a bunch of chains defined, so let's get rid of those as well:

    Code:
    root@X [~]# iptables -X acctboth
    root@X [~]# iptables -X TMP_DROP
    root@X [~]# iptables -X TGDENY
    root@X [~]# iptables -X TGALLOW
    root@X [~]# iptables -X TDENY
    root@X [~]# iptables -X TALLOW
    root@X [~]# iptables -X SDROP
    root@X [~]# iptables -X RESET
    root@X [~]# iptables -X PZERO
    root@X [~]# iptables -X PROHIBIT
    root@X [~]# iptables -X PHP
    root@X [~]# iptables -X P2P
    root@X [~]# iptables -X OUT_SANITY
    root@X [~]# iptables -X IN_SANITY
    root@X [~]# iptables -X FRAG_UDP
    root@X [~]# iptables -X DSHIELD
    
    And now our iptables looks like this:

    Code:
    root@X [~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    But the IP still fails to load!

    At this point, if I run:

    Code:
    root@X [~]# service apf stop
    Stopping APF:                                              [  OK  ]
    root@X [~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    the site loads fine. I am 100% baffled by this issue. How can two identical iptables listings have different behavior?
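One thing a bare `iptables -L` hides is that it lists only the `filter` table; rules that a firewall script places in the `nat`, `mangle` or `raw` tables, and any blackhole or unreachable routes, never appear in that output, so two identical `iptables -L` listings can sit on top of very different kernel state. The script below is an added diagnostic, not part of the original post and not APF's own tooling: it counts rules per table in `iptables-save` format, and when run with `--live` on the box it dumps every table plus any blocking routes. The sample dump it ships with is constructed for illustration (the `192.0.2.10` address and the mangle DROP are made up), chosen to show an empty filter table alongside a rule that `iptables -L` would not reveal.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): inspect the whole netfilter
# state rather than only the filter table that a bare `iptables -L` prints.

# Count rules per table from iptables-save text on stdin.
# Output: one "<table> <rule-count>" line per table, in order of appearance.
count_rules_per_table() {
  awk '
    /^\*/ { table = substr($0, 2)
            if (!(table in seen)) { seen[table] = 1; order[++n] = table }
            count[table] += 0; next }
    /^-A/ { count[table]++ }
    END   { for (i = 1; i <= n; i++) printf "%s %d\n", order[i], count[order[i]] }
  '
}

# Rule count for a single table ($1) from iptables-save text on stdin; 0 if absent.
rules_in_table() {
  count_rules_per_table | awk -v t="$1" '$1 == t { print $2; found = 1 }
                                        END { if (!found) print 0 }'
}

# Constructed sample dump: the filter table is empty (exactly what a bare
# `iptables -L` shows as "no rules"), yet the mangle table still drops
# traffic to one address (192.0.2.10 is a documentation-range placeholder).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
'

# Live check (needs root): every table, numeric, verbose, with line numbers,
# followed by routes that block an address without touching netfilter at all.
dump_all_tables() {
  for t in filter nat mangle raw; do
    printf '### table %s\n' "$t"
    iptables -t "$t" -vnL --line-numbers 2>/dev/null \
      || printf '(table %s not available)\n' "$t"
  done
  printf '### blocking routes\n'
  ip route show 2>/dev/null | grep -E 'blackhole|unreachable|prohibit' || echo '(none)'
}

if [ "${1:-}" = "--live" ]; then
  dump_all_tables
else
  printf '%s' "$SAMPLE_DUMP" | count_rules_per_table
fi
```

Run it with no arguments to see the per-table counts for the constructed sample (`filter 0`, `mangle 1`, `nat 0`); on a real host, `iptables-save | sh thisscript.sh` style piping into `count_rules_per_table` or `sh thisscript.sh --live` gives the same view of the actual kernel state. If the non-filter tables and the route list are all empty after the firewall is stopped but not before, the difference is somewhere a bare `iptables -L` cannot show.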
     
  2. acenetryan

    acenetryan Well-Known Member
    PartnerNOC

    Joined: Aug 21, 2005
    Messages: 197
    Likes Received: 1
    Trophy Points: 18