(Solved) firewall disables outwards DNS lookup / apt-get
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Os: Debian 8x
- Web: apache + nginx
On my fresh Debian 7.3, I have certain ACCEPT/DROP rules, one of which is ACCEPT for 80,43 for both TCP and UDP. However, if the Firewall is enabled from VestaCP, apt-get update doesn't work.... Stopping the IPTables service makes it work fine.
What may be the problem? My guess may be the ORDER of some rules, please advise....
My iptables -L -n shows
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-VESTA tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8083
fail2ban-MAIL tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587,2525,110,995,143,993
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9562
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587,2525
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 3306,5432
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 110,995,143,993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8083
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9810
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2257
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5901
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- x.x.x.x 0.0.0.0/0
ACCEPT all -- y.y.y.y 0.0.0.0/0
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-MAIL (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-VESTA (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh (0 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain vesta (0 references)
target prot opt source destination
Last edited by mehargags on Mon Feb 23, 2015 10:41 am, edited 1 time in total.
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Os: Debian 8x
- Web: apache + nginx
Re: firewall disables apt-get update
Just bumping this thread as I'm facing this again on 2 of my servers.
I can't ping google.com or resolve anything from my server when the firewall is running. I can't do apt-get update either.
I tried ACCEPT on port 53 but it didn't work.
Can someone please recommend what rules to implement so that I can use apt-get update?
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Os: Debian 8x
- Web: apache + nginx
(SOLVED) firewall disables Outbound DNS Lookups apt-get upd
I acknowledged (probably a missing feature) that there is no way to add OUTPUT rules in VestaCP. The Firewall panel only makes INPUT rules for Accept or Drop.
<-- Credits for the solution http://lowendtalk.com/discussion/44292/ ... ns-lookups->
So I added a custom.sh inside
Code:
cd /usr/local/vesta/data/firewall
and paste this in custom.sh
Code:
nano custom.sh
Code:
#!/bin/bash
# Let DNS queries out to the resolvers in /etc/resolv.conf and, what the
# INPUT chain above was missing, let their replies back in.
IPT="/sbin/iptables"
# Your DNS servers you use: cat /etc/resolv.conf
DNS_SERVER=$(grep -v '^#' /etc/resolv.conf | grep nameserver | awk '{print $2}')
for ip in $DNS_SERVER
do
    echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'"
    # outbound query to the resolver (port 53)
    $IPT -A OUTPUT -p udp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    # inbound reply from the resolver, only as part of an exchange conntrack already knows
    $IPT -A INPUT -p udp -s "$ip" --sport 53 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp -s "$ip" --sport 53 -m state --state ESTABLISHED -j ACCEPT
done
Make it executable
Code:
chmod +x $VESTA/data/firewall/custom.sh
Stop/Start your Firewall service from VestaCP
I'd like the VestaCP team seniors to look at this and let me know if this is the right and secure way! Also, whether this can be taken care of in future releases.
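The following is an added example, not code from this thread or from VestaCP, that replays a constructed excerpt of the first post's INPUT chain (policy DROP) with simplified iptables matching and compares the custom.sh rule against a protocol-agnostic stateful rule. It makes visible why the thread hit this problem: the only RELATED,ESTABLISHED rule in that listing is tcp-only, so a resolver's UDP reply falls through to the DROP policy, and an INPUT rule for dpt:53 (the "ACCEPT on port 53" attempt) never matches because the reply arrives with source port 53 on an ephemeral destination port. Assumptions: sources are either any or a single host, the fail2ban-* chains only RETURN as in the listing, and 203.0.113.53 is a constructed resolver address.

```python
import re

# Constructed excerpt of the INPUT chain (policy DROP) from the "iptables -L -n"
# listing in the first post; the fail2ban-* chains there only RETURN.
INPUT_LISTING = """\
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
"""
# Candidate rules, appended after the listing the way custom.sh's "-A" does.
# 203.0.113.53 is a constructed resolver address standing in for resolv.conf.
RULE_DPORT53 = "ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53"  # the "ACCEPT on port 53" attempt
RULE_CUSTOM_SH = "ACCEPT udp -- 203.0.113.53 0.0.0.0/0 udp spt:53 state ESTABLISHED"
RULE_STATEFUL = "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED"
# A resolver's reply: UDP, source port 53, ephemeral destination port, conntrack ESTABLISHED.
DNS_REPLY = dict(prot="udp", src="203.0.113.53", sport=53, dport=40123, state="ESTABLISHED")

def _ports(pattern, text):
    return {int(p) for m in re.findall(pattern, text) for p in m.split(",")}

def parse_rule(line):
    """Turn one 'iptables -L -n' rule line into the match fields used by matches()."""
    target, prot, _opt, src, _dst, *extra = line.split()
    extra = " ".join(extra)
    states = ",".join(re.findall(r"(?:ct)?state\s+([A-Z,]+)", extra))
    return dict(target=target, prot=prot, src=src,
                dports=_ports(r"dp(?:t|orts?):?\s*([\d,]+)", extra),
                sports=_ports(r"sp(?:t|orts?):?\s*([\d,]+)", extra),
                states=set(states.split(",")) - {""})

def matches(rule, pkt):
    """Simplified iptables semantics: an empty match set means 'any'."""
    return ((rule["prot"] in ("all", pkt["prot"]))
            and (rule["src"] in ("0.0.0.0/0", pkt["src"]))
            and (not rule["dports"] or pkt["dport"] in rule["dports"])
            and (not rule["sports"] or pkt["sport"] in rule["sports"])
            and (not rule["states"] or pkt["state"] in rule["states"]))

def verdict(listing, pkt, policy="DROP", extra_rules=()):
    """Walk the chain top to bottom; the first terminating match wins, else the policy."""
    for rule in map(parse_rule, listing.strip().splitlines() + list(extra_rules)):
        if matches(rule, pkt) and rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        # any other target is a fail2ban-* chain that just RETURNs, so keep walking
    return policy
```

verdict(INPUT_LISTING, DNS_REPLY) returns DROP for the chain as listed and stays DROP with RULE_DPORT53 appended, but returns ACCEPT once either RULE_CUSTOM_SH or RULE_STATEFUL is appended; the same reply over TCP is already accepted by the tcp-only stateful rule.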
Re: (Solved) firewall disables outwards DNS lookup / apt-get
had same problem, this resolves the issue, thanks!!