Firewall locks all traffic
I've been trying out Vesta and it is pretty great.
I've got an issue where if I start the firewall or create a rule all network traffic seems to be stopped (web/ssh/vesta).
Using my host's VPS console I can stop the firewall with
v-stop-firewall
and traffic resumes acting normally.
I tried to explicitly create a rule allowing ports 80,443,22 for all IPs (0.0.0.0/0) to no avail.
Has anyone experienced any similar issue? Or can anyone point me to what I have done incorrectly?
Thanks in advance
Re: Firewall locks all traffic
I think I worked it out.
I stupidly tried to use comma separated port numbers instead of one at a time.
I've guessed that 0.0.0.0/0 in the address field is as permissive as it gets but I'm not sure if this is the originating address or the address of our server.
Now the big issue is getting DNS queries and outgoing mail to work from our server, which stopped with the firewall.
Re: Firewall locks all traffic
So this post http://www.lowendguide.com/3/networking ... s-lookups/ got our server talking DNS again
Essentially create the file $VESTA/data/firewall/custom.sh
with this neat script to pull the DNS servers from resolv.conf and add them to the firewall's rules:
#!/bin/bash
IPT="/sbin/iptables"
# Your DNS servers: see /etc/resolv.conf. Comment lines ('#') are ignored and
# IPv6 resolvers (addresses containing ':') are skipped, because this script
# drives iptables, which only accepts IPv4 addresses.
DNS_SERVER=$(awk '!/^#/ && $1 == "nameserver" && $2 !~ /:/ {print $2}' /etc/resolv.conf)
for ip in $DNS_SERVER
do
  echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'"
  # Outbound query to the resolver, and the matching reply back in (stateful)
  $IPT -A OUTPUT -p udp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -p udp -s "$ip" --sport 53 -m state --state ESTABLISHED -j ACCEPT
  $IPT -A OUTPUT -p tcp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -p tcp -s "$ip" --sport 53 -m state --state ESTABLISHED -j ACCEPT
done
v-update-firewall complained that $VESTA/data/firewall/ports.conf didn't exist, but creating that file placated it.
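The same idea as the script above, written here as an added example rather than code from the thread, lowendguide.com or VestaCP: it reads resolv.conf text, keeps only IPv4 resolvers (iptables rejects IPv6 addresses; those belong in ip6tables), and prints the stateful rule pairs instead of applying them, so the generated rules can be reviewed before they go into custom.sh. It also emits outbound SMTP rules for the "outgoing mail" half of the problem; the ports 25 and 587 and the sample resolv.conf content are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: generate (not apply) iptables rules for outbound DNS and SMTP
# from resolv.conf content, skipping IPv6 resolvers that iptables cannot take.

# Constructed sample resolv.conf content: a comment, two IPv4 resolvers and
# one IPv6 resolver that must be skipped.
SAMPLE_RESOLV_CONF='# Generated by the provisioning tool (constructed sample)
nameserver 10.0.0.53
nameserver 2001:db8::53
nameserver 192.0.2.1
search example.internal'

# Outbound mail ports to allow (assumed for this example).
SMTP_PORTS="25 587"

# Read resolv.conf text on stdin, print IPv4 nameserver addresses only.
ipv4_resolvers() {
    awk '!/^#/ && $1 == "nameserver" && $2 !~ /:/ { print $2 }'
}

# Stateful rule pair per protocol for one resolver: new/established queries
# out to port 53, and only established replies back in from port 53.
dns_rules_for() {
    ip=$1
    for proto in udp tcp; do
        printf 'iptables -A OUTPUT -p %s -d %s --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$proto" "$ip"
        printf 'iptables -A INPUT -p %s -s %s --sport 53 -m state --state ESTABLISHED -j ACCEPT\n' "$proto" "$ip"
    done
}

# Full DNS rule list for the given resolv.conf text.
generate_dns_rules() {
    printf '%s\n' "$1" | ipv4_resolvers | while read -r ip; do
        dns_rules_for "$ip"
    done
}

# Outbound SMTP: the server may open connections to any mail host, but only
# established replies come back in, so nothing is exposed on the inbound side.
generate_smtp_rules() {
    for port in $SMTP_PORTS; do
        printf 'iptables -A OUTPUT -p tcp --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$port"
        printf 'iptables -A INPUT -p tcp --sport %s -m state --state ESTABLISHED -j ACCEPT\n' "$port"
    done
}

# Number of rules generated for a resolv.conf text (used for a quick sanity check).
count_dns_rules() {
    generate_dns_rules "$1" | wc -l | tr -d ' '
}

generate_dns_rules "$SAMPLE_RESOLV_CONF"
generate_smtp_rules
```

Redirect the output into custom.sh once it looks right; with two IPv4 resolvers the DNS part is eight rules (two protocols, two directions, per resolver), and the IPv6 entry produces nothing rather than an iptables error.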
Re: Firewall locks all traffic
Thanks for mentioning my website; I will try to add more interesting things about VestaCP as I like the project.
One issue with the script that I posted (and re-posted here) is that if you have IPv6 addresses in /etc/resolv.conf it will generate an error, but the script still works.
It's on my TODO-list. :)