Vesta Control Panel - Forum

(Solved) firewall disables outwards DNS lookup / apt-get

Questions regarding the Web Server
Apache + Nginx, Nginx + PHP5-FPM
mehargags (Support team)
Os: Debian 8x
Web: apache + nginx

Post by mehargags » Sun Feb 08, 2015 9:14 am

On my fresh Debian 7.3, I have certain ACCEPT/DROP rules, one of which is ACCEPT for 80,443 for both TCP and UDP. However, if the firewall is enabled from VestaCP, apt-get update doesn't work.... Stopping the iptables service makes it work fine.

What may be the problem? My guess is the ORDER of some rules; please advise....

My iptables -L -n shows
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-VESTA tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8083
fail2ban-MAIL tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587,2525,110,995,143,993
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9562
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587,2525
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 3306,5432
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 110,995,143,993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8083
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9810
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2257
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5901
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- x.x.x.x 0.0.0.0/0
ACCEPT all -- y.y.y.y 0.0.0.0/0
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-MAIL (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-VESTA (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-ssh (0 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain vesta (0 references)
target prot opt source destination



Last edited by mehargags on Mon Feb 23, 2015 10:41 am, edited 1 time in total.
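As an added diagnostic (not part of the original post): in the INPUT chain posted above the policy is DROP and the only stateful rule is "ACCEPT tcp ... state RELATED,ESTABLISHED". A UDP answer from the resolver arrives with source port 53 and an ephemeral destination port, matches none of the per-port rules, and falls through to the DROP policy; the "ACCEPT tcp dpt:53" rule covers queries sent to a local DNS server, not replies. The script below parses an `iptables -L -n` listing (a constructed sample built from the posted chain, plus the same chain with a protocol-agnostic conntrack rule appended) and reports which protocols' replies would be admitted. The sample text and function names are this example's own.

```shell
#!/bin/bash
# Added audit helper (not VestaCP code). Checks an `iptables -L -n` dump for
# the condition that breaks outbound DNS: INPUT policy DROP with a stateful
# ACCEPT that matches TCP only, so UDP replies from the resolver are dropped.

# Constructed sample: the INPUT chain as posted above, trimmed.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-VESTA tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8083
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 3306,5432
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED'

# Same chain after appending a protocol-agnostic conntrack rule (the fix).
FIXED_INPUT_CHAIN="$SAMPLE_INPUT_CHAIN
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED"

# Policy of the INPUT chain, e.g. "DROP".
input_policy() {
    printf '%s\n' "$1" | awk '$1=="Chain" && $2=="INPUT" { gsub(/[()]/, "", $4); print $4; exit }'
}

# Protocols ("tcp", "udp", "all", ...) covered by a stateful ACCEPT rule.
stateful_accept_protos() {
    printf '%s\n' "$1" | awk '$1=="ACCEPT" && /ESTABLISHED/ { print $2 }'
}

# Succeeds when replies of protocol $2 (tcp/udp) are accepted by a stateful
# rule; a rule with proto "all" covers every protocol.
replies_allowed() {
    stateful_accept_protos "$1" | grep -qx -e all -e "$2"
}

# Human-readable report; returns 1 when replies of some protocol would be
# dropped by policy (the apt-get / ping symptom from the post).
audit_dns() {
    local chain="$1" policy ok=0 proto
    policy=$(input_policy "$chain")
    if [ "$policy" != "DROP" ]; then
        echo "INPUT policy is $policy: unmatched replies are not dropped by policy"
        return 0
    fi
    for proto in udp tcp; do
        if replies_allowed "$chain" "$proto"; then
            echo "$proto replies: accepted by a stateful rule"
        else
            echo "$proto replies: DROPPED by policy (no RELATED,ESTABLISHED rule for $proto)"
            ok=1
        fi
    done
    return $ok
}

audit_dns "$SAMPLE_INPUT_CHAIN" \
    || echo "=> resolvers queried over UDP time out; apt-get cannot resolve mirrors"
```

Run it against a real box with `audit_dns "$(iptables -L INPUT -n)"`; the rule ordering does not matter for this check because the stateful ACCEPT only has to come before the chain's DROP policy, not before the per-port rules.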

Re: firewall disables apt-get update

Post by mehargags » Sun Feb 22, 2015 7:53 pm

Just bumping this thread as I'm facing this again on 2 of my servers.

I can't ping google.com or resolve anything from my Server when firewall is running. I can't do apt-get update either.

I tried ACCEPT on port 53 but it didn't work.

Can someone please recommend what rules to implement so that I can use apt-get update?

(SOLVED) firewall disables Outbound DNS Lookups apt-get upd

Post by mehargags » Mon Feb 23, 2015 10:34 am

I acknowledged (probably a missing feature) that there is no way to add OUTPUT rules in VestaCP. The Firewall panel only makes INPUT rules for Accept or Drop.

Credits for the solution: http://lowendtalk.com/discussion/44292/ ... ns-lookups

So I added a custom.sh inside /usr/local/vesta/data/firewall:

Code:

cd /usr/local/vesta/data/firewall
nano custom.sh

and pasted this into custom.sh:

Code:

#!/bin/bash
# Allow DNS lookups to the configured resolvers. The posted INPUT chain only
# accepts RELATED,ESTABLISHED traffic for tcp, so the INPUT rules below are
# what admit the UDP answers; OUTPUT policy is ACCEPT, so the OUTPUT rules
# simply make the outbound side explicit.
IPT="/sbin/iptables"

# Your DNS servers (see /etc/resolv.conf); comment lines are ignored.
DNS_SERVER=$(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf)

for ip in $DNS_SERVER
do
        echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'"
        # UDP: outbound query to the resolver, inbound answer from it
        $IPT -A OUTPUT -p udp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -A INPUT  -p udp -s "$ip" --sport 53 -m state --state ESTABLISHED     -j ACCEPT
        # TCP: same, used for answers too large for UDP
        $IPT -A OUTPUT -p tcp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -A INPUT  -p tcp -s "$ip" --sport 53 -m state --state ESTABLISHED     -j ACCEPT
done
Make it executable:

Code:

chmod +x $VESTA/data/firewall/custom.sh

Then stop/start your Firewall service from VestaCP.

I'd like the VestaCP team seniors to look at this and let me know if this is the right and secure way! Also, whether this can be taken care of in future releases.
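A second added example, not VestaCP's or the poster's code, that generalises the custom.sh above: resolver addresses are read in one awk pass that ignores comments and skips IPv6 resolvers (those would need ip6tables), the per-resolver rules use the conntrack match, and one protocol-agnostic RELATED,ESTABLISHED rule is appended so replies to any outbound UDP connection are admitted, not only DNS. IPT defaults to echo so running the script prints the iptables commands instead of applying them; set IPT=/sbin/iptables to apply. The RESOLV variable, the function names and the resolv.conf used in the test are assumptions of this example.

```shell
#!/bin/bash
# Added example (not VestaCP's own code): custom.sh-style rule generator.
# IPT defaults to "echo" (dry run); set IPT=/sbin/iptables to apply for real.
IPT="${IPT:-echo}"
RESOLV="${RESOLV:-/etc/resolv.conf}"   # assumed path of the resolver list

# IPv4 resolver addresses from a resolv.conf file. Comment lines and other
# keywords (search, options) are ignored; IPv6 resolvers are skipped because
# they would need ip6tables rules, which this script does not emit.
nameservers() {
    awk '$1 == "nameserver" && $2 !~ /:/ { print $2 }' "$1"
}

# Rules for one resolver: outbound query and inbound answer, UDP and TCP.
# The INPUT rule is the one that matters on the posted firewall, because its
# chain only accepts RELATED,ESTABLISHED for tcp and UDP answers hit DROP.
dns_rules_for() {
    ip="$1"
    for proto in udp tcp; do
        "$IPT" -A OUTPUT -p "$proto" -d "$ip" --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
        "$IPT" -A INPUT  -p "$proto" -s "$ip" --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    done
}

# Protocol-agnostic reply rule: admits answers to any outbound connection
# (UDP included) instead of whitelisting DNS alone. Appended with -A, so the
# fail2ban chains and the per-port DROP rules keep their place in front of it.
generic_established_rule() {
    "$IPT" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Emit (or apply) everything for the resolvers listed in the file "$1".
apply_dns_rules() {
    for ip in $(nameservers "$1"); do
        echo "# allowing DNS lookups (udp/tcp 53) to $ip" >&2
        dns_rules_for "$ip"
    done
    generic_established_rule
}

if [ -r "$RESOLV" ]; then
    apply_dns_rules "$RESOLV"
fi
```

With the generic rule in place the per-resolver INPUT rules become belt-and-braces; they are kept so the script still works on a firewall whose operator prefers to whitelist DNS explicitly.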

Re: (Solved) firewall disables outwards DNS lookup / apt-get

Post by sennevb » Mon Jan 23, 2017 7:48 pm

Had the same problem; this resolves the issue, thanks!!