[SOLVED] Server with VestaCP and Firewall enabled blocks DNS lookups
Hello fellow members of LET.
Yesterday, right before bedtime I installed a new VPS with VestaCP and decided to enable the firewall using the GUI in VestaCP.
First I locked myself out because the firewall started by itself after I added my first rule (which wasn't for my SSH port), but that's another story.
After the installation, once I had added the needed rules, I tried to install snmpd using apt-get and the install failed because it couldn't resolve the IP for the repository.
Tried to ping google.com and it failed. Disabled the firewall and everything worked as expected, DNS lookups were successful. Enabled the firewall again and everything blocked.
So, I googled for like 30 minutes before I fell asleep but couldn't find a solution for my problem.
Has anyone in this community experienced the same thing, and what did you do to solve it?
Comments
Hmm you ever got the 3000+ emails saying hostname lookup failed?
nope, I set proper rDNS and hostname on my installations
Odd. So did I nvm
INPUT/OUTPUT for ports 53/953 open?
iptables -A INPUT -i eth0 -j REJECT included?
there is no way to add OUTPUT rules in VestaCP, only INPUT.
I did try to add (manually) TCP/UDP 53 OUTPUT rules, no change.
REJECT is empty.
edit: wrong os
running Debian so
yum: command not found
yea, noticed apt-get...
This enables it, not sure if this is the best way when running VestaCP, will have to investigate more.
```shell
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 0.0.0.0/0 --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
```
somewhat similar with Kloxo, requires both tcp/udp port 53 available...
routing is default?
When reading the iptables rules above, I guess the error was that the returning answer was dropped. Basically I could ask the question but didn't listen to the answer.
You would think given that DNS is a critical feature and the FW is controlled via vesta they would have considered that, things like that make me want to kill people.
Using the VestaCP GUI you can only add "basic" INPUT rules, trying to figure out how to add this so it is still there after a reboot
Let's be honest, you should not have to spend time on stupid shit like that.
Perfect wednesday night work nah, you're right... should be doing something useful instead.
Have you seen those videos of people making Star Wars themed pancakes? Man, that is a worthwhile Wednesday pursuit.
No, I have not, but I've read A LOT of VestaCP code and I finally got around to something that will work even after a reboot.
In short you can create an executable file named custom.sh in the vesta/data/firewall directory where you can put your own rules that should apply to the server.
So I made this little custom script to start with.
Steps to make it work:
1. Follow the instructions posted on bitbucket
I will mark this thread as [SOLVED]!!! Yay for me.
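An added example of what such a custom.sh could contain, based on the rules posted above (this is not Mikho's script from Bitbucket). It goes slightly further than the thread: instead of allowing DNS to 0.0.0.0/0 it restricts the OUTPUT rules to the resolvers the box actually uses, and it only lets the ESTABLISHED replies back in. SERVER_IP, RESOLVERS and the `print`/`apply` arguments are assumptions of this example, and the resolver addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example for $VESTA/data/firewall/custom.sh (not the script from the
# thread). Allows the server to send DNS queries and to receive the replies,
# which is the half the GUI-only INPUT rules were missing.
#
# Assumptions: SERVER_IP is the public IP of the box and RESOLVERS lists the
# nameservers from /etc/resolv.conf. Both come from the environment here;
# the defaults below are constructed placeholder values.
SERVER_IP="${SERVER_IP:-}"
RESOLVERS="${RESOLVERS:-203.0.113.53 198.51.100.53}"

# Print the two rules for one protocol and one resolver.
# Queries leave as NEW/ESTABLISHED from a high port to port 53; only the
# matching ESTABLISHED reply from that resolver is allowed back in.
dns_rules_for() {
    proto="$1"; resolver="$2"
    printf 'iptables -A OUTPUT -p %s -s %s --sport 1024:65535 -d %s --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT\n' \
        "$proto" "$SERVER_IP" "$resolver"
    printf 'iptables -A INPUT -p %s -s %s --sport 53 -d %s --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT\n' \
        "$proto" "$resolver" "$SERVER_IP"
}

# All rules for every resolver: UDP for normal lookups, TCP for large
# answers and zone transfers that fall back to TCP.
dns_rules() {
    for r in $RESOLVERS; do
        dns_rules_for udp "$r"
        dns_rules_for tcp "$r"
    done
}

# Apply the rules, then verify with a lookup so a broken rule set is
# noticed immediately instead of at the next apt-get run.
apply_dns_rules() {
    [ -n "$SERVER_IP" ] || { echo "SERVER_IP is not set" >&2; return 2; }
    dns_rules | while read -r cmd; do eval "$cmd" || return 1; done
    getent hosts debian.org >/dev/null
}

case "${1:-}" in
    print) dns_rules ;;
    apply) apply_dns_rules ;;
esac
```

Run it as `SERVER_IP=1.2.3.4 sh custom.sh print` to review the generated rules before using `apply`; the chmod +x step from the readme still applies.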
Well, a simple step should be:
The first and foremost step when setting up FW rules in VestaCP is to make an
ACCEPT rule for the VestaCP port (8083 by default; you can set up a different port too).
This will ensure you at least have VestaCP accessible and don't lock yourself out.
The rest of the rules can be easily tried and tested afterwards.
In my defence I never expected the firewall service to start by itself.
I wrote about the story and the solution on Lowendguide.com for your amusement to read.
The documentation on VestaCP is lacking, to say the least. Perhaps I should dig deeper and find more hidden gems?
@Mikho,
I tried myself and I experienced the same problem here... I opened a new thread (pardon) in haste.
But your solution worked well.
One small mistake I'd want to point out in your readme:
chown +x $VESTA/data/firewall/custom.sh
should be
chmod +x $VESTA/data/firewall/custom.sh
Thanks for the solution though!! Hats off.
I'd like to have VestaCP configure outbound rules as well...
Thanks, I'll update the readme.