
Problems with firewall

Open mushketer888 opened this issue 7 years ago • 3 comments

Operating System (OS/VERSION):

Ubuntu 16.04 VPS: almost minimal specs. 1GB RAM 1 CPU

VestaCP Version:

0.9.8-17

Installed Software (what you got with the installer):

apache, nginx, mysql, exim4, dovecot...

Steps to Reproduce:

Problems with the firewall. At first I couldn't even dig, ping, nslookup, etc. I couldn't use the nameservers on my VPS server. After adding a custom.sh script I resolved the problems with DNS. (Anyway, it is a strange bug and bad to have in Vesta!) Before installing VestaCP all was fine with DNS, etc.!! But anyway... Exim can't send emails! It CAN receive emails, but can't send them! When "iptables" is turned on in the VestaCP "Server" tab, Exim can't send mail. When iptables is off in the VestaCP Server tab, Exim works correctly and can send email successfully.

When iptables is ON:
DIG - works (only after adding the custom.sh script)
PING - works
EXIM - doesn't send, but receives

When iptables is OFF:
DIG - works
PING - works
EXIM - successfully sends emails

As I understand it, by disabling iptables fail2ban becomes useless and won't ban bots, which is bad.

Related Issues/Forum Threads:

It is an old bug, as far as I know, because I found a custom.sh script that adds DNS chains to iptables: /usr/local/vesta/data/firewall/custom.sh:

#!/bin/bash
IPT="/sbin/iptables"

# Your DNS servers you use: cat /etc/resolv.conf
# (skip comment lines, take the address that follows "nameserver")
DNS_SERVER=$(awk '!/^#/ && $1 == "nameserver" {print $2}' /etc/resolv.conf)

for ip in $DNS_SERVER
do
        echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'"
        # outbound query to the resolver, and the reply coming back from its port 53
        "$IPT" -A OUTPUT -p udp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
        "$IPT" -A INPUT  -p udp -s "$ip" --sport 53 -m state --state ESTABLISHED     -j ACCEPT
        "$IPT" -A OUTPUT -p tcp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
        "$IPT" -A INPUT  -p tcp -s "$ip" --sport 53 -m state --state ESTABLISHED     -j ACCEPT
done

This script helped resolve the problem with DNS and nameservers. But what to do with Exim, I don't know...

Log files and examples

Tried to send an email to Gmail while iptables is enabled.

Exim log file

2017-07-22 21:28:33 1dYz6g-0002Lg-1D H=gmail-smtp-in.l.google.com [74.125.71.26] Connection timed out
2017-07-22 21:30:40 1dYz6g-0002Lg-1D H=alt1.gmail-smtp-in.l.google.com [64.233.162.26] Connection timed out
2017-07-22 21:32:48 1dYz6g-0002Lg-1D H=alt2.gmail-smtp-in.l.google.com [74.125.200.27] Connection timed out
2017-07-22 21:34:55 1dYz6g-0002Lg-1D H=alt3.gmail-smtp-in.l.google.com [64.233.188.26] Connection timed out
2017-07-22 21:37:02 1dYz6g-0002Lg-1D H=alt4.gmail-smtp-in.l.google.com [74.125.28.26] Connection timed out

Telnet to port 25

nc gmail-smtp-in.l.google.com 25
220 mx.google.com ESMTP z4si4426647wrb.275 - gsmtp
HELO mx.google.com
250 mx.google.com at your service
QUIT
221 2.0.0 closing connection z4si4426647wrb.275 - gsmtp

Ping gmail server

PING gmail-smtp-in.l.google.com (74.125.71.27) 56(84) bytes of data.
64 bytes from wn-in-f27.1e100.net (74.125.71.27): icmp_seq=1 ttl=49 time=39.0 ms
64 bytes from wn-in-f27.1e100.net (74.125.71.27): icmp_seq=2 ttl=49 time=38.9 ms

As you can see, all looks fine, but Exim doesn't send email; the error is: connection timeout.

When iptables is OFF

2017-07-22 21:47:32 1dYzR6-0002hv-FT <= info@... U=admin P=local S=580 id=76196e7a1305d9516630368c9e90dc50@...
2017-07-22 21:47:39 1dYzR6-0002hv-FT => [email protected] R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [74.125.71.27] X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=yes C="250 2.0.0 OK 1500749258 w3si6140176wra.413 - gsmtp"
2017-07-22 21:47:39 1dYzR6-0002hv-FT Completed

iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-VESTA  tcp  --  anywhere             anywhere             tcp dpt:8083
fail2ban-MAIL  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,2525,pop3,pop3s,imap2,imaps
fail2ban-SSH  tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  ...             anywhere
ACCEPT     all  --  localhost            anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https
ACCEPT     tcp  --  anywhere             anywhere             multiport dports ftp,12000:12100
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,2525
ACCEPT     tcp  --  anywhere             anywhere             multiport dports pop3,pop3s
ACCEPT     tcp  --  anywhere             anywhere             multiport dports imap2,imaps
ACCEPT     tcp  --  anywhere             anywhere             multiport dports mysql,postgresql
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8083
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp spt:domain state ESTABLISHED
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp spt:domain state ESTABLISHED
ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp spt:domain state ESTABLISHED
ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp spt:domain state ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             google-public-dns-a.google.com  tcp dpt:domain state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             google-public-dns-b.google.com  udp dpt:domain state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             google-public-dns-b.google.com  tcp dpt:domain state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission


Chain f2b-apache-badbots (0 references)
target     prot opt source               destination

Chain f2b-apache-nohome (0 references)
target     prot opt source               destination

Chain f2b-apache-noscript (0 references)
target     prot opt source               destination

Chain f2b-apache-overflows (0 references)
target     prot opt source               destination

Chain f2b-sshd (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-MAIL (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-VESTA (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain vesta (0 references)
target     prot opt source               destination

Other Notes:

P.S. I wouldn't write about this issue if I weren't sick of this bug. I lost too much time searching and trying.

mushketer888 · Jul 22 '17 18:07
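What the posted `iptables -L` dump shows, read rule by rule: the INPUT chain has policy DROP and contains no generic `state RELATED,ESTABLISHED` ACCEPT. Every inbound service works because each has its own `dpt:` rule matching the first packet, and the server's replies leave through OUTPUT (policy ACCEPT). Connections the server itself opens are the other way round: the SYN leaves through OUTPUT (`dpt:smtp` is even explicitly allowed there), but the SYN-ACK from the remote mail server arrives on INPUT with a random high destination port, matches nothing, and falls to the DROP policy. That is exactly Exim's "Connection timed out" to every Gmail MX. DNS works only because the custom.sh above adds a per-resolver `spt:domain ... state ESTABLISHED` return rule, which the dump shows for the two Google resolvers and for nothing else. The following audit, an added example that is not code from the issue or from VestaCP, reads a dump in that format and reports, per outbound service that OUTPUT allows, whether the reply path exists; the sample dump is constructed from the report (resolver names and the whitelisted IP trimmed) and is labelled as such in the code. The assumption, stated in the comments, is that a reply is accepted only by a generic conntrack rule or by a per-service `spt:` rule with state ESTABLISHED; whether anything else on the reporter's VPS also interferes cannot be told from the dump alone.

```shell
#!/bin/sh
# Added example, not VestaCP's own code: audit an `iptables -L` dump for the
# "outbound SYN leaves, reply is dropped" pattern behind Exim's
# "Connection timed out" when INPUT policy is DROP.
#
# Assumption (not stated on the page): a packet replying to a connection this
# host opened is accepted by INPUT only via a generic "state RELATED,ESTABLISHED"
# ACCEPT, or via a per-service rule matching the remote source port
# ("spt:<svc>") with state ESTABLISHED; otherwise the chain policy decides.

# Constructed sample modelled on the dump in the report: resolver names and
# the whitelisted IP trimmed, only the lines that matter kept. Not live output.
SAMPLE_DUMP='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  localhost            anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,2525
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp spt:domain state ESTABLISHED
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp spt:domain state ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             google-public-dns-a.google.com  tcp dpt:domain state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission'

# chain_policy CHAIN DUMP: print the chain's policy (DROP, ACCEPT, ...).
chain_policy() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^Chain / && $2 == want { gsub(/[()]/, "", $4); print $4; exit }'
}

# chain_rules CHAIN DUMP: print only the rule lines of one chain.
chain_rules() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^Chain /                           { inchain = ($2 == want); next }
        inchain && NF > 0 && $1 != "target" { print }'
}

# reply_accepted SVC DUMP: exit 0 if INPUT lets replies from remote service SVC
# (a name as printed by `iptables -L`, e.g. smtp, domain) back in.
reply_accepted() {
    svc="$1"; dump="$2"
    [ "$(chain_policy INPUT "$dump")" = "ACCEPT" ] && return 0
    rules=$(chain_rules INPUT "$dump")
    # generic conntrack rule: covers every connection the host opens
    printf '%s\n' "$rules" | grep -Eq '^ACCEPT +all .*state (RELATED,)?ESTABLISHED' && return 0
    # per-service return rule, the kind custom.sh adds for DNS only
    printf '%s\n' "$rules" | grep -Eq "^ACCEPT .*spt:$svc .*state [A-Z,]*ESTABLISHED" && return 0
    return 1
}

# outbound_services DUMP: services OUTPUT explicitly allows (dpt:<svc>), one per line.
outbound_services() {
    chain_rules OUTPUT "$1" | grep -o 'dpt:[a-z0-9]*' | cut -d: -f2 | sort -u
}

# diagnose DUMP: one verdict line per outbound service.
diagnose() {
    dump="$1"
    policy=$(chain_policy INPUT "$dump")
    for svc in $(outbound_services "$dump"); do
        if reply_accepted "$svc" "$dump"; then
            echo "$svc: ok, replies accepted by INPUT"
        else
            echo "$svc: BROKEN, SYN leaves via OUTPUT but the reply hits INPUT policy $policy (connection times out)"
        fi
    done
}

# fix_rule: the one stateful rule whose absence breaks every outbound service at
# once. Inserted at position 1 so it sits ahead of the fail2ban chains.
fix_rule() {
    echo "iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

diagnose "$SAMPLE_DUMP"
fix_rule
```

Run against the sample it reports `domain` as ok and `smtp` and `submission` as BROKEN, which matches the report: DNS fixed by the per-resolver rules, SMTP still timing out. The printed fix is the generic conntrack rule (`-m conntrack --ctstate` is the current form of the `-m state --state` match used in custom.sh); with it in place the per-resolver DNS rules become redundant. Since the rules from /usr/local/vesta/data/firewall/custom.sh evidently survive a firewall reload (they appear in the dump), that file is the place to put the rule rather than a one-off `iptables -I` on the command line, which the panel will overwrite the next time it rebuilds the chains.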

I have the same problem

ghost · Aug 01 '18 10:08

Same here...

madhifallah · Nov 27 '18 14:11

Same problem here with outgoing connections with exim4. Any news on how to solve this issue?

Vasco39 · Nov 09 '21 19:11