IPTables and VestaCP – OUTPUT rules to allow DNS lookups

This week I’ve been wrestling with an issue on the VestaCP test server I have; I don’t want to test stuff in production. 🙂

So I somehow noticed that the firewall service was stopped in Vesta, which I found odd. I opened the page for the firewall rules and there were no rules defined, none at all. That got me thinking: why not add some rules and add another layer of security to the server? Boy, was I in for a surprise when I added the first rule to allow port 80 (HTTP). The server immediately stopped responding. For some unknown reason the firewall was automatically started when I clicked save, and with only one ACCEPT rule everything else was DENIED. I had completely locked myself out of my own server.

Fortunately I could access the server using the console provided by the control panel my provider uses. While in the console I decided to add the rest of the rules I had in mind that way, since that would probably be faster.

To edit the rules that you can later see and/or edit in VestaCP, you edit the file rules.conf in your Vesta/data/firewall directory.

This is my default config that I have decided to set on all my Vesta servers; some of the servers will of course have more rules added depending on what the server will do.

That will take care of the INPUT rules, opening all the ports used by Vesta. If you read the above ruleset you will see I have no SSH port open; if you want to open port 22 so you can SSH into the server, add this rule:

This will open port 22 to the entire world; change 0.0.0.0/0 to your own IP if you want to secure it. If you want to add more than one IP that should have access to port 22, you need to increment the RULE number as well.

When all that is done, make iptables read the configuration and apply it by running the command:

At this moment my server decided to high-five me… with a chair… in the face. Well, not really that brutal, but I was in for my second surprise of the night when I tried installing an SNMP client used for monitoring the server and the apt-get install command failed, since all DNS lookups failed! I could ping an IP address, but no domain names would resolve at this point. When examining the situation I found that, after adding the rules, iptables blocked the answer to my request, which is logical since I had only opened certain ports in my firewall.

So how would I solve this with the limited functions available in VestaCP without accepting traffic on all incoming ports? Of course I could write my own IPTABLES rules, but how would I be sure that they got loaded on reboot and not overwritten when I decide to change something from the GUI? The thing I love about VestaCP is that it’s open source and available on GitHub, so in this case I could read the code, trying to find a solution to my problem.

And there it was, in the file that updates the firewall rules, v-update-firewall, hidden deep inside.

So in the end I would add my firewall rule in this file and it would be executed every time the firewall was reloaded.

It took a few tries before I ended up with a custom.sh file like this:

The script gets the nameservers defined in /etc/resolv.conf and allows traffic between each nameserver’s port 53 and your server.
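As an added illustration of that approach (this is not the author’s custom.sh, which is not reproduced here), the following script prints the iptables commands that allow queries to, and replies from, each IPv4 nameserver in a resolv.conf. It assumes the rules should be inserted at the top of the INPUT and OUTPUT chains with -I so they land before any DROP rule; the sample resolv.conf is constructed for the dry run.

```shell
#!/bin/sh
# Added example, not the author's custom.sh: emit iptables rules that let DNS
# queries reach the nameservers listed in a resolv.conf and let the answers
# come back. Pipe the printed commands into sh as root to apply them.

dns_rules() {
    resolv="${1:-/etc/resolv.conf}"
    # Take the address field of every 'nameserver' line; comments and other keys are ignored.
    awk '$1 == "nameserver" { print $2 }' "$resolv" | while read -r ns; do
        case "$ns" in
            *:*)   continue ;;  # IPv6 resolver: would need ip6tables, skipped here
            127.*) continue ;;  # local caching resolver: loopback is normally already accepted
        esac
        for proto in udp tcp; do
            # DNS uses UDP and falls back to TCP for large answers, so allow both.
            # -I inserts at the top of the chain so the rule precedes any later DROP.
            echo "iptables -I OUTPUT -p $proto -d $ns --dport 53 -j ACCEPT"
            echo "iptables -I INPUT -p $proto -s $ns --sport 53 -j ACCEPT"
        done
    done
}

# Dry run on a constructed resolv.conf; use /etc/resolv.conf on a real server.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample' 'search example.invalid' \
        'nameserver 127.0.0.53' 'nameserver 192.0.2.10' 'nameserver 2001:db8::1' > "$tmp"
    dns_rules "$tmp"
    rm -f "$tmp"
}

demo
```

A single INPUT rule matching `-m conntrack --ctstate ESTABLISHED,RELATED` would admit the replies without per-resolver rules, but the per-resolver form mirrors what the post describes.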

Save the custom.sh file and update your firewall rules by executing v-update-firewall once more.

You should now be able to resolve domain names again and update incoming rules using the VestaCP GUI.


I have uploaded my custom.sh file to Bitbucket; you can find the file by following this link. I will add more content to that repository, so save the link to my LowEndGuide Scripts on Bitbucket.
