HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > Server Operation

#1
29th November 2011, 17:31
theWeird (Member, Join Date: Nov 2009, Posts: 70)

Trouble after moving openVZ container to new host

Hey there,
the migration of the VE worked great. All systems are back online.
There is only one problem:
Since the migration the VE is not able to resolve DNS names.
There is no problem pinging other servers like 8.8.8.8 by their IP address, but the names cannot be resolved.
The nameserver for this VE is set to 8.8.8.8.

The new host node is installed as a VE server for ISPConfig.
There is no Bastille firewall installed on this host. Just a plain Debian system installed by the HowTo for setting up an openVZ server on Debian.

Do you have any idea how this problem could be solved?
#2
29th November 2011, 17:38
theWeird
OK, small update.
I noticed that stopping the bastille-firewall inside the container solves the problem.
But I don't want to run the webserver with Bastille stopped.
After starting it, resolving names is not possible.
How can I fix this problem with Bastille?
#3
29th November 2011, 20:41
theWeird

Error in Bastille iptables rules?
These are the firewall rules as they are used after starting Bastille.
Can you see any error there that could be blocking outgoing DNS requests?

Code:
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  224.0.0.0/4          anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (7 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http-alt
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:tproxy
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:mysql
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
#4
2nd December 2011, 22:40
evg-krsk (Junior Member, Join Date: Dec 2011)
I hit this problem, too, after installing ispconfig3 on an OpenVZ
container and turning on the basic firewall.

To theWeird: please look closely (-nvL) at the rules in your INPUT chain.

For me, this rule looked like this:
#iptables -nvL INPUT|head -4
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

I considered that DNS replies don't match this rule (and it seems
like there is no other accepting rule to match replies to the server's
queries), so I just tried this:

#iptables -I INPUT 2 -p udp -m udp --sport 53 -j ACCEPT

After that I tried "host google.com" (successfully!) and saw:

#iptables -nvL INPUT|head -4
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8
   56  9284 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53

It seems like this is a problem with the OVZ container itself, because in the host
system the iptables counters for RELATED/ESTABLISHED are constantly
increasing.

I tried to restart the container, but this has no effect and now I'm just
stuck :-\
#5
6th December 2011, 17:51
evg-krsk
OK, the answer is simple: you need to add the ipt_state and ipt_conntrack modules to the VE config or to the global OVZ config, just like described here: http://forum.openvz.org/index.php?t=...2893&#msg_2893
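An added example, not code from the thread, that automates evg-krsk's before/after counter check from post #4 and verifies the module list from post #5. The snapshots and the config line are constructed; the `IPTABLES=` key is assumed from OpenVZ's vz.conf format and is not named in the thread.

```python
import re

# Constructed snapshots in the `iptables -nvL INPUT` format quoted in post #4;
# the numbers are made up to mirror the symptom (state rule never matches).
BEFORE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source    destination
    0     0 DROP   tcp  --  !lo *   0.0.0.0/0 127.0.0.0/8
    0     0 ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED
    0     0 ACCEPT udp  --  *   *   0.0.0.0/0 0.0.0.0/0   udp spt:53
"""
AFTER = BEFORE.replace("    0     0 ACCEPT udp", "   56  9284 ACCEPT udp")

# pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)(?:\s+\S+){5}\s*(.*)$")

def parse_counters(listing):
    """Map each rule line of an `iptables -nvL` chain to its packet counter."""
    counters = {}
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:          # chain header or column header
            continue
        pkts, _bytes, target, proto, extra = m.groups()
        counters[f"{target} {proto} {extra.strip()}".strip()] = int(pkts)
    return counters

def diagnose(before, after):
    """Compare two snapshots taken around a DNS query.  'conntrack-ok' if the
    RELATED,ESTABLISHED rule counted packets; 'conntrack-broken' if only the
    explicit sport-53 rule (or nothing) did, i.e. state matching is inert."""
    b, a = parse_counters(before), parse_counters(after)
    delta = {k: a.get(k, 0) - b.get(k, 0) for k in a}
    state_hits = sum(v for k, v in delta.items() if "RELATED,ESTABLISHED" in k)
    return "conntrack-ok" if state_hits > 0 else "conntrack-broken"

def vz_conf_has_conntrack(conf_text):
    """Check a container config for the modules named in post #5.  The
    IPTABLES= key is assumed from OpenVZ's vz.conf format, not from the thread."""
    for line in conf_text.splitlines():
        if line.startswith("IPTABLES="):
            mods = set(line.split("=", 1)[1].strip().strip('"').split())
            return {"ipt_state", "ipt_conntrack"} <= mods
    return False

if __name__ == "__main__":
    print(diagnose(BEFORE, AFTER))            # conntrack-broken
    print(vz_conf_has_conntrack('IPTABLES="ipt_REJECT ipt_state ipt_conntrack"'))
```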