Trouble after moving openVZ container to new host

Discussion in 'Server Operation' started by theWeird, Nov 29, 2011.

  1. theWeird

    theWeird Member

    Hey there,
    the migration of the VE worked great. All systems are back online.
    There is only one problem:
    Since the migration, the VE is not able to resolve DNS names.
    There is no problem pinging other servers like 8.8.8.8 by their IP address, but the names cannot be resolved.
    The nameserver for this VE is set to 8.8.8.8.

    The new host node is installed as VE-Server for ISPConfig.
    There is no bastille firewall installed on this host. Just a plain Debian system installed by the HowTo for setting up an openVZ-Server on Debian.

    Do you have any idea how this problem could be solved?
     
  2. theWeird

    theWeird Member

    Ok, small update.
    I noticed that stopping the bastille-firewall inside the container solves the problem.
    But I don't want to run the webserver with stopped bastille.
    After starting it, resolving of names is not possible.
    How can I fix this problem with bastille?
     
  3. theWeird

    theWeird Member

    Error in Bastille iptables-Rules?

    These are the Firewall rules as they are used after starting bastille.
    Can you see any error there that could be blocking outgoing DNS-requests?

    Code:
    # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             loopback/8
    ACCEPT     all  --  anywhere             anywhere
    DROP       all  --  224.0.0.0/4          anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    PUB_OUT    all  --  anywhere             anywhere
    PUB_OUT    all  --  anywhere             anywhere
    PUB_OUT    all  --  anywhere             anywhere
    PUB_OUT    all  --  anywhere             anywhere
    
    Chain INT_IN (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    
    Chain INT_OUT (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    
    Chain PAROLE (7 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    
    Chain PUB_IN (4 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http-alt
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:tproxy
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:mysql
    DROP       icmp --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    
    Chain PUB_OUT (4 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    
    
     
  4. evg-krsk

    evg-krsk New Member

    I hit this problem, too, after installing ispconfig3 on an OpenVZ
    container and turning on the basic firewall.

    To theWeird: please look closely (-nvL) at the rules in your INPUT chain.

    for me, this rule looked like this:
    Code:
    #iptables -nvL INPUT|head -4
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP tcp -- !lo * 0.0.0.0/0 127.0.0.0/8
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

    I considered that DNS replies don't match this rule (and it seems
    like there is no other accepting rule to match replies to the server's
    queries), so I just tried this:

    Code:
    #iptables -I INPUT 2 -p udp -m udp --sport 53 -j ACCEPT

    after that I tried "host google.com" (successfully!) and saw:

    Code:
    #iptables -nvL INPUT|head -4
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP tcp -- !lo * 0.0.0.0/0 127.0.0.0/8
    56 9284 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53

    Seems like this is a problem with the OVZ container itself, because in the host
    system the iptables counters for RELATED/ESTABLISHED are constantly
    increasing.

    I tried to restart the container, but this had no effect and now I'm just
    stuck :-\
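Added here as a diagnostic, not code from either poster: a shell helper that reads an `iptables -nvL INPUT` listing (constructed samples below, modelled on the output in this post) and reports which path DNS replies have into the container: a working RELATED,ESTABLISHED rule, a `--sport 53` rule scoped to one resolver, an unscoped `--sport 53` rule (which admits any UDP packet with source port 53, not only replies to the VE's own queries), or a state rule whose counters never move, the symptom described above. The function name and the scoped sample (source 8.8.8.8, the nameserver from the first post) are assumptions.

```shell
#!/bin/sh
# Constructed samples of `iptables -nvL INPUT` output (not real captures).
# 1) As in the thread before the fix: state rule present, counters stuck at 0.
SAMPLE_IDLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source    destination
    0     0 DROP   tcp  --  !lo *   0.0.0.0/0 127.0.0.0/8
    0     0 ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED'
# 2) After the workaround from this post: any UDP source port 53 is accepted.
SAMPLE_ANY='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source    destination
    0     0 DROP   tcp  --  !lo *   0.0.0.0/0 127.0.0.0/8
   56  9284 ACCEPT udp  --  *   *   0.0.0.0/0 0.0.0.0/0   udp spt:53
    0     0 ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED'
# 3) Tighter variant (assumption): same rule limited to the configured nameserver.
SAMPLE_SCOPED='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source    destination
   12  1200 ACCEPT udp  --  *   *   8.8.8.8   0.0.0.0/0   udp spt:53'

# Hypothetical helper: classify how DNS replies can reach the container.
# Columns of -nvL: 1 pkts, 2 bytes, 3 target, 4 prot, 5 opt, 6 in, 7 out,
# 8 source, 9 destination, then the match details.
dns_reply_path() {
  printf '%s\n' "$1" | awk '
    $3 == "ACCEPT" && /RELATED,ESTABLISHED/ { state_rule = 1; state_pkts += $1 }
    $3 == "ACCEPT" && $4 == "udp" && /spt:53/ {
      if ($8 == "0.0.0.0/0") sport_any = 1; else sport_scoped = 1
    }
    END {
      if (state_rule && state_pkts > 0) print "conntrack"        # stateful match works
      else if (sport_scoped)            print "sport53-scoped"   # replies from one resolver
      else if (sport_any)               print "sport53-any"      # any host, sport 53
      else if (state_rule)              print "state-rule-idle"  # rule present, never hit
      else                              print "none"
    }'
}
```

Run it against live output with `dns_reply_path "$(iptables -nvL INPUT)"`; `state-rule-idle` after some traffic means stateful matching is not working inside the VE, and `sport53-any` is the open workaround that should be narrowed with `-s <nameserver>`.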
     
  5. evg-krsk

    evg-krsk New Member
