Stan 2.0
Joined: 28 May 2011
Posts: 12
Posted: Sat May 28, 2011 3:46 am  Post subject: Which port is APT using?

I've just set up my first Linode (using Ubuntu 11.04) and everything is working fine so far, except for one thing. I've configured ufw to deny everything except 80/tcp, 443/tcp and 22/tcp. This seems to work as it should.
Problem is: now I can't use apt-get anymore, because it can't reach the server:
Code:
Temporary failure resolving 'us.archive.ubuntu.com'
I was under the impression that APT uses port 80; isn't that correct?
If I turn ufw off, everything works fine. Of course that's not really an option.
The server seems to be much slower (writing to disk etc.) when ufw is on. I suppose it shouldn't be that way either?
Thanks for any help.
mnordhoff
Joined: 03 May 2008
Posts: 451
Posted: Sat May 28, 2011 3:49 am

I don't know what port apt uses, but it says the error is in resolving it, not connecting to the server. Sounds like DNS is broken. Try 'dig www.linode.com' or 'host www.linode.com' from the command line. What happens? If it is broken, does it work when ufw is disabled? If not, what does your /etc/resolv.conf say, and which data center are you in?
Stan 2.0
Joined: 28 May 2011
Posts: 12
Posted: Sat May 28, 2011 4:39 am

With ufw on:
Code:
; <<>> DiG 9.7.3 <<>> www.linode.com
;; global options: +cmd
;; connection timed out; no servers could be reached
With ufw off:
Code:
; <<>> DiG 9.7.3 <<>> www.linode.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49422
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 5
;; QUESTION SECTION:
;www.linode.com. IN A
;; ANSWER SECTION:
www.linode.com. 86323 IN A 69.164.200.202
www.linode.com. 86323 IN A 72.14.180.202
www.linode.com. 86323 IN A 72.14.191.202
;; AUTHORITY SECTION:
linode.com. 56421 IN NS ns2.linode.com.
linode.com. 56421 IN NS ns5.linode.com.
linode.com. 56421 IN NS ns4.linode.com.
linode.com. 56421 IN NS ns3.linode.com.
linode.com. 56421 IN NS ns1.linode.com.
;; ADDITIONAL SECTION:
ns1.linode.com. 12921 IN A 69.93.127.10
ns2.linode.com. 12921 IN A 65.19.178.10
ns3.linode.com. 12915 IN A 75.127.96.10
ns4.linode.com. 12915 IN A 207.192.70.10
ns5.linode.com. 12915 IN A 109.74.194.10
;; Query time: 1 msec
;; SERVER: 109.74.192.20#53(109.74.192.20)
;; WHEN: Sat May 28 11:37:20 2011
;; MSG SIZE rcvd: 250
My /etc/resolv.conf:
Code:
# Generated by dhcpcd for interface eth0
search members.linode.com
nameserver 109.74.192.20
nameserver 109.74.193.20
nameserver 109.74.194.20
I'm in the London data center.
Thanks! :)
mnordhoff
Joined: 03 May 2008
Posts: 451
Posted: Sat May 28, 2011 4:56 am

OK, so your DNS setup is fine, but ufw is blocking it. Nice.
I don't have much else to say to help debug it. It looks like ufw bug 713788 covers the same issue, with a comment summarizing everything I could say.
obs
Joined: 07 Mar 2010
Posts: 1403
Location: Earth
Posted: Sat May 28, 2011 6:50 am

You probably have ufw blocking traffic going out, run
Code:
ufw default allow outgoing
Stan 2.0
Joined: 28 May 2011
Posts: 12
Posted: Sat May 28, 2011 7:46 am

obs wrote:
You probably have ufw blocking traffic going out, run
Code:
ufw default allow outgoing

OK, stuff feels much more responsive now. APT still doesn't want to play with me though. When I run
Code:
sudo apt-get update
it will output
Code:
Err http://us.archive.ubuntu.com natty InRelease
Err http://security.ubuntu.com natty-security InRelease
Err http://us.archive.ubuntu.com natty-updates InRelease
Err http://security.ubuntu.com natty-security Release.gpg
  Temporary failure resolving 'security.ubuntu.com'
Err http://us.archive.ubuntu.com natty Release.gpg
  Temporary failure resolving 'us.archive.ubuntu.com'
Err http://us.archive.ubuntu.com natty-updates Release.gpg
  Temporary failure resolving 'us.archive.ubuntu.com'
Reading package lists... Done
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty/InRelease
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty-updates/InRelease
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/natty-security/InRelease
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty/Release.gpg  Temporary failure resolving 'us.archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/natty-security/Release.gpg  Temporary failure resolving 'security.ubuntu.com'
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty-updates/Release.gpg  Temporary failure resolving 'us.archive.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.
Works fine when I disable ufw.
Verbose ufw status looks like this now:
Code:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
obs
Joined: 07 Mar 2010
Posts: 1403
Location: Earth
Posted: Sat May 28, 2011 7:54 am

Odd, try specifically allowing port 53 outgoing.
Stan 2.0
Joined: 28 May 2011
Posts: 12
Posted: Sat May 28, 2011 8:00 am

No change, unfortunately.
Verbose status is now:
Code:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
53/tcp                     ALLOW OUT   Anywhere
Still shows the "Temporary failure resolving ..." error.
Edit: tried adding 53/udp as well, didn't help :(
Stan 2.0
Joined: 28 May 2011
Posts: 12
Posted: Sat May 28, 2011 11:20 am

Looks like it's working now. Out of sheer frustration I've just removed the whole ufw package and installed it again.
Anyway, thanks for your help guys!
obs
Joined: 07 Mar 2010
Posts: 1403
Location: Earth
Posted: Sat May 28, 2011 11:47 am

You might want to investigate shorewall; it's a darn sight easier to get your head around once you know how the configuration files work. In my opinion it's less complicated than ufw (uncomplicated firewall).
paulengstler
Joined: 09 Apr 2010
Posts: 16
Posted: Sat May 28, 2011 1:38 pm

When I activated ufw it destroyed my iptables restore file. Man, I wish it were always this uncomplicated to do such stuff. :wink:
rsk
Joined: 24 Nov 2009
Posts: 306
Posted: Sat May 28, 2011 1:55 pm

Well, I don't know if it's available in the distro... but I really like the ultrasimple firewall described here:
http://library.linode.com/security/firewalls/arno-iptables-debian-5-lenny
One of the nice parts is that it has a custom rules file, so I could drop in that one "special" iptables line into it without hacking into rc.local. ;)
hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York
Posted: Sat May 28, 2011 2:28 pm

Code:
# Accept replies to connections this host opened (DNS answers, HTTP responses).
# Without this rule a default-reject INPUT chain breaks name resolution and apt-get.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Services this host offers to the world
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Everything else inbound is rejected
iptables -A INPUT -j REJECT
# Outbound traffic is unrestricted
iptables -P OUTPUT ACCEPT
It's really not that hard to just use iptables itself, you know.
Stan 2.0
Joined: 28 May 2011
Posts: 12
Posted: Sat May 28, 2011 3:03 pm

Well, turned out that ufw went back to its deny-all state after a reboot. So I've removed it and use shorewall instead now, which works great.
I know I could use iptables directly, but it's just way more convenient to use a frontend (yes, I am lazy).
derfy
Joined: 20 Oct 2010
Posts: 68
Posted: Sat May 28, 2011 5:02 pm

Quote:
iptables -m state --state RELATED,ESTABLISHED -j ACCEPT
$10 says that was the issue.
Edit: not having it, that is.
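The two mistakes the thread circles around (opening inbound ports without accepting replies to the host's own connections, which is what derfy bets on above, and a deny-by-default outbound policy that lets DNS out over TCP but not UDP, which is what the "53/tcp ALLOW OUT" attempt did) can both be checked against an iptables-save dump instead of by trial and reboot. The following is an added example written for this page, not code from the thread or from ufw; the three rule dumps are constructed, and the ephemeral ports 40000/40001 and the flow names are assumptions made for the check.

```python
"""Check an iptables-save *filter table for the apt/DNS breakage in this thread:
inbound port openings do not admit replies to connections the host opened, and
a deny-by-default OUTPUT chain must still let DNS out over UDP as well as TCP.
Added example, not code from the thread; all dumps below are constructed."""
import shlex

# hoopycat's rules without the RELATED,ESTABLISHED line derfy bet on.
BROKEN_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
FIXED_RULESET = BROKEN_RULESET.replace(
    "-A INPUT -p tcp -m tcp --dport 22",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
    "-A INPUT -p tcp -m tcp --dport 22", 1)
# Default-deny egress with DNS allowed over TCP only, like the "53/tcp ALLOW OUT"
# attempt in the thread: the resolver's UDP query still has no way out.
TCP_ONLY_DNS_RULESET = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
# option -> (rule field, converter); every option is assumed to take one argument
FIELDS = {"-A": ("chain", str), "-p": ("proto", str.lower), "-j": ("target", str),
          "--sport": ("sport", int), "--dport": ("dport", int),
          "--state": ("states", lambda s: set(s.upper().split(","))),
          "--ctstate": ("states", lambda s: set(s.upper().split(",")))}

def parse_rule(line):
    """Parse one '-A CHAIN ...' line; unknown options raise so a rule the audit cannot model is never reported as safe."""
    toks, rule = shlex.split(line), {}
    for opt, arg in zip(toks[::2], toks[1::2]):
        if opt in FIELDS:
            field, conv = FIELDS[opt]
            rule[field] = conv(arg)
        elif opt not in ("-m", "--reject-with"):  # extension loaders and reject type do not change verdicts
            raise ValueError(f"unsupported option {opt!r} in rule: {line}")
    if "chain" not in rule or rule.get("target") not in TERMINATING | {"LOG"}:
        raise ValueError(f"cannot model rule: {line}")
    return rule

def parse_filter_table(dump):
    """Return ({chain: policy}, [rules]) for the *filter table of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#"):
            continue
        elif line == "COMMIT":
            break
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        else:
            rules.append(parse_rule(line))
    return policies, rules

def verdict(chain, pkt, policies, rules):
    """First matching terminating rule wins, as in netfilter; LOG is passed over; no match means chain policy."""
    for r in rules:
        if r["chain"] != chain or r["target"] not in TERMINATING:
            continue
        if all(r.get(k) in (None, pkt[k]) for k in ("proto", "sport", "dport")) \
                and (r.get("states") is None or pkt["state"] in r["states"]):
            return r["target"]
    return policies.get(chain, "ACCEPT")

# What 'apt-get update' against an http:// mirror needs: a DNS lookup and an HTTP fetch,
# each with its reply. Replies carry conntrack state ESTABLISHED, not a well-known --dport.
APT_FLOWS = (
    ("DNS query out", "OUTPUT", dict(proto="udp", sport=40000, dport=53, state="NEW")),
    ("DNS reply in", "INPUT", dict(proto="udp", sport=53, dport=40000, state="ESTABLISHED")),
    ("HTTP request out", "OUTPUT", dict(proto="tcp", sport=40001, dport=80, state="NEW")),
    ("HTTP reply in", "INPUT", dict(proto="tcp", sport=80, dport=40001, state="ESTABLISHED")),
)

def audit_apt_path(dump):
    """Map each flow apt needs to the verdict the ruleset gives it."""
    policies, rules = parse_filter_table(dump)
    return {name: verdict(chain, pkt, policies, rules) for name, chain, pkt in APT_FLOWS}

def blocked_flows(dump):
    """Flows that do not pass; an empty list means apt can resolve and fetch."""
    return [name for name, v in audit_apt_path(dump).items() if v != "ACCEPT"]
```

Feed the output of `iptables-save` to `blocked_flows()` to check a live host. The parser refuses rules it cannot model (interface matches, negation, `--syn`, comment matches, jumps to user-defined chains such as the ufw-* chains), so on a ufw host it will stop at the first jump rather than return a misleading clean result; extend `FIELDS` and `verdict()` before trusting it on anything beyond a flat INPUT/OUTPUT ruleset like hoopycat's.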