Linode Community Forums
 Post subject: Which port is APT using?
PostPosted: Sat May 28, 2011 4:46 am 
Senior Newbie

Joined: Sat May 28, 2011 4:37 am
Posts: 12
I've just set up my first Linode (using Ubuntu 11.04) and everything is working fine so far, except for one thing. I've configured ufw to deny everything except 80/tcp, 443/tcp and 22/tcp. This seems to work as it should.

Problem is: now I can't use apt-get anymore, because it can't reach the server:
Code:
Temporary failure resolving 'us.archive.ubuntu.com'


I was under the impression that APT uses port 80, isn't that correct?

If I turn ufw off, everything works fine. Of course that's not really an option.

The server seems to be much slower (writing to disk etc.) when ufw is on. I suppose it shouldn't be that way either?

Thanks for any help.


Last edited by Stan 2.0 on Sun May 29, 2011 3:26 pm, edited 1 time in total.

 Post subject:
PostPosted: Sat May 28, 2011 4:49 am 
Senior Member

Joined: Sat May 03, 2008 4:01 pm
Posts: 569
Website: http://www.mattnordhoff.com/
I don't know what port apt uses, but it says the error is in resolving it, not connecting to the server. Sounds like DNS is broken. Try 'dig www.linode.com' or 'host www.linode.com' from the command line. What happens? If it is broken, does it work when ufw is disabled? If not, what does your /etc/resolv.conf say, and which data center are you in?

_________________
Matt Nordhoff (aka Peng on IRC)


 Post subject:
PostPosted: Sat May 28, 2011 5:39 am 
Senior Newbie

Joined: Sat May 28, 2011 4:37 am
Posts: 12
With ufw on:

Code:
; <<>> DiG 9.7.3 <<>> www.linode.com
;; global options: +cmd
;; connection timed out; no servers could be reached


With ufw off:

Code:
; <<>> DiG 9.7.3 <<>> www.linode.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49422
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;www.linode.com.         IN   A

;; ANSWER SECTION:
www.linode.com.      86323   IN   A   69.164.200.202
www.linode.com.      86323   IN   A   72.14.180.202
www.linode.com.      86323   IN   A   72.14.191.202

;; AUTHORITY SECTION:
linode.com.      56421   IN   NS   ns2.linode.com.
linode.com.      56421   IN   NS   ns5.linode.com.
linode.com.      56421   IN   NS   ns4.linode.com.
linode.com.      56421   IN   NS   ns3.linode.com.
linode.com.      56421   IN   NS   ns1.linode.com.

;; ADDITIONAL SECTION:
ns1.linode.com.      12921   IN   A   69.93.127.10
ns2.linode.com.      12921   IN   A   65.19.178.10
ns3.linode.com.      12915   IN   A   75.127.96.10
ns4.linode.com.      12915   IN   A   207.192.70.10
ns5.linode.com.      12915   IN   A   109.74.194.10

;; Query time: 1 msec
;; SERVER: 109.74.192.20#53(109.74.192.20)
;; WHEN: Sat May 28 11:37:20 2011
;; MSG SIZE  rcvd: 250


My /etc/resolv.conf:

Code:
# Generated by dhcpcd for interface eth0
search members.linode.com
nameserver 109.74.192.20
nameserver 109.74.193.20
nameserver 109.74.194.20


I'm in the London data center.

Thanks! :)


 Post subject:
PostPosted: Sat May 28, 2011 5:56 am 
Senior Member

Joined: Sat May 03, 2008 4:01 pm
Posts: 569
Website: http://www.mattnordhoff.com/
OK, so your DNS setup is fine, but ufw is blocking it. Nice.

I don't have much else to say to help debug it. It looks like ufw bug 713788 covers the same issue, with a comment summarizing everything I could say.



 Post subject:
PostPosted: Sat May 28, 2011 7:50 am 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
You probably have ufw blocking traffic going out; run
Code:
ufw default allow outgoing

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


 Post subject:
PostPosted: Sat May 28, 2011 8:46 am 
Senior Newbie

Joined: Sat May 28, 2011 4:37 am
Posts: 12
obs wrote:
You probably have ufw blocking traffic going out; run
Code:
ufw default allow outgoing


OK, stuff feels much more responsive now. APT still doesn't want to play with me though, when I run
Code:
sudo apt-get update

it will output

Code:
Err http://us.archive.ubuntu.com natty InRelease                            
 
Err http://security.ubuntu.com natty-security InRelease                     
 
Err http://us.archive.ubuntu.com natty-updates InRelease                   
 
Err http://security.ubuntu.com natty-security Release.gpg                   
  Temporary failure resolving 'security.ubuntu.com'
Err http://us.archive.ubuntu.com natty Release.gpg
  Temporary failure resolving 'us.archive.ubuntu.com'
Err http://us.archive.ubuntu.com natty-updates Release.gpg
  Temporary failure resolving 'us.archive.ubuntu.com'
Reading package lists... Done           
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty/InRelease 

W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty-updates/InRelease 

W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/natty-security/InRelease 

W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty/Release.gpg  Temporary failure resolving 'us.archive.ubuntu.com'

W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/natty-security/Release.gpg  Temporary failure resolving 'security.ubuntu.com'

W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty-updates/Release.gpg  Temporary failure resolving 'us.archive.ubuntu.com'

W: Some index files failed to download. They have been ignored, or old ones used instead.


Works fine when I disable ufw.

Verbose ufw status looks like this now:

Code:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere


 Post subject:
PostPosted: Sat May 28, 2011 8:54 am 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Odd. Try specifically allowing port 53 outgoing.



 Post subject:
PostPosted: Sat May 28, 2011 9:00 am 
Senior Newbie

Joined: Sat May 28, 2011 4:37 am
Posts: 12
No change, unfortunately.

Verbose status is now:

Code:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere

53/tcp                     ALLOW OUT   Anywhere


Still shows the "Temporary failure resolving ..." error.

Edit: tried adding 53/udp as well, didn't help :(


 Post subject:
PostPosted: Sat May 28, 2011 12:20 pm 
Senior Newbie

Joined: Sat May 28, 2011 4:37 am
Posts: 12
Looks like it's working now. Out of sheer frustration I've just removed the whole ufw package and installed it again.

Anyway, thanks for your help guys!


 Post subject:
PostPosted: Sat May 28, 2011 12:47 pm 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
You might want to investigate shorewall; it's a darn sight easier to get your head around once you know how the configuration files work. In my opinion it's less complicated than ufw (uncomplicated firewall).



 Post subject:
PostPosted: Sat May 28, 2011 2:38 pm 
Senior Newbie

Joined: Fri Apr 09, 2010 1:53 pm
Posts: 17
When I activated ufw it destroyed my iptables restore file. Man, I wish it would be always this uncomplicated to do such stuff. :wink:


 Post subject:
PostPosted: Sat May 28, 2011 2:55 pm 
Senior Member

Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
Well, I don't know if it's available in the distro... but I really like the ultrasimple firewall described here:

http://library.linode.com/security/fire ... an-5-lenny

One of the nice parts is that it has a custom rules file, so I could drop in that one "special" iptables line into it without hacking into rc.local. ;)

_________________
rsk, providing useless advice on the Internet since 2005.


 Post subject:
PostPosted: Sat May 28, 2011 3:28 pm 
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
Code:
# Allow loopback, or local clients talking to local daemons get rejected below
iptables -A INPUT -i lo -j ACCEPT
# Accept replies to connections this host opened (DNS answers, HTTP responses
# to apt, SSH session traffic); the original line was missing "-A INPUT"
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Services exposed to the world
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Everything else inbound is refused
iptables -A INPUT -j REJECT
# Outbound traffic is unrestricted
iptables -P OUTPUT ACCEPT


It's really not that hard to just use iptables itself, you know.

_________________
Code:
/* TODO: need to add signature to posts */


 Post subject:
PostPosted: Sat May 28, 2011 4:03 pm 
Senior Newbie

Joined: Sat May 28, 2011 4:37 am
Posts: 12
Well, turned out that ufw went back to its deny-all state after a reboot. So I've removed it and use shorewall instead now, which works great.

I know I could use iptables directly, but it's just way more convenient to use a frontend (yes, I am lazy).


 Post subject:
PostPosted: Sat May 28, 2011 6:02 pm 
Senior Member

Joined: Wed Oct 20, 2010 12:11 pm
Posts: 142
Quote:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


$10 says that was the issue.

Edit: not having it, that is.


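The bet above is about the RELATED,ESTABLISHED rule, and the whole thread turns on one distinction: the ALLOW IN rules for 22, 80 and 443 only cover connections that arrive at the server, while apt-get is a client whose DNS answers and HTTP responses come back to an ephemeral port that no ALLOW IN rule names. As an added example that is not from this thread and not ufw's or iptables' own code, here is a small Python model of such a host firewall: default-deny inbound, the three inbound allows from the thread, a configurable outbound default, and an optional state-tracking rule. It replays an apt-get update the way the client sees it (UDP/53 lookup of the mirror, then TCP/80 fetch) under the three configurations the thread went through. The port numbers for DNS and HTTP are real; the ephemeral source ports, the result strings and the simplified conntrack (a set of observed outbound flows) are assumptions for illustration.

```python
"""Toy stateful packet-filter model: why a default-deny host firewall breaks
outbound DNS and HTTP clients unless replies to the host's own connections are
let back in.  Constructed for illustration; not ufw or iptables code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving this host, "in" = arriving at this host
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass
class Firewall:
    default_in: str = "deny"
    default_out: str = "deny"
    allow_in: set = field(default_factory=set)    # {(proto, local port)}
    allow_out: set = field(default_factory=set)   # {(proto, remote port)}
    stateful: bool = False                        # RELATED,ESTABLISHED rule present?
    conntrack: set = field(default_factory=set)   # flows this host opened (assumed model)

    def filter(self, pkt: Packet) -> str:
        """Return "allow" or "deny" for one packet, updating flow state."""
        if pkt.direction == "out":
            verdict = "allow" if (pkt.proto, pkt.dst_port) in self.allow_out else self.default_out
            if verdict == "allow":
                # Remember the flow so the reply can be recognised as ESTABLISHED.
                self.conntrack.add((pkt.proto, pkt.src_port, pkt.dst_port))
            return verdict
        # Inbound: a reply to a flow we opened is accepted only with the state rule.
        if self.stateful and (pkt.proto, pkt.dst_port, pkt.src_port) in self.conntrack:
            return "allow"
        # Otherwise only explicitly exposed services (the ALLOW IN rules) get through.
        if (pkt.proto, pkt.dst_port) in self.allow_in:
            return "allow"
        return self.default_in


def client_exchange(fw: Firewall, proto: str, server_port: int, ephemeral: int = 40123) -> str:
    """One request from an ephemeral local port and the server's reply to it."""
    if fw.filter(Packet("out", proto, ephemeral, server_port)) != "allow":
        return "request blocked"
    if fw.filter(Packet("in", proto, server_port, ephemeral)) != "allow":
        return "reply blocked"
    return "ok"


def apt_get_update(fw: Firewall) -> str:
    """Resolve the mirror over UDP/53, then fetch the index over TCP/80."""
    dns = client_exchange(fw, "udp", 53)
    if dns != "ok":
        return "Temporary failure resolving (" + dns + ")"
    http = client_exchange(fw, "tcp", 80, ephemeral=40124)
    if http != "ok":
        return "Failed to fetch (" + http + ")"
    return "Reading package lists... Done"


# The three ALLOW IN rules from the thread's "ufw status verbose" output.
SERVICES_IN = {("tcp", 22), ("tcp", 80), ("tcp", 443)}


def scenario_deny_outgoing() -> str:
    """Outbound denied by default: the DNS query never leaves the host."""
    return apt_get_update(Firewall(allow_in=set(SERVICES_IN)))


def scenario_allow_outgoing_no_state() -> str:
    """Outbound allowed, but no RELATED,ESTABLISHED rule: the answer is dropped
    on the way back, because it is addressed to an ephemeral port, not 53."""
    return apt_get_update(Firewall(default_out="allow", allow_in=set(SERVICES_IN)))


def scenario_allow_outgoing_stateful() -> str:
    """Outbound allowed plus the state rule: the client-side exchange completes."""
    return apt_get_update(Firewall(default_out="allow", allow_in=set(SERVICES_IN), stateful=True))


if __name__ == "__main__":
    for name, run in (("deny outgoing", scenario_deny_outgoing),
                      ("allow outgoing, no state rule", scenario_allow_outgoing_no_state),
                      ("allow outgoing, stateful", scenario_allow_outgoing_stateful)):
        print(f"{name:32s} -> {run()}")
```

The second scenario is the one the bet refers to: adding "53/tcp ALLOW OUT" or "53/udp ALLOW OUT" changes nothing in this model either, because the outbound side was already open; the packet that dies is the reply, and only the state rule (or an inbound allow for every ephemeral port, which nobody should write) lets it in. Unsolicited inbound traffic to 22, 80 and 443 is unaffected by the state rule in all three cases.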