Iptables service stopped after restart VPC HestiaCP Version 1.4.1

I install update version HestiaCP 1.4.1 on VPC Server. All everything is ok except iptables service. When i restart vpc then iptables service stopped then need to start manually by click start or restart button from panel. Also start by this command “/usr/local/hestia/bin/v-update-firewall”

How to solved this problem “iptables service automatic start after reboot vpc”?

1 Like

In command line:

rm /usr/lib/networkd-dispatcher/routable.d/50-ifup-hooks
v-stop-firewall 

And then a reboot

There is an bug in 1.4.1 and we will release a new version with the fix soon.

1 Like

For what reason iptables lays down apache2 and nginx on reboot if iptables autostart?

The file /usr/lib/networkd-dispatcher/routable.d/50-ifup-hooks has to be removed before running v-stop-firewall

To restart the firewall run v-update-firewall after reboot.

PS: Previous comment was missing the rm cmd

2 Likes

Hello eris,

for your information:

Apache and Nginx don’t start either.

Beste regards

Tom

I was helped by reinstalling iptables removing all rules

Hello glonin.kz,

I didn´t use iptables with Hestia CP. I have got my own ruleset.

Best regards

Tom

Again provide more information. I am not able to debug a server without any information / root access.

Hello eris,

it´s a clean and fresh Debian 10.9 installation. 2 weeks old with the Hestia-script 1.3.5.

  1. Clean Debian installation with ssh
  2. apt update & apt upgrade
  3. HestiaCP script without iptables / firewall-modul
  4. Standard incoming ports 20,21,25,53 (TCP/UDP),110,143,220,443,587,993,995 + 2 non-standard-ports ssh/hestia +eth0

After the next Debian-upgrade APACHE and NGINX doesn´t start. It´s possible to start it by hand.

Best regards

Tom

Any error logs regarding Apache2 / Nginx?

2021/05/15 23:54:44 [crit] 5317#5317: *32 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 192.241.221.108, server: 10.255.255.248:443
2021/05/16 00:50:37 [warn] 694#694: “ssl_stapling” ignored, host not found in OCSP responder “r3.o.lencr.org” in the certificate “/home/admin/conf/web/domainname/ssl/domainname.pem”
2021/05/16 00:50:37 [emerg] 694#694: bind() to 10.255.255.248:80 failed (99: Cannot assign requested address)
2021/05/16 01:05:00 [warn] 681#681: “ssl_stapling” ignored, host not found in OCSP responder “r3.o.lencr.org” in the certificate “/home/admin/conf/web/domainname/ssl/domainname.pem”
2021/05/16 01:05:00 [emerg] 681#681: bind() to 10.255.255.248:80 failed (99: Cannot assign requested address)
2021/05/16 01:13:18 [crit] 13721#13721: *78 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 107.178.231.234, server: 10.255.255.248:443
2021/05/16 01:13:19 [crit] 13721#13721: *81 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 107.178.238.35, server: 10.255.255.248:443
2021/05/16 01:18:42 [crit] 13721#13721: *107 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 35.203.245.144, server: 10.255.255.248:443
2021/05/16 01:18:45 [crit] 13721#13721: *118 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 107.178.200.200, server: 10.255.255.248:443

Apache:

[Sun May 16 01:11:19.794162 2021] [ssl:warn] [pid 813:tid 140467802911872] AH01909: 10.255.255.248:443:0 server certificate does NOT include an ID which matches the server name
[Sun May 16 01:11:19.794390 2021] [mpm_event:notice] [pid 813:tid 140467802911872] AH00489: Apache/2.4.46 (Debian) mod_fcgid/2.3.9 OpenSSL/1.1.1d configured – resuming normal operations
[Sun May 16 01:11:19.794399 2021] [core:notice] [pid 813:tid 140467802911872] AH00094: Command line: ‘/usr/sbin/apache2’
[Sun May 16 01:11:20.056531 2021] [mpm_event:notice] [pid 813:tid 140467802911872] AH00493: SIGUSR1 received. Doing graceful restart
[Sun May 16 01:11:20.114853 2021] [ssl:warn] [pid 813:tid 140467802911872] AH01909: 10.255.255.248:443:0 server certificate does NOT include an ID which matches the server name
[Sun May 16 01:11:20.115200 2021] [mpm_event:notice] [pid 813:tid 140467802911872] AH00489: Apache/2.4.46 (Debian) mod_fcgid/2.3.9 OpenSSL/1.1.1d configured – resuming normal operations
[Sun May 16 01:11:20.115215 2021] [core:notice] [pid 813:tid 140467802911872] AH00094: Command line: ‘/usr/sbin/apache2’
[Sun May 16 01:11:20.258505 2021] [mpm_event:notice] [pid 813:tid 140467802911872] AH00493: SIGUSR1 received. Doing graceful restart
[Sun May 16 01:11:20.316835 2021] [ssl:warn] [pid 813:tid 140467802911872] AH01909: 10.255.255.248:443:0 server certificate does NOT include an ID which matches the server name
[Sun May 16 01:11:20.317105 2021] [mpm_event:notice] [pid 813:tid 140467802911872] AH00489: Apache/2.4.46 (Debian) mod_fcgid/2.3.9 OpenSSL/1.1.1d configured – resuming normal operations
[Sun May 16 01:11:20.317117 2021] [core:notice] [pid 813:tid 140467802911872] AH00094: Command line: ‘/usr/sbin/apache2’
[Sun May 16 01:12:30.557522 2021] [mpm_event:notice] [pid 813:tid 140467802911872] AH00493: SIGUSR1 received. Doing graceful restart
[Sun May 16 01:12:30.614001 2021] [ssl:warn] [pid 813:tid 140467802911872] AH01909: 10.255.255.248:443:0 server certificate does NOT include an ID which matches the server name
[Sun May 16 01:12:30.614236 2021] [mpm_event:notice] [pid 813:tid 140467802911872] AH00489: Apache/2.4.46 (Debian) mod_fcgid/2.3.9 OpenSSL/1.1.1d configured – resuming normal operations

From stack overflow:

So you need to tell your linux to allow processes to bind to the non-local address. Just add the following line into /etc/sysctl.conf file:

# allow processes to bind to the non-local address
# (necessary for apache/nginx in Amazon EC2)
net.ipv4.ip_nonlocal_bind = 1

and then reload your sysctl.conf by:

$ sysctl -p /etc/sysctl.conf

which will be fine on reboots.

Share

Improve this answer

Follow

Hello eris,

I will try it. Thanx for your support.

[email protected]:~# sysctl -p /etc/sysctl.conf
net.ipv4.ip_nonlocal_bind = 1
[email protected]:~#

Best regards and good night

Tom

Hello eris,

it works after reboot.

Best regards

Tom

I have same problem as original poster. Iptables being disabled after reboot. I will wait for fix to be applied, but what i realized in meantime is that if i enable iptables from administration, i can not update my system:

sudo apt-get update

Err:1 https://mirror.mva-n.net/mariadb/repo/10.5/ubuntu focal InRelease
Temporary failure resolving ‘mirror.mva-n.net
Err:2 https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 InRelease
Temporary failure resolving ‘repo.mongodb.org
Err:3 https://nginx.org/packages/mainline/ubuntu focal InRelease
Temporary failure resolving ‘nginx.org
Err:4 https://repos.insights.digitalocean.com/apt/do-agent main InRelease
Temporary failure resolving ‘repos.insights.digitalocean.com
Err:5 https://apt.hestiacp.com focal InRelease
Temporary failure resolving ‘apt.hestiacp.com
Err:6 https://deb.nodesource.com/node_14.x focal InRelease
Temporary failure resolving ‘deb.nodesource.com
Err:7 http://ppa.launchpad.net/ondrej/php/ubuntu focal InRelease
Temporary failure resolving ‘ppa.launchpad.net
Err:8 http://mirrors.digitalocean.com/ubuntu focal InRelease
Temporary failure resolving ‘mirrors.digitalocean.com
Err:9 http://security.ubuntu.com/ubuntu focal-security InRelease
Temporary failure resolving ‘security.ubuntu.com
Err:10 http://mirrors.digitalocean.com/ubuntu focal-updates InRelease
Temporary failure resolving ‘mirrors.digitalocean.com
Err:11 http://mirrors.digitalocean.com/ubuntu focal-backports InRelease
Temporary failure resolving ‘mirrors.digitalocean.com
Reading package lists… Done
W: Failed to fetch http://mirrors.digitalocean.com/ubuntu/dists/focal/InRelease Temporary failure resolving ‘mirrors.digitalocean.com
W: Failed to fetch http://mirrors.digitalocean.com/ubuntu/dists/focal-updates/InRelease Temporary failure resolving ‘mirrors.digitalocean.com
W: Failed to fetch http://mirrors.digitalocean.com/ubuntu/dists/focal-backports/InRelease Temporary failure resolving ‘mirrors.digitalocean.com
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/focal-security/InRelease Temporary failure resolving ‘security.ubuntu.com
W: Failed to fetch https://repos.insights.digitalocean.com/apt/do-agent/dists/main/InRelease Temporary failure resolving ‘repos.insights.digitalocean.com
W: Failed to fetch https://apt.hestiacp.com/dists/focal/InRelease Temporary failure resolving ‘apt.hestiacp.com
W: Failed to fetch https://mirror.mva-n.net/mariadb/repo/10.5/ubuntu/dists/focal/InRelease Temporary failure resolving ‘mirror.mva-n.net
W: Failed to fetch https://repo.mongodb.org/apt/ubuntu/dists/bionic/mongodb-org/4.0/InRelease Temporary failure resolving ‘repo.mongodb.org
W: Failed to fetch https://nginx.org/packages/mainline/ubuntu/dists/focal/InRelease Temporary failure resolving ‘nginx.org
W: Failed to fetch https://deb.nodesource.com/node_14.x/dists/focal/InRelease Temporary failure resolving ‘deb.nodesource.com
W: Failed to fetch http://ppa.launchpad.net/ondrej/php/ubuntu/dists/focal/InRelease Temporary failure resolving ‘ppa.launchpad.net
W: Some index files failed to download. They have been ignored, or old ones used instead.

When iptables is disabled, i can update system.

We will soon fix an bug fix for the issue…

Cool. Just wanted to give additional info. Server is almost empty (it’s new) so no harm done on my part.

I hope it is OK to reply to this (older) thread, but my issue is identical with the OP (iptables seems stopped in Web UI - I can start it from UI but after a reboot of the server it’s stopped again).

In my case, I have a fresh install of Hestia v1.4.3, on Ubuntu 20.04, in an OpenVZ VPS, that is having the issue. The thing is, this installation does not have the directories mentioned:

/usr/lib/networkd-dispatcher/
nor
/usr/lib/networkd-dispatcher/routable.d.

I tried creating these directories and copying the file 10-hestia-iptables I found on another installation (a KVM VM if that matters). I also changed the contents of the 10-hestia-iptables file from:
if [ "$IFACE" = "eth0" ] to if [ "$IFACE" = "venet0" ] to match the name of the interface and also the line:
[ -x "/usr/sbin/ipset" ] to [ -x "/sbin/ipset" ] to match the location of the ipset executable.

Please note that I can temporarily start iptables, either from the UI or by running the command v-update-firewall

Unfortunately, I had no luck correcting the issue. Does anyone have any other ideas I can try?

Can you check where the ifup folder is located?