Iptables service stopped after restart VPC HestiaCP Version 1.4.1

I installed the update to HestiaCP 1.4.1 on my VPC server. Everything is OK except the iptables service. When I restart the VPC, the iptables service is stopped and I need to start it manually by clicking the start or restart button in the panel. It also starts with this command: “/usr/local/hestia/bin/v-update-firewall”.

How do I solve this problem (the iptables service should start automatically after a reboot of the VPC)?

On the command line:

rm /usr/lib/networkd-dispatcher/routable.d/50-ifup-hooks
v-stop-firewall 

And then a reboot

There is a bug in 1.4.1 and we will release a new version with the fix soon.


For what reason does iptables take down apache2 and nginx on reboot if iptables autostarts?

The file /usr/lib/networkd-dispatcher/routable.d/50-ifup-hooks has to be removed before running v-stop-firewall

To restart the firewall run v-update-firewall after reboot.

PS: The previous comment was missing the rm command.

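A scripted form of the workaround eris gave in the two posts above, in the order that matters: remove the stale 50-ifup-hooks file first, then v-stop-firewall, then reboot and run v-update-firewall. This is an added example, not HestiaCP's own code. It assumes the paths named in this thread (the 10-hestia-iptables file name comes from a later post), and it lets the check functions be pointed at a scratch directory instead of / so the logic can be exercised without touching a live firewall; all function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of HestiaCP. Applies the 1.4.1 workaround from this
# thread in the order given: remove the stale 50-ifup-hooks file, then stop
# the firewall. ROOT lets the same functions be exercised against a scratch
# directory instead of the live filesystem.

HOOK_DIR_REL="usr/lib/networkd-dispatcher/routable.d"
STALE_HOOK="50-ifup-hooks"          # file named in the thread as the cause
HESTIA_HOOK="10-hestia-iptables"    # Hestia's own hook, per a later post

# remove_stale_hook ROOT -> prints "removed" or "absent"; returns 1 if rm fails
remove_stale_hook() {
    root="${1:-/}"
    hook="${root%/}/$HOOK_DIR_REL/$STALE_HOOK"
    if [ -e "$hook" ]; then
        rm -f -- "$hook" || return 1
        echo removed
    else
        echo absent
    fi
}

# hestia_hook_present ROOT -> true if Hestia's routable.d hook is still in place
hestia_hook_present() {
    root="${1:-/}"
    [ -e "${root%/}/$HOOK_DIR_REL/$HESTIA_HOOK" ]
}

# apply_workaround: the full sequence on the live system. v-stop-firewall is
# only invoked when its binary is present, i.e. on a real Hestia host.
apply_workaround() {
    remove_stale_hook / || return 1
    if hestia_hook_present /; then
        echo "kept $HESTIA_HOOK"
    else
        echo "note: $HESTIA_HOOK not found in /$HOOK_DIR_REL" >&2
    fi
    if [ -x /usr/local/hestia/bin/v-stop-firewall ]; then
        /usr/local/hestia/bin/v-stop-firewall
        echo "firewall stopped; reboot, then run v-update-firewall"
    fi
}

# Run the sequence only when explicitly asked, so sourcing this file is safe.
case "${1:-}" in
    --apply) apply_workaround ;;
esac
```

Run it as `sh fix-ifup-hook.sh --apply` (any file name), reboot, then `v-update-firewall`. The "removed"/"absent" output tells you whether the stale hook was actually there, which is worth knowing before you conclude the workaround applies to your host.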

Hello eris,

for your information:

Apache and Nginx don’t start either.

Best regards

Tom

I was helped by reinstalling iptables and removing all rules.

Hello glonin.kz,

I didn't use iptables with Hestia CP. I have got my own ruleset.

Best regards

Tom

Again, provide more information. I am not able to debug a server without any information / root access.

Hello eris,

it's a clean and fresh Debian 10.9 installation, 2 weeks old, with the Hestia script 1.3.5.

  1. Clean Debian installation with ssh
  2. apt update & apt upgrade
  3. HestiaCP script without iptables / firewall module
  4. Standard incoming ports 20,21,25,53 (TCP/UDP),110,143,220,443,587,993,995 + 2 non-standard-ports ssh/hestia +eth0

After the next Debian upgrade Apache and Nginx don't start. It's possible to start them by hand.

Best regards

Tom

Any error logs regarding Apache2 / Nginx?

2021/05/15 23:54:44 [crit] 5317#5317: *32 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 192.241.221.108, server: 10.255.255.248:443
2021/05/16 00:50:37 [warn] 694#694: “ssl_stapling” ignored, host not found in OCSP responder “r3.o.lencr.org” in the certificate “/home/admin/conf/web/domainname/ssl/domainname.pem”
2021/05/16 00:50:37 [emerg] 694#694: bind() to 10.255.255.248:80 failed (99: Cannot assign requested address)
2021/05/16 01:05:00 [warn] 681#681: “ssl_stapling” ignored, host not found in OCSP responder “r3.o.lencr.org” in the certificate “/home/admin/conf/web/domainname/ssl/domainname.pem”
2021/05/16 01:05:00 [emerg] 681#681: bind() to 10.255.255.248:80 failed (99: Cannot assign requested address)
2021/05/16 01:13:18 [crit] 13721#13721: *78 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 107.178.231.234, server: 10.255.255.248:443
2021/05/16 01:13:19 [crit] 13721#13721: *81 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 107.178.238.35, server: 10.255.255.248:443
2021/05/16 01:18:42 [crit] 13721#13721: *107 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 35.203.245.144, server: 10.255.255.248:443
2021/05/16 01:18:45 [crit] 13721#13721: *118 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 107.178.200.200, server: 10.255.255.248:443

Apache:

[Sun May 16 01:11:19.794162 2021] [ssl:warn] [pid 813:tid 140467802911872] AH01909: 10.255.255.248:443:0 server certificate does NOT include an ID which matches the server name
[Sun May 16 01:11:19.794390 2021] [mpm_event:notice] [pid 813:tid 140467802911872] AH00489: Apache/2.4.46 (Debian) mod_fcgid/2.3.9 OpenSSL/1.1.1d configured – resuming normal operations
[Sun May 16 01:11:19.794399 2021] [core:notice] [pid 813:tid 140467802911872] AH00094: Command line: ‘/usr/sbin/apache2’
[Sun May 16 01:11:20.056531 2021] [mpm_event:notice] [pid 813:tid 140467802911872] AH00493: SIGUSR1 received. Doing graceful restart
[Sun May 16 01:11:20.114853 2021] [ssl:warn] [pid 813:tid 140467802911872] AH01909: 10.255.255.248:443:0 server certificate does NOT include an ID which matches the server name
[Sun May 16 01:11:20.115200 2021] [mpm_event:notice] [pid 813:tid 140467802911872] AH00489: Apache/2.4.46 (Debian) mod_fcgid/2.3.9 OpenSSL/1.1.1d configured – resuming normal operations
[Sun May 16 01:11:20.115215 2021] [core:notice] [pid 813:tid 140467802911872] AH00094: Command line: ‘/usr/sbin/apache2’
[Sun May 16 01:11:20.258505 2021] [mpm_event:notice] [pid 813:tid 140467802911872] AH00493: SIGUSR1 received. Doing graceful restart
[Sun May 16 01:11:20.316835 2021] [ssl:warn] [pid 813:tid 140467802911872] AH01909: 10.255.255.248:443:0 server certificate does NOT include an ID which matches the server name
[Sun May 16 01:11:20.317105 2021] [mpm_event:notice] [pid 813:tid 140467802911872] AH00489: Apache/2.4.46 (Debian) mod_fcgid/2.3.9 OpenSSL/1.1.1d configured – resuming normal operations
[Sun May 16 01:11:20.317117 2021] [core:notice] [pid 813:tid 140467802911872] AH00094: Command line: ‘/usr/sbin/apache2’
[Sun May 16 01:12:30.557522 2021] [mpm_event:notice] [pid 813:tid 140467802911872] AH00493: SIGUSR1 received. Doing graceful restart
[Sun May 16 01:12:30.614001 2021] [ssl:warn] [pid 813:tid 140467802911872] AH01909: 10.255.255.248:443:0 server certificate does NOT include an ID which matches the server name
[Sun May 16 01:12:30.614236 2021] [mpm_event:notice] [pid 813:tid 140467802911872] AH00489: Apache/2.4.46 (Debian) mod_fcgid/2.3.9 OpenSSL/1.1.1d configured – resuming normal operations

From Stack Overflow:

So you need to tell your Linux to allow processes to bind to the non-local address. Just add the following line to the /etc/sysctl.conf file:

# allow processes to bind to the non-local address
# (necessary for apache/nginx in Amazon EC2)
net.ipv4.ip_nonlocal_bind = 1

and then reload your sysctl.conf by:

$ sysctl -p /etc/sysctl.conf

which will be fine on reboots.

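The bind() failure in the nginx log above means the address 10.255.255.248 is not assigned to the host at the moment nginx starts. ip_nonlocal_bind = 1 makes the bind succeed regardless, and it does so for every process on the machine, not just nginx; the narrower fix is to make sure the address in the listen directive actually exists on the host (or to listen on 0.0.0.0, or to order nginx after network-online.target if the address only arrives late in boot). The following check is an added example, not from this thread or from HestiaCP: it compares the IPv4 addresses in nginx listen directives with the addresses the host has and lists the ones that are not local. The nginx snippet and the ip addr output are constructed sample data; on a real host feed it the output of `nginx -T` and `ip -4 -o addr show`. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or HestiaCP: find nginx listen addresses
# that are not configured on the host. Such an address produces exactly the
# "bind() ... failed (99: Cannot assign requested address)" seen above, and
# ip_nonlocal_bind=1 only hides it.

# listen_ips CONF_TEXT -> IPv4 addresses from "listen A.B.C.D:port" lines, one per line, sorted
listen_ips() {
    printf '%s\n' "$1" | awk '
        $1 == "listen" {
            split($2, a, ":")
            if (a[1] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print a[1]
        }' | LC_ALL=C sort -u
}

# local_ips IP_ADDR_TEXT -> IPv4 addresses from "ip -4 -o addr show" output, sorted
local_ips() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "inet") { split($(i + 1), a, "/"); print a[1] } }' \
        | LC_ALL=C sort -u
}

# nonlocal_listen_ips CONF_TEXT IP_ADDR_TEXT -> listen addresses the host does not have
nonlocal_listen_ips() {
    locals=$(local_ips "$2")
    listen_ips "$1" | while IFS= read -r ip; do
        printf '%s\n' "$locals" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
    done
}

# nonlocal_bind_enabled -> true if the sysctl from the thread is currently on
nonlocal_bind_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_nonlocal_bind 2>/dev/null)" = "1" ]
}

# Constructed sample data: a vhost bound to 10.255.255.248 (the address in
# Tom's logs) on a host that only has 127.0.0.1 and 203.0.113.10.
SAMPLE_NGINX_CONF='server {
    listen 10.255.255.248:80;
    listen 10.255.255.248:443 ssl http2;
    server_name domainname;
}
server {
    listen 127.0.0.1:8080;
}'
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Report for the sample; on a live host use:
#   nonlocal_listen_ips "$(nginx -T 2>/dev/null)" "$(ip -4 -o addr show)"
for ip in $(nonlocal_listen_ips "$SAMPLE_NGINX_CONF" "$SAMPLE_IP_ADDR"); do
    echo "listen address $ip is not assigned to this host"
done
if nonlocal_bind_enabled; then
    echo "ip_nonlocal_bind is on: binds to such addresses will succeed anyway"
fi
```

If the check lists an address that your provider does route to you (a NAT or floating address that is never configured on the interface), ip_nonlocal_bind is the documented way to let a daemon bind to it; if it lists an address that simply arrives later in boot, fix the ordering or the listen directive instead of opening the sysctl for the whole host.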

Hello eris,

I will try it. Thanks for your support.

root@mx40:~# sysctl -p /etc/sysctl.conf
net.ipv4.ip_nonlocal_bind = 1
root@mx40:~#

Best regards and good night

Tom

Hello eris,

it works after reboot.

Best regards

Tom

I have the same problem as the original poster: iptables is disabled after reboot. I will wait for the fix to be applied, but what I realized in the meantime is that if I enable iptables from the administration panel, I cannot update my system:

sudo apt-get update

Err:1 mirror - MvA focal InRelease
Temporary failure resolving ‘mirror.mva-n.net’
Err:2 MongoDB Repositories bionic/mongodb-org/4.0 InRelease
Temporary failure resolving ‘repo.mongodb.org’
Err:3 Index of /packages/mainline/ubuntu/ focal InRelease
Temporary failure resolving ‘nginx.org’
Err:4 https://repos.insights.digitalocean.com/apt/do-agent main InRelease
Temporary failure resolving ‘repos.insights.digitalocean.com’
Err:5 https://apt.hestiacp.com focal InRelease
Temporary failure resolving ‘apt.hestiacp.com’
Err:6 https://deb.nodesource.com/node_14.x focal InRelease
Temporary failure resolving ‘deb.nodesource.com’
Err:7 Index of /ondrej/php/ubuntu focal InRelease
Temporary failure resolving ‘ppa.launchpad.net’
Err:8 Index of /ubuntu/ focal InRelease
Temporary failure resolving ‘mirrors.digitalocean.com’
Err:9 Index of /ubuntu focal-security InRelease
Temporary failure resolving ‘security.ubuntu.com’
Err:10 Index of /ubuntu/ focal-updates InRelease
Temporary failure resolving ‘mirrors.digitalocean.com’
Err:11 Index of /ubuntu/ focal-backports InRelease
Temporary failure resolving ‘mirrors.digitalocean.com’
Reading package lists… Done
W: Failed to fetch http://mirrors.digitalocean.com/ubuntu/dists/focal/InRelease Temporary failure resolving ‘mirrors.digitalocean.com’
W: Failed to fetch http://mirrors.digitalocean.com/ubuntu/dists/focal-updates/InRelease Temporary failure resolving ‘mirrors.digitalocean.com’
W: Failed to fetch http://mirrors.digitalocean.com/ubuntu/dists/focal-backports/InRelease Temporary failure resolving ‘mirrors.digitalocean.com’
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/focal-security/InRelease Temporary failure resolving ‘security.ubuntu.com’
W: Failed to fetch https://repos.insights.digitalocean.com/apt/do-agent/dists/main/InRelease Temporary failure resolving ‘repos.insights.digitalocean.com’
W: Failed to fetch https://apt.hestiacp.com/dists/focal/InRelease Temporary failure resolving ‘apt.hestiacp.com’
W: Failed to fetch https://mirror.mva-n.net/mariadb/repo/10.5/ubuntu/dists/focal/InRelease Temporary failure resolving ‘mirror.mva-n.net’
W: Failed to fetch https://repo.mongodb.org/apt/ubuntu/dists/bionic/mongodb-org/4.0/InRelease Temporary failure resolving ‘repo.mongodb.org’
W: Failed to fetch https://nginx.org/packages/mainline/ubuntu/dists/focal/InRelease Temporary failure resolving ‘nginx.org’
W: Failed to fetch https://deb.nodesource.com/node_14.x/dists/focal/InRelease Temporary failure resolving ‘deb.nodesource.com’
W: Failed to fetch http://ppa.launchpad.net/ondrej/php/ubuntu/dists/focal/InRelease Temporary failure resolving ‘ppa.launchpad.net’
W: Some index files failed to download. They have been ignored, or old ones used instead.

When iptables is disabled, i can update system.

We will soon release a bug fix for the issue.

Cool. Just wanted to give additional info. Server is almost empty (it’s new) so no harm done on my part.
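“Temporary failure resolving” while the firewall is on, and a working apt while it is off, means DNS traffic is being dropped by the ruleset: either the query cannot leave (OUTPUT chain) or the reply cannot come back (INPUT chain with a DROP policy and no ESTABLISHED/RELATED accept). The check below is an added example, not the bug fix eris refers to and not HestiaCP code: it reads an iptables-save dump and reports which of those two conditions holds. The two dumps are constructed samples, one that drops DNS replies and one that does not; on the affected host run it against the real output of iptables-save while the firewall is enabled. Function names are this example's own, and the assumption that the firewall itself (rather than, say, a resolver misconfiguration) is the cause is exactly what the check is there to confirm or rule out.

```shell
#!/bin/sh
# Added example, not HestiaCP code: given iptables-save output, report rules
# that would break DNS resolution the way the apt output above shows.

# filter_table DUMP -> the *filter section of an iptables-save dump (or the
# whole text if no table header is present)
filter_table() {
    out=$(printf '%s\n' "$1" | awk '/^\*filter/ { f = 1 } f { print } /^COMMIT/ { f = 0 }')
    [ -n "$out" ] && printf '%s\n' "$out" || printf '%s\n' "$1"
}

# dns_path_problems DUMP -> one line per problem found; prints nothing if DNS should work
dns_path_problems() {
    rules=$(filter_table "$1")
    # Replies: a DROP policy on INPUT needs a conntrack/state ESTABLISHED accept
    # (or an explicit accept for UDP from source port 53).
    if printf '%s\n' "$rules" | grep -q '^:INPUT DROP'; then
        printf '%s\n' "$rules" | grep -Eq '^-A INPUT .*(--state|--ctstate) [A-Z,]*ESTABLISHED.* -j ACCEPT' \
        || printf '%s\n' "$rules" | grep -Eq '^-A INPUT .*-p udp .*--sport 53 .*-j ACCEPT' \
        || echo "INPUT policy DROP and no rule accepts ESTABLISHED traffic or UDP replies from port 53"
    fi
    # Queries: a DROP policy on OUTPUT needs an accept for destination port 53
    # (or a catch-all accept).
    if printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP'; then
        printf '%s\n' "$rules" | grep -Eq '^-A OUTPUT .*--dport 53 .*-j ACCEPT' \
        || printf '%s\n' "$rules" | grep -Eq '^-A OUTPUT -j ACCEPT$' \
        || echo "OUTPUT policy DROP and no rule accepts queries to port 53"
    fi
}

# Constructed sample: the web and ssh ports are open but nothing lets the
# DNS answers back in, so every resolver lookup times out.
SAMPLE_DROPS_REPLIES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Constructed sample: same ruleset with the usual stateful accept in front.
SAMPLE_OK='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Run against the samples; on the affected host: dns_path_problems "$(iptables-save)"
for dump in "$SAMPLE_DROPS_REPLIES" "$SAMPLE_OK"; do
    problems=$(dns_path_problems "$dump")
    [ -n "$problems" ] && echo "$problems" || echo "no DNS-blocking rule found"
done
```

If the check prints nothing on the affected host, the firewall is not the reason for the resolution failure and the resolver itself (/etc/resolv.conf, systemd-resolved) is the next place to look.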

I hope it is OK to reply to this (older) thread, but my issue is identical to the OP's (iptables shows as stopped in the Web UI; I can start it from the UI, but after a reboot of the server it's stopped again).

In my case I have a fresh install of Hestia v1.4.3 on Ubuntu 20.04 in an OpenVZ VPS that is having the issue. The thing is, this installation does not have the directories mentioned:

/usr/lib/networkd-dispatcher/
nor
/usr/lib/networkd-dispatcher/routable.d

I tried creating these directories and copying the file 10-hestia-iptables I found on another installation (a KVM VM, if that matters). I also changed the contents of the 10-hestia-iptables file from
if [ "$IFACE" = "eth0" ]
to
if [ "$IFACE" = "venet0" ]
to match the name of the interface, and also the line
[ -x "/usr/sbin/ipset" ]
to
[ -x "/sbin/ipset" ]
to match the location of the ipset executable.

Please note that I can temporarily start iptables, either from the UI or by running the command v-update-firewall.

Unfortunately, I had no luck correcting the issue. Does anyone have any other ideas I can try?

Can you check where the ifup folder is located?
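The OpenVZ post above edits the interface name and the ipset path by hand because the hook it copied hard-codes both. The following is an added example, not HestiaCP's 10-hestia-iptables: a routable.d hook with the same purpose that derives the interface from the default route and finds ipset with command -v, so it works unchanged on KVM (eth0) and OpenVZ (venet0). It assumes that v-update-firewall is the right command to restore the rules (this thread uses it for exactly that) and that the file is installed executable under /usr/lib/networkd-dispatcher/routable.d/; the route-parsing lines are constructed samples and the function names are this example's own. One caveat before relying on it on OpenVZ: networkd-dispatcher fires these hooks only for links that systemd-networkd manages, so if `networkctl list` shows venet0 as unmanaged (configured by ifupdown or by the host), nothing ever calls the hook whatever its contents, and the rules have to be restored another way, for instance a systemd unit that runs v-update-firewall after network-online.target.

```shell
#!/bin/sh
# Added example, not HestiaCP's 10-hestia-iptables: a networkd-dispatcher
# routable.d hook that does not hard-code "eth0" or /usr/sbin/ipset. It acts
# for the interface that carries the default route and locates ipset with
# command -v, so the same file works on KVM (eth0) and OpenVZ (venet0).

# default_iface ROUTE_TEXT -> the "dev" of the default route in
# "ip -4 route show default" output ("default via 1.2.3.4 dev eth0 ..." on
# KVM, "default dev venet0 scope link" on OpenVZ); empty if there is none
default_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# hook_should_run IFACE ROUTE_TEXT -> true when IFACE is the default-route interface
hook_should_run() {
    [ -n "$1" ] && [ "$1" = "$(default_iface "$2")" ]
}

# ipset_bin -> path of ipset wherever the distribution put it; fails if missing
ipset_bin() {
    command -v ipset 2>/dev/null || {
        for p in /usr/sbin/ipset /sbin/ipset; do
            [ -x "$p" ] && { echo "$p"; return 0; }
        done
        return 1
    }
}

# hook_main: what networkd-dispatcher executes; it sets IFACE in the environment.
# Assumption: the rules are restored by v-update-firewall, the command this
# thread uses to bring iptables back after boot.
hook_main() {
    routes=$(ip -4 route show default 2>/dev/null)
    hook_should_run "$IFACE" "$routes" || exit 0
    ipset_bin >/dev/null || logger -t hestia-iptables "ipset not found; ipset-based rules will fail"
    if [ -x /usr/local/hestia/bin/v-update-firewall ]; then
        exec /usr/local/hestia/bin/v-update-firewall
    fi
}

# Only act when invoked by the dispatcher (IFACE in the environment), so the
# functions above can be sourced and tested without touching the firewall.
if [ -n "${IFACE:-}" ]; then
    hook_main
fi
```

Install it as root-owned and executable (chmod 0755) in /usr/lib/networkd-dispatcher/routable.d/, then confirm the dispatcher actually sees the link with `networkctl list` before expecting it to fire after a reboot.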