No internet after Hestia installation

Hello!

I have an issue with the fresh Hestia installation.
No site is resolved after the Hestia installation.
I tried to reinstall the OS without luck.

Everything worked before installation.
But after that, there is no ping, no resolve.
I cannot install anything else.

I tried with fresh Ubuntu 22.04 and Ubuntu 20.04.

Uh, are you using a ‘Desktop’ version of Ubuntu?

Can you talk about what you mean by ‘reinstall the OS’? Did you format the disk and start from scratch?

What do you mean by ‘I cannot install anything else’? You can’t install ‘other software’? Or you’re forced to use Ubuntu?

I use Debian, for the record, I’ve found it to be MUCH faster than Ubuntu.
My ONLY complaint is that I wish that Debian made a dedicated ‘Server’ release. I don’t care for the ‘netboot’ as much.

As @aaronkempf asked, if you do use the DE version, please don’t. Installing a DE on a web hosting server is less secure and not good for performance. Give us more information about your interface and DNS. I think Ubuntu uses netplan these days.

Oh I fully agree. I just don’t know what else they mean by ‘i can’t install any software’.

The “installing software” is probably related to the internet connection issue.

Hello guys!
Thank you all for your replies.

So, a little bit more information:

  1. It’s a virtual dedicated server
  2. In the control panel I can install an operating system. There are a few options: Debian 10 or 11, Ubuntu 22.04 or 20.04
  3. I tried Debian 11 and all the Ubuntu versions. I guess it’s not a desktop version. I access it via SSH.

On Debian I have an issue with the FTP jail and Hestia doesn’t install.
On Ubuntu everything works but after I install Ubuntu, I cannot install anything else because of the issue with the internet connection:

  1. Ping just hangs; this is what I have:

root@p756589:~# ping google.com

ping: google.com: Temporary failure in name resolution

  2. DNS resolving doesn’t work (even apt-get update fails)

Overall it looks like my system doesn’t have internet access anymore.
But at the same time, I have no issues with connection via SSH. And Hestia itself works.

Thank you all for your time and help!

What happens if you ping 8.8.8.8? Check that your /etc/resolv.conf has a proper DNS server.

ping 8.8.8.8 works normally

Here’s my resolv.conf:

nameserver 127.0.0.53
options edns0 trust-ad
search .

It looks strange and it’s being replaced after rebooting the system.
Where should I edit it?

UPDATE:

I tried to edit resolv.conf and tried other solutions found on the internet (including deleting resolv.conf and recreating it). But they didn’t work.
It looks like Hestia installed something which blocks internet access.
I tried several times with a fresh OS installation: everything works before the installation and there is no internet after.
But the server is accessible at the same time (via SSH / web interface etc).

The same thing happened to me today after restarting the server. It may be a bug in the last update, but it didn’t take effect until the restart.

Solution: After deleting a user account, nginx stopped restarting - #11 by sahsanu

As you can ping 8.8.8.8, your server can connect to the “internet”, so it seems the problem is not the connection but the DNS resolution.

A couple of options.

Option 1

Try to add new name servers to systemd-resolved:

sudo su -
mkdir -p /etc/systemd/resolved.conf.d
echo -e "[Resolve]\nDNS=76.76.2.0 76.76.10.0\nDomains=~." > /etc/systemd/resolved.conf.d/override.conf
systemctl restart systemd-resolved
dig hestiacp.com +short

Option 2

Disable systemd-resolved and manually add the name servers.

sudo su -
systemctl disable systemd-resolved
systemctl stop systemd-resolved
echo -e "nameserver 76.76.2.0\nnameserver 76.76.10.0" > /etc/resolv.conf.deepslam
ln -sf /etc/resolv.conf.deepslam /etc/resolv.conf
dig hestiacp.com +short

Hello!

Thank you for your solutions but it seems they didn’t help me (((

Here’s what I saw after the first solution:

root@p726589:~# mkdir -p /etc/systemd/resolved.conf.d
root@p726589:~# echo -e "[Resolve]\nDNS=76.76.2.0 76.76.10.0\nDomains=~." > /etc/systemd/resolved.conf.d/override.conf
root@p726589:~# systemctl restart systemd-resolved
Failed to restart systemd-resolved.service: Transaction for systemd-resolved.service/restart is destructive (shutdown.target has 'start' job queued, but 'stop' is included in transaction).
See system logs and 'systemctl status systemd-resolved.service' for details.
root@p726589:~# Read from remote host x.x.x.x: Operation timed out
Connection to x.x.x.x closed.
client_loop: send disconnect: Broken pipe

After that the connection was terminated and I had to restart the server in the control panel.

And here’s solution #2:

root@p726589:~systemctl disable systemd-resolveded
Removed /etc/systemd/system/multi-user.target.wants/systemd-resolved.service.
Removed /etc/systemd/system/dbus-org.freedesktop.resolve1.service.
root@p726589:~# systemctl stop systemd-resolved
root@p726589:~# echo -e "nameserver 76.76.2.0\nnameserver 76.76.10.0" > /etc/resolv.conf.deepslam
root@p726589:~# ln -sf /etc/resolv.conf.deepslam /etc/resolv.conf
root@p756589:~# dig hestiacp.com +short
;; communications error to 76.76.2.0#53: timed out
;; communications error to 76.76.2.0#53: timed out
^Croot@p726589:~# ping google.com
ping: google.com: Temporary failure in name resolution

Thank you so much for your help and your patience!

Is it a firewall maybe?

UPDATE:

Yep!
That’s a firewall.
I found a command:

v-stop-firewall

And after that ping and everything else works as expected!
But I’d be glad if anyone could help me with the correct firewall settings.
As far as I understood, Hestia uses iptables and I have to open ports 43 and 53, right?

Hestia doesn’t add firewall rules that block outbound connections by default.

Did you check whether ufw (Ubuntu Firewall) is enabled?

ufw status

You need to learn how to manage your OS. Disabling the firewall is not a solution and for sure not good for security. Without a firewall, fail2ban will not work either.


There wasn’t ufw, only iptables.
I think I’m going to install and set it up 🙂

If ufw is not installed, don’t install it.

You should show the output of these commands to know what’s going on when you can’t resolve domains:

iptables -S
iptables -t nat -S
v-list-firewall

Here’s my output:

root@p726589:~# iptables -S
# Warning: iptables-legacy tables present, use iptables-legacy to see them
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-FTP
-N fail2ban-HESTIA
-N fail2ban-MAIL
-N fail2ban-RECIDIVE
-N fail2ban-SSH
-N fail2ban-WEB
-N hestia
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-WEB
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-HESTIA
-A INPUT -p tcp -m multiport --dports 25,465,587,110,995,143,993 -j fail2ban-MAIL
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-FTP
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 1:65535 -j fail2ban-RECIDIVE
-A INPUT -s 93.182.224.85/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,12000:12100 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A fail2ban-FTP -j RETURN
-A fail2ban-HESTIA -j RETURN
-A fail2ban-MAIL -j RETURN
-A fail2ban-RECIDIVE -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-WEB -j RETURN
root@p726589:~# iptables -t nat -S
# Warning: iptables-legacy tables present, use iptables-legacy to see them
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
root@p726589:~# v-list-firewall
RULE  ACTION  PROTO  PORT            IP         SPND  DATE
----  ------  -----  ----            --         ----  ----
1     ACCEPT  ICMP   0               0.0.0.0/0  no    2014-09-16
2     ACCEPT  TCP    8083            0.0.0.0/0  no    2014-05-25
3     ACCEPT  TCP    143,993         0.0.0.0/0  no    2014-05-25
4     ACCEPT  TCP    110,995         0.0.0.0/0  no    2014-05-25
5     ACCEPT  TCP    25,465,587      0.0.0.0/0  no    2018-11-07
6     ACCEPT  TCP    53              0.0.0.0/0  no    2014-05-25
7     ACCEPT  UDP    53              0.0.0.0/0  no    2014-05-25
8     ACCEPT  TCP    21,12000-12100  0.0.0.0/0  no    2014-05-25
9     ACCEPT  TCP    80,443          0.0.0.0/0  no    2014-09-24
10    ACCEPT  TCP    22              0.0.0.0/0  no    2014-09-16

Seems your system is using nftables instead of iptables:

lsb_release -a 2>/dev/null
update-alternatives --query iptables
iptables-legacy -S

Oh, thank you again for your time.
But it didn’t help either.
I’m also trying to google for help and figure out the answer.
Here’s what I see with these commands:

root@p726589:~/tmp# lsb_release -a 2>/dev/null
update-alternatives --query iptables
iptables-legacy -S
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.5 LTS
Release:	22.04
Codename:	jammy
Name: iptables
Link: /usr/sbin/iptables
Slaves:
 iptables-restore /usr/sbin/iptables-restore
 iptables-save /usr/sbin/iptables-save
Status: auto
Best: /usr/sbin/iptables-nft
Value: /usr/sbin/iptables-nft

Alternative: /usr/sbin/iptables-nft
Priority: 20
Slaves:
 iptables-restore /usr/sbin/iptables-nft-restore
 iptables-save /usr/sbin/iptables-nft-save
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

The commands weren’t meant to fix it, just to get more information. 😉

Well, checking the rules, there is a missing rule (a critical one):

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Just add it:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

And try again.

I’m just wondering what happened because that rule must be there.
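As an added example (not code from the thread or from Hestia), a small POSIX shell check that audits an `iptables -S` dump for exactly the condition above: a default-DROP INPUT chain with no RELATED,ESTABLISHED accept rule, which is why replies to the host’s own outbound DNS queries are dropped while explicitly opened ports (22, 8083) and ICMP keep working. The sample dumps are constructed from the output posted earlier in the thread, abridged.

```shell
# Reads `iptables -S` output on stdin. Returns 0 when the INPUT chain will
# accept reply traffic (conntrack rule present, or policy not DROP) and 1 when
# answers to outbound queries such as UDP/53 DNS would be silently dropped.
check_input_conntrack() {
    dump=$(cat)
    policy=$(printf '%s\n' "$dump" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }')
    # Accept both the legacy `-m state --state` and the nft-era
    # `-m conntrack --ctstate` spellings of the same rule.
    accepts=$(printf '%s\n' "$dump" \
        | grep -c -E '^-A INPUT .*(--state|--ctstate) [A-Z,]*ESTABLISHED.*-j ACCEPT' || true)
    if [ "$policy" = "DROP" ] && [ "$accepts" -eq 0 ]; then
        echo "INPUT policy is DROP with no RELATED,ESTABLISHED accept rule:"
        echo "replies to outbound connections (e.g. DNS answers on UDP/53) will be dropped"
        return 1
    fi
    echo "INPUT chain accepts reply traffic (policy=$policy, conntrack rules=$accepts)"
    return 0
}

# Constructed sample mirroring the broken dump shown above (abridged).
BROKEN_DUMP='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -j ACCEPT'

# The same chain with the missing rule added (conntrack form, for nft-based iptables).
FIXED_DUMP="$BROKEN_DUMP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"

# Live use on a server: iptables -S | check_input_conntrack
```

The `--dport 53` accept line in the sample shows why opening port 53 alone does not help: it admits queries to a local DNS server, not the answers coming back from an upstream resolver on a random source port.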

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables v1.8.7 (nf_tables): Couldn't load match `state':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

I think we’re getting closer )))

P.S. The same thing with conntrack (I googled how to fix it)