Network connectivity problems

My YunoHost installation seems to work; however, I cannot install new apps. Upon digging for the root of the problem, I found out that ping is not working (time out, 100% loss), and I cannot update (or install) packages from the Debian repos.

My server is perfectly well reachable from outside. However, a few days ago ping stopped working at all and I could not download any files with wget. It turned out there was a problem with DNS name resolution. I allowed port 53 in my security group (VPS on OpenStack), which solved the problem with DNS name resolution; I can download files with wget, but fetching packages does not work (time out). As far as I understand, the problem may be with the /etc/resolv.conf file, but this is constantly overwritten by YunoHost. That is where I've got stuck.

My machine is a VPS on OpenStack. There was a major disruption on the whole cluster recently, so it may well be related, but I'm not 100% sure.

Output of less /etc/resolv.conf:

nameserver 127.0.0.1
search openstacklocal

Output of ifconfig -a:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet XXX.XX.XX.XXX  netmask 255.255.240.0  broadcast XXXXXXXXXXXXXXXX
        inet6 YYYYYYYYY  prefixlen 64  scopeid 0x20<link>
        ether ZZZZZZZZ  txqueuelen 1000  (Ethernet)
        RX packets 194669057  bytes 11708725664 (10.9 GiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 412705  bytes 123125411 (117.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 150233  bytes 31116860 (29.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 150233  bytes 31116860 (29.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Update: I've got ping to work by opening ICMP for egress (is this secure?); however, fetching packages still does not work.

Here is the output of apt update:
Hit:1 https://packages.sury.org/php stretch InRelease
Err:2 http://forge.yunohost.org/debian stretch InRelease
Cannot initiate the connection to forge.yunohost.org:80 (2001:910:1410::1). - connect (101: Network is unreachable) [IP: 2001:910:1410::1 80]

Hardware: VPS bought online
YunoHost version: 3.7.1
I have access to my server : Through SSH | through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Well then, what happens when you try?

Just updated the initial post. Thanks for quick reply!

Hmokay … That one

Sounds like it's not able to connect through IPv6 …? Could it be that you have other aggressive firewall issues filtering outgoing traffic …?

Otherwise try disabling IPv6 entirely but meh…

Yes, there is another firewall and I was already suspecting IPv6 problems, but I'm not sure how I can test this. I tried to force IPv4 with
apt -o Acquire::ForceIPv4=true update
with the same result:
Err:2 http://forge.yunohost.org/debian stretch InRelease
Could not connect to forge.yunohost.org:80 (80.67.172.144), connection timed out
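Added example (not from this thread, nor part of YunoHost or apt): a small POSIX shell helper that classifies the two `apt update` failures quoted above (IPv6 "Network is unreachable" versus an IPv4 connection timeout), plus a resolver failure, and maps each class to the next check. The sample lines are constructed from the errors in this thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper: classify apt failure lines and map each to the next check.

# Constructed samples, modelled on the errors quoted in this thread
# plus a typical apt resolver failure.
SAMPLE_V6='Err:2 http://forge.yunohost.org/debian stretch InRelease
Cannot initiate the connection to forge.yunohost.org:80 (2001:910:1410::1). - connect (101: Network is unreachable) [IP: 2001:910:1410::1 80]'
SAMPLE_V4='Err:2 http://forge.yunohost.org/debian stretch InRelease
Could not connect to forge.yunohost.org:80 (80.67.172.144), connection timed out'
SAMPLE_DNS="Err:1 http://deb.debian.org/debian stretch InRelease
  Temporary failure resolving 'deb.debian.org'"

# Read apt output on stdin; print one label per failure line:
# <family>-unreachable, <family>-timeout, or dns-failure.
classify_apt_error() {
    awk '
    function family(a) {
        if (a ~ /^[0-9.]+$/) return "ipv4"
        if (a ~ /^[0-9a-fA-F:]+$/) return "ipv6"
        return "unknown"
    }
    {
        addr = ""
        if (match($0, /\[IP: [^ ]+ [0-9]+/)) {        # "[IP: 2001:910:1410::1 80]"
            addr = substr($0, RSTART + 5, RLENGTH - 5); sub(/ .*/, "", addr)
        } else if (match($0, /\([0-9a-fA-F.:]+\)/)) { # "(80.67.172.144)"
            addr = substr($0, RSTART + 1, RLENGTH - 2)
        }
        if ($0 ~ /Network is unreachable/)            print family(addr) "-unreachable"
        else if ($0 ~ /[Cc]onnection timed out/)      print family(addr) "-timeout"
        else if ($0 ~ /Temporary failure resolving|Could not resolve/) print "dns-failure"
    }'
}

# Map a label to the check this thread converged on.
suggest() {
    case "$1" in
        ipv6-unreachable) echo "no IPv6 route on the host: retry with apt -o Acquire::ForceIPv4=true update" ;;
        ipv4-timeout|ipv6-timeout) echo "TCP to the mirror is silently dropped: check the provider security group / egress rules for 80 and 443" ;;
        dns-failure) echo "resolver failing: check /etc/resolv.conf and outbound UDP/TCP 53" ;;
        *) echo "unclassified: $1" ;;
    esac
}

# Usage: apt update 2>&1 | diagnose   (or: printf '%s\n' "$SAMPLE_V4" | diagnose)
diagnose() {
    classify_apt_error | while read -r label; do
        echo "$label: $(suggest "$label")"
    done
}
```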

Trying to work around the symptoms ain't gonna fix the issue that your firewall seems way too aggressive for outgoing traffic … It just seems weird that your firewall filters outgoing traffic for web requests … Can't you just relax the firewall rules?

I guess I can, but not sure how to do this. Allow all ports for outgoing connections?

Yes…?

Fantastic! This did work. Many thanks, appreciate very much!

Maybe you could still answer the remaining questions, if you don't mind:

  1. Is it safe to leave all ports open for outgoing connections?

  2. How could this problem possibly appear - everything worked just fine (I’m puzzled)?

Forbidding your guests to go out of your house once they're in doesn't make your house safer from thieves trying to break into your house … Maybe with advanced security concerns you could end up wanting to restrict some very specific outgoing connections to increase security, but you need to know what you're doing, and for 99.9% of cases that's just not necessary. One typical case is preventing machines from sending spam, which is why some providers enforce a block on port 25 to forbid any outgoing email traffic, but in the context of self-hosting that restriction is usually more of a nuisance than a security feature (since you usually do want to be able to send emails with your server).

You should be more concerned about incoming traffic (and even then, just having a port opened doesn't mean your server is automatically compromised).

Well uh, I don't know, it seems like a firewall external to YunoHost and specific to your internet provider or hosting provider, so I can't really help with that.

Aleks, thanks a lot for your help. You saved me a lot of time.
