Iptables – Connection tracking not working in a Debian 7 OpenVZ VPS

Tags: conntrack, iptables, openvz

I have a small VPS instance (used for web hosting) that runs Debian 7, and for a few weeks I have had issues with my firewall and connection tracking. I had no issues for months, but without any system modification on my part, the connection tracking tools for iptables stopped working (I suspect a kernel update from my provider, but they cannot find a solution to my problem).

Now, the state-related rules in my iptables configuration are not matched anymore. I cannot use the ESTABLISHED, RELATED, or NEW states anymore. There is no error when I create those rules, but no packet seems to match them. Here is my iptables configuration file:

*filter

#  Allow all loopback (lo) traffic and reject all traffic to 127/8 that doesn't arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Log all ESTABLISHED,RELATED
-A INPUT -m state --state ESTABLISHED,RELATED -m limit --limit 20/min -j LOG --log-prefix "iptables: EST,REL: " --log-level 1
-A OUTPUT -m state --state ESTABLISHED,RELATED -m limit --limit 20/min -j LOG --log-prefix "iptables: EST,REL: " --log-level 1

#  Log all UDP
#-A INPUT -p udp -m limit --limit 60/min -j LOG --log-prefix "iptables: UDP IN : " --log-level 1
-A OUTPUT -p udp -m limit --limit 60/min -j LOG --log-prefix "iptables: UDP OUT: " --log-level 1

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
-A INPUT -p tcp --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables: DENIED : " --log-level 4

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

I added logging rules that I can uncomment to catch established connections, but they are ineffective, and all the incoming packets are dropped by the last lines of my configuration file.
Here is an example of what happens in my log file when I try a simple ping, which requires a DNS resolution:

Jun 13 09:19:37 vpsname kernel: [4624558.917291] iptables: UDP OUT: IN= OUT=venet0 SRC=**.**.**.** DST=208.67.222.222 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=57693 DF PROTO=UDP SPT=37992 DPT=53 LEN=53
Jun 13 09:19:37 vpsname kernel: [4624558.918373] iptables: DENIED : IN=venet0 OUT= MAC= SRC=208.67.222.222 DST=**.**.**.** LEN=110 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=53 DPT=37992 LEN=90
Jun 13 09:19:42 vpsname kernel: [4624563.927318] iptables: UDP OUT: IN= OUT=venet0 SRC=**.**.**.** DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=62698 DF PROTO=UDP SPT=49607 DPT=53 LEN=53
Jun 13 09:19:42 vpsname kernel: [4624563.928263] iptables: DENIED : IN=venet0 OUT= MAC= SRC=208.67.220.220 DST=**.**.**.** LEN=110 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=53 DPT=49607 LEN=90
Jun 13 09:19:47 vpsname kernel: [4624568.936369] iptables: UDP OUT: IN= OUT=venet0 SRC=**.**.**.** DST=208.67.222.222 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=57694 DF PROTO=UDP SPT=37992 DPT=53 LEN=53
Jun 13 09:19:47 vpsname kernel: [4624568.937441] iptables: DENIED : IN=venet0 OUT= MAC= SRC=208.67.222.222 DST=**.**.**.** LEN=110 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=53 DPT=37992 LEN=90
Jun 13 09:19:52 vpsname kernel: [4624573.946415] iptables: UDP OUT: IN= OUT=venet0 SRC=**.**.**.** DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=62699 DF PROTO=UDP SPT=49607 DPT=53 LEN=53
Jun 13 09:19:52 vpsname kernel: [4624573.947343] iptables: DENIED : IN=venet0 OUT= MAC= SRC=208.67.220.220 DST=**.**.**.** LEN=110 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=53 DPT=49607 LEN=90

Finally, I installed the conntrack command, and when I execute it I see that every packet is marked as invalid.

sudo conntrack -S
entries                 0
searched                0
found                   0
new                     0
invalid                 51181
ignore                  0
delete                  0
delete_list             0
insert                  0
insert_failed           0
drop                    0
early_drop              0
icmp_error              17
expect_new              0
expect_create           0
expect_delete           0

I really don't know what to do, and neither does my VPS provider. Does any of you have any idea how to solve this issue? Currently, I have to open ports in my firewall if I want to download anything from the internet on my VPS. That's not a secure solution.

Thanks in advance for your help.

Best Answer

Do you have access to the physical OpenVZ node? If yes, you should enable connection tracking using this command: vzctl set XXX --netfilter stateful --save

And restart the container: vzctl restart XXX

Where XXX is your container ID.

If you don't have any access to the physical server, you may send this command to your administrator or hosting provider, because without configuration from the physical node side you can't use stateful iptables.
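The following script is an added example, not part of the question or the answer above. It ties the two together: inside the container it reads `conntrack -S` output (the format shown in the question, plus the newer per-CPU `key=value` format, which is an assumption) and reports whether the tracking table is actually being populated, and it scans the kernel `iptables:` LOG lines to flag DENIED packets that are the mirror image of an earlier `UDP OUT` packet, i.e. replies to the container's own queries that a working `--state ESTABLISHED` rule would have accepted. On the hardware node it prints (or, with `run`, executes) the `vzctl` commands from the answer. The sample log and counter output are constructed from the question's data with the masked address replaced by 192.0.2.10, and container ID 101 is a placeholder.

```shell
#!/bin/sh
# Added example; not code from the original question or answer.
# Placeholders: 192.0.2.10 stands for the masked VPS address, 101 for the CTID.

# Constructed sample: two DNS query/reply pairs (as in the question) plus one
# unsolicited inbound SYN that a stateful firewall should also drop.
SAMPLE_LOG='Jun 13 09:19:37 vpsname kernel: [4624558.917291] iptables: UDP OUT: IN= OUT=venet0 SRC=192.0.2.10 DST=208.67.222.222 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=57693 DF PROTO=UDP SPT=37992 DPT=53 LEN=53
Jun 13 09:19:37 vpsname kernel: [4624558.918373] iptables: DENIED : IN=venet0 OUT= MAC= SRC=208.67.222.222 DST=192.0.2.10 LEN=110 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=53 DPT=37992 LEN=90
Jun 13 09:19:42 vpsname kernel: [4624563.927318] iptables: UDP OUT: IN= OUT=venet0 SRC=192.0.2.10 DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=62698 DF PROTO=UDP SPT=49607 DPT=53 LEN=53
Jun 13 09:19:42 vpsname kernel: [4624563.928263] iptables: DENIED : IN=venet0 OUT= MAC= SRC=208.67.220.220 DST=192.0.2.10 LEN=110 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=53 DPT=49607 LEN=90
Jun 13 09:19:50 vpsname kernel: [4624571.100000] iptables: DENIED : IN=venet0 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4711 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0'

# Constructed sample of the `conntrack -S` counters from the question.
SAMPLE_CONNTRACK='entries                 0
searched                0
found                   0
new                     0
invalid                 51181
insert                  0
icmp_error              17'

# conntrack_is_stateful: read `conntrack -S` output on stdin and print one word:
#   stateful   - entries/new/insert counters show flows are being tracked
#   stateless  - nothing is tracked, every counted packet went to "invalid"
#   no-traffic - no evidence either way (run some traffic first)
conntrack_is_stateful() {
    awk '
        # Debian 7 era format: one "<counter> <value>" pair per line
        NF == 2 && $2 ~ /^[0-9]+$/ { c[$1] += $2 }
        # newer per-CPU format "cpu=0 found=.. invalid=.. insert=.." (assumed)
        $1 ~ /^cpu=/ { for (i = 2; i <= NF; i++) if (split($i, kv, "=") == 2) c[kv[1]] += kv[2] }
        END {
            if (c["entries"] + 0 > 0 || c["new"] + 0 > 0 || c["insert"] + 0 > 0) print "stateful"
            else if (c["invalid"] + 0 > 0) print "stateless"
            else print "no-traffic"
        }'
}

# reply_drops: read kernel iptables LOG lines on stdin. Remember every
# "UDP OUT" 4-tuple; print each later "DENIED" line whose SRC:SPT->DST:DPT is
# the exact reverse of one of them. With working conntrack those replies match
# --state ESTABLISHED and never reach the DENIED rule, so any output here means
# state matching is broken. Unsolicited inbound packets are not reported.
reply_drops() {
    awk '
        function field(key,    i, k) {
            k = key "="
            for (i = 1; i <= NF; i++) if (index($i, k) == 1) return substr($i, length(k) + 1)
            return ""
        }
        /iptables: UDP OUT/ { seen[field("SRC") ":" field("SPT") ">" field("DST") ":" field("DPT")] = 1 }
        /iptables: DENIED/ {
            key = field("DST") ":" field("DPT") ">" field("SRC") ":" field("SPT")
            if (key in seen)
                print "dropped reply to own query:", field("SRC") ":" field("SPT"), "->", field("DST") ":" field("DPT")
        }'
}

# enable_stateful_netfilter CTID [run]: the fix from the answer. Must be run as
# root on the OpenVZ hardware node, never inside the container. Without "run"
# it only prints the commands (e.g. to paste into a ticket to the provider).
enable_stateful_netfilter() {
    ctid=$1
    mode=${2:-print}
    for cmd in "vzctl set $ctid --netfilter stateful --save" "vzctl restart $ctid"; do
        echo "$cmd"
        if [ "$mode" = run ]; then $cmd; fi
    done
}

# Stand-alone demonstration on the constructed samples.
echo "conntrack verdict: $(printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_is_stateful)"
printf '%s\n' "$SAMPLE_LOG" | reply_drops
echo "host-side fix for CTID 101:"
enable_stateful_netfilter 101
```

On the real box, replace the samples with live data: `conntrack -S | conntrack_is_stateful` after a DNS lookup, and `grep 'iptables:' /var/log/kern.log | reply_drops`. After the provider has applied the `vzctl` change and restarted the container, the first should print `stateful` and the second should print nothing for new traffic; only then is it safe to remove any temporary port openings.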
