Could not connect to software.virtualmin.com:80 (108.60.199.107). - connect (110: Connection timed out)
Howdy,
Hmm, I'm not aware of any problems with the software repository, and I wasn't able to reproduce what you're seeing there...
Are you able to connect here with your web browser:
http://software.virtualmin.com/gpl/
Eric,
At first I believed the repository site was experiencing some kind of problem, but after your post I started to troubleshoot the issue and found quite strange behavior on my Ubuntu 10.04 server. If I turn off my firewall (APF), then 'apt-get update && apt-get upgrade' runs with no issues; however, with APF turned on, packages from all other repositories except Virtualmin's are downloaded.
I have checked the deny files and am pretty sure 108.60.199.107 is not blocked by my firewall.
The following TCP ports are open on my server:
IG_TCP_CPORTS="21, 25, 53, 80, 110, 143, 443, 465, 587, 953, 993, 995, 1043, 2525, 2812, 8079, 8080, 10000, 11211, 20000"
Common inbound (ingress) UDP ports
IG_UDP_CPORTS="21,123,53,80,465,587,953,2525,6277,1043,6081,6082"
What else can be done if it is an APF-related issue?
However, the fact that my server is able to download other repository packages with APF turned on gives me the idea that the problem could be related to either a download size or a download time limitation applied by one of the following, which I am currently trying to set up on my server: Suhosin (comes as a patch with Ubuntu 10.04 LTS), APC, Memcached.
I'll report if I find what was causing this issue.
Howdy,
Well, your config there shows some inbound ports that are open -- are you aware of any outbound ports or IPs that are blocked?
You would only need to be able to access Virtualmin's server on port 80.
How about this -- is there any chance you could attach the output of this command (when your firewall is running):
iptables -L -n
That will output all your firewall rules.
One other idea -- when your firewall is enabled, try accessing the software repository again, and when it fails, run the command "dmesg". Do you see any new output at the end that looks like a blocked firewall entry?
If so, that may indicate which rule is causing the problem... could you paste that in here?
Thanks!
-Eric
Will paste dmesg in the next comment.
iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 1.0.0.0/8 0.0.0.0/0
DROP all -- 2.0.0.0/8 0.0.0.0/0
DROP all -- 5.0.0.0/8 0.0.0.0/0
DROP all -- 23.0.0.0/8 0.0.0.0/0
DROP all -- 27.0.0.0/8 0.0.0.0/0
DROP all -- 31.0.0.0/8 0.0.0.0/0
DROP all -- 36.0.0.0/8 0.0.0.0/0
DROP all -- 37.0.0.0/8 0.0.0.0/0
DROP all -- 39.0.0.0/8 0.0.0.0/0
DROP all -- 42.0.0.0/8 0.0.0.0/0
DROP all -- 46.0.0.0/8 0.0.0.0/0
DROP all -- 94.0.0.0/8 0.0.0.0/0
DROP all -- 95.0.0.0/8 0.0.0.0/0
DROP all -- 100.0.0.0/8 0.0.0.0/0
DROP all -- 101.0.0.0/8 0.0.0.0/0
DROP all -- 102.0.0.0/8 0.0.0.0/0
DROP all -- 103.0.0.0/8 0.0.0.0/0
DROP all -- 104.0.0.0/8 0.0.0.0/0
DROP all -- 105.0.0.0/8 0.0.0.0/0
DROP all -- 106.0.0.0/8 0.0.0.0/0
DROP all -- 107.0.0.0/8 0.0.0.0/0
DROP all -- 108.0.0.0/8 0.0.0.0/0
DROP all -- 109.0.0.0/8 0.0.0.0/0
DROP all -- 110.0.0.0/8 0.0.0.0/0
DROP all -- 111.0.0.0/8 0.0.0.0/0
DROP all -- 112.0.0.0/8 0.0.0.0/0
DROP all -- 113.0.0.0/8 0.0.0.0/0
DROP all -- 114.0.0.0/8 0.0.0.0/0
DROP all -- 115.0.0.0/8 0.0.0.0/0
DROP all -- 173.0.0.0/8 0.0.0.0/0
DROP all -- 174.0.0.0/8 0.0.0.0/0
DROP all -- 175.0.0.0/8 0.0.0.0/0
DROP all -- 176.0.0.0/8 0.0.0.0/0
DROP all -- 177.0.0.0/8 0.0.0.0/0
DROP all -- 178.0.0.0/8 0.0.0.0/0
DROP all -- 179.0.0.0/8 0.0.0.0/0
DROP all -- 180.0.0.0/8 0.0.0.0/0
DROP all -- 181.0.0.0/8 0.0.0.0/0
DROP all -- 182.0.0.0/8 0.0.0.0/0
DROP all -- 183.0.0.0/8 0.0.0.0/0
DROP all -- 184.0.0.0/8 0.0.0.0/0
DROP all -- 185.0.0.0/8 0.0.0.0/0
DROP all -- 186.0.0.0/8 0.0.0.0/0
DROP all -- 187.0.0.0/8 0.0.0.0/0
DROP all -- 197.0.0.0/8 0.0.0.0/0
DROP all -- 223.0.0.0/8 0.0.0.0/0
DROP all -- 240.0.0.0/8 0.0.0.0/0
DROP all -- 241.0.0.0/8 0.0.0.0/0
DROP all -- 242.0.0.0/8 0.0.0.0/0
DROP all -- 243.0.0.0/8 0.0.0.0/0
DROP all -- 244.0.0.0/8 0.0.0.0/0
DROP all -- 245.0.0.0/8 0.0.0.0/0
DROP all -- 246.0.0.0/8 0.0.0.0/0
DROP all -- 247.0.0.0/8 0.0.0.0/0
DROP all -- 248.0.0.0/8 0.0.0.0/0
DROP all -- 249.0.0.0/8 0.0.0.0/0
DROP all -- 250.0.0.0/8 0.0.0.0/0
DROP all -- 251.0.0.0/8 0.0.0.0/0
DROP all -- 252.0.0.0/8 0.0.0.0/0
DROP all -- 253.0.0.0/8 0.0.0.0/0
DROP all -- 254.0.0.0/8 0.0.0.0/0
DROP all -- 255.0.0.0/8 0.0.0.0/0
TMP_DROP all -- 0.0.0.0/0 0.0.0.0/0
TALLOW all -- 0.0.0.0/0 0.0.0.0/0
TDENY all -- 0.0.0.0/0 0.0.0.0/0
TGALLOW all -- 0.0.0.0/0 0.0.0.0/0
TGDENY all -- 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:111
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:513
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:513
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:520
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1433
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1433
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1434
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1434
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1234
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1524
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1524
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3127
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3127
IN_SANITY all -- 0.0.0.0/0 0.0.0.0/0
FRAG_UDP all -- 0.0.0.0/0 0.0.0.0/0
PZERO all -- 0.0.0.0/0 0.0.0.0/0
P2P all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:953
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1043
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2525
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2812
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8079
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:11211
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:19627
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:80
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:465
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:587
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:953
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2525
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:6277
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1043
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:6081
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:6082
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 limit: avg 30/sec burst 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 5 limit: avg 30/sec burst 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11 limit: avg 30/sec burst 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 limit: avg 30/sec burst 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 30 limit: avg 30/sec burst 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 30/sec burst 5
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 216.217.196.2 0.0.0.0/0 udp spt:53 dpts:1023:65535
ACCEPT tcp -- 216.217.196.2 0.0.0.0/0 tcp spt:53 dpts:1023:65535
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpts:1023:65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1023:65535
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1023:65535 dpt:21 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpts:513:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:22 flags:0x17/0x02 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:22 state ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:33434:33534
DROP tcp -- 0.0.0.0/0 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
DROP all -- 0.0.0.0/0 1.0.0.0/8
DROP all -- 0.0.0.0/0 2.0.0.0/8
DROP all -- 0.0.0.0/0 5.0.0.0/8
DROP all -- 0.0.0.0/0 23.0.0.0/8
DROP all -- 0.0.0.0/0 27.0.0.0/8
DROP all -- 0.0.0.0/0 31.0.0.0/8
DROP all -- 0.0.0.0/0 36.0.0.0/8
DROP all -- 0.0.0.0/0 37.0.0.0/8
DROP all -- 0.0.0.0/0 39.0.0.0/8
DROP all -- 0.0.0.0/0 42.0.0.0/8
DROP all -- 0.0.0.0/0 46.0.0.0/8
DROP all -- 0.0.0.0/0 94.0.0.0/8
DROP all -- 0.0.0.0/0 95.0.0.0/8
DROP all -- 0.0.0.0/0 100.0.0.0/8
DROP all -- 0.0.0.0/0 101.0.0.0/8
DROP all -- 0.0.0.0/0 102.0.0.0/8
DROP all -- 0.0.0.0/0 103.0.0.0/8
DROP all -- 0.0.0.0/0 104.0.0.0/8
DROP all -- 0.0.0.0/0 105.0.0.0/8
DROP all -- 0.0.0.0/0 106.0.0.0/8
DROP all -- 0.0.0.0/0 107.0.0.0/8
DROP all -- 0.0.0.0/0 108.0.0.0/8
DROP all -- 0.0.0.0/0 109.0.0.0/8
DROP all -- 0.0.0.0/0 110.0.0.0/8
DROP all -- 0.0.0.0/0 111.0.0.0/8
DROP all -- 0.0.0.0/0 112.0.0.0/8
DROP all -- 0.0.0.0/0 113.0.0.0/8
DROP all -- 0.0.0.0/0 114.0.0.0/8
DROP all -- 0.0.0.0/0 115.0.0.0/8
DROP all -- 0.0.0.0/0 173.0.0.0/8
DROP all -- 0.0.0.0/0 174.0.0.0/8
DROP all -- 0.0.0.0/0 175.0.0.0/8
DROP all -- 0.0.0.0/0 176.0.0.0/8
DROP all -- 0.0.0.0/0 177.0.0.0/8
DROP all -- 0.0.0.0/0 178.0.0.0/8
DROP all -- 0.0.0.0/0 179.0.0.0/8
DROP all -- 0.0.0.0/0 180.0.0.0/8
DROP all -- 0.0.0.0/0 181.0.0.0/8
DROP all -- 0.0.0.0/0 182.0.0.0/8
DROP all -- 0.0.0.0/0 183.0.0.0/8
DROP all -- 0.0.0.0/0 184.0.0.0/8
DROP all -- 0.0.0.0/0 185.0.0.0/8
DROP all -- 0.0.0.0/0 186.0.0.0/8
DROP all -- 0.0.0.0/0 187.0.0.0/8
DROP all -- 0.0.0.0/0 197.0.0.0/8
DROP all -- 0.0.0.0/0 223.0.0.0/8
DROP all -- 0.0.0.0/0 240.0.0.0/8
DROP all -- 0.0.0.0/0 241.0.0.0/8
DROP all -- 0.0.0.0/0 242.0.0.0/8
DROP all -- 0.0.0.0/0 243.0.0.0/8
DROP all -- 0.0.0.0/0 244.0.0.0/8
DROP all -- 0.0.0.0/0 245.0.0.0/8
DROP all -- 0.0.0.0/0 246.0.0.0/8
DROP all -- 0.0.0.0/0 247.0.0.0/8
DROP all -- 0.0.0.0/0 248.0.0.0/8
DROP all -- 0.0.0.0/0 249.0.0.0/8
DROP all -- 0.0.0.0/0 250.0.0.0/8
DROP all -- 0.0.0.0/0 251.0.0.0/8
DROP all -- 0.0.0.0/0 252.0.0.0/8
DROP all -- 0.0.0.0/0 253.0.0.0/8
DROP all -- 0.0.0.0/0 254.0.0.0/8
DROP all -- 0.0.0.0/0 255.0.0.0/8
TMP_DROP all -- 0.0.0.0/0 0.0.0.0/0
TALLOW all -- 0.0.0.0/0 0.0.0.0/0
TDENY all -- 0.0.0.0/0 0.0.0.0/0
TGALLOW all -- 0.0.0.0/0 0.0.0.0/0
TGDENY all -- 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:111
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:513
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:513
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:520
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1433
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1433
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1434
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1434
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1234
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1524
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1524
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3127
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3127
OUT_SANITY all -- 0.0.0.0/0 0.0.0.0/0
FRAG_UDP all -- 0.0.0.0/0 0.0.0.0/0
PZERO all -- 0.0.0.0/0 0.0.0.0/0
P2P all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 216.217.196.2 udp spts:1023:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 216.217.196.2 tcp spts:1023:65535 dpt:53
ACCEPT udp -- 0.0.0.0/0 216.217.196.2 udp spts:1023:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 216.217.196.2 tcp spts:1023:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21 dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:33434:33534
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FRAG_UDP (2 references)
target prot opt source destination
DROP udp -f 0.0.0.0/0 0.0.0.0/0
Chain IN_SANITY (1 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
Chain OUT_SANITY (1 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
Chain P2P (2 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1214 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:1214 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:1214 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:1214 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2323 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:2323 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:2323 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:2323 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65534 dpts:4660:4678 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:4660:4678 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpts:4660:4678 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:4660:4678 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6257 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:6257 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:6257 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:6257 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6699 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:6699 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:6699 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:6699 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6346 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:6346 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:6346 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:6346 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6347 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:6347 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:6347 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:6347 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65534 dpts:6881:6889 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:6881:6889 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpts:6881:6889 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:6881:6889 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6346 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:6346 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:6346 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:6346 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7778 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:7778 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:7778 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:7778 dpts:1024:65534 reject-with icmp-port-unreachable
Chain PROHIBIT (0 references)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain PZERO (2 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:0
Chain RESET (0 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain TALLOW (2 references)
target prot opt source destination
Chain TDENY (2 references)
target prot opt source destination
Chain TGALLOW (2 references)
target prot opt source destination
Chain TGDENY (2 references)
target prot opt source destination
Chain TMP_DROP (2 references)
target prot opt source destination
Well, dmesg contains lots of errors, but doesn't change when I try to reach Virtualmin's repository. The last lines:
[62930.689858] php5-cgi[21209]: segfault at 7fffa6027ff0 ip 0000000000645b0d sp 00007fffa6027fe0 error 6 in php5-cgi[400000+70c000]
[82746.837829] php5-cgi[8356]: segfault at 7fff2d932fe0 ip 0000000000645b0d sp 00007fff2d932fd0 error 6 in php5-cgi[400000+70c000]
[87544.044747] php5-cgi[20853]: segfault at 7fff46b45ff0 ip 0000000000645b0d sp 00007fff46b45fe0 error 6 in php5-cgi[400000+70c000]
[91049.804148] php5-cgi[30065]: segfault at 7fff0d654ff0 ip 0000000000645b0d sp 00007fff0d654fe0 error 6 in php5-cgi[400000+70c000]
[92986.695218] php5-cgi[1685]: segfault at 7fffa8d0cff8 ip 0000000000645b11 sp 00007fffa8d0d000 error 6 in php5-cgi[400000+70c000]
[93567.002476] php5-cgi[4215]: segfault at 7fffcc3bbfe8 ip 0000000000645b11 sp 00007fffcc3bbff0 error 6 in php5-cgi[400000+70c000]
[93604.350544] php5-cgi[4907]: segfault at 7fff0078fff8 ip 0000000000645b11 sp 00007fff00790000 error 6 in php5-cgi[400000+70c000]
[93933.186617] php5-cgi[5777]: segfault at 7fffc3610ff8 ip 0000000000645b11 sp 00007fffc3611000 error 6 in php5-cgi[400000+70c000]
[93939.819901] php5-cgi[5787]: segfault at 7fff56978ff0 ip 0000000000645b0d sp 00007fff56978fe0 error 6 in php5-cgi[400000+70c000]
[93987.475188] php5-cgi[5935]: segfault at 7fff87098ff0 ip 0000000000645b0d sp 00007fff87098fe0 error 6 in php5-cgi[400000+70c000]
Ahh, there it is -- look in the table named "OUTPUT", there's an entry that looks like this:
DROP all -- 0.0.0.0/0 108.0.0.0/8
That will drop any outgoing packet destined for a host with an IP address that begins with 108, which includes the Virtualmin software repository.
The Virtualmin server has had this same IP for nearly a year. That may suggest something changed in the firewall rules there recently.
-Eric
Interestingly enough, if you install APF via Ubuntu's aptitude, then the 'reserved.networks' file contains the following:
# Unassigned/reserved address space
# refer to: http://www.iana.org/assignments/ipv4-address-space
#
1.0.0.0/8
2.0.0.0/8
5.0.0.0/8
23.0.0.0/8
27.0.0.0/8
31.0.0.0/8
36.0.0.0/8
37.0.0.0/8
39.0.0.0/8
42.0.0.0/8
46.0.0.0/8
94.0.0.0/8
95.0.0.0/8
100.0.0.0/8
101.0.0.0/8
102.0.0.0/8
103.0.0.0/8
104.0.0.0/8
105.0.0.0/8
106.0.0.0/8
107.0.0.0/8
108.0.0.0/8
109.0.0.0/8
110.0.0.0/8
111.0.0.0/8
112.0.0.0/8
113.0.0.0/8
114.0.0.0/8
115.0.0.0/8
173.0.0.0/8
174.0.0.0/8
175.0.0.0/8
176.0.0.0/8
177.0.0.0/8
178.0.0.0/8
179.0.0.0/8
180.0.0.0/8
181.0.0.0/8
182.0.0.0/8
183.0.0.0/8
184.0.0.0/8
185.0.0.0/8
186.0.0.0/8
187.0.0.0/8
197.0.0.0/8
223.0.0.0/8
240.0.0.0/8
241.0.0.0/8
242.0.0.0/8
243.0.0.0/8
244.0.0.0/8
245.0.0.0/8
246.0.0.0/8
247.0.0.0/8
248.0.0.0/8
249.0.0.0/8
250.0.0.0/8
251.0.0.0/8
252.0.0.0/8
253.0.0.0/8
254.0.0.0/8
255.0.0.0/8
However, if you install from source then it contains:
# Unassigned/reserved address space
# refer to: http://www.iana.org/assignments/ipv4-address-space
#
0.0.0.0/8
127.0.0.0/8
169.254.0.0/16
192.0.0.0/24
192.0.2.0/24
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
If you go to http://www.iana.org/assignments/ipv4-address-space, which redirects to http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml, then indeed the 108/8 range is allocated to ARIN:
108/8 ARIN 2008-12 whois.arin.net ALLOCATED
Does 108.60.199.107 fall under the range of 108/8? If yes, how come it is attributed to Virtualmin and at the same time reserved by ARIN?
Nevertheless, confusing as these questions are, I have replaced the reserved.networks file and now my box can connect to Virtualmin's repository without any problems. Thank you and kudos for pinpointing the source of the issue!
It seems this problem had already been reported in the upstream project: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627157; however, for some reason the firewall still ships with an outdated reserved networks file on Ubuntu 10.04 LTS.
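
An added example, not part of the original thread: a Python sketch of the check that resolved it, finding address-specific DROP/REJECT rules in `iptables -L -n` output that cover a given IP, and testing the same IP against a `reserved.networks`-style list. The function names are hypothetical, and the sample listing and lists are abridged from the lines quoted in the thread.

```python
import ipaddress

BLOCKING = {"DROP", "REJECT"}
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_chains(listing):
    """Split `iptables -L -n` text into {chain: [(target, prot, src, dst)]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "Chain":
            current = chains.setdefault(f[1], [])
        elif f[0] != "target" and current is not None and len(f) >= 5:
            # columns: target prot opt source destination [match options]
            current.append((f[0], f[1], f[3], f[4]))
    return chains

def address_blocks(listing, chain, ip):
    """DROP/REJECT rules in `chain` whose source or destination is narrower
    than 0.0.0.0/0 and contains `ip`. Without -v the listing hides interface
    matches, so an `ACCEPT all` line is not proof that everything is accepted;
    this reports candidate rules instead of simulating first-match."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for n, (target, _prot, src, dst) in enumerate(parse_chains(listing).get(chain, []), 1):
        if target not in BLOCKING:
            continue
        for field, text in (("source", src), ("destination", dst)):
            try:
                net = ipaddress.ip_network(text, strict=False)
            except ValueError:  # negated or otherwise unparsable address
                continue
            if net != ANY and addr in net:
                hits.append((n, target, field, str(net)))
    return hits

def list_entries_containing(list_text, ip):
    """Entries of a reserved.networks-style file (one CIDR per line,
    # comments) that contain `ip`."""
    addr = ipaddress.ip_address(ip)
    entries = (line.split("#", 1)[0].strip() for line in list_text.splitlines())
    return [e for e in entries if e and addr in ipaddress.ip_network(e, strict=False)]

# Abridged sample built from lines quoted in the thread (rule numbers differ).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 108.0.0.0/8 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
DROP all -- 0.0.0.0/0 107.0.0.0/8
DROP all -- 0.0.0.0/0 108.0.0.0/8
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
"""
PACKAGED_LIST = "# Unassigned/reserved address space\n107.0.0.0/8\n108.0.0.0/8\n109.0.0.0/8\n"
SOURCE_LIST = ("0.0.0.0/8\n127.0.0.0/8\n169.254.0.0/16\n192.0.0.0/24\n192.0.2.0/24\n"
               "198.18.0.0/15\n198.51.100.0/24\n203.0.113.0/24\n224.0.0.0/4\n240.0.0.0/4\n")
REPO_IP = "108.60.199.107"

if __name__ == "__main__":
    for chain in ("INPUT", "OUTPUT"):
        print(chain, address_blocks(SAMPLE_LISTING, chain, REPO_IP))
    print("packaged list:", list_entries_containing(PACKAGED_LIST, REPO_IP))
    print("source list:", list_entries_containing(SOURCE_LIST, REPO_IP))
```

On a live host the listing would come from `iptables -L -n` and the list from the installed `reserved.networks` file; adding `-v` to the listing shows the interface columns this parser does not see.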