Comment on Godaddy VPS Review by SEO Dave.

Godaddy VPS Review

I think the new Godaddy VPS hates me.

Figured out why iptables was throwing out an error on line 14 on a freshly built server: I’d made no changes to the server.

The Godaddy Deluxe 4 GB Virtual Private Server, which runs under an OpenVZ container (one of the ways a dedicated server is partitioned into multiple VPS servers), starts with all ports closed other than port 22 (SSH) and port 80 (HTTP).

This means the server is secure, but it requires ports opening to use other services like email, MySQL and a control panel: for example Virtualmin needs, amongst other ports, port 10000 and port 20000 open to function.

So a firewall management program should be installed with the server to manage ports.

Iptables is installed and enabled, so it should activate at boot, but it does not activate due to an error on line 14.
Ip6tables is installed and disabled (turned off).
Firewalld (a more recent firewall sometimes installed with CentOS 7) is not installed.

As far as I can tell iptables is the only way to manage ports on the Godaddy VPS running CentOS 7.

The line 14 iptables error was caused by Godaddy not enabling multiple iptables kernel modules. These should be installed under the OpenVZ hardware node, which Godaddy customers have no access to.

According to https://forum.configserver.com/viewtopic.php?f=6&t=212 the required iptables modules for full iptables support are:

ip_tables
ipt_state
ipt_multiport
iptable_filter
ipt_limit
ipt_LOG
ipt_REJECT
ipt_conntrack
ip_conntrack
ip_conntrack_ftp
iptable_mangle

Other iptables modules for additional functionality:

ipt_owner
ipt_recent
iptable_nat
ipt_REDIRECT

I installed ConfigServer Security & Firewall (CSF) for testing and according to the “/etc/csf/csftest.pl” test, the Godaddy VPS Server is missing at least these modules:

ipt_state/xt_state
xt_connlimit
iptable_nat/ipt_REDIRECT
iptable_nat/ipt_DNAT

The earlier forum post about modules required for CSF to function is from 2007; I assume there are new iptables modules since then.

Anyway, I confirmed the missing iptables modules by trying to add this iptables rule:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Output:

iptables: No chain/target/match by that name.

This indicates a module is missing, specifically the state module.

I contacted Godaddy support, explained I wanted the iptables modules enabled and Godaddy support enabled them, yeah :-)

Iptables now activates at boot, so iptables should work as expected.

Tried installing Virtualmin and guess what, it still didn’t work!!!!

Port 10000 was still closed, port 20000 was open, the same result as before enabling the missing modules!

After a lot of testing with ConfigServer Security & Firewall I was still no closer to figuring this out and was making a bit of a mess, so I decided to start from scratch again. I destroyed and rebuilt the VPS server AGAIN to start with a fresh CentOS 7 installation, and now the enabled iptables modules are no longer enabled!!!!

Godaddy Support You Are a bunch of Idiots

I don’t know much about managing OpenVZ, but I would assume there’s an option to set the iptables modules to survive a rebuild: if not, Godaddy support should have told me the new settings won’t survive a rebuild.

They are a bunch of bloody idiots at Godaddy.
They can’t set up a VPS which works without modifying the server: the support person I dealt with said he has to deal with the missing iptables modules roughly twice a week!
Most of Godaddy support don’t have a clue; you’d have better support asking your pet cat how to fix an issue.

After all this hassle I’m still not sure why port 10000 (and others) won’t open, but port 20000 (and others) will via iptables.

Just to make things more interesting, with the fresh CentOS 7 server I disabled and masked iptables/ip6tables so there wouldn’t be any program managing firewall rules. That’s the theory anyway.

Here’s the output for the relevant commands:

# sudo systemctl is-enabled iptables
masked

# sudo systemctl is-enabled ip6tables
masked

# sudo systemctl is-enabled firewalld
Failed to get unit file state for firewalld.service: No such file or directory

With a fresh server, ports 22 and 80 are still open; all other ports I’ve tested are listed as closed.

Testing ports via: http://ports.my-addr.com/check-all-open-ports-online.php
Ports tested: 20, 21, 22, 25, 53, 80, 110, 111, 143, 443, 465, 587, 993, 995, 2222, 2525, 3306, 10000, 10001, 10002, 10003, 10004, 10005, 20000

Fresh server with iptables/ip6tables disabled/masked: no control panel installed.

20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open ssh
25/tcp closed smtp
53/tcp closed domain
80/tcp open http
110/tcp closed pop3
111/tcp closed rpcbind
143/tcp closed imap
443/tcp closed https
465/tcp closed smtps
587/tcp closed submission
993/tcp closed imaps
995/tcp closed pop3s
2222/tcp closed EtherNet/IP-1
2525/tcp closed ms-v-worlds
3306/tcp closed mysql
10000/tcp closed snet-sensor-mgmt
10001/tcp closed scp-config
10002/tcp closed documentum
10003/tcp closed documentum_s
10004/tcp closed emcrmirccd
10005/tcp closed stel
20000/tcp closed dnp

The above is as expected.

After installing Virtualmin before a reboot:

20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open ssh
25/tcp open smtp
53/tcp closed domain
80/tcp open http
110/tcp closed pop3
111/tcp open rpcbind
143/tcp closed imap
443/tcp open https
465/tcp closed smtps
587/tcp open submission
993/tcp closed imaps
995/tcp closed pop3s
2222/tcp closed EtherNet/IP-1
2525/tcp closed ms-v-worlds
3306/tcp open mysql
10000/tcp closed snet-sensor-mgmt
10001/tcp closed scp-config
10002/tcp closed documentum
10003/tcp closed documentum_s
10004/tcp closed emcrmirccd
10005/tcp closed stel
20000/tcp closed dnp

Either before or after a reboot I think all these ports should be open.

After installing Virtualmin after a reboot:

20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp closed http
110/tcp closed pop3
111/tcp open rpcbind
143/tcp closed imap
443/tcp closed https
465/tcp closed smtps
587/tcp open submission
993/tcp closed imaps
995/tcp closed pop3s
2222/tcp closed EtherNet/IP-1
2525/tcp closed ms-v-worlds
3306/tcp closed mysql
10000/tcp closed snet-sensor-mgmt
10001/tcp closed scp-config
10002/tcp closed documentum
10003/tcp closed documentum_s
10004/tcp closed emcrmirccd
10005/tcp closed stel
20000/tcp open dnp

Why has MySQL closed? Port 20000 (Usermin) is open, port 10000 (Webmin) is closed!!!

From the Virtualmin log file:

Configuring firewall rules
  Allowing traffic on TCP port: ssh
  Allowing traffic on TCP port: smtp
  Allowing traffic on TCP port: submission
  Allowing traffic on TCP port: domain
  Allowing traffic on TCP port: ftp
  Allowing traffic on TCP port: ftp-data
  Allowing traffic on TCP port: pop3
  Allowing traffic on TCP port: pop3s
  Allowing traffic on TCP port: imap
  Allowing traffic on TCP port: imaps
  Allowing traffic on TCP port: http
  Allowing traffic on TCP port: https
  Allowing traffic on TCP port: 2222
  Allowing traffic on TCP port: 10000
  Allowing traffic on TCP port: 10001
  Allowing traffic on TCP port: 10002
  Allowing traffic on TCP port: 10003
  Allowing traffic on TCP port: 10004
  Allowing traffic on TCP port: 10005
  Allowing traffic on TCP port: 20000
  Allowing traffic on UDP port: domain
  Allowing traffic on UDP port: ftp
  Allowing traffic on UDP port: ftp-data

Contents of the “/etc/sysconfig/iptables” file:

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport ftp-data -j ACCEPT
-A INPUT -p udp -m udp --dport ftp -j ACCEPT
-A INPUT -p udp -m udp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10004 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10003 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport https -j ACCEPT
-A INPUT -p tcp -m tcp --dport http -j ACCEPT
-A INPUT -p tcp -m tcp --dport imaps -j ACCEPT
-A INPUT -p tcp -m tcp --dport imap -j ACCEPT
-A INPUT -p tcp -m tcp --dport pop3s -j ACCEPT
-A INPUT -p tcp -m tcp --dport pop3 -j ACCEPT
-A INPUT -p tcp -m tcp --dport ftp-data -j ACCEPT
-A INPUT -p tcp -m tcp --dport ftp -j ACCEPT
-A INPUT -p tcp -m tcp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport submission -j ACCEPT
-A INPUT -p tcp -m tcp --dport smtp -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

It would appear another program is managing the firewall, since iptables/ip6tables are masked and not all the above rules are working.

I’m completely confused?

David
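As an added example (not part of David’s comment, nor any Godaddy, Virtualmin or CSF tooling), this script cross-checks the ACCEPT rules in an /etc/sysconfig/iptables file against an external port scan in the “port/proto state service” layout shown above, reporting ports a rule allows that the scan found closed and ports that are open with no ACCEPT rule at all. The rules excerpt and scan text are constructed, and the service-name table is an assumed subset of /etc/services.

```python
import shlex

# Subset of /etc/services, embedded so the example runs without that file.
SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "https": 443}
# Constructed excerpt in iptables-save format, modelled on the file quoted in the post.
RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport http -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed scan result in the "port/proto state service" layout used in the post.
SCAN = """\
22/tcp open ssh
80/tcp closed http
111/tcp open rpcbind
3306/tcp closed mysql
10000/tcp closed snet-sensor-mgmt
20000/tcp open dnp
"""

def accept_ports(rules):
    """(proto, port) for each '-A INPUT ... --dport X -j ACCEPT' rule, names resolved."""
    allowed = set()
    for tok in map(shlex.split, rules.splitlines()):
        if tok[:2] != ["-A", "INPUT"] or "--dport" not in tok or "ACCEPT" not in tok:
            continue  # chain policies, the state rule and the REJECT catch-all are skipped
        dport = tok[tok.index("--dport") + 1]
        allowed.add((tok[tok.index("-p") + 1], int(dport) if dport.isdigit() else SERVICES[dport]))
    return allowed

def scan_states(scan):
    """(proto, port) -> 'open' / 'closed' from 'port/proto state service' lines."""
    rows = (line.split(None, 2) for line in scan.splitlines())
    return {(pp.split("/")[1], int(pp.split("/")[0])): state for pp, state, _ in rows}

def audit(rules, scan):
    """Ports ACCEPTed by a rule yet closed (rule not loaded, or nothing listening),
    and ports open with no ACCEPT rule (so the REJECT catch-all is not in effect)."""
    allowed, states = accept_ports(rules), scan_states(scan)
    allowed_but_closed = sorted(p for p, s in states.items() if s == "closed" and p in allowed)
    open_without_rule = sorted(p for p, s in states.items() if s == "open" and p not in allowed)
    return allowed_but_closed, open_without_rule
```

A closed port with an ACCEPT rule can also mean no daemon is listening on the public address (check with `ss -ltn` on the host), whereas an open port with no rule means the kernel is not enforcing the rules in the file (compare with `iptables -S`).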