How do I unblock my server's IP?

I have a server with Hetzner and it appears to be IP blocked from accessing anything from Google Cloud.

For example,

curl https://packages.cloud.google.com/apt/doc/apt-key.gpg

outputs:

 

<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 403 (Forbidden)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px
arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto
0;max-width:390px;min-height:180px;padding:30px 0 15px}* >
body{background:url(//www.google.com/images/errors/robot.png) 100% 5px
no-repeat;padding-right:205px}p{margin:11px 0
22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen
and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png)
no-repeat;margin-left:-5px}@media only screen and
(min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png)
no-repeat 0% 0%/100%
100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png)
0}}@media only screen and
(-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png)
no-repeat;-webkit-background-size:100%
100%}}#logo{display:inline-block;height:54px;width:150px}
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>403.</b> <ins>That’s an error.</ins>
  <p>Your client does not have permission to get URL <code>/apt/doc/apt-key.gpg</code>
from this server.  <ins>That’s all we know.</ins>

 

Is there any way to contact someone from Google to get my IP unblocked?


Hello @deadduck169,

The issue you are experiencing is possibly related to a permissions issue. To try and address this, kindly check out this documentation about IAM. If you want to grant access to a specific resource on Google Cloud Platform, you can view this link.

@Don_Tejada ,

This "curl https://packages.cloud.google.com/apt/doc/apt-key.gpg" has nothing to do with IAM policy. It's just proof that the server is blocked.

We face the same problem: the gcloud CLI returns 403 everywhere, and we are not even able to list projects.

On another server (different IP), same gcloud cli, same authenticated user, we have no problem accessing resources. It's, thus, not an IAM policy problem.

Proof: open a private session in your browser and click the link https://packages.cloud.google.com/apt/doc/apt-key.gpg. You'll be able to see the content directly in your browser. Nothing to do with IAM.

In our case, the server was just fine a couple of weeks ago. And for a reason we cannot understand, it's not now. Something happened, and it's not on our server.

What are the steps to unblock the IP?

@deadduck169 , what have you done to fix this?

@1zero1 I was unable to fix it. The only way was to assign a new IP to the server. I also created this topic on ServerFault in case you want to follow it there as well. https://serverfault.com/questions/1143283/google-cloud-platform-authentication-unable-to-list-projec...

I am experiencing the same issue. In my case this occurred when I created a new VPS (not with Google but a different provider). I then proceeded to use "curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -", which worked fine. As this was just a demo/practice VPS, I reinstalled Debian and attempted to run the same command, only to be met with the 403 error. I suspect https://packages.cloud.google.com/apt/doc/apt-key.gpg is somehow detecting that even though the VPS has the same IP, it doesn't have the same signature between OS installs and thinks it's a malicious entity pretending to be the original host. Now I'm stuck with a VPS and no way to install Kubernetes. Assistance with this would be much appreciated.

I noticed one thing, here my VPS was trying to connect via IPv6.

debian@vps-12345:~$ curl -v https://packages.cloud.google.com/apt/doc/apt-key.gpg
* Trying [2607:f8b0:4020:805::200e]:443...
* Connected to packages.cloud.google.com (2607:f8b0:4020:805::200e) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: CN=*.googlecode.com
* start date: Sep 28 05:31:36 2023 GMT
* expire date: Dec 21 05:31:35 2023 GMT
* subjectAltName: host "packages.cloud.google.com" matched cert's "*.cloud.google.com"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
* SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /apt/doc/apt-key.gpg]
* h2h3 [:scheme: https]
* h2h3 [:authority: packages.cloud.google.com]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55f6d814e790)
> GET /apt/doc/apt-key.gpg HTTP/2
> Host: packages.cloud.google.com
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 403
< content-type: text/html; charset=UTF-8
< referrer-policy: no-referrer
< content-length: 1598
< date: Thu, 19 Oct 2023 03:52:59 GMT
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
<!DOCTYPE html>
<html lang=en>
<meta charset=utf-8>
<meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
<title>Error 403 (Forbidden)!!1</title>
<style>
*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
</style>
<a href=//www.google.com/><span id=logo aria-label=Google></span></a>
<p><b>403.</b> <ins>That’s an error.</ins>
<p>Your client does not have permission to get URL <code>/apt/doc/apt-key.gpg</code> from this server. <ins>That’s all we know.</ins>
* Connection #0 to host packages.cloud.google.com left intact

After disabling IPv6 on my Debian VPS I was able to hit the IPv4 page successfully:

debian@vps-123455:~$ curl -v https://packages.cloud.google.com/apt/doc/apt-key.gpg
* Trying 172.217.13.142:443...
* Connected to packages.cloud.google.com (172.217.13.142) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: CN=*.googlecode.com
* start date: Sep 28 05:31:36 2023 GMT
* expire date: Dec 21 05:31:35 2023 GMT
* subjectAltName: host "packages.cloud.google.com" matched cert's "*.cloud.google.com"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
* SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /apt/doc/apt-key.gpg]
* h2h3 [:scheme: https]
* h2h3 [:authority: packages.cloud.google.com]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55da74508790)
> GET /apt/doc/apt-key.gpg HTTP/2
> Host: packages.cloud.google.com
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200
< accept-ranges: bytes
< content-length: 2659
< content-security-policy: object-src 'none'; script-src 'nonce-hvlTutWqlerJ4gfdgCmXfo7hhJQ=' 'unsafe-inline'; base-uri 'none'; report-uri https://csp.withgoogle.com/csp/rapture/
< content-type: text/plain; charset=utf-8
< last-modified: Thu, 12 Oct 2023 21:32:36 GMT
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-xss-protection: 0
< date: Thu, 19 Oct 2023 03:54:55 GMT
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
-----BEGIN PGP PUBLIC KEY BLOCK-----

 

@s3viour , it worked!

Many thanks.

I had also seen the IPv6, so when I read your comment I went right through my Ubuntu and deactivated it.

If it can help anyone facing the problem, my setup is:

VPS running Ubuntu 11, hosted at OVH.

I have followed this doc to disable IPv6:

https://www.itzgeek.com/how-tos/linux/debian/how-to-disable-ipv6-on-debian-9-ubuntu-16-04.html#googl...

I'm glad my solution was able to resolve it for you. Interestingly, my setup is a VPS running Debian 12, hosted at OVH.

I wonder if it could somehow also be related to the hosting provider. I guess the workaround is to disable IPv6 for the time being.
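
The two curl -v transcripts above differ only in the address family and the status code. As an added example that is not part of the thread, this script extracts those two facts from `curl -v` output and compares them, so the check can be repeated per address family without disabling IPv6 first. The function names, verdict labels and sample strings are constructed for illustration; the URL and addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: does the 403 follow the address family?
URL="https://packages.cloud.google.com/apt/doc/apt-key.gpg"   # URL from the thread

# Constructed samples: the two deciding lines of each curl -v transcript above.
SAMPLE_V6='* Connected to packages.cloud.google.com (2607:f8b0:4020:805::200e) port 443 (#0)
< HTTP/2 403'
SAMPLE_V4='* Connected to packages.cloud.google.com (172.217.13.142) port 443 (#0)
< HTTP/2 200'

# summarize_transcript: read `curl -v` output on stdin, print "<family> <status>".
# Status 000 means no HTTP response line was seen (connect failure, timeout).
summarize_transcript() {
    awk '
        /^\* Connected to / { addr = $5; gsub(/[()]/, "", addr)
                              fam = (addr ~ /:/) ? "ipv6" : "ipv4" }
        /^< HTTP\//         { status = $3 }
        END { if (!fam) fam = "unknown"; if (!status) status = "000"
              print fam, status }'
}

# probe <4|6>: live check that forces one address family for a single request.
probe() {
    curl "-$1" -sv -o /dev/null --max-time 10 "$URL" 2>&1 | summarize_transcript
}

# verdict <ipv4_status> <ipv6_status>: interpret the pair of results.
verdict() {
    case "$1:$2" in
        2??:2??) echo "ok-on-both" ;;
        2??:403) echo "403-over-ipv6-only" ;;
        403:2??) echo "403-over-ipv4-only" ;;
        403:403) echo "403-on-both" ;;
        2??:000) echo "ipv4-ok-ipv6-unreachable" ;;
        403:000) echo "403-over-ipv4-ipv6-unreachable" ;;
        *)       echo "inconclusive" ;;
    esac
}

# compare_samples: run the same logic over the constructed samples (offline).
compare_samples() {
    v4=$(printf '%s\n' "$SAMPLE_V4" | summarize_transcript)
    v6=$(printf '%s\n' "$SAMPLE_V6" | summarize_transcript)
    verdict "${v4#* }" "${v6#* }"
}
```

On an affected host, `probe 4` and `probe 6` give the live values to pass to `verdict`. When the result is `403-over-ipv6-only`, forcing IPv4 for the affected client (`curl -4`, or `Acquire::ForceIPv4 "true";` in an apt configuration file) is a narrower change than turning IPv6 off for the whole system.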

Hey deadduck169,

 

No sweat—let's get that IP unblocked. First off, check your server's firewall rules to ensure they're not causing the hiccup. Confirm the block using tools like "ipinfo.io" or chat up Hetzner support for a quick check.

 

Now, head into your Google Cloud Console, hit up the firewall settings, and scan for your server's IP. If it's there, boot it out. Still stuck? Time to call in the big guns—reach out to Google Cloud Support through the Console's "Support" section. They'll walk you through untangling the mess.

 

For good measure, eyeball your server and GCP access logs to sniff out anything fishy. Oh, and don't forget Hetzner's firewall—make sure it's not playing gatekeeper. I took help from triotech systems they were amazing!

 

Give it a bit to settle, and you should be back in business!

 

Cheers,
Rehes 

Also check this link: https://serverfault.com/questions/997075/company-public-ip-is-being-blocked-by-google-cloud-platform



I have already changed my server's IP address, so I am unable to try this solution. Can anyone else validate if this solution works for them? I'm pretty sure it wasn't the firewall on my server since it immediately started working when I assigned a new IP, and it wouldn't make sense for Hetzner to block certain external IPs when originating from some of their IPs but not all.

In my scenario I had a fresh VPS instance with no firewall enabled, so I don't think the firewall was an issue for me.

Hey @deadduck169,

No worries, I get it. Changing the server's IP was a smart move on your end. It's odd that it started working right away, but sometimes these things can be a bit quirky.

 

If anyone else tries out the solution, feel free to share your experience here. We're a community, after all, and your insights could help someone else down the line.

 

By the way, good call on checking Hetzner's end too. It's always good to rule out all possibilities. If you run into any more snags or if others have suggestions, keep us posted. We've got your back!

 

Thanks!