automatic HardReboot if Firewall was started


Fabian
01/07/2015, 10h13
Hi,

Your firewall will block our monitoring.
You have two possibilities:
- leave monitoring disabled, but then there is no detection of server availability on our side anymore
- before reactivating monitoring in your control panel, whitelist in your firewall the IPs listed on http://help.ovh.co.uk/firewall

Regards,
Fabian

KLPsAUGER
01/07/2015, 09h30
Hi @ all !!!

If I start my firewall in the terminal, my server does an automatic HardReboot after a few minutes. I don't understand why my server does an automatic HardReboot. If I don't start the firewall on my server, then the server runs without a HardReboot and causes no problems.

Here my firewall config...

Code:
#!/bin/sh

########################################################
#                        VARS                           #
########################################################

SERVER_IP="XXX.XXX.XXX.XX"
NET_DEV="eth0"
IPT="/sbin/iptables"
MAX_NEW_PER_SECOND="10"

# Ports to open
# Example: TCP_OPEN="80 443 15400"
TCP_OPEN="XXXX XXXX XXXX XXXX"
UDP_OPEN="XXXX"

# Good and bad VPNs
# GW tuns are meant as VPN gateway for incoming clients that also want to reach the internet.
# NICE tuns see all other VPN clients, as far as OpenVPN is configured to allow that.
# JAIL tuns only see the server and themselves.
# Example: OPENVPN_TUN_GW="tun0 tun1 tun2 tun45"
OPENVPN_TUN_GW=""
OPENVPN_TUN_NICE="tun0"
OPENVPN_TUN_JAIL=""

# Port forwarding !! TCP ONLY !!
# Example: 24024:10.8.5.10:15313 or 24025:10.8.5.10:24025
# 24024 is redirected to port 15313 on 10.8.5.10
FORWARD_PORTS=""

# Output
# If this is empty, output is allowed to everyone
# Example: OUTPUT_ALLOWED="47.12.11.53 81.57.112.3"
OUTPUT_ALLOWED=""

#
#     IPs or hostnames, separated by spaces, that get DROPped
#
BADGUYS_IP=""
BADGUYS_HOSTNAME=""

#########################################################
#                                                        #
#########################################################

#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!##
#####    ALWAYS KEEP THIS ENABLED WHEN TESTING NEW SETTINGS!!!!!
#####    During the first 5 minutes after a reboot the firewall cannot be started.
[ "$(awk '{print int($1)}' /proc/uptime)" -lt 300 ] && exit 0
#####    THIS PREVENTS THE FW FROM STARTING AT BOOT !!!!!
#####    If you lock yourself out, you are screwed !!!!!
###!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!##

basement () {
    # Mr. Clean: flush all rules and delete user-defined chains
    $IPT -F
    $IPT -X
    # Nobody gets in by default: default policy DROP on every chain
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback may of course do anything
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Allow outgoing traffic: either only to the listed hosts (plus DNS), or to everyone
    if [ -n "$OUTPUT_ALLOWED" ];then
        $IPT -A OUTPUT -d 8.8.8.8 -j ACCEPT
        $IPT -A OUTPUT -d 8.8.4.4 -j ACCEPT
        $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        for host in $OUTPUT_ALLOWED;do
            $IPT -A OUTPUT -p udp -d $host -j ACCEPT
            $IPT -A OUTPUT -p tcp -d $host -j ACCEPT
            $IPT -A INPUT -d $host -j ACCEPT
            $IPT -A FORWARD -d $host -j ACCEPT
        done
    else
        $IPT -A OUTPUT -o $NET_DEV -j ACCEPT
    fi
    # Note: nothing in this script accepts ICMP from the outside, so echo-requests
    # (pings) from other hosts end up in the final DROP rule of start_fw.
}

ratelimit_all () {
    # Replies to existing connections are always accepted; a source that opens
    # more than $MAX_NEW_PER_SECOND new connections within 3 seconds is dropped
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p udp -m udp --dport 0:65535 -m state --state NEW -m recent --set --name UDP --rsource
    $IPT -A INPUT -p udp -m udp --dport 0:65535 -m state --state NEW -m recent --update --seconds 3 --hitcount $MAX_NEW_PER_SECOND --name UDP --rsource -j DROP
    $IPT -A INPUT -p tcp -m tcp --dport 0:65535 -m state --state NEW -m recent --set --name TCP --rsource
    $IPT -A INPUT -p tcp -m tcp --dport 0:65535 -m state --state NEW -m recent --update --seconds 3 --hitcount $MAX_NEW_PER_SECOND --rttl --name TCP --rsource -j DROP
}

allow_all_tun () {
    # NICE tuns: full in/out and forwarding between clients
    for tun in $OPENVPN_TUN_NICE;do
        $IPT -A INPUT -i $tun -j ACCEPT
        $IPT -A OUTPUT -o $tun -j ACCEPT
        #$IPT -A FORWARD -i $tun -o tun+ -j ACCEPT
        $IPT -A FORWARD -i $tun -j ACCEPT
    done
    # JAIL tuns: may talk to the server only, no forwarding
    for tun in $OPENVPN_TUN_JAIL;do
        $IPT -A INPUT -i $tun -j ACCEPT
        $IPT -A OUTPUT -o $tun -j ACCEPT
        $IPT -A FORWARD -i $tun -j DROP
    done
}

open_ports () {
    if [ -n "$TCP_OPEN" ];then
        for port in $TCP_OPEN;do
            $IPT -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
            $IPT -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport $port --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
            # At most 5 parallel connections per source on each open port
            $IPT -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above 5 -j DROP
        done
    fi
    if [ -n "$UDP_OPEN" ];then
        for port in $UDP_OPEN;do
            $IPT -A INPUT -p udp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
            $IPT -A OUTPUT -p udp -s $SERVER_IP -d 0/0 --sport $port --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
            #$IPT -A INPUT -p udp --syn --dport $port -m connlimit --connlimit-above 5 -j DROP
        done
    fi
}

forward_ports () {
    # Each entry has the form SRC_PORT:TARGET_IP:DST_PORT
    for string in $FORWARD_PORTS; do
        src_p=$(echo $string | tr ":" " " | awk '{print $1}')
        dst_p=$(echo $string | tr ":" " " | awk '{print $3}')
        target=$(echo $string | tr ":" " " | awk '{print $2}')
        $IPT -t nat -A PREROUTING -p tcp -i $NET_DEV --dport $src_p -j DNAT --to-destination $target:$dst_p
        $IPT -A FORWARD -p tcp -d $target --dport $dst_p -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
}

gw_vpn () {
    # Loop over the interfaces: a space-separated list cannot be passed to -i directly
    if [ -n "$OPENVPN_TUN_GW" ];then
        for tun in $OPENVPN_TUN_GW;do
            $IPT -A INPUT -i $tun -j ACCEPT
            $IPT -A FORWARD -i $tun -j ACCEPT
            $IPT -A FORWARD -i $tun -o $NET_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
            $IPT -A FORWARD -i $NET_DEV -o $tun -m state --state RELATED,ESTABLISHED -j ACCEPT
        done
        # NAT the VPN subnet out through the public interface
        $IPT -t nat -A POSTROUTING -s XX.X.X.X/24 -o $NET_DEV -j MASQUERADE
    fi
}

bad_guys () {
    if [ -n "$BADGUYS_IP" ];then
        for ip in $BADGUYS_IP;do
            $IPT -A INPUT -s $ip -j DROP
        done
    fi
    if [ -n "$BADGUYS_HOSTNAME" ];then
        for host in $BADGUYS_HOSTNAME;do
            # Resolve the hostname and drop the last address nslookup reports
            ip=$(nslookup $host | grep "Address:" | tail -1 | awk '{print $2}')
            $IPT -A INPUT -s $ip -j DROP
        done
    fi
}

stop_fw () {
    # Mr. Clean: flush every table and reset all policies to ACCEPT
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

start_fw () {
    basement                # DROP ALL / re-enable OUT & LO
    bad_guys
    ratelimit_all           # ANTI SYN
    open_ports
    allow_all_tun           # forwarding and in/out rules for OpenVPN
    gw_vpn
    forward_ports
    # Shut up: always the last block
    $IPT -A INPUT -j DROP
    $IPT -A OUTPUT -j DROP
    $IPT -P FORWARD DROP
}

case $1 in
    start)
        start_fw
        ;;
    stop)
        stop_fw
        ;;
    status)
        clear
        $IPT -L -v -n
        ;;
    reload)
        stop_fw
        start_fw
        ;;
    restart|force-reload)
        stop_fw
        start_fw
        ;;
    *)
        echo "Usage: $0 {start|stop|status|reload|restart|force-reload}" >&2
        exit 1
        ;;
esac

I made my IP addresses and ports unrecognizable with "X".



Here is some info from my SYSLOG...

Jun 28 22:17:01 ns310577 /USR/SBIN/CRON[12946]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Jun 28 22:35:30 ns310577 kernel: [24672.668552] ip_tables: (C) 2000-2006 Netfilter Core Team
Jun 28 22:35:30 ns310577 kernel: [24672.731136] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
Jun 28 23:15:17 ns310577 kernel: [27053.030564] e1000e: eth0 NIC Link is Down
Jun 28 23:15:19 ns310577 kernel: [27054.777231] e1000e: eth0 NIC Link is Up 100 Mbps Full Duplex, Flow Control: None
Jun 28 23:15:19 ns310577 kernel: [27054.777237] e1000e 0000:00:19.0: eth0: 10/100 speed: disabling TSO


If I type "iptables -L" in the terminal, it looks like this...

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


I hope somebody can help me and find my problem...



Regards,
KLPsAUGER
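
The whitelist step from Fabian's reply, applied to the script above, as an added example that is not part of the thread or of OVH's documentation: it inserts accept rules for the monitoring hosts ahead of the script's catch-all DROP rules, so the provider's pings and port checks are answered even while everything else is filtered. The addresses in MONITORING_IPS are constructed placeholders from the documentation ranges; the real list has to be taken from the page linked in the reply. The dry-run helper prints the rules instead of applying them, which lets you review the result before touching a remote box you could lock yourself out of.

```shell
#!/bin/sh
# Added example: whitelist monitoring hosts in front of a default-DROP iptables
# ruleset. Not from the original post. MONITORING_IPS holds constructed
# placeholder addresses (TEST-NET ranges); replace them with the provider's list.
MONITORING_IPS="${MONITORING_IPS:-192.0.2.10 198.51.100.20/32}"
IPT="${IPT:-/sbin/iptables}"
NET_DEV="${NET_DEV:-eth0}"

# Insert (-I) the rules at the top of INPUT and OUTPUT, so they match before the
# rate limiting, connlimit and final DROP rules of the posted script.
allow_monitoring () {
    for host in $MONITORING_IPS; do
        # ICMP echo-request in, echo-reply out (availability pings)
        $IPT -I INPUT  -i "$NET_DEV" -s "$host" -p icmp --icmp-type echo-request -j ACCEPT
        $IPT -I OUTPUT -o "$NET_DEV" -d "$host" -p icmp --icmp-type echo-reply -j ACCEPT
        # TCP/UDP service checks from the monitoring host; replies via conntrack
        $IPT -I INPUT  -i "$NET_DEV" -s "$host" -j ACCEPT
        $IPT -I OUTPUT -o "$NET_DEV" -d "$host" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# Dry run: print the iptables command lines instead of executing them.
# Runs in a subshell so the real $IPT is untouched afterwards.
dry_run_monitoring () {
    ( IPT="echo iptables"; allow_monitoring )
}

# Number of rules the dry run would add (4 per whitelisted host).
count_monitoring_rules () {
    dry_run_monitoring | grep -c '^iptables -I'
}

# Returns 0 if the given address is in the whitelist, 1 otherwise; use it to
# check that the list you pasted really contains the host you expect.
is_whitelisted () {
    for host in $MONITORING_IPS; do
        [ "$host" = "$1" ] && return 0
    done
    return 1
}

# Usage when run directly: review the rules first, then apply with
#   MONITORING_IPS="<real list>" ./allow_monitoring.sh apply
case "${1:-dry-run}" in
    apply)   allow_monitoring ;;
    dry-run) dry_run_monitoring ;;
esac
```

To integrate it into the posted script, call allow_monitoring from start_fw right after basement (then -A would also do, since nothing has been appended yet) and keep it in place when the firewall is reloaded; monitoring is only re-enabled in the control panel once these rules are active.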