HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


satimis 28th September 2007 18:31

System fails to shutdown after starting firewall rules
 
Hi folks,


Ubuntu 7.04 server amd64 - Host OS
VMware
one NIC


After adding the following script to /etc/rc.local
Code:

#
# INPUT
#

# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d MGMT_NIC_IP -m state --state RELATED,ESTABLISHED

# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 22

# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8222

# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8333

# allow all VMware Authorization Daemon traffic to the management
# interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 902

# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d MGMT_NIC_IP --reject-with icmp-port-unreachable


#
# OUTPUT
#

# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s MGMT_NIC_IP -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s MGMT_NIC_IP -p UDP --destination-port 53

# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# reject all other traffic from the management interface NIC
iptables -I OUTPUT 4 -j REJECT -s MGMT_NIC_IP --reject-with icmp-port-unreachable

MGMT_NIC_IP = fixed IP address assigned by ISP.

and running:

sudo /etc/init.d/rc.local start
No complaint.

The Internet can be reached.


$ sudo iptables -nvL
Code:

Chain INPUT (policy ACCEPT 2652 packets, 2244K bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    0    --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx    state RELATED,ESTABLISHED
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx    tcp dpt:22
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx    tcp dpt:8222
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx    tcp dpt:8333
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx    tcp dpt:902
    0    0 REJECT    0    --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx    reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 2355 packets, 393K bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    0    --  *      *      xxx.xxx.xxx.xxx      0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 ACCEPT    udp  --  *      *      xxx.xxx.xxx.xxx      0.0.0.0/0          udp dpt:53
    0    0 REJECT    0    --  *      *      127.0.0.1            0.0.0.0/0          reject-with icmp-port-unreachable
    0    0 REJECT    0    --  *      *      xxx.xxx.xxx.xxx    0.0.0.0/0          reject-with icmp-port-unreachable

But on turning off the PC, running:
$ sudo shutdown -h now
Code:

.....
Stopping MySQL database server mysqld    [OK]
Shutting down ALSA    [OK]
Stopping domain name service bind    [OK]

It hung here. I have to turn off the PC manually. I suspect it is caused by the script.


Any advice? TIA

B.R.
satimis

falko 29th September 2007 13:29

Quote:

Originally Posted by satimis
Hi folks,


Ubuntu 7.04 server amd64 - Host OS
VMware
one NIC


After adding the following script to /etc/rc.local
Code:

#
# INPUT
#

# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d MGMT_NIC_IP -m state --state RELATED,ESTABLISHED

# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 22

# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8222

# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8333

# allow all VMware Authorization Daemon traffic to the management
# interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 902

# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d MGMT_NIC_IP --reject-with icmp-port-unreachable


#
# OUTPUT
#

# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s MGMT_NIC_IP -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s MGMT_NIC_IP -p UDP --destination-port 53

# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# reject all other traffic from the management interface NIC
iptables -I OUTPUT 4 -j REJECT -s MGMT_NIC_IP --reject-with icmp-port-unreachable

MGMT_NIC_IP = fixed IP address assigned by ISP.

I think it's better to put this into /etc/network/if-up.d/iptables. Make the script executable:
Code:

chmod 755 /etc/network/if-up.d/iptables
It should then be executed whenever your network comes up.

satimis 29th September 2007 19:24

Quote:

Originally Posted by falko
I think it's better to put this into /etc/network/if-up.d/iptables. Make the script executable:
Code:

chmod 755 /etc/network/if-up.d/iptables
It should then be executed whenever your network comes up.

Thanks for your advice.

Can I just put the following in /etc/network/if-up.d/iptables?
Code:

#! /bin/sh

exec /etc/init.d/rc.local

Then "chmod 755 /etc/network/if-up.d/iptables"


Previously I made a mistake. "Stopping domain name service bind" did not hang there permanently. It hung there for some time. After [Fail] (in red colour) popped up, the shutdown procedure continued and the PC finally turned off.

Please advise where I should check. TIA



B.R.
satimis

satimis 30th September 2007 05:47

Hi falko,


I found something new which I can't resolve.

Performed steps as per your advice and rebooted the server.

$ sudo iptables -nvL
Code:

Chain INPUT (policy ACCEPT 947 packets, 936K bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    0    --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      state RELATED,ESTABLISHED
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:22
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8222
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8333
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:902
    0    0 REJECT    0    --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 810 packets, 163K bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    0    --  *      *      xxx.xxx.xxx.xxx      0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 ACCEPT    udp  --  *      *      xxx.xxx.xxx.xxx      0.0.0.0/0          udp dpt:53
    0    0 REJECT    0    --  *      *      127.0.0.1            0.0.0.0/0          reject-with icmp-port-unreachable
    0    0 REJECT    0    --  *      *      xxx.xxx.xxx.xxx      0.0.0.0/0          reject-with icmp-port-unreachable


Then

$ sudo /etc/init.d/rc.local stop
$ sudo /etc/init.d/rc.local start
Code:

* Running local boot scripts (/etc/rc.local)
  ...done.

$ sudo iptables -nvL
Code:

Chain INPUT (policy ACCEPT 955 packets, 936K bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    0    --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      state RELATED,ESTABLISHED
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:22
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8222
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8333
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:902
    0    0 REJECT    0    --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      reject-with icmp-port-unreachable
    0    0 ACCEPT    0    --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      state RELATED,ESTABLISHED
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:22
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8222
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8333
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:902
    0    0 REJECT    0    --  *      *      0.0.0.0/0            xxx.xxx.xxx.xxx      reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 817 packets, 163K bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    0    --  *      *      xxx.xxx.xxx.xxx      0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 ACCEPT    udp  --  *      *      xxx.xxx.xxx.xxx      0.0.0.0/0          udp dpt:53
    0    0 REJECT    0    --  *      *      127.0.0.1            0.0.0.0/0          reject-with icmp-port-unreachable
    0    0 REJECT    0    --  *      *      xxx.xxx.xxx.xxx      0.0.0.0/0          reject-with icmp-port-unreachable
    0    0 ACCEPT    0    --  *      *      xxx.xxx.xxx.xxx      0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 ACCEPT    udp  --  *      *      xxx.xxx.xxx.xxx      0.0.0.0/0          udp dpt:53
    0    0 REJECT    0    --  *      *      127.0.0.1            0.0.0.0/0          reject-with icmp-port-unreachable
    0    0 REJECT    0    --  *      *      xxx.xxx.xxx.xxx      0.0.0.0/0          reject-with icmp-port-unreachable

The output looks different.

Any advice? TIA


satimis
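
The duplicated rules in the listing above come from running the rule set twice: every `iptables -I` inserts a fresh copy, nothing removes the old ones. As an added example (not satimis's or falko's script), here is an /etc/network/if-up.d/iptables-style script that flushes the INPUT and OUTPUT chains before appending the same rules, so re-running it leaves exactly one copy of each rule. It also accepts loopback traffic explicitly, which the thread's script does not (its OUTPUT rule 3 rejects everything sourced from 127.0.0.1, including local services talking to each other). The MGMT_IP value is a constructed placeholder for the host's fixed address; the IPT variable lets the rule text be generated and inspected without root.

```shell
#!/bin/sh
# Idempotent firewall script: flush, then append in order.
# MGMT_IP is a constructed placeholder; set it to the real fixed address.
MGMT_IP="${MGMT_IP:-192.0.2.10}"
IPT="${IPT:-iptables}"

# Emit the complete rule set as command lines, one per line. Generating
# text first lets the set be reviewed (or tested) before it is applied.
build_rules() {
    ip="$1"
    cat <<EOF
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -d $ip -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -d $ip -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -d $ip -p tcp --dport 8222 -j ACCEPT
$IPT -A INPUT -d $ip -p tcp --dport 8333 -j ACCEPT
$IPT -A INPUT -d $ip -p tcp --dport 902 -j ACCEPT
$IPT -A INPUT -d $ip -j REJECT --reject-with icmp-port-unreachable
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -s $ip -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -s $ip -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -s 127.0.0.1 -j REJECT --reject-with icmp-port-unreachable
$IPT -A OUTPUT -s $ip -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Number of rules appended to one chain; the flush lines are not counted.
# Because the set is flushed and rebuilt, this is also the rule count the
# chain will show after any number of runs.
count_chain_rules() {
    build_rules "$1" | grep -c " -A $2 "
}

# Execute the generated commands; stop at the first failing one.
apply_rules() {
    build_rules "$1" | while read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Only touch the kernel when explicitly asked: ./iptables apply
if [ "${1:-}" = "apply" ]; then
    apply_rules "$MGMT_IP"
fi
```

Run `sh /etc/network/if-up.d/iptables apply` as root from if-up.d (or by hand) as many times as you like; `iptables -nvL` will show each rule once.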

falko 30th September 2007 20:53

Quote:

Originally Posted by satimis
Can I just put the following in /etc/network/if-up.d/iptables?
Code:

#! /bin/sh

exec /etc/init.d/rc.local

Then "chmod 755 /etc/network/if-up.d/iptables"

I wouldn't do it. Please try what I suggested.

