HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials - System fails to shutdown after starting firewall rules

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)

- Server Operation (http://www.howtoforge.com/forums/forumdisplay.php?f=5)

- - System fails to shutdown after starting firewall rules (http://www.howtoforge.com/forums/showthread.php?t=15852)

System fails to shutdown after starting firewall rules

Hi folks,

Ubuntu 7.04 server amd64 - Host OS
VMware
one NIC

After adding following script on /etc/rc.local

Code:

#

# INPUT

#



# allow all incoming traffic from the management interface NIC

# as long as it is a part of an established connection

iptables -I INPUT 1 -j ACCEPT -d MGMT_NIC_IP -m state --state

RELATED,ESTABLISHED



# allow all ssh traffic to the management interface NIC

iptables -I INPUT 2 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 22



# allow all VMware MUI HTTP traffic to the management interface NIC

iptables -I INPUT 3 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8222



# allow all VMware MUI HTTPS traffic to the management interface NIC

iptables -I INPUT 4 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8333



# allow all VMware Authorization Daemon traffic to the management

interface NIC

iptables -I INPUT 5 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 902



# reject all other traffic to the management interface NIC

iptables -I INPUT 6 -j REJECT -d MGMT_NIC_IP --reject-with

icmp-port-unreachable





#

# OUTPUT

#



# allow all outgoing traffic from the management interface NIC

# if it is a part of an established connection

iptables -I OUTPUT 1 -j ACCEPT -s MGMT_NIC_IP -m state --state

RELATED,ESTABLISHED



# allow all DNS queries from the management interface NIC

iptables -I OUTPUT 2 -j ACCEPT -s MGMT_NIC_IP -p UDP --destination-port 53



# reject all other traffic from localhost

iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with

icmp-port-unreachable



# reject all other traffic from the management interface NIC

iptables -I OUTPUT 4 -j REJECT -s MGMT_NIC_IP --reject-with

icmp-port-unreachable

MGMT_NIC-IP = fixed IP address assigned by ISP.

and running;

sudo /etc/init.d/rc.local start
No complaint.

Internet can be connected.

$ sudo iptables -nvL

Code:

Chain INPUT (policy ACCEPT 2652 packets, 2244K bytes)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 ACCEPT     0    --  *      *       0.0.0.0/0             xxx.xxx.xxx.xxx     state RELATED,ESTABLISHED 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx     tcp dpt:22 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx     tcp dpt:8222 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx     tcp dpt:8333 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx     tcp dpt:902 

    0     0 REJECT     0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx    reject-with icmp-port-unreachable 



Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain OUTPUT (policy ACCEPT 2355 packets, 393K bytes)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 ACCEPT     0    --  *      *       xxx.xxx.xxx.xxx      0.0.0.0/0           state RELATED,ESTABLISHED 

    0     0 ACCEPT     udp  --  *      *       xxx.xxx.xxx.xxx      0.0.0.0/0           udp dpt:53 

    0     0 REJECT     0    --  *      *       127.0.0.1            0.0.0.0/0           reject-with icmp-port-unreachable 

    0     0 REJECT     0    --  *      *       xxx.xxx.xxx.xxx     0.0.0.0/0           reject-with icmp-port-unreachable

But on turning off the PC running;
$ sudo shutdown -h now

Code:

.....

Stopping MySQL database serverice mysqld     [OK]

Shutting donw ALSA    [OK]

Stopping domain name service bind    [OK]

It hung here. I have to turn off the PC manually. I suspect it is caused by the script.

Any advice? TIA

B.R.
satimis

Quote:

Originally Posted by satimis

Hi folks,

Ubuntu 7.04 server amd64 - Host OS
VMware
one NIC

After adding following script on /etc/rc.local

Code:

#

# INPUT

#



# allow all incoming traffic from the management interface NIC

# as long as it is a part of an established connection

iptables -I INPUT 1 -j ACCEPT -d MGMT_NIC_IP -m state --state

RELATED,ESTABLISHED



# allow all ssh traffic to the management interface NIC

iptables -I INPUT 2 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 22



# allow all VMware MUI HTTP traffic to the management interface NIC

iptables -I INPUT 3 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8222



# allow all VMware MUI HTTPS traffic to the management interface NIC

iptables -I INPUT 4 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8333



# allow all VMware Authorization Daemon traffic to the management

interface NIC

iptables -I INPUT 5 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 902



# reject all other traffic to the management interface NIC

iptables -I INPUT 6 -j REJECT -d MGMT_NIC_IP --reject-with

icmp-port-unreachable





#

# OUTPUT

#



# allow all outgoing traffic from the management interface NIC

# if it is a part of an established connection

iptables -I OUTPUT 1 -j ACCEPT -s MGMT_NIC_IP -m state --state

RELATED,ESTABLISHED



# allow all DNS queries from the management interface NIC

iptables -I OUTPUT 2 -j ACCEPT -s MGMT_NIC_IP -p UDP --destination-port 53



# reject all other traffic from localhost

iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with

icmp-port-unreachable



# reject all other traffic from the management interface NIC

iptables -I OUTPUT 4 -j REJECT -s MGMT_NIC_IP --reject-with

icmp-port-unreachable

MGMT_NIC-IP = fixed IP address assigned by ISP.

I think it's better to put this into /etc/network/if-up.d/iptables. Make the script executable:

Code:

chmod 755 /etc/network/if-up.d/iptables

It should then be executed whenever your network comes up.

Quote:

Originally Posted by falko

I think it's better to put this into /etc/network/if-up.d/iptables. Make the script executable:

Code:

chmod 755 /etc/network/if-up.d/iptables

It should then be executed whenever your network comes up.

Tks for your advice.

Can I just put follow on /etc/network/if-up.d/iptables?

Code:

#! /bin/sh



exec /etc/init.d/rc.local

Then "chmod 755 /etc/network/if-up.d/iptables"

Previously I made a mistake. "Stopping domain name service bind " did not hang there permanently. It hung there for sometimes. After [Fail] (in red colour) popup shutdown procedure continued with PC turned off finally.

Please advise where shall I check. TIA

satimis

B.R.
satimis

Hi falko,

I found something new which I can't resolved.

Performed steps as per your advice and rebooted the server.

$ sudo iptables -nvL

Code:

Chain INPUT (policy ACCEPT 947 packets, 936K bytes)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      state RELATED,ESTABLISHED 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:22 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8222 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8333 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:902 

    0     0 REJECT     0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      reject-with icmp-port-unreachable 



Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain OUTPUT (policy ACCEPT 810 packets, 163K bytes)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 ACCEPT     0    --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           state RELATED,ESTABLISHED 

    0     0 ACCEPT     udp  --  *      *      xxx.xxx.xxx.xxx       0.0.0.0/0           udp dpt:53 

    0     0 REJECT     0    --  *      *       127.0.0.1            0.0.0.0/0           reject-with icmp-port-unreachable 

    0     0 REJECT     0    --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           reject-with icmp-port-unreachable

Then

$ sudo /etc/init.d/rc.local stop
$ sudo /etc/init.d/rc.local start

Code:

 * Running local boot scripts (/etc/rc.local)

   ...done.

$ sudo iptables -nvL

Code:

Chain INPUT (policy ACCEPT 955 packets, 936K bytes)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      state RELATED,ESTABLISHED 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:22 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8222 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8333 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:902 

    0     0 REJECT     0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      reject-with icmp-port-unreachable

    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      state RELATED,ESTABLISHED 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:22 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8222 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8333 

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:902 

    0     0 REJECT     0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      reject-with icmp-port-unreachable



Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain OUTPUT (policy ACCEPT 817 packets, 163K bytes)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 ACCEPT     0    --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           state RELATED,ESTABLISHED 

    0     0 ACCEPT     udp  --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           udp dpt:53 

    0     0 REJECT     0    --  *      *       127.0.0.1            0.0.0.0/0           reject-with icmp-port-unreachable

    0     0 REJECT     0    --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           reject-with icmp-port-unreachable

    0     0 ACCEPT     0    --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           state RELATED,ESTABLISHED 

    0     0 ACCEPT     udp  --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           udp dpt:53 

    0     0 REJECT     0    --  *      *       127.0.0.1            0.0.0.0/0           reject-with icmp-port-unreachable

    0     0 REJECT     0    --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           reject-with icmp-port-unreachable

The output looks different.

Any advice. TIA

satimis

Quote:

Originally Posted by satimis

Can I just put follow on /etc/network/if-up.d/iptables?

Code:

#! /bin/sh



exec /etc/init.d/rc.local

Then "chmod 755 /etc/network/if-up.d/iptables"

I wouldn't do it. Please try what I suggested.