#1
28th September 2007, 17:31
satimis
Senior Member
Join Date: Oct 2006
Posts: 533
Thanks: 4
Thanked 2 Times in 2 Posts
System fails to shutdown after starting firewall rules

Hi folks,


Ubuntu 7.04 server amd64 - Host OS
VMware
one NIC


After adding the following script to /etc/rc.local
Code:
#
# INPUT
#

# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d MGMT_NIC_IP -m state --state RELATED,ESTABLISHED

# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 22

# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8222

# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8333

# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 902

# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d MGMT_NIC_IP --reject-with icmp-port-unreachable


#
# OUTPUT
#

# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s MGMT_NIC_IP -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s MGMT_NIC_IP -p UDP --destination-port 53

# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# reject all other traffic from the management interface NIC
iptables -I OUTPUT 4 -j REJECT -s MGMT_NIC_IP --reject-with icmp-port-unreachable
MGMT_NIC_IP = fixed IP address assigned by ISP.

and running:

sudo /etc/init.d/rc.local start

No complaint.

The Internet can be connected.

$ sudo iptables -nvL
Code:
Chain INPUT (policy ACCEPT 2652 packets, 2244K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0             xxx.xxx.xxx.xxx     state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx     tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx     tcp dpt:8222 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx     tcp dpt:8333 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx     tcp dpt:902 
    0     0 REJECT     0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx    reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2355 packets, 393K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       xxx.xxx.xxx.xxx      0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  *      *       xxx.xxx.xxx.xxx      0.0.0.0/0           udp dpt:53 
    0     0 REJECT     0    --  *      *       127.0.0.1            0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     0    --  *      *       xxx.xxx.xxx.xxx     0.0.0.0/0           reject-with icmp-port-unreachable
But on turning off the PC by running:
$ sudo shutdown -h now
Code:
.....
Stopping MySQL database serverice mysqld     [OK]
Shutting donw ALSA    [OK]
Stopping domain name service bind    [OK]
It hung here. I had to turn off the PC manually. I suspect it is caused by the script.


Any advice? TIA

B.R.
satimis
#2
29th September 2007, 12:29
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,721 Times in 2,562 Posts

Quote:
Originally Posted by satimis
After adding the following script to /etc/rc.local
I think it's better to put this into /etc/network/if-up.d/iptables. Make the script executable:
Code:
chmod 755 /etc/network/if-up.d/iptables
It should then be executed whenever your network comes up.
Falko
#3
29th September 2007, 18:24
satimis
Senior Member
Join Date: Oct 2006
Posts: 533
Thanks: 4
Thanked 2 Times in 2 Posts

Quote:
Originally Posted by falko
I think it's better to put this into /etc/network/if-up.d/iptables. Make the script executable:
Code:
chmod 755 /etc/network/if-up.d/iptables
It should then be executed whenever your network comes up.
Thanks for your advice.

Can I just put the following in /etc/network/if-up.d/iptables?
Code:
#! /bin/sh

exec /etc/init.d/rc.local
Then "chmod 755 /etc/network/if-up.d/iptables"


Previously I made a mistake. "Stopping domain name service bind" did not hang there permanently. It hung there for some time. After [Fail] (in red colour) popped up, the shutdown procedure continued and the PC was finally turned off.

Please advise where I should check. TIA


B.R.
satimis
#4
30th September 2007, 04:47
satimis
Senior Member
Join Date: Oct 2006
Posts: 533
Thanks: 4
Thanked 2 Times in 2 Posts

Hi falko,


I found something new which I can't resolve.

I performed the steps as per your advice and rebooted the server.

$ sudo iptables -nvL
Code:
Chain INPUT (policy ACCEPT 947 packets, 936K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8222 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8333 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:902 
    0     0 REJECT     0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 810 packets, 163K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  *      *      xxx.xxx.xxx.xxx       0.0.0.0/0           udp dpt:53 
    0     0 REJECT     0    --  *      *       127.0.0.1            0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     0    --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           reject-with icmp-port-unreachable

Then

$ sudo /etc/init.d/rc.local stop
$ sudo /etc/init.d/rc.local start
Code:
 * Running local boot scripts (/etc/rc.local)
   ...done.
$ sudo iptables -nvL
Code:
Chain INPUT (policy ACCEPT 955 packets, 936K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8222 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8333 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:902 
    0     0 REJECT     0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      reject-with icmp-port-unreachable
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8222 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:8333 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:902 
    0     0 REJECT     0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 817 packets, 163K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           udp dpt:53 
    0     0 REJECT     0    --  *      *       127.0.0.1            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     0    --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     0    --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           udp dpt:53 
    0     0 REJECT     0    --  *      *       127.0.0.1            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     0    --  *      *       xxx.xxx.xxx.xxx       0.0.0.0/0           reject-with icmp-port-unreachable
The output looks different.

Any advice? TIA


satimis

Last edited by satimis; 30th September 2007 at 04:52.
#5
30th September 2007, 19:53
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,721 Times in 2,562 Posts

Quote:
Originally Posted by satimis
Can I just put follow on /etc/network/if-up.d/iptables?
Code:
#! /bin/sh

exec /etc/init.d/rc.local
Then "chmod 755 /etc/network/if-up.d/iptables"
I wouldn't do it. Please try what I suggested.
Falko
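An added example, not code from the thread: the rule set from post #1 rewritten as an idempotent /etc/network/if-up.d/ hook of the kind falko recommends. It flushes INPUT and OUTPUT before loading, so re-running it cannot duplicate the rules the way a second "rc.local start" did in post #4; the two loopback ACCEPT lines and the placeholder address 203.0.113.10 are my assumptions, and whether rejected loopback traffic is what stalls the bind shutdown is not established by the thread.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent loader for the rule set
# above, as an /etc/network/if-up.d/ hook. ifupdown runs hooks with
# MODE=start and IFACE set; to preview the commands by hand:
#   MODE=start IFACE=eth0 IPTABLES=echo sh /etc/network/if-up.d/iptables
# Remove the rules from /etc/rc.local once this is in place, otherwise
# both scripts load them.

MGMT_NIC_IP="${MGMT_NIC_IP:-203.0.113.10}"  # placeholder: the ISP-assigned address
IPTABLES="${IPTABLES:-iptables}"            # set to "echo" for a dry run

# One iptables argument list per line. Flushing first is what makes the
# script safe to re-run: in post #4 a second "rc.local start" inserted every
# rule again, so each one showed up twice.
# The two lo rules are an assumption, not part of the original set: local
# daemons (rndc talking to bind, mysql clients) use 127.0.0.1, and the
# original OUTPUT rule rejects anything from 127.0.0.1 that is not already
# ESTABLISHED, so an explicit lo ACCEPT is placed ahead of it.
rule_commands() {
    cat <<EOF
-F INPUT
-F OUTPUT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -d $MGMT_NIC_IP -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d $MGMT_NIC_IP -p tcp --dport 22 -j ACCEPT
-A INPUT -d $MGMT_NIC_IP -p tcp --dport 8222 -j ACCEPT
-A INPUT -d $MGMT_NIC_IP -p tcp --dport 8333 -j ACCEPT
-A INPUT -d $MGMT_NIC_IP -p tcp --dport 902 -j ACCEPT
-A INPUT -d $MGMT_NIC_IP -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s $MGMT_NIC_IP -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s $MGMT_NIC_IP -p udp --dport 53 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s $MGMT_NIC_IP -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Feed each line to iptables; -A after -F gives the same order as -I 1..6.
apply_rules() {
    rule_commands | while read -r args; do
        $IPTABLES $args || return 1
    done
}

# Only act when ifupdown is bringing a real interface up.
if [ "${MODE:-}" = start ] && [ "${IFACE:-}" != lo ]; then
    apply_rules
fi
```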