OVH ICMP Ping Whitelist for CSF Firewall

Discussion in 'Dedicated server hosting' started by eva2000, Apr 19, 2017.

  1. eva2000 (Administrator, Staff Member)

    According to OVH documentation, they have monitoring systems whose ICMP ping requests need whitelisting. Centmin Mod CSF Firewall can do this by just preloading the iptables rules OVH outlines in a manually created executable file at /etc/csf/csfpre.sh.
    Merging various OVH documentation, create a /etc/csf/csfpre.sh file consisting of the contents below. Replace IP.251, IP.250 and IP.249 with your specific IP: if your IP is aaa.bbb.ccc.ddd, use aaa.bbb.ccc.250; for the OVH SLA server, IP.251 becomes aaa.bbb.ccc.251; and only for OVH HG server products add aaa.bbb.ccc.249. The full iptables list then becomes as follows. You may need to change the first entry's destination port (--dport 22) if you have changed your SSH port from the default port 22.
    Code (Text):
    #!/bin/bash
    # http://docs.ovh.ca/en/guides-network-firewall.html
    # https://docs.ovh.com/gb/en/cloud/dedicated/monitoring-ip-ovh/
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.sbg.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.bhs.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.244 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.245 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.246 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.247 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 37.187.231.251 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source a2.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.184.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.185.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.186.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 167.114.37.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --source 192.168.0.0/16 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p udp --source 192.168.0.0/16 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source IP.251 -j ACCEPT # SLA server
    /sbin/iptables -A INPUT -i eth0 -p icmp --source IP.250 -j ACCEPT # IP = aaa.bbb.ccc according to the previous rule
    /sbin/iptables -A INPUT -i eth0 -p icmp --source IP.249 -j ACCEPT # temporary, only for HG server
    /sbin/iptables -A OUTPUT -p udp --dport 6100:6200 -j ACCEPT # OVH RTM
    

    Make it executable and restart the CSF Firewall:
    Code (Text):
    chmod +x /etc/csf/csfpre.sh
    csf -r
    


    Example of blocked ICMP ping requests

    Check the CSF Firewall's blocked ping/ICMP entries in /var/log/messages with a grep/awk filter and print the current date at the end to compare with the entry times; the last blocked ICMP ping entry was ~38 mins ago.
    Code (Text):
    grep -i 'ICMP_IN Blocked' /var/log/messages| tail -5| awk '{print $1,$2,$3,$5,$6,$7,$8,$9,$12,$13,$19,$20}'; date
    Apr 18 18:30:03 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=xxx.xxx.xxx.110 DF PROTO=ICMP
    Apr 18 18:30:06 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.112 DF PROTO=ICMP
    Apr 18 18:30:07 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.117 DF PROTO=ICMP
    Apr 18 18:30:09 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=xxx.xxx.xxx.118 DF PROTO=ICMP
    Apr 18 18:53:17 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.116 DF PROTO=ICMP
    Tue Apr 18 19:31:57 UTC 2017
    

    Code (Text):
    curl ipinfo.io/92.222.185.1
    {
      "ip": "92.222.185.1",
      "hostname": "netmon-1-sbg.ovh.net",
      "city": "Paris",
      "region": "Île-de-France",
      "country": "FR",
      "loc": "48.8628,2.3292",
      "org": "AS16276 OVH SAS",
      "postal": "75001"
    }
    

    Code (Text):
    curl ipinfo.io/167.114.37.1
    {
      "ip": "167.114.37.1",
      "hostname": "netmon-1-bhs.ovh.ca",
      "city": "Montreal",
      "region": "Quebec",
      "country": "CA",
      "loc": "45.5040,-73.5747",
      "org": "AS16276 OVH SAS",
      "postal": "h3a 1k2"
    }
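
As an added example (not code from this thread, from Centmin Mod or from OVH), the shell script below audits CSF's "ICMP_IN Blocked" log entries against the literal OVH monitoring addresses listed in the csfpre.sh above. After the pre-rules are loaded you can use it to confirm that no OVH monitoring source is still being blocked (which would mean csfpre.sh did not load, e.g. it was not executable), while anything outside those ranges remains blocked as expected and should not be whitelisted. The sample log lines are constructed and modelled on the output above (203.0.113.7 is a documentation address standing in for a non-OVH source); on a live host run `audit < /var/log/messages`. The hostname-based rules (proxy.ovh.net and similar) are resolved by iptables at the moment the rule is added, so they are left out of this offline check; the function names, the OVH_MONITORING list and the sample data are this example's own assumptions.

```shell
#!/bin/bash
# Added example: audit CSF "ICMP_IN Blocked" log lines against the literal OVH
# monitoring sources whitelisted in the thread's csfpre.sh.

# Literal addresses/ranges copied from the thread's csfpre.sh. Hostnames such as
# proxy.ovh.net are resolved by iptables when the rule is added and are not
# checked here (offline example; list is this example's own assumption).
OVH_MONITORING="151.80.231.244/32 151.80.231.245/32 151.80.231.246/32 151.80.231.247/32
37.187.231.251/32 92.222.184.0/24 92.222.185.0/24 92.222.186.0/24 167.114.37.0/24"

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit status 0 if IP lies inside CIDR
in_cidr() {
  local ip net bits mask
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# is_ovh_monitor IP -> exit status 0 if IP is in any whitelisted OVH range
is_ovh_monitor() {
  local cidr
  for cidr in $OVH_MONITORING; do
    in_cidr "$1" "$cidr" && return 0
  done
  return 1
}

# blocked_icmp_sources < logfile -> unique SRC= addresses of ICMP_IN Blocked lines
# (TCP_IN/UDP_IN blocks are deliberately ignored; only ICMP is whitelisted)
blocked_icmp_sources() {
  grep 'ICMP_IN Blocked' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

# audit < logfile -> one line per blocked source: "OVH <ip>" (whitelist not
# effective) or "OTHER <ip>" (expected block, leave it blocked)
audit() {
  local src
  blocked_icmp_sources | while read -r src; do
    if is_ovh_monitor "$src"; then echo "OVH $src"; else echo "OTHER $src"; fi
  done
}

# Constructed sample log lines modelled on the thread's output; 203.0.113.7 is a
# documentation address standing in for a non-OVH source.
SAMPLE_LOG='Apr 18 18:30:03 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=10.0.0.110 DF PROTO=ICMP
Apr 18 18:30:06 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=10.0.0.112 DF PROTO=ICMP
Apr 18 18:31:00 kernel: Firewall: *TCP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=10.0.0.112 PROTO=TCP
Apr 18 18:53:17 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=203.0.113.7 DST=10.0.0.116 DF PROTO=ICMP'

# Run against the sample; on a real host use:  audit < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | audit
```

Any "OVH" line printed after csf -r means the OVH pings are still hitting CSF's default ICMP handling instead of the ACCEPT rules from csfpre.sh, so the pre-rule file is the first thing to check; "OTHER" lines are ordinary blocked pings and need no action.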
    