OVH OVH ICMP Ping Whitelist for CSF Firewall

Discussion in 'Dedicated server hosting' started by eva2000, Apr 19, 2017.

    eva2000 Administrator Staff Member
    According to OVH documentation, they have monitoring systems whose ICMP ping requests need to be whitelisted. Centmin Mod CSF Firewall can do this by just preloading the iptables rules OVH outlines in a manually created executable file at /etc/csf/csfpre.sh.
    Merging the various OVH documentation pages gives a /etc/csf/csfpre.sh file with the contents below. Replace IP.250 and IP.249 with your specific IP: if your IP is aaa.bbb.ccc.ddd, use aaa.bbb.ccc.250, and only for OVH HG server products also add aaa.bbb.ccc.249. The full iptables list becomes:
    Code (Text):
    #!/bin/bash
    # http://docs.ovh.ca/en/guides-network-firewall.html
    # https://docs.ovh.com/gb/en/cloud/dedicated/monitoring-ip-ovh/
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.sbg.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.bhs.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.244 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.245 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.246 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.247 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 37.187.231.251 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source a2.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.184.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.185.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.186.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 167.114.37.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source IP.250 -j ACCEPT # IP = aaa.bbb.ccc according to the previous rule
    /sbin/iptables -A INPUT -i eth0 -p icmp --source IP.249 -j ACCEPT # temporary, only for HG server
    

    Make it executable and restart CSF Firewall:
    Code (Text):
    chmod +x /etc/csf/csfpre.sh
    csf -r
    


    Example of blocked ICMP ping requests



    Check the CSF Firewall blocked ping/ICMP entries in /var/log/messages with a grep/awk filter and print the current date at the end to compare with the entry times; the last blocked ICMP ping entry was ~38 mins ago:
    Code (Text):
    grep -i 'ICMP_IN Blocked' /var/log/messages| tail -5| awk '{print $1,$2,$3,$5,$6,$7,$8,$9,$12,$13,$19,$20}'; date
    Apr 18 18:30:03 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=xxx.xxx.xxx.110 DF PROTO=ICMP
    Apr 18 18:30:06 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.112 DF PROTO=ICMP
    Apr 18 18:30:07 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.117 DF PROTO=ICMP
    Apr 18 18:30:09 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=xxx.xxx.xxx.118 DF PROTO=ICMP
    Apr 18 18:53:17 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.116 DF PROTO=ICMP
    Tue Apr 18 19:31:57 UTC 2017
    

    Code (Text):
    curl ipinfo.io/92.222.185.1
    {
      "ip": "92.222.185.1",
      "hostname": "netmon-1-sbg.ovh.net",
      "city": "Paris",
      "region": "Île-de-France",
      "country": "FR",
      "loc": "48.8628,2.3292",
      "org": "AS16276 OVH SAS",
      "postal": "75001"
    }
    

    Code (Text):
    curl ipinfo.io/167.114.37.1
    {
      "ip": "167.114.37.1",
      "hostname": "netmon-1-bhs.ovh.ca",
      "city": "Montreal",
      "region": "Quebec",
      "country": "CA",
      "loc": "45.5040,-73.5747",
      "org": "AS16276 OVH SAS",
      "postal": "h3a 1k2"
    }
    
     
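As an added check (example code, not from the post, CSF or OVH), a small Python script that pulls the SRC addresses out of CSF "ICMP_IN Blocked" lines and reports whether each one falls inside the literal IPs and CIDRs of the csfpre.sh whitelist above, so the log can be compared against the rules before and after csf -r. The log lines in it are constructed in the format shown in the post; the hostname entries of the whitelist are skipped because they need DNS, and IP.250/IP.249 are left out as per-server placeholders.

```python
# Added example (not from the original post): audit CSF "ICMP_IN Blocked"
# sources against the literal IP/CIDR entries of the OVH csfpre.sh whitelist.
import ipaddress
import re

# Literal entries from the csfpre.sh in the post. Hostnames (proxy.ovh.net,
# ping.ovh.net, a2.ovh.net, ...) would need DNS and are not checked here;
# IP.250 / IP.249 are per-server placeholders and are also left out.
WHITELIST = [
    "151.80.231.244", "151.80.231.245", "151.80.231.246", "151.80.231.247",
    "37.187.231.251",
    "92.222.184.0/24", "92.222.185.0/24", "92.222.186.0/24", "167.114.37.0/24",
]
NETWORKS = [ipaddress.ip_network(n, strict=False) for n in WHITELIST]

# Only ICMP_IN blocks matter here; TCP_IN/UDP_IN lines are ignored.
SRC_RE = re.compile(r"\*ICMP_IN Blocked\*.*?\bSRC=(\d+\.\d+\.\d+\.\d+)")


def blocked_sources(log_text):
    """Return the distinct SRC addresses of ICMP_IN Blocked lines, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def covering_network(src):
    """Return the whitelist entry (as a network string) containing src, or None."""
    addr = ipaddress.ip_address(src)
    for net in NETWORKS:
        if addr in net:
            return str(net)
    return None


def audit(log_text):
    """Map each blocked ICMP source to the whitelist entry that would accept it, or None."""
    return {src: covering_network(src) for src in blocked_sources(log_text)}


# Constructed sample lines in the CSF log format from the post (not real log data).
SAMPLE_LOG = """\
Apr 18 18:30:03 host kernel: Firewall: *ICMP_IN Blocked* IN=eth0 OUT= SRC=92.222.185.1 DST=203.0.113.110 LEN=84 DF PROTO=ICMP TYPE=8 CODE=0
Apr 18 18:30:06 host kernel: Firewall: *ICMP_IN Blocked* IN=eth0 OUT= SRC=167.114.37.1 DST=203.0.113.112 LEN=84 DF PROTO=ICMP TYPE=8 CODE=0
Apr 18 18:31:00 host kernel: Firewall: *ICMP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.112 LEN=84 DF PROTO=ICMP TYPE=8 CODE=0
Apr 18 18:31:05 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.112 PROTO=TCP DPT=22
"""

if __name__ == "__main__":
    for src, net in audit(SAMPLE_LOG).items():
        print(f"{src}: {'covered by ' + net if net else 'NOT in whitelist'}")
```

Run it against real data with `grep -i 'ICMP_IN Blocked' /var/log/messages` piped into `audit()` to see which monitoring sources the whitelist still misses.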