ifupdown2 removed but server no longer worked

jobbedf

New Member
Feb 5, 2023
Dear

I would have liked to remove ifupdown2 from my server because this package would cause problems when I did an aggressive port scan from an outside network (the server or Proxmox was unreachable during the scan). Ifupdown2 would be the problem; this I read in other Proxmox forum tickets.

So I removed ifupdown2 and rebooted my server, but that apparently caused problems because the whole server was not reachable. Then I reinstalled ifupdown and it worked again, but the server is still unreachable during the scans.

Now my question is: what should I do so that I can remove ifupdown2 and so that the server still works?
 
Hi,

I scanned my PVE server external+internal on port 8006 and everything is ok.

Could you give us more information about the command you are using to scan the port, and what the Proxmox VE network configuration looks like? Also, which version of Proxmox VE are you using (`pveversion -v`)?
 
Hello

Thanks for your response.

I did an intense scan with nmap.
My problem looks like this ticket: https://forum.proxmox.com/threads/proxmox-host-became-unreachable-after-aggressive-port-scan.62358/ .

This is my network configuration:
Code:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

#enp41s0 is an alias of eth0
auto enp41s0
iface enp41s0 inet manual

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address x.x.x.x/26
        gateway x.x.x.x
        bridge-ports enp41s0
        bridge-stp off
        bridge-fd 0
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m multiport ! --dport 22,8006 -j DNAT --to 10.0.0.2
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp -j DNAT --to 10.0.0.2

#Traffic from primary IP to this bridge; this bridge is the WAN in the firewall VM
auto vmbr1
iface vmbr1 inet static
        address 10.0.0.1/30
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/30' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/30' -o vmbr0 -j MASQUERADE

#LAN
auto vmbr2
iface vmbr2 inet static
        address 172.16.x.x/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

Version:
Code:
root@proxmox ~ # pveversion -v
proxmox-ve: 7.3-1 (running kernel: 5.15.83-1-pve)
pve-manager: 7.3-6 (running version: 7.3-6/723bb6ec)
pve-kernel-helper: 7.3-3
pve-kernel-5.15: 7.3-1
pve-kernel-5.15.83-1-pve: 5.15.83-1
ceph-fuse: 14.2.21-1
corosync: 3.1.7-pve1
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown: residual config
ifupdown2: 3.1.0-1+pmx3
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve2
libproxmox-acme-perl: 1.4.3
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.3-1
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.3-2
libpve-guest-common-perl: 4.2-3
libpve-http-server-perl: 4.1-5
libpve-storage-perl: 7.3-2
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.2-1
lxcfs: 5.0.3-pve1
novnc-pve: 1.3.0-3
openvswitch-switch: 2.15.0+ds1-2+deb11u2
proxmox-backup-client: 2.3.2-1
proxmox-backup-file-restore: 2.3.2-1
proxmox-mail-forward: 0.1.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.3
pve-cluster: 7.3-2
pve-container: 4.4-2
pve-docs: 7.3-1
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-7
pve-firmware: 3.6-3
pve-ha-manager: 3.5.1
pve-i18n: 2.8-2
pve-qemu-kvm: 7.1.0-4
pve-xtermjs: 4.16.0-1
qemu-server: 7.3-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.8.0~bpo11+2
vncterm: 1.7-1
 
Thank you for the output!

The network configuration looks good to me. However, the issue did not happen on my server when I scanned it remotely or even locally with the -A flag in nmap.

- Does the output of `ifreload -a` say anything?
- Can you see what is happening in the network traffic with tcpdump when you scan the port?
 
I see no output when I execute the command `ifreload -a`.

I have no experience with tcpdump so what should I do to test it?
 
First, I would check whether there is a firewall that blocks incoming HTTP requests after a certain number of requests. In order to run tcpdump on the Proxmox VE server, issue the following command:


Bash:
tcpdump -i vmbr0 port 8006 and src host <PVE IP> and dst host <target IP> -w /tmp/http_traffic.pcap

Replace <PVE IP> with your Proxmox VE IP and <target IP> with the remote IP from which you run the nmap scan. After the scan finishes, press Ctrl+C on the tcpdump command, and you will see the /tmp/http_traffic.pcap file. You can analyze the traffic using Wireshark or tcpdump.
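
One way to read such a capture back without Wireshark, as an added example that is not part of the original post: it parses the classic pcap format that `tcpdump -w` writes and reports how the host answered from port 8006 and the longest silence between replies. The helper names, the addresses, port 40000 and the sample packets are constructed for illustration.

```python
import struct

PVE_PORT = 8006  # port used in the tcpdump filter above

def read_pcap(data):
    """Yield (time, src_port, tcp_flags) for IPv4/TCP frames in a classic pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # truncated, not IPv4, or not TCP
        tcp = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IPv4 header length
        if len(frame) >= tcp + 14:
            sport = struct.unpack("!H", frame[tcp:tcp + 2])[0]
            yield sec + usec / 1e6, sport, frame[tcp + 13]

def summarize(data, port=PVE_PORT):
    """Count replies sent from `port` by type and return the longest silence in seconds."""
    counts = {"syn-ack": 0, "rst": 0, "other": 0}
    times = []
    for ts, sport, flags in read_pcap(data):
        if sport != port:
            continue
        times.append(ts)
        if flags & 0x04:
            counts["rst"] += 1
        elif (flags & 0x12) == 0x12:
            counts["syn-ack"] += 1
        else:
            counts["other"] += 1
    gap = max((b - a for a, b in zip(times, times[1:])), default=0.0)
    return counts, gap

def _frame(ts, flags):
    """Constructed reply: 192.0.2.10:8006 -> 198.51.100.7:40000 (documentation addresses)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", PVE_PORT, 40000, 0, 0, 0x50, flags, 1024, 0, 0)
    pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(pkt), len(pkt)) + pkt

# Constructed capture: two SYN-ACKs, one RST, then 8 s of silence before the next reply.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    _frame(t, f) for t, f in [(100.0, 0x12), (100.5, 0x12), (101.0, 0x14), (109.0, 0x12)])
```

For a real capture, pass the file's bytes, for example `summarize(open("/tmp/http_traffic.pcap", "rb").read())`; a long gap in the middle of a scan marks the window in which the host stopped answering.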
 
