combined.sh errors in CentOS 7

[spiritblackhole]

Hi, I run two relays on different OSs. combined.sh executed fine in Ubuntu, but in CentOS 7 I'm getting this output:

net.ipv4.ip_local_port_range = 10000 65000
./combined.sh: line 9: /proc/sys/net/ipv4/tcp_fin_timeout: No such file or directory
ipset v7.1: Set cannot be created: set with the same name already exists
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ipset v7.1: Set cannot be created: set with the same name already exists
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.

What can I do to make this work?

[Enkidu-6]

Hi,
I run my relays on CentOS 7 as well and most of my tests are done on CentOS too. We can figure it out. As for other errors, they seem to be caused by having run the script multiple times.

First please type in terminal:

cat /proc/sys/net/ipv4/tcp_fin_timeout

and let me know what it shows. Also type:

ipset destroy

to get rid of the ipsets that the first run of the script created.

Let me know and we'll take it from there.

[spiritblackhole]

# cat /proc/sys/net/ipv4/tcp_fin_timeout
cat: /proc/sys/net/ipv4/tcp_fin_timeout: No such file or directory

# ipset destroy
ipset v7.1: Set cannot be destroyed: it is in use by a kernel component

[Enkidu-6]

It seems that the iptables rules are in effect at least partially and are using the ipsets, which is strange because the script wipes the rules in mangle table before applying the rules in the script.

A few more questions:

Have you set up any other ipsets for your own projects? perhaps in the filter table?

Type:

ipset -L

and see if the ipsets are there. Do you see any other ipsets beside tor-ddos, tor-ddos6, allow-list, allow-list6 and tor-authorities?

type:

sysctl net.ipv4.tcp_fin_timeout

if it shows 20, the rule is already applied. If it shows 60 then edit your sysctl.conf using nano or vi

nano /etc/sysctl.conf

add:

net.ipv4.tcp_fin_timeout = 20

and save the file. Then type:

/sbin/sysctl -p

That should reload the conf and apply the setting.

Let me know if you have any other ipsets or if you have applied any specific iptables rules for your other apps or projects and we'll go to the next step.

[spiritblackhole]

Thank you for your help!

# ipset -L
Name: allow-list
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 960
References: 1
Number of entries: 15
Members:
128.31.0.39
86.59.21.38
199.58.81.140
131.188.40.189
193.187.88.44
193.187.88.46
45.66.33.45
193.187.88.43
141.212.118.18
171.25.193.9
193.23.244.244
66.111.2.131
193.187.88.45
193.187.88.42
204.13.164.118

Name: tor-ddos
Type: hash:ip
Revision: 4
Header: family inet hashsize 4096 maxelem 65536 timeout 43200
Size in memory: 312
References: 1
Number of entries: 0
Members:

Name: allow-list6
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1400
References: 1
Number of entries: 12
Members:
2a0c:dd40:1:b::46
2607:f018:600:8:be30:5bff:fef1:c6fa
2001:858:2:2:aabb:0:563b:1526
2001:638:a000:4140::ffff:189
2620:13:4000:6000::1000:118
2610:1c0:0:5::131
2a0c:dd40:1:b::45
2001:67c:289c::9
2a0c:dd40:1:b::43
2001:678:558:1000::244
2a0c:dd40:1:b::44
2a0c:dd40:1:b::42

Name: tor-ddos6
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 4096 maxelem 65536 timeout 43200
Size in memory: 320
References: 1
Number of entries: 0
Members:

# sysctl net.ipv4.tcp_fin_timeout
sysctl: cannot stat /proc/sys/net/ipv4/tcp_fin_timeout: No such file or directory

[Enkidu-6]

Okay, the rules were applied, at least partially. The easiest way to reset all the iptables rules to the original state in CentOS is to type:

firewall-cmd --reload

then

ipset destroy

That should clean everything. edit combined.sh and comment out line 9 "echo 20 > /proc/sys/net/ipv4/tcp_fin_timeout" by putting a # to the left, save and run the script. IT should work.

As for the fin_timeout, I'm not sure why it shouldn't be there if you're running an unmodified CentOS 7.

Do the above and let me know if the script works. We can try to figure out the fin_timeout next.

[spiritblackhole]

I'm not sure about "unmodified" since it's a webhost-provided image... In fact I'm getting "command not found" on firewall-cmd, which could mean firewall is not installed... With this webhost I'm provided an external firewall controlled from their panel, so this kind of makes sense.

What would be the best course of action in this case?

[Enkidu-6]

Okay so it is modified. Try this:

iptables -F -t mangle 
ip6tables -F -t mangle

See if ipset destroy works after that.

[spiritblackhole]

Seems like it did work. ipset -L is returning nothing.

[Enkidu-6]

Sounds good. Now edit combined.sh as I suggested above and comment out the line and run the script.

[spiritblackhole]

Got this:

net.ipv4.ip_local_port_range = 10000 65000
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.

[Enkidu-6]

It seems that your iptables may not even have the mangle table?? Not sure why or how much they've modified the OS.

Try this:

iptable -S -t mangle

see if it returns any listings.

[spiritblackhole]

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m set --match-set allow-list src -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 443 -m recent --set --name tor-ddos --mask 255.255.255.255 --rsource
-A PREROUTING -p tcp -m set --match-set tor-ddos src -j DROP
-A PREROUTING -p tcp -m tcp --dport 443 -j ACCEPT

[spiritblackhole]

I obviously don't know enough, but maybe I can just install all the missing stuff to be sure?

[Enkidu-6]

I don't see any of the conntrack rules. It seems that your iptables doesn't accept any conntrack rules which is the basis for our rule sets.

try

iptables -V

to see the version.
I'm really not sure what they've done to the OS but it's nothing like a standard install of CentOS.

[spiritblackhole]

iptables v1.4.21

Got it. Well, if this is beyond reasonable help because of how hacked the OS is, I can't expect you to keep guessing. Unless I can just update/install the missing stuff and go around again?

[Enkidu-6]

The iptables version is correct. That's what you get in CentOS 7. I'm really not sure why it's not accepting conntrack rules. Do you have this file:

/proc/net/nf_conntrack

[spiritblackhole]

Yes, it's empty though.

[Enkidu-6]

If Tor is running that file should have thousands of lines and be updating constantly.

To be honest with you I'm out of guesses. Not sure how your system is set up and how to begin troubleshooting it.

Your options are either to follow up with your provider, they may have some clues as how the system is set up and may be they can tell you what's missing and whether it's possible to get it working by installing a package or two. Or perhaps ask them for a standard version of CentOS if it's possible.

I'm sorry I couldn't be of much help. Still if you find some sort of an answer and want to run it by me, I'll be glad to answer any questions you may have.

[spiritblackhole]

Absolutely. Thank you very much for your help. This should honestly just work, up until now I was simply unaware I had a heavily modified OS here. I'll investigate and get back to you, if only to say things are fiiine.