CSF iptables issue on OpenVZ VPS
Date Posted: 07-05-2018
ConfigServer Firewall (CSF) is a software firewall that adds security to your servers. In some cases CSF won't work on VPS servers because the iptables modules it needs are missing from the container, as the CSF test script reports:
$ /etc/csf/csftest.pl
Testing ipt_state/xt_state...FAILED [FATAL Error: iptables: No chain/target/match by that name.] - Required for csf to function
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: No chain/target/match by that name.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: iptables v1.6.0: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for MESSENGER feature
Testing iptable_nat/ipt_DNAT...FAILED [Error: iptables v1.6.0: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for csf.redirect feature
RESULT: csf will not function on this server due to FATAL errors from missing modules
Solution:
On the OpenVZ host node (not inside the container), add the necessary modules to the iptables config file /etc/sysconfig/iptables-config as below:
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"
Then update the /etc/sysconfig/vz file as well:
IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"
Restart the VZ service:
service vz restart
Apply full netfilter support to the container (CTID 101 in this example) and restart the VPS:
vzctl set 101 --netfilter full --save --setmode restart
Run the CSF perl test inside the container:
# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Restart csf:
service csf restart
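The two host-side lists edited above are usually already populated with modules the host loads for other containers, so pasting the lines verbatim can silently drop them. The following helper is an added example, not code from the original post or from CSF/OpenVZ: it merges the required modules into an existing IPTABLES_MODULES= or IPTABLES= assignment (the variable names and module list come from the steps above) and leaves entries that are already present untouched; the FILE and VARNAME arguments are assumed to be supplied by the caller.

```shell
#!/bin/sh
# Merge the modules CSF needs into an OpenVZ host's module list without
# discarding modules the host already loads. Hypothetical helper, not part
# of CSF or OpenVZ. Usage: merge_modules FILE VARNAME "mod1 mod2 ..."
CSF_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

# Print the current value of VARNAME="..." in FILE (empty if the line is absent).
current_modules() {
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*$/\1/p" "$1" 2>/dev/null | tail -n 1
}

# Print the modules of list $2 that do not appear in list $1 (whole-word match).
missing_modules() {
    for m in $2; do
        case " $1 " in *" $m "*) ;; *) printf '%s ' "$m" ;; esac
    done
}

# Append missing modules to the existing assignment, or create it if absent.
# Assumes module names contain no sed metacharacters (true for the list above).
merge_modules() {
    file=$1; var=$2; want=$3
    have=$(current_modules "$file" "$var")
    add=$(missing_modules "$have" "$want")
    if [ -z "$add" ]; then
        return 0                        # already complete: file left untouched
    fi
    merged=$(printf '%s %s' "$have" "$add" | tr -s ' ' | sed 's/^ *//; s/ *$//')
    if grep -q "^$var=" "$file" 2>/dev/null; then
        tmp=$(mktemp)                   # rewrite the one assignment line in place
        sed "s|^$var=.*|$var=\"$merged\"|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s="%s"\n' "$var" "$merged" >> "$file"
    fi
}

# On a real host node you would run, as root:
#   merge_modules /etc/sysconfig/iptables-config IPTABLES_MODULES "$CSF_MODULES"
#   merge_modules /etc/sysconfig/vz IPTABLES "$CSF_MODULES"
```

After merging, the remaining steps (service vz restart, vzctl set ... --netfilter full, csftest.pl) are unchanged.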