  1. #1

    CSF Firewall won't start

    I installed the CSF firewall, and when I try to start it, I get this:

    Code:
    Starting csf...
    
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  
    ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0  
    iptables: No chain/target/match by that name
    LOG  tcp opt -- in venet0 out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* ' 
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `LOGDROP'
    Deleting chain `LOGDROP'
    Error: iptables command [/sbin/iptables -v -A LOGDROP -p tcp -i venet0  -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '] failed, at line 171
    
    
    ...Done.

    And even though it says Done, it didn't start due to that error. I used the preconfigured Low security level, so I doubt it's anything I screwed up since I didn't edit the config files directly. Could someone please tell me how to fix this? Thanks

  2. #2
    That's a problem with the vps host server. You'd need to point your VPS provider to:
    http://kb.swsoft.com/article_117_746_en.html

  3. #3
    Hi,
    I have the same problem and I have a VPS, but your link doesn't work anymore. Do you have another one?

    Thank you

    (I know that this thread is horribly old, but as I stumbled upon it by searching Google I think I won't be the only one)

  4. #4
    Basically, your kernel is probably too new for your iptables version. Try to restart csf again and let us know the last few lines of output from dmesg.

    You probably just need a new iptables and to replace the binaries that are listed in which iptables and which ip6tables.

  5. #5
    Well, my iptables is at the latest version, and I managed to retrieve the original article from Parallels and sent it to my VPS provider. I'll see what comes.

  6. #6
    The problem is you need 20 not 30. CSF is not working with more than 20 set.

  7. #7
    Doezer, can you please let us know the latest output from dmesg too? This usually says why iptables failed.

    Can you also just run iptables --version? It might be the latest version available in CentOS, but is it the latest version available from source?

  8. #8
    Here it is (nothing is shown after dmesg):

    # service csf restart
    Stopping csf:You have an unresolved error when starting csf. You need to restart csf successfully to remove this warning
    Done

    Starting csf:Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `PREROUTING'
    Flushing chain `POSTROUTING'
    Flushing chain `OUTPUT'
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:67
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:67
    DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:67
    DROP udp opt in * out * ::/0 -> ::/0 udp dpt:67
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:68
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:68
    DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:68
    DROP udp opt in * out * ::/0 -> ::/0 udp dpt:68
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:111
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:111
    DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:111
    DROP udp opt in * out * ::/0 -> ::/0 udp dpt:111
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:113
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:113
    DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:113
    DROP udp opt in * out * ::/0 -> ::/0 udp dpt:113
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpts:135:139
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpts:135:139
    DROP tcp opt in * out * ::/0 -> ::/0 tcp dpts:135:139
    DROP udp opt in * out * ::/0 -> ::/0 udp dpts:135:139
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:445
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:445
    DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:445
    DROP udp opt in * out * ::/0 -> ::/0 udp dpt:445
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:500
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:500
    DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:500
    DROP udp opt in * out * ::/0 -> ::/0 udp dpt:500
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:513
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:513
    DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:513
    DROP udp opt in * out * ::/0 -> ::/0 udp dpt:513
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:520
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:520
    DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:520
    DROP udp opt in * out * ::/0 -> ::/0 udp dpt:520
    iptables: No chain/target/match by that name.
    LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
    Error: iptables command [/sbin/iptables -v -A LOGDROPIN -p tcp -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '] failed, you appear to be missing a required iptables module, at line 515
    Done

    # dmesg
    # which iptables
    /sbin/iptables
    # which ip6tables
    /sbin/ip6tables
    # iptables --version
    iptables v1.4.8

    And I am under an x64 Debian 6.0.

  9. #9
    Ah, you're on OpenVZ then?

    The latest iptables is actually 1.4.16.3 but I can't promise this is your issue now. It probably isn't in fact, so you'll probably need to talk to your hosting provider so they can enable the appropriate iptables module.

  10. #10
    Originally posted by gigatux:
        Ah, you're on OpenVZ then?

        The latest iptables is actually 1.4.16.3 but I can't promise this is your issue now. It probably isn't in fact, so you'll probably need to talk to your hosting provider so they can enable the appropriate iptables module.

    That's what I've done, providing them the link to the Parallels tutorial and to the sticky thread in the CSF forums with all the modules.
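
The failing rule quoted in posts #1 and #8 uses the `limit` match and the `LOG` target. As an added example (not from the thread and not CSF's own code), this script extracts the extensions a failed CSF rule needs and compares them with the lists the kernel exposes in `/proc/net/ip_tables_matches` and `/proc/net/ip_tables_targets`; the function names are this example's own, and the sample input is the error text from post #8.

```bash
#!/bin/bash
# Added example: not part of the thread and not CSF's own code.

# Constructed sample input: the two error lines quoted in post #8.
sample_csf_output() {
    cat <<'EOF'
iptables: No chain/target/match by that name.
Error: iptables command [/sbin/iptables -v -A LOGDROPIN -p tcp -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '] failed, you appear to be missing a required iptables module, at line 515
EOF
}

# Read CSF start-up output on stdin. For every failed iptables command,
# print the extensions it uses as "match:<name>" or "target:<name>".
csf_needed_extensions() {
    sed -n 's/^.*Error: iptables command \[\(.*\)\] failed.*$/\1/p' |
    while read -r cmd; do
        set -f              # the log prefix contains '*': disable globbing
        set -- $cmd
        set +f
        while [ "$#" -gt 1 ]; do
            case "$1" in
                -m) echo "match:$2" ;;
                -j) echo "target:$2" ;;
            esac
            shift
        done
    done | LC_ALL=C sort -u
}

# Read that list on stdin and print the entries the kernel does not expose
# to this container. $1 and $2 default to the kernel's lists (root only).
# Built-in verdicts are skipped; a jump to a user-defined chain is not an
# extension either and would need filtering by hand.
missing_extensions() {
    matches=${1:-/proc/net/ip_tables_matches}
    targets=${2:-/proc/net/ip_tables_targets}
    while IFS=: read -r kind name; do
        case "$kind:$name" in
            target:ACCEPT|target:DROP|target:RETURN|target:QUEUE) continue ;;
            match:*)  list=$matches ;;
            target:*) list=$targets ;;
            *) continue ;;
        esac
        grep -qxF -- "$name" "$list" 2>/dev/null || echo "$kind:$name"
    done
}

sample_csf_output | csf_needed_extensions   # prints match:limit and target:LOG
```

Run as root inside the VPS, piping the real CSF start-up output through both functions gives the list of extensions to pass on to the hosting provider.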
