Fli
04-01-2014, 02:57 PM
ISSUE
Your CSF (Config Server Firewall) test returned errors?
[root@vps log]# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...FAILED [FATAL Error: iptables: Unknown error 18446744073709551615] - Required for csf to function
Testing ipt_multiport/xt_multiport...FAILED [FATAL Error: iptables: Unknown error 18446744073709551615] - Required for csf to function
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...FAILED [FATAL Error: iptables: Unknown error 18446744073709551615] - Required for csf to function
Testing ipt_limit/xt_limit...FAILED [FATAL Error: iptables: Unknown error 18446744073709551615] - Required for csf to function
Testing ipt_recent...FAILED [Error: iptables: Unknown error 18446744073709551615] - Required for PORTFLOOD and PORTKNOCKING features
Testing xt_connlimit...FAILED [Error: iptables: Unknown error 18446744073709551615] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...FAILED [Error: iptables: Unknown error 18446744073709551615] - Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: iptables: Unknown error 18446744073709551615] - Required for MESSENGER feature
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf will not function on this server due to FATAL errors from missing modules [4]
Solution: If this happens on a virtual private server (VPS), the iptables modules listed above may need to be enabled on the root server (host node) and assigned to the VPS (guest).
Here is how to check whether a module is available on the root/node server (the one which hosts the VPS):
lsmod | grep ip
In general, run modprobe on the root/host server for each module that failed in the CSF test above to enable it. Example:
modprobe ipt_LOG
modprobe ipt_multiport
modprobe xt_multiport
modprobe ipt_REJECT
modprobe ipt_state
modprobe xt_state
modprobe ipt_limit
modprobe xt_limit
modprobe ipt_recent
modprobe xt_connlimit
modprobe ipt_owner
modprobe xt_owner
modprobe iptable_nat
modprobe ipt_REDIRECT
Then run the CSF test script again. Still failures? If you are running CSF on a VPS (virtual server), the host node server (hosting company) may need to enable the failing modules for the VPS.
This is how to enable iptables modules for an OpenVZ VPS (the VPS may be restarted):
vzctl set CTID --netfilter full --save --setmode restart
Example:
vzctl set 1120 --netfilter full --save --setmode restart
More about the netfilter parameter (full, stateful, stateless, disabled...): https://openvz.org/Man/vzctl.8#Netfilter_.28iptables.29_control_parameters
Then, in my case, the CSF test script (csftest.pl) ran smoothly except for one module:
"FATAL Error: iptables: Unknown error *".
If your OS is CentOS 5.x or another old Red Hat system, the connlimit iptables module will not run; it is described in detail here: https://internetlifeforum.com/virtualisation/1977-centos-how-install-enable-xt_connlimit-iptables-module-openvz-server/
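The check-and-fix procedure above, as an added shell example (not from the original post): it parses csftest.pl output, checks which failed modules the host node already has loaded, and prints the modprobe and vzctl commands still needed. The csftest.pl and lsmod texts are constructed samples, and the container id 1120 is taken from the post's example.

```shell
# Added example (not part of the original post): turn csftest.pl output into the
# list of netfilter modules the host node still has to load. A line such as
# "Testing ipt_state/xt_state...FAILED" names alternatives; either one suffices.

# Constructed sample input: a shortened csftest.pl run like the one in the post.
SAMPLE_CSFTEST='Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...FAILED [FATAL Error: iptables: Unknown error 18446744073709551615] - Required for csf to function
Testing ipt_multiport/xt_multiport...FAILED [FATAL Error: iptables: Unknown error 18446744073709551615] - Required for csf to function
Testing ipt_REJECT...OK
Testing xt_connlimit...FAILED [Error: iptables: Unknown error 18446744073709551615] - Required for CONNLIMIT feature
RESULT: csf will not function on this server due to FATAL errors from missing modules [2]'

# Constructed stand-in for "lsmod" on the host node (ipt_LOG and xt_connlimit loaded).
SAMPLE_LSMOD='Module                  Size  Used by
ipt_LOG                 5441  0
xt_connlimit            4310  0
ip_tables              17831  1 iptable_filter'

# failed_tests CSFTEST_TEXT: one line per FAILED test, alternatives kept as "a/b".
failed_tests() {
  printf '%s\n' "$1" | sed -n 's|^Testing \([A-Za-z0-9_/]*\)\.\.\.FAILED.*|\1|p'
}

# is_loaded MODULE LSMOD_TEXT: true when MODULE is in the first column of lsmod.
is_loaded() {
  printf '%s\n' "$2" | awk '{print $1}' | grep -qx "$1"
}

# missing_tests CSFTEST_TEXT LSMOD_TEXT: failed tests for which none of the
# alternatives is loaded on the host, so modprobe is actually needed there.
missing_tests() {
  failed_tests "$1" | while read -r group; do
    satisfied=0
    for mod in $(printf '%s\n' "$group" | tr '/' ' '); do
      is_loaded "$mod" "$2" && satisfied=1
    done
    [ "$satisfied" -eq 1 ] || printf '%s\n' "$group"
  done
}

# suggest_fix CSFTEST_TEXT LSMOD_TEXT CTID: the host-node commands from the post,
# one modprobe per alternative (whichever exists on the kernel loads), then the
# vzctl call that hands the modules to the container.
suggest_fix() {
  missing_tests "$1" "$2" | tr '/' '\n' | sed 's/^/modprobe /'
  printf 'vzctl set %s --netfilter full --save --setmode restart\n' "$3"
}

suggest_fix "$SAMPLE_CSFTEST" "$SAMPLE_LSMOD" 1120
```

On a real host node, replace the two sample variables with `$(/etc/csf/csftest.pl)` output copied from the VPS and `$(lsmod)` from the host.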
--- the following text is probably outdated and may not be necessary ---
What you can try (but it did not help in my case) is increasing the OpenVZ VPS numiptent value (https://wiki.openvz.org/UBC_auxiliary_parameters#numiptent) in the VM config file or by command:
vzctl set 190 --numiptent 300 --save
(190 = ID of the virtual machine, 300 = number of iptables entries the VPS is allowed to use)
--
The outdated method to enable iptables modules on OpenVZ is to edit the VPS's config file on the node/root server:
vi /etc/vz/conf/190.conf
At the bottom is a variable with iptables modules, in which I made sure to include all failing iptables modules (the ones CSF reported as errors):
IPTABLES="ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp ipt_recent ipt_owner"
The new method is described above (vzctl command with the netfilter switch).