iptables & openvz & csf errors - iptables-restore: line * failed;



Fli
04-27-2014, 09:48 AM
The service iptables start command returns:



iptables: Applying firewall rules: iptables-restore: line 44 failed



Please scroll down this post; there is a simple solution right at the bottom. <<<<
------


So I did a flush and reinstall of iptables:



# iptables -F
# yum reinstall iptables


That did not help.


So I checked my OpenVZ VPS config file on the host node (/etc/vz/conf/860.conf) and it contains some rules:



IPTABLES="ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp ipt_recent ipt_owner"


So I restarted the VPS:

vzctl restart 860


Then I entered the VM:

# vzctl enter 860

entered into CT 860



service iptables status

Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
....various rules here.....





# service iptables stop

iptables: Setting chains to policy ACCEPT: mangle filter na[ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]



# service iptables start

iptables: Applying firewall rules: iptables-restore: line 44 failed
[FAILED]


Does anyone know how to find the issue, please?

At line 44 in /etc/sysconfig/iptables were some rules inserted by cPanel:


:cP-Firewall-1-INPUT - [0:0]
...
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
...


When uninstalling CSF:

You have an unresolved error when starting csf:
Error: iptables command [/sbin/iptables -v -A LOGDROPIN -p tcp -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '] failed, you appear to be missing a required iptables module, at line 617 in /usr/sbin/csf



============
I installed the APF firewall (google: apf centos vps install) and I realised that iptables is somehow running, although /etc/csf/csftest.pl still returns errors :(

The cause was that the iptables modules were not loaded on the host OpenVZ server (modprobe modulename) (http://internetlifeforum.com/security-protection/461-csf-iptables-module-list-modprobe-ipt_owner-xt_owner-bad-module-fix/)
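The debugging step the thread above does by hand (find the rule on the line iptables-restore complained about, work out which netfilter modules its -m/-j extensions need, and check whether the host node has them loaded) can be scripted. The following is an added example written for this page, not code from the poster, cPanel, CSF or OpenVZ. It assumes iptables-restore counts every line of the rules file when it reports "line N failed", uses the xt_* module names of current kernels while accepting the older ipt_* names from the IPTABLES= list as aliases, and falls back to the xt_<name> naming convention for extensions it does not know (an assumption). The rules file and the loaded-module list are constructed samples modelled on the output quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Given an iptables-save style
# rules file and the line number that "iptables-restore: line N failed"
# reported, print that rule, the kernel modules its table / -m / -j
# extensions need, and which of those are absent from a /proc/modules-style
# list. Module names are the xt_* names of current kernels; the ipt_* names
# in the post's IPTABLES= list are accepted as aliases.

# Constructed sample rules, modelled on the cPanel and CSF rules in the post.
make_sample_rules() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:cP-Firewall-1-INPUT - [0:0]
:LOGDROPIN - [0:0]
-A INPUT -j cP-Firewall-1-INPUT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A LOGDROPIN -p tcp -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix "Firewall: *TCP_IN Blocked* "
-A LOGDROPIN -m owner --uid-owner 0 -j ACCEPT
COMMIT
EOF
}

# Constructed /proc/modules-style list (module name is the first field).
# It deliberately lacks the limit, LOG and owner modules.
make_sample_loaded() {
  cat <<'EOF'
iptable_filter 12810 1 - Live 0x0000000000000000
ip_tables 27240 1 iptable_filter, Live 0x0000000000000000
xt_state 12578 2 - Live 0x0000000000000000
xt_tcpudp 12603 4 - Live 0x0000000000000000
nf_conntrack 105745 1 xt_state, Live 0x0000000000000000
x_tables 34059 5 iptable_filter,ip_tables,xt_state,xt_tcpudp, Live 0x0000000000000000
EOF
}

# Map a table name or a -m/-j extension to the module that provides it.
# Names not listed fall back to the xt_<name> convention (an assumption).
ext_to_module() {
  case "$1" in
    filter|mangle|nat|raw)    echo "iptable_$1" ;;
    tcp|udp)                  echo "xt_tcpudp" ;;
    state)                    echo "xt_state" ;;
    conntrack)                echo "xt_conntrack" ;;
    limit)                    echo "xt_limit" ;;
    LOG)                      echo "xt_LOG" ;;
    REJECT)                   echo "ipt_REJECT" ;;
    owner)                    echo "xt_owner" ;;
    recent)                   echo "xt_recent" ;;
    multiport)                echo "xt_multiport" ;;
    TCPMSS)                   echo "xt_TCPMSS" ;;
    tcpmss)                   echo "xt_tcpmss" ;;
    length)                   echo "xt_length" ;;
    ACCEPT|DROP|RETURN|QUEUE) ;;   # built-in targets, no module needed
    *)                        echo "xt_$1" ;;
  esac
}

# Print the rule on the failing line, numbered the way iptables-restore counts.
failed_rule() {  # $1 = rules file, $2 = line number
  sed -n "${2}p" "$1"
}

# Modules the failing line needs: its table (a "*name" line) plus every
# -m/--match and -j/--jump argument that is not a user-defined chain.
rule_modules() {  # $1 = rules file, $2 = line number
  awk -v n="$2" '
    /^:/    { chains[substr($1, 2)] = 1 }
    NR == n { rule = $0 }
    END {
      if (rule ~ /^\*/) print substr(rule, 2)
      nf = split(rule, t, " ")
      for (i = 1; i < nf; i++)
        if (t[i] ~ /^(-m|--match|-j|--jump)$/ && !(t[i+1] in chains))
          print t[i+1]
    }' "$1" | while IFS= read -r ext; do ext_to_module "$ext"; done | grep -v '^$' | sort -u
}

# Needed modules absent from the loaded list; xt_NAME and ipt_NAME are equivalent.
missing_modules() {  # $1 = rules file, $2 = line number, $3 = /proc/modules-style list
  rule_modules "$1" "$2" | while IFS= read -r mod; do
    case "$mod" in
      xt_*)  alt="ipt_${mod#xt_}" ;;
      ipt_*) alt="xt_${mod#ipt_}" ;;
      *)     alt="$mod" ;;
    esac
    awk -v a="$mod" -v b="$alt" '$1 == a || $1 == b { f = 1 } END { exit !f }' "$3" || echo "$mod"
  done
}

RULES=$(mktemp)
LOADED=$(mktemp)
trap 'rm -f "$RULES" "$LOADED"' EXIT
make_sample_rules  > "$RULES"
make_sample_loaded > "$LOADED"

# Reproduce the post's situation: the CSF limit/LOG rule is the failing line.
FAILING=8
echo "failing rule:  $(failed_rule "$RULES" "$FAILING")"
echo "needs modules: $(rule_modules "$RULES" "$FAILING" | tr '\n' ' ')"
echo "not loaded:    $(missing_modules "$RULES" "$FAILING" "$LOADED" | tr '\n' ' ')"
# Real use, on the host node: missing_modules /vz/root/860/etc/sysconfig/iptables 44 /proc/modules
```

Run it on the host node, not inside the container: the container shares the host kernel, so /proc/modules on the host is the authoritative list, and anything the script reports as not loaded has to be both added to the IPTABLES= list in /etc/vz/conf/CTID.conf and loaded with modprobe before the container's iptables-restore can succeed.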