|
#1
|
||||
|
||||
|
There is still some kind of problem with iptables.
If CSF is ON you can't connect in to the VPS, or out from it. I am able to connect to it because my IP is in csf.allow
__________________
quietFinn - netFinn Finland "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr. Seuss |
|
#2
|
|||
|
|||
|
Well... the iptables issue is nearly completely fixed.
Here's the result for mine, after DaveC PMed me, stating that he thinks he'd fixed it. Sure enough, he did, though there's one more issue remaining:
Code:
Testing iptables...
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing ipt_owner...OK
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for MESSENGER feature
RESULT: csf will function on this server but some features will not work due to some missing iptables modules [1]

It appears to be taking a LONG time. Looks like it decided to die instead of starting. Bummer, had hoped it'd start successfully.
... Okay, it looks like restarting CSF took out the WHM. Whoops!
... Oh dear, yup, definitely took it out. If you see Messenger error like I did, DO NOT RESTART!
Edit 2: Yeah, definitely took it out, completely. I'm not sure if I should send in a reboot ticket or something....
Last edited by LitomoSilver; 08-27-2009 at 05:26 PM. |
|
#3
|
||||
|
||||
|
Quote:
You can reboot the VPS if you login to the power panel at https://<YOUR-IP>:8443
__________________
quietFinn - netFinn Finland "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr. Seuss |
|
#4
|
|||
|
|||
|
Right, I forgot about that.
We'll see how that goes! I'm sure I added myself to the allow list... but I'll check again once I've gotten it to reboot.
Edit: Fail. I cannot get the httpd and named daemon to restart. SSHD is still up, so I'll try getting in that way and trying to start... or at least trying to find the error.
Edit 2: named restarted successfully via ssh. httpd... well, there wasn't an indicator that it worked, so I'll check further.
Edit 3: Appears Parallels Power Panel has a slight issue detecting whether services were actually working. :-P The server is fine now.
Edit 4: Successfully restarted lfd and CSF in test mode. Switching it out of test mode and checking for sure.
Edit 5: Appears to take longer than usual to restart... but it seems to be fine.
Last edited by LitomoSilver; 08-27-2009 at 05:47 PM. |
|
#5
|
|||
|
|||
|
Whoops. Looks like I whapped it again.
-sigh.- Okay, CSF seems to be finicky with me. :P Restarting it doesn't seem to work. So... looks like it's time to PM DaveC. |
|
#6
|
||||
|
||||
|
You can reboot the VPS by clicking the link Restart Container in the Power Panel.
__________________
quietFinn - netFinn Finland "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr. Seuss |
|
#7
|
|||
|
|||
|
I tried... didn't work the 3 or more times I tried.
It's dead. I don't know what else I can do, since it doesn't respond to anything after the restarts.
Edit: Seems to be back online... but I can't access the WHM. Or the cPanel. Or SSH, either. Just the main server's "Great success!" ... I'm not sure what happened there, and since I cannot get in to resolve the issue...
Last edited by LitomoSilver; 08-27-2009 at 06:37 PM. |
|
#8
|
||||
|
||||
|
Currently I have the following iptables modules loaded. Let me know if you guys need any other ones loaded.
--- ip_tables ipt_state ipt_multiport iptable_filter ipt_limit ipt_LOG ipt_REJECT ipt_conntrack ip_conntrack ip_conntrack_ftp iptable_mangle ipt_owner ipt_recent iptable_nat ipt_REDIRECT --- |
|
#9
|
||||
|
||||
|
CSF seems to work:
Quote:
if CSF is running can't connect in or out. I can connect IN if I have my IP in csf.allow.
__________________
quietFinn - netFinn Finland "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr. Seuss |
|
#10
|
|||
|
|||
|
Testing iptables...
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing ipt_owner...OK
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for MESSENGER feature
RESULT: csf will function on this server but some features will not work due to some missing iptables modules [1]

Yup, same here. |
|
#11
|
||||
|
||||
|
Quote:
Hello, I've added the module iptable_nat for you. Please let me know if you need anything else added. |
|
#12
|
|||
|
|||
|
Quote:
Testing iptables...
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing ipt_owner...OK
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for MESSENGER feature
RESULT: csf will function on this server but some features will not work due to some missing iptables modules [1]
...Done.

I'm guessing it's the iptables MySQL table, `nat or something of the sort. It's still not working correctly. |
|
#13
|
||||
|
||||
|
Hmm, for the heck of it, try running `iptables -N nat`. That *might* work, but I doubt it.
|
|
#14
|
|||
|
|||
|
login as: root
root@serv1.shattereddreamshosting.com's password:
Last login: Tue Sep 1 19:03:07 2009 from 173-11-139-41-houston.txt.hfc.comcastbusiness.net
root@serv1 [~]# `iptables -N nat`
root@serv1 [~]# iptables -N nat
iptables: Chain already exists
root@serv1 [~]#

Then:
Testing iptables...
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing ipt_owner...OK
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for MESSENGER feature
RESULT: csf will function on this server but some features will not work due to some missing iptables modules [1]
...Done.

I'm doublechecking in Firefox to ensure this isn't a cache issue. As far as I can tell, it isn't the cache.
And now I can't get into the server via SSH. (Quick check out as to why the SSHD isn't accepting my connection?)
Edit: Yes, I've tried restarting the SSHD so that I could directly test the script in the server.)
Last edited by LitomoSilver; 09-01-2009 at 08:32 PM. |
|
#15
|
|||
|
|||
|
[QUOTE=LitomoSilver;183537]
login as: root
root@serv1.shattereddreamshosting.com's password:
Last login: Tue Sep 1 19:03:07 2009 from 173-11-139-41-houston.txt.hfc.comcastbusiness.net
root@serv1 [~]# `iptables -N nat`
root@serv1 [~]# iptables -N nat
iptables: Chain already exists
root@serv1 [~]#

Then:
Testing iptables...
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing ipt_owner...OK
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for MESSENGER feature
RESULT: csf will function on this server but some features will not work due to some missing iptables modules [1]
...Done.

I'm doublechecking in Firefox to ensure this isn't a cache issue. As far as I can tell, it isn't the cache.
And now I can't get into the server via SSH. (Quick check out as to why the SSHD isn't accepting my connection?)
Edit: Yes, I've tried restarting the SSHD so that I could directly test the script in the server.)
Edit 2: Wonder if it's a bug? |
|
#16
|
||||
|
||||
|
Just a reminder that this problem with CSF/IPTABLES still exists.
And I do not mean this error: Quote:
__________________
quietFinn - netFinn Finland "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr. Seuss Last edited by quietFinn; 09-02-2009 at 02:07 PM. |
|
#17
|
|||
|
|||
|
Quote:
I just don't know why it says it isn't. |
|
#18
|
||||
|
||||
|
Seems the node was rebooted and now we are back to this:
Quote:
__________________
quietFinn - netFinn Finland "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr. Seuss |
|
#19
|
|||
|
|||
|
... And I was thinking it was myself.
-facepalms.- Well... I followed the Parallels guide. This is the result that I got when I tried adding the modules:

Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp [FAILED]

... So it looks like everything that we needed was removed from the master node. My thinking was that I'd add it to sysconfig's iptables-config and restart it, and see what would happen. I'll leave it as is and wait and see what happens when the stuff we need is readded.

Edit: Also, what about the insmod thing that the test keeps referring to when it WAS working? That must've been why it died on an earlier installation attempt that I'd made... I'd gotten a comment stating that something'd forced it to restart, terminating the installation and forcing me to reattempt the installation. Fortunately, it worked that time.

Looks like we're still having issues with iptables... Hostgator, have you guys read the guide HERE: Parallels iptables Guide yet? I'm just asking, since it seems the answer's obviously there... or at least, I'd think so.

Edit:
ConfigServer Security & Firewall - csf v4.77
Starting csf...
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `acctboth'
Flushing chain `icmpchk'
Flushing chain `nat'
Flushing chain `syn-flood'
Flushing chain `tcpchk'
Flushing chain `udpchk'
Deleting chain `acctboth'
Deleting chain `icmpchk'
Deleting chain `nat'
Deleting chain `syn-flood'
Deleting chain `tcpchk'
Deleting chain `udpchk'
Restarting bandmin acctboth chains for cPanel
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:67
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:67
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:68
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:68
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:111
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:111
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:113
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:113
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpts:135:139
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpts:135:139
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:445
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:445
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:513
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:513
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:520
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:520
iptables: Unknown error 18446744073709551615
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
Error: iptables command [/sbin/iptables -v -A LOGDROPIN -p tcp -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '] failed, at line 280
...Done.

I'll see what the test has to say.

Edit 2: Yup, same error as QuietFinn's.
ConfigServer Security & Firewall - csf v4.77
Testing iptables...
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...FAILED [FATAL Error: iptables: Unknown error 18446744073709551615] - Required for csf to function
Testing ipt_multiport/xt_multiport...FAILED [FATAL Error: iptables: Unknown error 18446744073709551615] - Required for csf to function
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...FAILED [FATAL Error: iptables: Unknown error 18446744073709551615] - Required for csf to function
Testing ipt_limit/xt_limit...FAILED [FATAL Error: iptables: Unknown error 18446744073709551615] - Required for csf to function
Testing ipt_recent...FAILED [Error: iptables: Unknown error 18446744073709551615] - Required for PORTFLOOD feature
Testing ipt_owner...FAILED [Error: iptables: Unknown error 18446744073709551615] - Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for MESSENGER feature
RESULT: csf will not function on this server due to FATAL errors from missing modules [4]
...Done.

I know we're beta-testing this... but to be honest, this is starting to really annoy me. >_>

Edit 3: I just noticed that the table, `nat, exists. Which leaves the suggestion, "insmod" as the last option as suggested by the CSF test script. Can we PLEASE have somebody look into what "insmod" does and get it installed on our VPSes? Then we can see if this causes the errors to go completely away. >_>
Last edited by LitomoSilver; 09-03-2009 at 06:34 AM. |
|
#20
|
||||
|
||||
|
This problem still exists.
The iptables modules seem to be there: Quote:
__________________
quietFinn - netFinn Finland "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr. Seuss |
|
#21
|
|||
|
|||
|
Yup...
Can we see what insmod does? From what I've googled, it appears to be something related to hardware... but I really don't know to be honest.
So I look in /var/log/messages and looky here:
Sep 4 07:19:57 serv1 modprobe: FATAL: Could not load /lib/modules/2.6.18-028stab064.7/modules.dep: No such file or directory
Sep 4 07:20:53 serv1 modprobe: FATAL: Could not load /lib/modules/2.6.18-028stab064.7/modules.dep: No such file or directory
This might be the issue.
Edit 2: Yeah, that's the issue. I just ran the iptables test script and checked right after the test was completed and got the above modprobe error in /var/log/messages.
Last edited by LitomoSilver; 09-04-2009 at 07:27 AM. |
|
#22
|
||||
|
||||
|
What functionality isn't working with CSF? Can someone provide me with a login, and what to run?
I've used IPtables on the VPS's and it seems to work fine. However, I haven't really used NAT as I don't see a reason to really use it on a standard firewall. |
|
#23
|
||||
|
||||
|
Quote:
I can connect in if my IP is in csf.allow My root password is still the same. So have I, both in OpenVZ and ZEN, no problems with CSF.
__________________
quietFinn - netFinn Finland "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr. Seuss |
|
#24
|
||||
|
||||
|
When I run csftest.pl I see this in /var/log/messages :
Quote:
__________________
quietFinn - netFinn Finland "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr. Seuss |
|
#25
|
|||
|
|||
|
... Only way CSF works at all is if Testing Mode's still enabled.
I left it on, because it seems like every time I turn off Testing Mode, it royally balls itself up. Then I'd need to reinstall the VPS as it was unrecoverable. (Especially since it locked me out of everything, including Parallel Power Panel's SSH connection.) ... ;x I've not been able to find out anything that even resembles a solution for this issue. |
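
The csftest.pl runs pasted in this thread mark each failed module either as a FATAL error ("Required for csf to function") or as a plain error that only disables one feature. As an added example (not part of the thread and not ConfigServer's code), the shell function below reads that output and returns non-zero when any FATAL failure is present, so it can gate a restart or the switch out of test mode. The function names are hypothetical and the sample input is constructed from the failing run quoted in post #19.

```shell
#!/bin/sh
# Added example: classify csftest.pl results before taking csf out of test mode.

# Constructed sample, copied from the failing run quoted in this thread.
sample_csftest_output() {
cat <<'EOF'
Testing iptables...
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...FAILED [FATAL Error: iptables: Unknown error 18446744073709551615] - Required for csf to function
Testing ipt_multiport/xt_multiport...FAILED [FATAL Error: iptables: Unknown error 18446744073709551615] - Required for csf to function
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...FAILED [FATAL Error: iptables: Unknown error 18446744073709551615] - Required for csf to function
Testing ipt_limit/xt_limit...FAILED [FATAL Error: iptables: Unknown error 18446744073709551615] - Required for csf to function
Testing ipt_recent...FAILED [Error: iptables: Unknown error 18446744073709551615] - Required for PORTFLOOD feature
Testing ipt_owner...FAILED [Error: iptables: Unknown error 18446744073709551615] - Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for MESSENGER feature
RESULT: csf will not function on this server due to FATAL errors from missing modules [4]
EOF
}

# Reads csftest.pl output on stdin, prints one line per failed test plus a
# summary line, and returns non-zero if any failure is marked FATAL.
csftest_verdict() {
  awk '
    /^Testing .*\.\.\.OK/ { ok++; next }
    /^Testing .*\.\.\.FAILED/ {
      name = $2; sub(/\.\.\..*$/, "", name)        # module name before "..."
      need = $0; sub(/^.*\] - Required for /, "", need)
      if ($0 ~ /\[FATAL Error:/) { fatal++; kind = "FATAL" }
      else                       { feat++;  kind = "FEATURE" }
      printf "%s %s (needed for %s)\n", kind, name, need
    }
    END {
      printf "ok=%d fatal=%d feature_only=%d\n", ok, fatal, feat
      exit (fatal > 0)
    }'
}

if sample_csftest_output | csftest_verdict; then
  echo "Only optional features are affected."
else
  echo "FATAL module failures: keep csf in test mode."
fi
```

On a real server the function would be fed the test script's own output in place of the constructed sample.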
All times are GMT -5. The time now is 11:42 PM.










