IP Tables configuration

[monkey64]

I am trying to install CSF Firewall and I have an IP Tables config error when I try to turn on CSF:

Code:

iptables: Unknown error 4294967295
ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:25 OWNER UID match 0 
Error: iptables command [/sbin/iptables -v -I OUTPUT -p tcp --dport 25 -m owner --uid-owner 0 -j ACCEPT] failed, at line 552

Googling "Unknown error 4294967295", gives me a wide range of possible fixes involving the --numiptent variable, or this post which goes way over my head.

It looks as though IP Tables is not configured correctly and I need to add some modules.
I did try this:

Code:

/etc$ modprobe ipt_conntrack
FATAL: Could not load /lib/modules/2.6.39.4-x1/modules.dep: No such file or directory

But I got an error.
Any ideas?

[Infopro]

See if this thread is helpful to you:
when i restart CSF display this error: Error: iptables command [/sbin/iptables -v - cPanel Forums

Or maybe this one is:
ConfigServer Scripts Forum - View topic - VPS iptables problems

If not you might try searching this term instead:
Error: iptables command [/sbin/iptables


HTH!

[monkey64]

Tearing my hair out with this one!
To check that Iptables is actually installed, on my Centos 5 VPS, I run this, and it looks like it is:

Code:

rpm -q iptables
iptables-1.3.5-9.1.el5

To check if iptables is actually running, I run the following, but get an error:

Code:

lsmod | grep ip_tables
Opening /proc/modules: No such file or directory

And quite correctly, there isn't a "/proc/modules" folder. Am I running the wrong command?
To add the modules to iptables, I added the following entry to my /etc/sysconfig/iptables-config and rebooted the server:

Code:

IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle  ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ip_conntrack_ftp ipt_conntrack ip_tables  ip_conntrack_netbios_ns"

It doesn't seem to have worked. What is the correct way to add modules to Iptables?

[cPanelTristan]

Are you on a dedicated machine or a VPS machine? You cannot add modules if it is a VPS machine such as Virtuozzo or OpenVZ.

[monkey64]

Tristan

I'm on a VPS running Centos 5. No idea whether it is Virtuozzo or OpenVZ though.
That's a shame because it doesn't look like I can get CSF Firewall to work.
Oh well thanks anyway.

[Infopro]

Tristan

I'm on a VPS running Centos 5. No idea whether it is Virtuozzo or OpenVZ though.
That's a shame because it doesn't look like I can get CSF Firewall to work.
Oh well thanks anyway.

Have you read this document?
http://www.configserver.com/free/csf/install.txt

[monkey64]

Tristan

Thanks for the post.
Yes I have read the document and the problems begin when I run the Perl test script "perl /etc/csf/csftest.pl". The output script gives me the following:

Code:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Unknown error 4294967295] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...FAILED [Error: iptables: Unknown error 4294967295] - Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

I can't start csf at all because of the iptables error, which leads me back to my first post.
You say that "You cannot add modules if it is a VPS machine", so I can't move forward because it looks like the modules are not being loaded.

Unless you know of another way...

[monkey64]

Tristan

I don't beleive it.
I tried one again to install CSF as I had done many times before and it worked!
So the IPtables Unknown error 4294967295 was a red herring.
Thanks for your help. I wish I understood why it words now.

[revendai]

Helo error on start iptables

iptables v1.3.5: can't initialize iptables table `filter': No chain/target/match by that name
Perhaps iptables or your kernel needs to be upgraded.

[pwhjenny]

You need to contact your host in order to get required Iptable modules installed in your VPS. After that you can install csf.

[monkey64]

Just a quick followup to my original post.

My issue was that I was trying to select a Firewall Security Level which could not be supported with the limited amount of IP Tables modules. Because I did not have xt_connlimit and ipt_owner/xt_owner modules, I could only run the Firewall on its LOW setting. Took a while to figure that out...

I would reccommend ConfigServer Security & Firewall to everyone who is serious about server security.

[storminternet]

I hope this URL will help for how to add /http://forum.parallels.com/showthread.php?t=114991 on the hardware node. But better to consult with your hosting provider before you try this.