
CSF, CC_ALLOW_FILTER, and ipset

Discussion in 'Security' started by tomdchi, Jun 7, 2018.

  1. tomdchi

    I am trying to only allow IPs from US and Canada through the firewall. It appeared that CC_ALLOW_FILTER would do this, but it recommended that LF_IPSET be set to on. This required ipset to be installed. So CC_ALLOW_FILTER is set to US,CA, LF_IPSET is on and ipset is installed, but CSF is not blocking connections from other countries.

    I did initially see this error on CSF restart:
    Code:
    csf: IPSET creating set cc_us
    RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_us src
    csf: IPSET loading set cc_us with 66677 entries
    IPSET: [ipset v6.29: Error in line 65537: Hash is full, cannot add more elements]
    I increased LF_IPSET_MAXELEM and after restart no errors were shown.

    Code:
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `ALLOWIN'
    Flushing chain `ALLOWOUT'
    Flushing chain `CC_ALLOWF'
    Flushing chain `DENYIN'
    Flushing chain `DENYOUT'
    Flushing chain `DSHIELD'
    Flushing chain `HONEYPOT'
    Flushing chain `INVALID'
    Flushing chain `INVDROP'
    Flushing chain `LOCALINPUT'
    Flushing chain `LOCALOUTPUT'
    Flushing chain `LOGDROPIN'
    Flushing chain `LOGDROPOUT'
    Flushing chain `SMTPOUTPUT'
    Flushing chain `SPAMEDROP'
    Flushing chain `cphulk'
    Deleting chain `ALLOWIN'
    Deleting chain `ALLOWOUT'
    Deleting chain `CC_ALLOWF'
    Deleting chain `DENYIN'
    Deleting chain `DENYOUT'
    Deleting chain `DSHIELD'
    Deleting chain `HONEYPOT'
    Deleting chain `INVALID'
    Deleting chain `INVDROP'
    Deleting chain `LOCALINPUT'
    Deleting chain `LOCALOUTPUT'
    Deleting chain `LOGDROPIN'
    Deleting chain `LOGDROPOUT'
    Deleting chain `SMTPOUTPUT'
    Deleting chain `SPAMEDROP'
    Deleting chain `cphulk'
    Flushing chain `PREROUTING'
    Flushing chain `POSTROUTING'
    Flushing chain `OUTPUT'
    Flushing chain `PREROUTING'
    Flushing chain `OUTPUT'
    Flushing chain `PREROUTING'
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `POSTROUTING'
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `ALLOWIN'
    Flushing chain `ALLOWOUT'
    Flushing chain `CC_ALLOWF'
    Flushing chain `DENYIN'
    Flushing chain `DENYOUT'
    Flushing chain `DSHIELD'
    Flushing chain `HONEYPOT'
    Flushing chain `INVALID'
    Flushing chain `INVDROP'
    Flushing chain `LOCALINPUT'
    Flushing chain `LOCALOUTPUT'
    Flushing chain `LOGDROPIN'
    Flushing chain `LOGDROPOUT'
    Flushing chain `SMTPOUTPUT'
    Flushing chain `SPAMEDROP'
    Deleting chain `ALLOWIN'
    Deleting chain `ALLOWOUT'
    Deleting chain `CC_ALLOWF'
    Deleting chain `DENYIN'
    Deleting chain `DENYOUT'
    Deleting chain `DSHIELD'
    Deleting chain `HONEYPOT'
    Deleting chain `INVALID'
    Deleting chain `INVDROP'
    Deleting chain `LOCALINPUT'
    Deleting chain `LOCALOUTPUT'
    Deleting chain `LOGDROPIN'
    Deleting chain `LOGDROPOUT'
    Deleting chain `SMTPOUTPUT'
    Deleting chain `SPAMEDROP'
    Flushing chain `PREROUTING'
    Flushing chain `OUTPUT'
    Flushing chain `PREROUTING'
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `POSTROUTING'
    csf: FASTSTART loading DROP no logging (IPv4)
    csf: FASTSTART loading DROP no logging (IPv6)
    LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
    LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* '
    LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
    LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* '
    LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
    LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
    LOG  tcp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP6IN Blocked* '
    LOG  tcp opt    in * out *  ::/0  -> ::/0  tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP6OUT Blocked* '
    LOG  udp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP6IN Blocked* '
    LOG  udp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP6OUT Blocked* '
    LOG  icmpv6 opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP6IN Blocked* '
    LOG  icmpv6 opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP6OUT Blocked* '
    DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
    REJECT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  reject-with icmp-port-unreachable
    DROP  all opt    in * out *  ::/0  -> ::/0
    REJECT  all opt    in * out *  ::/0  -> ::/0  reject-with icmp6-port-unreachable
    DENYOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
    DENYIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
    ALLOWOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
    ALLOWIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
    DENYOUT  all opt    in * out !lo  ::/0  -> ::/0
    DENYIN  all opt    in !lo out *  ::/0  -> ::/0
    ALLOWOUT  all opt    in * out !lo  ::/0  -> ::/0
    ALLOWIN  all opt    in !lo out *  ::/0  -> ::/0
    csf: FASTSTART loading Packet Filter (IPv4)
    csf: FASTSTART loading Packet Filter (IPv6)
    DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
    INVALID  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
    INVALID  tcp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
    DROP  all opt    in * out *  ::/0  -> ::/0
    INVALID  tcp opt    in !lo out *  ::/0  -> ::/0
    INVALID  tcp opt    in * out !lo  ::/0  -> ::/0
    csf: IPSET creating set chain_DENY
    csf: IPSET creating set chain_6_DENY
    csf: FASTSTART loading csf.deny (IPv4)
    csf: FASTSTART loading csf.deny (IPv6)
    csf: FASTSTART loading csf.deny (IPSET)
    DROP  all opt -- in !lo out *  185.43.209.168  -> 0.0.0.0/0
    REJECT  all opt -- in * out !lo  0.0.0.0/0  -> 185.43.209.168  reject-with icmp-port-unreachable
    csf: IPSET creating set chain_ALLOW
    csf: IPSET creating set chain_6_ALLOW
    csf: FASTSTART loading csf.allow (IPv4)
    csf: FASTSTART loading csf.allow (IPv6)
    csf: FASTSTART loading csf.allow (IPSET)
    csf: IPSET creating set bl_SPAMEDROP
    DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set bl_SPAMEDROP src
    csf: IPSET creating set bl_6_SPAMEDROP
    DROP  all opt    in * out *  ::/0  -> ::/0  match-set bl_6_SPAMEDROP src
    csf: IPSET loading set bl_SPAMEDROP with 130 entries
    csf: IPSET loading set bl_6_SPAMEDROP with 0 entries
    SPAMEDROP  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
    SPAMEDROP  all opt    in !lo out *  ::/0  -> ::/0
    csf: IPSET creating set bl_HONEYPOT
    DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set bl_HONEYPOT src
    csf: IPSET creating set bl_6_HONEYPOT
    DROP  all opt    in * out *  ::/0  -> ::/0  match-set bl_6_HONEYPOT src
    csf: IPSET loading set bl_HONEYPOT with 49 entries
    csf: IPSET loading set bl_6_HONEYPOT with 0 entries
    HONEYPOT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
    HONEYPOT  all opt    in !lo out *  ::/0  -> ::/0
    csf: IPSET creating set bl_DSHIELD
    DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set bl_DSHIELD src
    csf: IPSET creating set bl_6_DSHIELD
    DROP  all opt    in * out *  ::/0  -> ::/0  match-set bl_6_DSHIELD src
    csf: IPSET loading set bl_DSHIELD with 20 entries
    csf: IPSET loading set bl_6_DSHIELD with 0 entries
    DSHIELD  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
    DSHIELD  all opt    in !lo out *  ::/0  -> ::/0
    csf: Generating /etc/exim.smtpauth
    csf: IPSET creating set cc_us
    RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set cc_us src
    csf: IPSET loading set cc_us with 66677 entries
    csf: IPSET creating set cc_ca
    RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set cc_ca src
    csf: IPSET loading set cc_ca with 16099 entries
    CC_ALLOWF  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
    CC_ALLOWF  all opt    in !lo out *  ::/0  -> ::/0
    ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmp type 8 limit: avg 1/sec burst 5
    LOGDROPIN  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmp type 8
    ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
    ACCEPT  icmp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
    ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0
    ACCEPT  icmpv6 opt    in * out !lo  ::/0  -> ::/0
    ACCEPT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  state RELATED,ESTABLISHED
    ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  state RELATED,ESTABLISHED
    ACCEPT  all opt    in !lo out *  ::/0  -> ::/0  state RELATED,ESTABLISHED
    ACCEPT  all opt    in * out !lo  ::/0  -> ::/0  state RELATED,ESTABLISHED
    csf: FASTSTART loading TCP_IN (IPv4)
    csf: FASTSTART loading TCP6_IN (IPv6)
    csf: FASTSTART loading TCP_OUT (IPv4)
    csf: FASTSTART loading TCP6_OUT (IPv6)
    csf: FASTSTART loading UDP_IN (IPv4)
    csf: FASTSTART loading UDP6_IN (IPv6)
    csf: FASTSTART loading UDP_OUT (IPv4)
    csf: FASTSTART loading UDP6_OUT (IPv6)
    ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0
    ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0
    REJECT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  reject-with icmp-port-unreachable
    LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
    ACCEPT  all opt    in lo out *  ::/0  -> ::/0
    ACCEPT  all opt    in * out lo  ::/0  -> ::/0
    REJECT  all opt    in * out !lo  ::/0  -> ::/0  reject-with icmp6-port-unreachable
    LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0
    SMTPOUTPUT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
    SMTPOUTPUT  all opt    in * out *  ::/0  -> ::/0
    csf: FASTSTART loading SMTP Block (IPv4)
    csf: FASTSTART loading SMTP Block (IPv6)
    csf: FASTSTART loading DNS (IPv4)
    csf: FASTSTART loading DNS (IPv6)
    LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
    LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
    LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0
    LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0  

    Can someone help me figure out why connections from other countries are still being allowed?
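A small checker for restart output like the one quoted above, added here as an example and not part of the thread or of CSF itself: it reads the csf log lines for the sets that CC_ALLOW_FILTER creates (cc_us, cc_ca), confirms each set was loaded and has its RETURN match-set rule, and flags a set whose load hit the ipset "Hash is full" error, which is the symptom the first restart showed. The sample lines are taken from the post; the function name and the maxelem values passed in are assumptions.

```python
import re

# Constructed sample: lines copied from the csf restart output in the post,
# including the "Hash is full" error from the first restart.
SAMPLE_OUTPUT = """\
csf: IPSET creating set cc_us
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_us src
csf: IPSET loading set cc_us with 66677 entries
IPSET: [ipset v6.29: Error in line 65537: Hash is full, cannot add more elements]
csf: IPSET creating set cc_ca
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_ca src
csf: IPSET loading set cc_ca with 16099 entries
CC_ALLOWF  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
"""

LOADING = re.compile(r"csf: IPSET loading set (\S+) with (\d+) entries")
HASH_FULL = re.compile(r"Error in line (\d+): Hash is full")
RETURN_RULE = re.compile(r"^RETURN\s.*match-set (\S+) src")


def audit_cc_allow(output, countries, maxelem):
    """Per country code, report what the csf restart log shows for its set.

    maxelem is the LF_IPSET_MAXELEM value in effect for that restart, so
    'fits_maxelem' tells you whether the set could have loaded completely.
    """
    loaded, truncated_at, returned = {}, {}, set()
    last_set = None  # the set most recently being loaded; ipset errors follow it
    for line in output.splitlines():
        m = LOADING.search(line)
        if m:
            last_set = m.group(1)
            loaded[last_set] = int(m.group(2))
            continue
        m = HASH_FULL.search(line)
        if m and last_set:
            # Line N failed, so only N-1 entries made it into the set.
            truncated_at[last_set] = int(m.group(1)) - 1
            continue
        m = RETURN_RULE.search(line)
        if m:
            returned.add(m.group(1))
    report = {}
    for cc in countries:
        name = "cc_" + cc.lower()
        entries = loaded.get(name, 0)
        report[cc] = {
            "set_loaded": name in loaded,
            "return_rule": name in returned,
            "entries": entries,
            "truncated_at": truncated_at.get(name),
            "fits_maxelem": entries <= maxelem,
        }
    return report
```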
     
  2. cPanelLauren

