monkey64

Well-Known Member
Nov 6, 2011
cPanel Access Level
Root Administrator
I am trying to install CSF Firewall and I have an IP Tables config error when I try to turn on CSF:

Code:
iptables: Unknown error 4294967295
ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:25 OWNER UID match 0 
Error: iptables command [/sbin/iptables -v -I OUTPUT -p tcp --dport 25 -m owner --uid-owner 0 -j ACCEPT] failed, at line 552
Googling "Unknown error 4294967295" gives me a wide range of possible fixes involving the --numiptent variable, or this post which goes way over my head.

It looks as though IP Tables is not configured correctly and I need to add some modules.
I did try this:

Code:
/etc$ modprobe ipt_conntrack
FATAL: Could not load /lib/modules/2.6.39.4-x1/modules.dep: No such file or directory
But I got an error.
Any ideas?
 

monkey64

Well-Known Member
Nov 6, 2011
cPanel Access Level
Root Administrator
Tearing my hair out with this one!
To check that iptables is actually installed on my CentOS 5 VPS, I run this, and it looks like it is:

Code:
rpm -q iptables
iptables-1.3.5-9.1.el5
To check if iptables is actually running, I run the following, but get an error:

Code:
lsmod | grep ip_tables
Opening /proc/modules: No such file or directory
And quite correctly, there isn't a "/proc/modules" folder. Am I running the wrong command?
To add the modules to iptables, I added the following entry to my /etc/sysconfig/iptables-config and rebooted the server:

Code:
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle  ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ip_conntrack_ftp ipt_conntrack ip_tables  ip_conntrack_netbios_ns"
It doesn't seem to have worked. What is the correct way to add modules to Iptables? :confused:
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
Are you on a dedicated machine or a VPS machine? You cannot add modules if it is a VPS machine such as Virtuozzo or OpenVZ.
 

monkey64

Well-Known Member
Nov 6, 2011
cPanel Access Level
Root Administrator
Tristan

I'm on a VPS running CentOS 5. No idea whether it is Virtuozzo or OpenVZ though.
That's a shame because it doesn't look like I can get CSF Firewall to work.
Oh well thanks anyway.
 

monkey64

Well-Known Member
Nov 6, 2011
cPanel Access Level
Root Administrator
Tristan

Thanks for the post.
Yes I have read the document and the problems begin when I run the Perl test script "perl /etc/csf/csftest.pl". The output script gives me the following:

Code:
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Unknown error 4294967295] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...FAILED [Error: iptables: Unknown error 4294967295] - Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
I can't start csf at all because of the iptables error, which leads me back to my first post.
You say that "You cannot add modules if it is a VPS machine", so I can't move forward because it looks like the modules are not being loaded.

Unless you know of another way...
 

monkey64

Well-Known Member
Nov 6, 2011
cPanel Access Level
Root Administrator
Tristan

I don't believe it.
I tried once again to install CSF as I had done many times before and it worked!
So the iptables Unknown error 4294967295 was a red herring.
Thanks for your help. I wish I understood why it works now.
 

revendai

Registered
Sep 23, 2012
RJ
cPanel Access Level
Root Administrator
Hello, error on start iptables

iptables v1.3.5: can't initialize iptables table `filter': No chain/target/match by that name
Perhaps iptables or your kernel needs to be upgraded.
 

pwhjenny

Well-Known Member
Aug 31, 2012
cPanel Access Level
Root Administrator
You need to contact your host in order to get required Iptable modules installed in your VPS. After that you can install csf.
 

monkey64

Well-Known Member
Nov 6, 2011
cPanel Access Level
Root Administrator
Just a quick followup to my original post.

My issue was that I was trying to select a Firewall Security Level which could not be supported with the limited amount of IP Tables modules. Because I did not have xt_connlimit and ipt_owner/xt_owner modules, I could only run the Firewall on its LOW setting. Took a while to figure that out...

I would recommend ConfigServer Security & Firewall to everyone who is serious about server security.
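
The diagnosis the thread arrives at can be scripted. The following is an added example, not part of any post above and not ConfigServer's code: it reads `perl /etc/csf/csftest.pl` output, lists each FAILED module with the csf feature that depends on it, and checks for an OpenVZ/Virtuozzo container, where modules cannot be loaded from inside the guest. The function names are hypothetical, the `/proc/vz` without `/proc/bc` test is a common heuristic assumed here, and the sample lines are copied from the output posted in this thread.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of csf.

# Sample input: lines copied from the csftest.pl output quoted in the thread.
SAMPLE='Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Unknown error 4294967295] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...FAILED [Error: iptables: Unknown error 4294967295] - Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT...OK'

# Read csftest.pl output on stdin; print "module|dependent feature" per FAILED test.
csf_failed_tests() {
    sed -n 's/^Testing \(.*\)\.\.\.FAILED \[Error: .*\] - Required for \(.*\)$/\1|\2/p'
}

# Assumed heuristic: a guest container has /proc/vz but no /proc/bc
# (the hardware node has both). $1 overrides the proc root for testing.
in_openvz_container() {
    proc_root=${1:-/proc}
    [ -d "$proc_root/vz" ] && [ ! -d "$proc_root/bc" ]
}

# Print a summary; exit status 1 means some csf features must stay disabled.
csf_report() {
    failures=$(csf_failed_tests)
    if [ -z "$failures" ]; then
        echo "All tested iptables modules are available."
        return 0
    fi
    printf '%s\n' "$failures" | while IFS='|' read -r module feature; do
        echo "Missing $module: leave disabled -> $feature"
    done
    return 1
}

# Stand-alone run against the sample; on a real server use:
#   perl /etc/csf/csftest.pl | csf_report
printf '%s\n' "$SAMPLE" | csf_report || echo "Some csf features are unavailable on this kernel."
if in_openvz_container; then
    echo "OpenVZ/Virtuozzo container detected: ask the host to enable the missing modules."
fi
```

A non-zero status from `csf_report` means the listed features have to remain off in the csf configuration until the host enables the modules for the container.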