iptables/apf issues on VPS

Ever since a VPS was transferred to a new VPS node, all outbound TCP connections fail to work. It is receiving connections just fine. However, when apf is running I cannot make any TCP connections. I did not change any configuration... it has been doing this since the switch.

For example:

telnet google.com 80
telnet mail.bellsouth.net 25

all fail, but when I turn off apf (/etc/init.d/apf stop) then it starts working again.

This is causing qmail to not be able to establish connections to other SMTP servers to deliver mail.

I have figured out the cause of the problem. When apf starts (/etc/init.d/apf start), several error messages print out in the form:

iptables: No chain/target/match by that name

One of the commands that is failing can be found in the /etc/apf/firewall script file after the line:

# Standard established/related connections

If you expand the variables, it is trying to execute:

/sbin/iptables -A INPUT -i venet0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A INPUT -i venet0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A OUTPUT -o venet0 -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A OUTPUT -o venet0 -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

These commands are failing, so iptables is allowing the TCP SYN packet, but is blocking the SYN/ACK packet coming back from the outbound connection.

iptables appears to be loading the state module correctly, because if I do:

/sbin/iptables -m state --help

It shows "state v1.2.11" options. Also, if I try using an invalid state then it complains, so I know it is parsing the state correctly.

iptables was working before the transfer. Now the iptables state module is not working after the transfer. This is preventing outbound connections from working.

The kernel that is running is a monolithic kernel and does NOT have the ipt_state module built into it. This can be verified by:

ROOT $ cat /proc/net/ip_tables_matches

Also, I can show that it was immediately after migration that the problem started occurring. Looking at /var/log/boot.log.1, we see the entry:

Aug 18 17:24:20 efoldering apf: Starting APF:

Looking through the log entries, it did not have the error message.

However, the next time the system boots and apf starts:

Aug 19 15:01:20 efoldering apf: Starting APF:
Aug 19 15:01:22 efoldering apf: iptables: No chain/target/match by that name
Aug 19 15:01:22 efoldering apf: iptables: No chain/target/match by that name

In that period of time the VPS was migrated. I know that migration shouldn't change anything, but apparently somehow it did change something so that the iptables state module isn't in the kernel anymore.

CentOS 4 / Virtuozzo VPS
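The two checks the post relies on (whether the kernel lists the "state" match in /proc/net/ip_tables_matches, and whether apf logged "No chain/target/match by that name" at start-up) can be scripted so they can be run on both the old and the new node before trusting a migration. The script below is an added example, not code from the original post or from APF; it assumes nothing about the real system and instead writes constructed copies of /proc/net/ip_tables_matches (one with the state match, one without, one with the newer conntrack match) and a constructed boot.log excerpt into a temporary directory. On a real host you would pass /proc/net/ip_tables_matches and /var/log/boot.log.1 to the same functions. It goes slightly beyond the post by also recognising the "conntrack" match, which on newer kernels provides the same ESTABLISHED,RELATED tracking that apf's rules need.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the kernel behind a
# VPS offers a stateful iptables match, and count apf's iptables failures in a
# boot log. All file contents below are constructed for illustration.

# has_match FILE NAME: succeed if NAME is listed in FILE.
# /proc/net/ip_tables_matches holds one match name per line, so match whole lines.
has_match() {
    grep -qx "$2" "$1" 2>/dev/null
}

# state_support FILE: print which stateful match the kernel offers:
# "state" (what apf's rules use), "conntrack" (newer equivalent), or "none".
state_support() {
    if has_match "$1" state; then
        echo state
    elif has_match "$1" conntrack; then
        echo conntrack
    else
        echo none
    fi
}

# count_apf_errors LOG: number of "No chain/target/match by that name" lines
# that apf logged. grep -c prints 0 but exits 1 on no match, hence "|| true".
count_apf_errors() {
    grep -c 'apf: iptables: No chain/target/match by that name' "$1" 2>/dev/null || true
}

# node_ok MATCHES_FILE: succeed only if apf's ESTABLISHED,RELATED rules can load.
node_ok() {
    [ "$(state_support "$1")" != none ]
}

# --- constructed sample data (stand-ins for /proc and /var/log files) ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
good="$tmpdir/matches.before"      # old node: state match present
bad="$tmpdir/matches.after"        # new node: state match missing
newer="$tmpdir/matches.conntrack"  # hypothetical newer kernel
log="$tmpdir/boot.log"

printf 'icmp\nstate\ntcp\nudp\n' > "$good"
printf 'icmp\ntcp\nudp\n' > "$bad"
printf 'icmp\nconntrack\ntcp\nudp\n' > "$newer"
cat > "$log" <<'EOF'
Aug 19 15:01:20 efoldering apf: Starting APF:
Aug 19 15:01:22 efoldering apf: iptables: No chain/target/match by that name
Aug 19 15:01:22 efoldering apf: iptables: No chain/target/match by that name
EOF

echo "old node stateful match:   $(state_support "$good")"
echo "new node stateful match:   $(state_support "$bad")"
echo "newer kernel match:        $(state_support "$newer")"
echo "apf iptables errors logged: $(count_apf_errors "$log")"
node_ok "$bad" || echo "new node: apf's ESTABLISHED,RELATED rules will fail; outbound replies get dropped"
```

If `state_support` prints "none" for the live /proc/net/ip_tables_matches, the rule `-m state --state ESTABLISHED,RELATED` cannot load no matter what `iptables -m state --help` shows, because the userspace library parsing the option is separate from the kernel side that actually matches packets.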