
iptables/apf issues on vps

Discussion in 'General Discussion' started by NoAgendas, Aug 24, 2006.

    NoAgendas (Guest)

    Ever since a VPS was transferred to a new VPS node, all outbound TCP connections fail to work. It is receiving connections just fine. However, when apf is running I cannot make any TCP connections. I did not change any configuration... it has been doing this since the switch.

    For example:

    telnet 80
    telnet 25

    all fail, but when I turn off apf (/etc/init.d/apf stop) then it starts working again.

    This is causing qmail to not be able to establish connections to other SMTP servers to deliver mail.

    I have figured out the cause of the problem. When apf starts (/etc/init.d/apf start), several error messages print out in the form:

    iptables: No chain/target/match by that name

    One of the commands that is failing can be found in the /etc/apf/firewall script file after the line:

    # Standard established/related connections

    If you expand the variables, it is trying to execute:

    /sbin/iptables -A INPUT -i venet0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

    /sbin/iptables -A INPUT -i venet0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

    /sbin/iptables -A OUTPUT -o venet0 -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

    /sbin/iptables -A OUTPUT -o venet0 -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

    These commands are failing, so iptables is allowing the TCP SYN packet, but is blocking the SYN/ACK packet coming back from the outbound connection.

    iptables appears to be loading the state module correctly, because if I do:

    /sbin/iptables -m state --help

    It shows "state v1.2.11" options. Also, if I try using an invalid state then it complains, so I know it is parsing the state correctly.

    iptables was working before the transfer. Now the iptables state module is not working after the transfer. This is preventing outbound connections from working.

    The kernel that is running is a monolithic kernel and does NOT have the ipt_state module built into it. This can be verified by:

    ROOT $ cat /proc/net/ip_tables_matches

    Also, I can show that it was immediately after migration that the problem started occurring. Looking at /var/log/boot.log.1:

    We see the entry

    Aug 18 17:24:20 efoldering apf: Starting APF:

    Looking through the log entries, it did not have the error message.

    However, the next time the system boots and apf starts:

    Aug 19 15:01:20 efoldering apf: Starting APF:
    Aug 19 15:01:22 efoldering apf: iptables: No chain/target/match by that name
    Aug 19 15:01:22 efoldering apf: iptables: No chain/target/match by that name

    In between that period of time was when the VPS was migrated. I know that migration shouldn't change anything, but apparently somehow it did change something so that the iptables state module isn't in the kernel anymore.

    CentOS 4 / Virtuozzo VPS
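As an added example (not code from the post or from apf), a preflight check an admin can run before starting apf: it extracts every `-m` match module the rules use and compares them against /proc/net/ip_tables_matches, the file the post uses to verify that the state match is absent from the kernel. The file contents and rule list below are constructed samples, not taken from a real system.

```shell
#!/bin/sh
# Preflight check: refuse to consider a ruleset loadable if it uses an
# iptables match module that the running kernel does not export.
# When such a rule fails (as in the post), the ESTABLISHED,RELATED accept
# rules are never installed and return traffic for outbound connections
# is silently dropped.

# Constructed sample of /proc/net/ip_tables_matches for a kernel that
# lacks the "state" match (hypothetical contents).
SAMPLE_MATCHES="tcp
udp
icmp
limit
multiport"

# Constructed sample rules in the form apf expands them (one per line).
SAMPLE_RULES="/sbin/iptables -A INPUT -i venet0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i venet0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i venet0 -p tcp -m multiport --dports 22,80 -j ACCEPT"

# has_match NAME MATCHLIST: succeed if NAME is a whole line of MATCHLIST.
has_match() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# missing_matches RULES MATCHLIST: print, de-duplicated, each "-m" match
# name used in RULES that MATCHLIST does not contain.
missing_matches() {
    printf '%s\n' "$1" \
      | sed -n 's/.*-m \([a-z0-9_]*\).*/\1/p' \
      | sort -u \
      | while read -r m; do
            has_match "$m" "$2" || printf '%s\n' "$m"
        done
}

# check_rules RULES MATCHLIST: return 0 if every match is available.
check_rules() {
    missing=$(missing_matches "$1" "$2")
    [ -z "$missing" ]
}

# Demonstration on the constructed data. On a real host you would pass
# the expanded rules and "$(cat /proc/net/ip_tables_matches)" instead.
if check_rules "$SAMPLE_RULES" "$SAMPLE_MATCHES"; then
    echo "all iptables match modules are available"
else
    echo "missing iptables match modules: $(missing_matches "$SAMPLE_RULES" "$SAMPLE_MATCHES")"
fi
```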
