NoAgendas
Guest
Ever since a VPS has been transferred to a new vps node, all outbound TCP connections fail to work. It is receiving connections just fine. However, when apf is running I cannot make any TCP connections. I did not change any configuration... it has been doing this since the switch.
For example:
telnet google.com 80
telnet mail.bellsouth.net 25
All fail, but when I turn off apf (/etc/init.d/apf stop) it starts working again.
This is causing qmail to not be able to establish connections to other SMTP servers to deliver mail.
I have figured out the cause of the problem. When apf starts (/etc/init.d/apf start), several error messages print out in the form:
iptables: No chain/target/match by that name
One of the commands that is failing can be found in the /etc/apf/firewall script file after the line:
# Standard established/related connections
If you expand the variables, it is trying to execute:
/sbin/iptables -A INPUT -i venet0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i venet0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -o venet0 -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -o venet0 -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
These commands are failing, so iptables is allowing the TCP SYN packet, but is blocking the SYN/ACK packet coming back from the outbound connection.
iptables appears to be loading the state module correctly, because if I do:
/sbin/iptables -m state --help
It shows "state v1.2.11" options. Also, if I try using an invalid state then it complains, so I know it is parsing the state correctly.
iptables was working before the transfer. Now the iptables state module is not working after the transfer. This is preventing outbound connections from working.
The kernel that is running is a monolithic kernel and does NOT have the ipt_state module built into it. This can be verified by:
ROOT $ cat /proc/net/ip_tables_matches
length
ttl
tcpmss
tos
multiport
limit
tcp
udp
icmp
Also, I can show that it was immediately after migration that the problem started occurring. Looking at /var/log/boot.log.1:
We see the entry
Aug 18 17:24:20 efoldering apf: Starting APF:
Looking through the log entries, it did not have the error message.
However, the next time the system boots and apf starts:
Aug 19 15:01:20 efoldering apf: Starting APF:
Aug 19 15:01:22 efoldering apf: iptables: No chain/target/match by that name
Aug 19 15:01:22 efoldering apf: iptables: No chain/target/match by that name
....
In between that period of time was when the VPS was migrated. I know that migration shouldn't change anything, but apparently somehow it did change something so that the iptables state module isn't in the kernel anymore.
CentOS 4 / Virtuozzo VPS
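A pre-flight check for the failure described above, as an added example that is not part of the original post: it reads /proc/net/ip_tables_matches and refuses to bring up the firewall when a match the rule set depends on (here "state") is absent, so the ESTABLISHED,RELATED rules cannot silently go missing while the rest of the policy loads. The sample matches file is constructed to mirror the post's output; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post or the APF project).
# Verifies that the iptables matches a rule set needs are present in the
# running kernel before the firewall is started, so that a migration to a
# kernel without "state" support fails loudly instead of leaving a
# partially loaded rule set that blocks return traffic.

# Print the matches the kernel currently provides.
# $1 - path to the matches file (default /proc/net/ip_tables_matches)
list_kernel_matches() {
    cat "${1:-/proc/net/ip_tables_matches}" 2>/dev/null
}

# Return 0 if every match named in $2.. is listed in file $1, else 1.
# Each missing match is printed on its own line on stdout.
check_required_matches() {
    matches_file=$1
    shift
    missing=0
    for m in "$@"; do
        # -x: whole-line match, so "tcp" does not satisfy "tcpmss".
        if ! grep -qx "$m" "$matches_file" 2>/dev/null; then
            echo "$m"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample reproducing the post's post-migration kernel:
# the "state" match is absent.
SAMPLE_FILE=$(mktemp)
printf '%s\n' length ttl tcpmss tos multiport limit tcp udp icmp > "$SAMPLE_FILE"

echo "kernel matches: $(list_kernel_matches "$SAMPLE_FILE" | tr '\n' ' ')"

# The rule set in the post uses -m state on tcp and udp.
if missing=$(check_required_matches "$SAMPLE_FILE" state tcp udp); then
    echo "all required iptables matches present; safe to start firewall"
else
    echo "refusing to start firewall; missing matches: $missing" >&2
fi
rm -f "$SAMPLE_FILE"
```

Run the same check against the real /proc/net/ip_tables_matches from the apf init script before any rule is appended.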