The Community Forums


iptables/apf issues on vps

Discussion in 'General Discussion' started by NoAgendas, Aug 24, 2006.

    NoAgendas (Guest)

    Ever since a VPS has been transferred to a new vps node, all outbound TCP connections fail to work. It is receiving connections just fine. However, when apf is running I cannot make any TCP connections. I did not change any configuration... it has been doing this since the switch.

    For example:

    telnet google.com 80
    telnet mail.bellsouth.net 25

    All fail, but when I turn off apf (/etc/init.d/apf stop), it starts working again.

    This is causing qmail to not be able to establish connections to other SMTP servers to deliver mail.

    I have figured out the cause of the problem. When apf starts (/etc/init.d/apf start), several error messages print out in the form:

    iptables: No chain/target/match by that name

    One of the commands that is failing can be found in the /etc/apf/firewall script file after the line:

    # Standard established/related connections

    If you expand the variables, it is trying to execute:

    /sbin/iptables -A INPUT -i venet0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

    /sbin/iptables -A INPUT -i venet0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

    /sbin/iptables -A OUTPUT -o venet0 -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

    /sbin/iptables -A OUTPUT -o venet0 -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

    These commands are failing, so iptables is allowing the TCP SYN packet, but is blocking the SYN/ACK packet coming back from the outbound connection.

    iptables appears to be loading the state module correctly, because if I do:

    /sbin/iptables -m state --help

    It shows "state v1.2.11" options. Also, if I try using an invalid state then it complains, so I know it is parsing the state correctly.

    iptables was working before the transfer. Now the iptables state module is not working after the transfer. This is preventing outbound connections from working.

    The kernel that is running is a monolithic kernel and does NOT have the ipt_state module built into it. This can be verified by:

    ROOT $ cat /proc/net/ip_tables_matches
    length
    ttl
    tcpmss
    tos
    multiport
    limit
    tcp
    udp
    icmp

    Also, I can show that it was immediately after migration that the problem started occurring. Looking at /var/log/boot.log.1:

    we see the entry

    Aug 18 17:24:20 efoldering apf: Starting APF:

    Looking through the log entries, it did not have the error message.

    However, the next time the system boots and apf starts:

    Aug 19 15:01:20 efoldering apf: Starting APF:
    Aug 19 15:01:22 efoldering apf: iptables: No chain/target/match by that name
    Aug 19 15:01:22 efoldering apf: iptables: No chain/target/match by that name
    ....

    In between that period of time was when the VPS was migrated. I know that migration shouldn't change anything, but apparently somehow it did change something so that the iptables state module isn't in the kernel anymore.

    CentOS 4 / Virtuozzo VPS
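The failure described in the post (APF rules that use `-m state` silently rejected because the kernel no longer exposes that match) can be caught before the firewall is loaded by comparing the `-m` extensions a rule set asks for against /proc/net/ip_tables_matches. The script below is an added example, not code from the post or from APF; the rule lines and match list are constructed from what the post shows, and it assumes GNU grep (`-o`).

```shell
#!/bin/sh
# Added example: check that every iptables match extension a rule set needs
# is present in the running kernel before the rules are loaded. On a live
# box, feed it the expanded rules from /etc/apf/firewall and the real
# contents of /proc/net/ip_tables_matches instead of the constructed input.

# Constructed: rules in the form APF generates (variables already expanded).
RULES='/sbin/iptables -A INPUT -i venet0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i venet0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i venet0 -p tcp -m multiport --dports 22,80,443 -j ACCEPT
/sbin/iptables -A INPUT -i venet0 -p icmp -m limit --limit 30/sec -j ACCEPT'

# Constructed: the match list the post shows for the migrated kernel (no "state").
KERNEL_MATCHES='length
ttl
tcpmss
tos
multiport
limit
tcp
udp
icmp'

# Print, one per line, the distinct match extensions the rules request.
required_matches() {
    printf '%s\n' "$1" | grep -o -- '-m [a-z_]*' | awk '{print $2}' | sort -u
}

# Print the requested matches that are absent from the kernel's list.
# Each hit is a rule that will fail with "No chain/target/match by that name".
missing_matches() {
    rules="$1"; available="$2"
    for m in $(required_matches "$rules"); do
        printf '%s\n' "$available" | grep -qx -- "$m" || printf '%s\n' "$m"
    done
}

missing=$(missing_matches "$RULES" "$KERNEL_MATCHES")
if [ -n "$missing" ]; then
    echo "kernel lacks match extension(s): $missing"
    echo "ESTABLISHED,RELATED rules will not load; return traffic will be dropped"
else
    echo "all required match extensions are present"
fi
```

Run it from the firewall start script so a kernel that lost a match extension (as happened here after the VPS migration) is reported explicitly instead of leaving the host unable to open outbound connections.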
     