SOLVED iptables -L invdrop

Discussion in 'Security' started by jeffschips, Jun 13, 2019.

  1. jeffschips

    jeffschips Well-Known Member

    cPanel 11.80.0.15 on CentOS 7.

    I am seeing the following errors when doing iptables -L:

    INVDROP all -- anywhere anywhere ctstate INVALID
    INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
    INVDROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
    INVDROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
    INVDROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
    INVDROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
    INVDROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
    INVDROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN ctstate NEW

    To the newbie eyes this looks like "invalid" drop. Or is that something else?
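
How the `tcp flags:MASK/COMP` and `ctstate` columns in the listing above are evaluated, as an added example that is not part of the original thread: iptables examines only the flags named in MASK and matches when exactly the COMP flags are set among them, and a leading `!` inverts that result. The function names are hypothetical, and the packet flag sets and conntrack states passed to `first_match` are constructed for illustration.

```python
import re

# Rule lines copied from the `iptables -L` listing in the first post.
LISTING = """\
INVDROP all -- anywhere anywhere ctstate INVALID
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
INVDROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
INVDROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
INVDROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
INVDROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
INVDROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
INVDROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN ctstate NEW
"""
FLAGS_RE = re.compile(r"tcp flags:(!?)([A-Z,]+)/([A-Z,]+)")
STATE_RE = re.compile(r"ctstate ([A-Z,]+)")

def _flagset(text):
    return set() if text == "NONE" else set(text.split(","))

def parse_rule(line):
    """Extract the conditions one listing line tests (hypothetical helper)."""
    rule = {"text": line.strip(), "flags": None, "states": None}
    m = FLAGS_RE.search(line)
    if m:
        rule["flags"] = (m.group(1) == "!", _flagset(m.group(2)), _flagset(m.group(3)))
    m = STATE_RE.search(line)
    if m:
        rule["states"] = set(m.group(1).split(","))
    return rule

def rule_matches(rule, packet_flags, ctstate):
    """Every condition on a rule must hold for the packet to match it."""
    if rule["flags"] is not None:
        negated, mask, comp = rule["flags"]
        # Only flags named in the mask are examined; exactly comp must be set.
        if ((set(packet_flags) & mask) == comp) == negated:
            return False
    if rule["states"] is not None and ctstate not in rule["states"]:
        return False
    return True

def first_match(listing, packet_flags, ctstate):
    """Text of the first rule that would send this TCP packet to INVDROP, or None."""
    for rule in map(parse_rule, listing.splitlines()):
        if rule_matches(rule, packet_flags, ctstate):
            return rule["text"]
    return None
```

A plain SYN in state NEW and a PSH,ACK segment on an established connection return `None`, while a TCP packet with no flags set or a bare ACK classified as NEW returns the rule that diverts it.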
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    This thread on Configserver forums might be of some use:
    CSF Fails to start - ConfigServer Community Forum

    Note the code output in first post, scroll to bottom of it to see this message:
    Code:
    Error: iptables command [/sbin/iptables -v -A INVALID -m state --state INVALID -j INVDROP] failed, you appear to be missing a required iptables module, at line 1457
    If that's of no use, maybe one of these search results is:

    INVDROP all site:forum.configserver.com
     
  3. jeffschips

    I apologize in advance; I don't quite know what you are driving at. It is one post without any follow-up solution.

    The error message: "INVDROP] failed, you appear to be missing a required iptables module, at line 1457"

    Is of no concrete use to me. What am I supposed to do to solve this? No reference to the actual missing module, and even if there was, shouldn't cPanel be upgrading iptables as part of the standard install?
     
  4. Infopro

    My apologies. I assume you have ConfigServer firewall installed. If you do:
    WebHost Manager » Plugins » ConfigServer Security & Firewall, scroll to the bottom of that main page to find the "Test IP Tables" button. You might run that and see what the result is. Be sure to restart firewall there right after.

    cPanel doesn't manage CSF, no. Again, assuming you do have CSF installed.
     
  5. jeffschips

    Yes, I have the csf module installed in cPanel/WHM. I ran the test firewall and have the following results:

    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK
    RESULT: csf should function on this server

    However, I also have in the detailed output as it runs, the following errors:

    Flushing chain `INVALID' (this error shown 4X)
    INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
    INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
    INVALID tcp opt in !lo out * ::/0 -> ::/0
    INVALID tcp opt in * out !lo ::/0 -> ::/0
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

  7. jeffschips

    Perfect! Thank you!
     