SOLVED iptables -L invdrop

jeffschips

Well-Known Member
Jun 5, 2016
221
23
68
new york
cPanel Access Level
Root Administrator
cPanel 11.80.0.15 on CentOS 7.

I am seeing the following errors when doing iptables -L

INVDROP all -- anywhere anywhere ctstate INVALID
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
INVDROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
INVDROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
INVDROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
INVDROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
INVDROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
INVDROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN ctstate NEW

To the newbie eyes this looks like "invalid" drop. Or is that something else?
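How the `tcp flags:MASK/COMP` column in the listing above is evaluated, as an added example that is not part of the original thread or of CSF's code: the first list names the flags iptables examines, the second the ones that must be set among them, and a leading `!` inverts the test. The function names and the sample packets are constructed for illustration.

```python
import re

# Listing lines copied from the post above (its ctstate INVALID line has no flag test).
LISTING = """\
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
INVDROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
INVDROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
INVDROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
INVDROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
INVDROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
INVDROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN ctstate NEW
"""
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
RULE_RE = re.compile(r"tcp flags:(!?)([A-Z,]+)/([A-Z,]+)")

def to_bits(names):
    """'FIN,SYN' -> 0x03; 'NONE' -> 0."""
    return sum(FLAG_BITS[n] for n in set(names.split(",")) - {"NONE"})

def parse_rule(line):
    """Return (inverted, mask, comp, ctstate), or None if the line has no tcp flags test."""
    m = RULE_RE.search(line)
    if not m:
        return None
    state = re.search(r"ctstate (\w+)", line)
    return (m.group(1) == "!", to_bits(m.group(2)), to_bits(m.group(3)),
            state.group(1) if state else None)

def rule_matches(rule, flags, ctstate):
    """Only mask bits are examined; the test hits when exactly the comp bits are set."""
    inverted, mask, comp, want_state = rule
    if want_state and want_state != ctstate:
        return False
    return ((to_bits(flags) & mask) == comp) != inverted

def first_match(flags, ctstate="ESTABLISHED", listing=LISTING):
    """Return the flag test of the first rule that would send the packet to INVDROP."""
    for line in listing.splitlines():
        rule = parse_rule(line)
        if rule and rule_matches(rule, flags, ctstate):
            return line.split("tcp flags:")[1]
    return None

if __name__ == "__main__":
    # Constructed sample packets: (flags set, conntrack state).
    for pkt in [("NONE", "NEW"), ("FIN,SYN", "NEW"), ("ACK", "NEW"), ("SYN", "NEW")]:
        print(pkt, "->", first_match(*pkt))
```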
 

Infopro

Well-Known Member
May 20, 2003
17,090
518
613
Pennsylvania
cPanel Access Level
Root Administrator
This thread on the ConfigServer forums might be of some use:
CSF Fails to start - ConfigServer Community Forum

Note the code output in the first post; scroll to the bottom of it to see this message:
Code:
Error: iptables command [/sbin/iptables -v -A INVALID -m state --state INVALID -j INVDROP] failed, you appear to be missing a required iptables module, at line 1457
If that's of no use, maybe one of these search results is:

INVDROP all site:forum.configserver.com
 

jeffschips

I apologize in advance; I don't quite know what you are driving at: it is one post without any follow-up solution.

The error message "INVDROP] failed, you appear to be missing a required iptables module, at line 1457" is of no concrete use to me. What am I supposed to do to solve this? No reference to the actual missing module, and even if there was, shouldn't cPanel be upgrading iptables as part of the standard install?
 

Infopro

My apologies. I assume you have ConfigServer firewall installed. If you do:
WebHost Manager » Plugins » ConfigServer Security & Firewall, scroll to the bottom of that main page to find the "Test IP Tables" button. You might run that and see what the result is. Be sure to restart the firewall there right after.

cPanel doesn't manage CSF, no. Again, assuming you do have CSF installed.
 

jeffschips

Yes, I have the CSF module installed in cPanel/WHM. I ran the test firewall and have the following results:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server

However, I also have in the detailed output as it runs, the following errors:

Flushing chain `INVALID' (this error shown 4X)
INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt in !lo out * ::/0 -> ::/0
INVALID tcp opt in * out !lo ::/0 -> ::/0
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463