Problem with iptables (sendmsg: Operation not permitted)

Discussion in 'Security' started by YasIT, Aug 14, 2014.

  1. YasIT

    YasIT Active Member

    Hi,

    I'm having trouble with iptables after installing cPanel and CSF: all websites on the server go down and WHM does not run. After restarting iptables, the whole problem is solved.

    Rules in iptables:

    /etc/sysconfig/iptables:

    Code:
    # Generated by iptables-save v1.4.7 on Wed Aug 13 19:52:40 2014
    *nat
    :PREROUTING ACCEPT [75579:4880184]
    :POSTROUTING ACCEPT [949:60462]
    :OUTPUT ACCEPT [949:60462]
    COMMIT
    # Completed on Wed Aug 13 19:52:40 2014
    # Generated by iptables-save v1.4.7 on Wed Aug 13 19:52:40 2014
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [10:808]
    :acctboth - [0:0]
    :cP-Firewall-1-INPUT - [0:0]
    -A INPUT -j cP-Firewall-1-INPUT 
    -A INPUT -j acctboth 
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p icmp -j ACCEPT 
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
    -A INPUT -j REJECT --reject-with icmp-host-prohibited 
    -A FORWARD -j cP-Firewall-1-INPUT 
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited 
    -A OUTPUT -j acctboth 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2078 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2082 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2077 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 26 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT 
    -A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT 
    COMMIT
    # Completed on Wed Aug 13 19:52:40 2014
    
    When all websites are down and WHM is not running, before restarting iptables, the output of the command "ping google.com" is:

    Code:
    PING google.com (74.125.195.100) 56(84) bytes of data.
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    
    The problem is solved by restarting iptables but repeats after about 24 hours.

    This problem occurs on 3 servers running cPanel+CloudLinux and cPanel+CentOS.

    I ran iptables -F, re-installed CSF and configured it, but the problem is not solved.

    Please help

    Thank you.
     
    #1 YasIT, Aug 14, 2014
    Last edited: Aug 14, 2014
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You could try saving the flushed iptables rule set after disabling CSF with a command such as:

    Code:
    /etc/init.d/iptables save

    However, I suggest consulting with CSF on their support forums for help troubleshooting this issue:

    ConfigServer - Forums

    Thank you.
     
  3. YasIT

    YasIT Active Member

  4. quizknows

    quizknows Well-Known Member

    The "ping: sendmsg: Operation not permitted" message occurs when you try to ping an IP that is currently blocked in iptables.

    You need to be sure CSF is entirely removed or at least disabled (csf -x) before flushing iptables. Otherwise you can leave your server in an entirely unreachable state.
     
  5. cPanelKurtN

    cPanelKurtN Well-Known Member
    Staff Member

    The "ping: sendmsg: Operation not permitted" error means that your system is unable to send ICMP packets outbound from your server. This means that you likely have a firewall rule that is blocking ICMP traffic to that IP, or perhaps ICMP entirely.

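    To test if your firewall is indeed the problem, you can manually perform the following steps:

    Code:
    # Save the running rule set so it can be restored afterwards
    iptables-save > /root/current.ipt
    # Temporarily accept everything on INPUT and OUTPUT and flush both chains
    iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT
    iptables -F INPUT; iptables -F OUTPUT
    # Test outbound ICMP with the firewall out of the way
    ping -c 3 google.com
    # Put the saved rule set back and remove the temporary file
    iptables-restore < /root/current.ipt
    rm -f /root/current.ipt

    If you're able to successfully ping, then you have a firewall issue.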

    If this does not solve the problem, I don't know what other suggestions to offer given the information at hand. Except maybe SELinux, because I always like to blame it for everything anyways. j/k j/k
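
The replies above attribute the error to a firewall rule blocking outbound packets. As an added example (not part of the thread, and not cPanel or CSF code), this shell function lists what in an `iptables-save` dump can drop or reject locally generated traffic: a non-ACCEPT OUTPUT policy and any DROP/REJECT rule reachable from the OUTPUT chain. Both sample dumps are constructed: the first mirrors the skeleton of the file posted at the top of the thread, and the chain name `EXAMPLE-OUT` in the second is hypothetical.

```shell
# Added example: candidates for blocking OUTPUT traffic in an iptables-save dump.
output_blockers() {
    awk '
    function walk(c,    i, t) {           # follow jumps starting at chain c
        if (seen[c]++) return
        for (i = 1; i <= n[c]; i++) {
            t = tgt[c, i]
            if (t == "DROP" || t == "REJECT") print "rule " rule[c, i]
            else if (n[t] > 0) walk(t)    # user-defined chain that has rules
        }
    }
    { sub(/[ \t\r]+$/, "") }              # dumps often carry trailing spaces
    /^\*/             { table = substr($0, 2); next }
    table != "filter" { next }
    /^:OUTPUT /       { if ($2 != "ACCEPT") print "policy OUTPUT " $2; next }
    /^-A /            {
        chain = $2; target = ""
        for (i = 3; i < NF; i++) if ($i == "-j" || $i == "-g") target = $(i + 1)
        n[chain]++; rule[chain, n[chain]] = $0; tgt[chain, n[chain]] = target
    }
    END { walk("OUTPUT") }'
}

sample_saved() {   # constructed: skeleton of the posted /etc/sysconfig/iptables
cat <<'EOF'
*nat
:OUTPUT ACCEPT [949:60462]
COMMIT
*filter
:OUTPUT ACCEPT [10:808]
:acctboth - [0:0]
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j acctboth
COMMIT
EOF
}
sample_live() {    # constructed running rule set; EXAMPLE-OUT is hypothetical
cat <<'EOF'
*filter
:OUTPUT DROP [0:0]
:EXAMPLE-OUT - [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j EXAMPLE-OUT
-A EXAMPLE-OUT -p icmp -j DROP
COMMIT
EOF
}
echo "saved file:";  sample_saved | output_blockers
echo "running set:"; sample_live  | output_blockers
```

The posted file yields no candidates, because its OUTPUT policy is ACCEPT and its only OUTPUT rule jumps to the empty `acctboth` chain. Comparing that with `iptables-save | output_blockers` on the running server while the error is occurring shows which live rules to examine; the listing is static and does not match individual packets.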
     
  6. YasIT

    YasIT Active Member

    Hello cPanelKurtN

    Thanks for your help, but when I run "csf -r" the whole thing comes again?
     
  7. cPanelKurtN

    cPanelKurtN Well-Known Member
    Staff Member

    Sorry, I'm not familiar with ConfigServer.
    The goal of my example was to give you a few commands that can help you temporarily diagnose your issue.
     