Hi,
I use csfpre.sh to configure iptables rules for OpenVPN and it works.
But after approximately 2 weeks, OpenVPN stops working.
I investigated and SNAT is disabled automatically by CSF or LFD (I don't know the exact reason).
This is the line in csfpre.sh:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 200.200.200.200
When csf is restarted, csfpre.sh is run and works perfectly:
[root@vpn ~]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 10.8.0.0/24 0.0.0.0/0 to:200.200.200.200
After some hours (I don't know exactly how many), iptables has changed and no longer has the SNAT rule:
[root@vpn ~]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Probably a csf update caused this problem, because I have already been using this rule for 3 months, and the problem only started in the last 2 or 3 weeks.
Thanks
Leonardo
csfpre rules is remove by csf or lfd
Re: csfpre rules is remove by csf or lfd
I have the exact same problem: my KVM virtual NAT network goes down after a while because the csfpre rules get dropped by csf.
Is there a fix for this?
Re: csfpre rules is remove by csf or lfd
Hello,
We rely on NAT with iptables using SNAT. We are evaluating its use in a production environment but are concerned by this post. Is there any feedback on whether any updates have solved this issue? Thanks!
Re: csfpre rules is remove by csf or lfd
We have seen this problem several times as well. I have a sneaking suspicion that it has something to do with automatic updates.
Re: csfpre rules is remove by csf or lfd
The solution to this issue (in case you happen upon this ancient post) is that your iptables commands in csfpre.sh must have the full path to iptables (i.e. /sbin/iptables). The "update" process that automatically restarts does not have /sbin in its path.
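
The fix described in the last reply, as an added example that is not part of the original thread or of CSF's own code: a csfpre.sh that resolves iptables by absolute path from fixed directories instead of PATH, reports when it cannot find the binary, and adds the SNAT rule from the first post only if it is missing. The directory list, the function names and the `$0` guard (which assumes csf executes the file under a name ending in csfpre.sh) are assumptions of this sketch.

```shell
#!/bin/sh
# csfpre.sh sketch: never rely on the caller's PATH to find iptables.
# Assumption: iptables lives in one of these directories on this host.
IPT_DIRS="${IPT_DIRS:-/sbin /usr/sbin}"

# Print the absolute path of the first executable iptables found, or fail.
find_iptables() {
    for dir in $IPT_DIRS; do
        if [ -x "$dir/iptables" ]; then
            printf '%s\n' "$dir/iptables"
            return 0
        fi
    done
    return 1
}

# Append the SNAT rule unless an identical rule already exists (-C checks).
ensure_snat() {
    ipt="$1" src="$2" to="$3"
    "$ipt" -t nat -C POSTROUTING -s "$src" -j SNAT --to-source "$to" 2>/dev/null && return 0
    "$ipt" -t nat -A POSTROUTING -s "$src" -j SNAT --to-source "$to"
}

main() {
    ipt=$(find_iptables) || {
        # Make the failure visible instead of silently losing the NAT rule.
        echo "csfpre.sh: iptables not found in: $IPT_DIRS (PATH=$PATH)" >&2
        return 1
    }
    # Source network and SNAT address are the values from the first post.
    ensure_snat "$ipt" 10.8.0.0/24 200.200.200.200
}

# Run only when executed as csfpre.sh, so the functions can be tested alone.
case "$0" in
    *csfpre.sh) main ;;
esac
```

Because the rule is checked with -C before it is appended, running the script more than once without a flush in between does not stack duplicate SNAT entries.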