CSF won't start with new version

[sparek]

I can't get CSF 5.76 to start on a VPS.

I note that running /etc/csf/csftest.pl gives the output:

Code: Select all

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Unknown error 18446744073709551615] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...FAILED [Error: iptables: Unknown error 18446744073709551615] - Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

However, SMTP_BLOCK is set to 0 and CONNLIMIT is empty (should it be 0)?

Starting CSF gives the error:

Code: Select all

iptables: Unknown error 18446744073709551615
ACCEPT  all opt -- in eth0 out *  0.0.0.0/0  -> 0.0.0.0/0  ctstate RELATED,ESTABLISHED 
Error: iptables command [/sbin/iptables -v -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT] failed, at line 1638

[ForumAdmin]

I can't get CSF 5.76 to start on a VPS.
Starting CSF gives the error:

Code: Select all

iptables: Unknown error 18446744073709551615
ACCEPT  all opt -- in eth0 out *  0.0.0.0/0  -> 0.0.0.0/0  ctstate RELATED,ESTABLISHED 
Error: iptables command [/sbin/iptables -v -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT] failed, at line 1638

Looks like you have a kernel/iptables issue on your VPS as the state module which we switched csf from to the conntrack module was deprecated some time ago. You could try checking with your VPS provider that they have indeed included the iptables conntrack module, but that error means that they (at the least) need to upgrade the kernel they are using to one that hasn't got a broken conntrack module.

In the meantime, you can work around the problem with:

Code: Select all

sed -i 's/-m conntrack --ctstate/-m state --state/g' /etc/csf/csf.pl

[ForumAdmin]

I'll look at have an exception for the useless Virtuozzo kernels (their iptables implementation is dire) to use the old state module and release a new version shortly.

[ForumAdmin]

I have released v5.77 of csf which should hopefully resolve this:
http://blog.configserver.com/index.php?itemid=718

[JohnS]

If your kernel is up to date, make sure the ipt_conntrack module is enabled. I thought it was but only ip_conntrack was enabled.

[broken]

Good man ForumAdmin

[Michaelg]

Hi, I can't seem to upgrade to the latest, still getting an error...

You have an unresolved error when starting csf. You need to restart csf successfully to remove this warning

and unable to restart lfd...

Error: Error processing command for line [1114] (10 times): [iptables: Unknown error 4294967295], at line 1114

Any suggestions is much appreciated.

Thanks

CENTOS 5.9 i686 xenpv
WHM 11.34.1 (build 7)

[ForumAdmin]

Try v5.78:
http://blog.configserver.com/index.php?itemid=719

[Gavo]

Thanks this resolved the error for me (for now)

I have a default OVH kernel that doesn't support connlimit it looks like if you roll out this update most of there dedicated servers wont support CSF with there default custom kernels, I read on there French forum you have to re-compile to enable the module.

I have 3 ovh boxes and 2 don't support connlimit

[alexNL]

You can only upgrade when you have the firewall enabled, but if you are you cannot connect to the update server. If you got stuck (like me) on either 5.76 or 5.77 here is a solution:

Add this line to firewall allow IPs:
85.13.195.235 # Configserver update IP for the .com site

Then wait the timeout it takes to fetch the update, and get it