Blocks all traffic after disable testing mode

[86brown]

I'm also experiencing this issue, although this is my own server in my own datacenter.

Installed minimal install of CentOS 6.5, then continued by installing OpenVZ. Created a container, installed cPanel, followed by csf. All default settings, no changes. Tried this on 2 separate servers, both with the same result. All that I changed was disabling testing mode.

CSF does work, but blocks ALL traffic. Not sure how to fix it. Basically, if you add an IP to csf.allow, it is allowed through.

I've tried all of the help listed in the sticky posts, one particular one has 3 broken links in it for VPS providers but can't get to the info.

One thing I did notice however, is that if you don't disable OR flush & save iptables rules before booting into OpenVZ kernel after installation, you won't get access to your box afterwards. Had to go to DC and disable iptables on the HW node to regain access.

Also tried setting various settings in /etc/csf/csf.conf such as directed by several sites while searching through Google, such as the ETH device to venet+, setting conntrack mode to 1, adding inital rules in csfpre or csfpost...

Any help on this would be greatly appreciated, very difficult to get a new server going, I don't remember it being this difficult on the 30+ other servers I've configured in the past.

No fatal errors in csftest:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for MESSENGER feature
Testing iptable_nat/ipt_DNAT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for csf.redirect feature

RESULT: csf will function on this server but some features will not work due to some missing iptables modules [2]

[86brown]

Some packets are being identified as invalid, not sure if this is why its blocking or not. This is a new datacenter, no currently working setup from this location, so far. I'm using a Layer 3 switch from the feed they are giving me, with IP routing enabled.

This is what most of the blockings are saying:

kernel: [20604.837769] Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=*MYIP* DST=*SERVERIP* LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=15851 DF PROTO=TCP SPT=61742 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0

Here's the invalid packet:

kernel: [16708.550424] Firewall: *INVALID* IN=venet0 OUT= MAC= SRC=MYIP DST=SERVERIP LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=12281 DF PROTO=TCP SPT=60992 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

Performed a wireshark trace to review further, only see 1 packet that is trying to go through TCP Retransmission:

44 2.311914000 192.168.2.244 SERVERIP TCP 66 62354 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

I've read in a few places that packets can be marked as invalid by an ASA having TCP sequence number randomization enabled, but I'm not sure if this is the case and/or the cause of the problem, so looking for further help before contacting the DC. For those wondering, the L3 switch is a Baystack 5510

[86brown]

Ok so checking out packets on both server/client, same packet isolated, different MSS showing up as 1452 instead of 1460 server side, is all I notice...If anyone is willing to help me out that would be great, tip included

Client side (my PC):

77 4.434317000 192.168.2.244 SERVER-IP TCP 66 63866 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

Server side (server tcpdump)

1 0.000000 MY-ISP-IP SERVER-IP TCP 68 61992 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1452 WS=4 SACK_PERM=1

No return packets.

[86brown]

Could this perhaps be due to the L3 switch not having been configured past default configs, other than setting IP routing to enabled? No VLAN ports have been tagged/untagged or anything, should it be?

[86brown]

Well, figured it out. Turns out I wasn't misconfiguring anything, sorta. Here's a new commit by OpenVZ group, explaining NETFILTER/IPTABLES changes

This must be set to either "stateful" or "full" to allow CSF to work properly, in the /etc/vz/conf/[VEID].conf file. It cannot be set by default in vz.conf.

I was stumped by this one as I had set up many many other servers in a similar fashion, but this ones' new!

http://git.openvz.org/?p=vzctl;a=commit ... 9c54e4e87b

Cheers, and hope it helps you all as well