Error: FASTTART: iptables-restore: line xyz failed ...

User
Junior Member
Posts: 6
Joined: 13 Aug 2013, 12:58

Post by User »

After upgrade today from 6.X to 7.01 on 3 servers – all servers are virtual root servers running under Debian Wheezy – I'm getting those errors:
csf: FASTSTART loading csf.allow (IPv4)
csf: FASTSTART loading Blocklist OPENBL (IPv4)
Error: FASTTART: iptables-restore: line 6217 failed, at line 3759
csf: FASTSTART loading csf.allow (IPv4)
csf: FASTSTART loading Blocklist SPAMEDROP (IPv4)
SPAMEDROP all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
csf: FASTSTART loading Blocklist OPENBL (IPv4)
Error: FASTTART: iptables-restore: line 6218 failed, at line 3759
csf: FASTSTART loading csf.allow (IPv4)
csf: FASTSTART loading Blocklist SPAMEDROP (IPv4)
SPAMEDROP all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
csf: FASTSTART loading Blocklist SPAMDROP (IPv4)
Error: FASTTART: iptables-restore: line 607 failed, at line 3759
Is there any fast solution? Running webservers without firewall is a bad idea.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Post by ForumAdmin »

Disable FASTSTART in csf.conf. The errors suggest that your server cannot cope with running the iptables-restore binary, perhaps due to low memory.
User
Junior Member
Posts: 6
Joined: 13 Aug 2013, 12:58

Post by User »

Thanks for the quick response.
ForumAdmin wrote: The errors suggest that your server cannot cope with running the iptables-restore binary, perhaps due to low memory.
How much memory is needed? My servers have this memory:
Server 1: Real memory 16 GB total, 835.15 MB used
Server 2: Real memory 6 GB total, 872.45 MB used
Server 3: Real memory 20 GB total, 2.56 GB used

I never had this error with version 6.x.
ForumAdmin wrote: Disable FASTSTART in csf.conf.
I disabled FASTSTART. But now I'm getting these errors:
Error: The VPS iptables rule limit (numiptent) is too low (1015/1024) - stopping firewall to prevent iptables blocking all connections, at line 1521
Error: The VPS iptables rule limit (numiptent) is too low (375/384) - stopping firewall to prevent iptables blocking all connections, at line 1521
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Post by ForumAdmin »

The problem is with the VPS configuration. numiptent is a server setting that can only be changed by the VPS server provider; it determines how many iptables rules can be used. You need to have your server provider increase the value significantly, especially if you are going to use block lists. To work around the issue until numiptent is increased, you should disable all the block lists in /etc/csf/csf.blocklists.
User
Junior Member
Posts: 6
Joined: 13 Aug 2013, 12:58

Post by User »

Thanks. But I used some blocklists with v.6.x. Why doesn't it work any more with v. 7.01?
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Post by ForumAdmin »

Evidently numiptent is not high enough for the number of rules required. The OPENBL list currently has 6241 entries of its own, so I can only guess it was failing before and you had not noticed, or it had not successfully downloaded them before.
User
Junior Member
Posts: 6
Joined: 13 Aug 2013, 12:58

Post by User »

ForumAdmin wrote: ... or it had not successfully downloaded them before.
Yes, that's my only explanation for this issue.

Thanks for your fast help.

:)
sys7cp
Junior Member
Posts: 1
Joined: 07 May 2014, 11:05
Location: Brasil

Post by sys7cp »

Hi, good morning,
I asked my datacenter to change these IP limits, but I need to wait.
I would like to know if there is any way to install back the old version of CSF while I wait, so that we do not stay without an active firewall?

Thanks

Romero Carvalho
CanisMaj
Junior Member
Posts: 1
Joined: 12 May 2015, 20:25

Post by CanisMaj »

Hi,

If anyone has this problem, I have a neat solution on Ubuntu 14.04 server, if you have tons of duplicates in iptables.
First do a backup of your iptables, and add a line in crontab to restore it in 5 minutes, so you don't lock yourself out if shit happens. After that:

Code:

iptables-save > dupl.txt

Make sure you register where the Commits are (table creations and at the end, for example).

Code:

iptables-save | awk ' !x[$0]++' > nondupl.txt

This removes the duplicates, but also the Commits after the first one. I'm not too savvy in awk to make an exception to the rule.

So you write the Commits to the same places that were in dupl.txt and restore iptables with:

Code:

iptables-restore < nondupl.txt

Remove the csf.error, and restart lfd and csf.
No guarantees, best of luck!
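
An added example, not part of CanisMaj's post or of csf: one way to drop duplicate rules from iptables-save output while keeping every table header, chain declaration and COMMIT in place, de-duplicating within each table only. The function and sample names are hypothetical, the sample ruleset is constructed, and it assumes output saved without counters (no -c).

```shell
#!/bin/sh
# Added example: de-duplicate iptables-save output without losing structure.
# dedup_rules reads a ruleset in iptables-save format on stdin and writes it
# to stdout with repeated "-A" rules removed, one table at a time.
dedup_rules() {
    awk '
        /^\*/ { split("", seen) }   # new table: forget the rules seen so far
        /^-A / {                    # only appended rules are de-duplicated
            if ($0 in seen) next    # exact repeat inside this table: drop it
            seen[$0] = 1
        }
        { print }                   # *table, :chain, COMMIT and # lines pass through
    '
}

# Constructed sample input (not taken from a real server). The same OUTPUT
# chain line and rule appear in two tables; both copies must survive, which
# a global "!x[$0]++" filter would not guarantee.
sample_ruleset() {
    cat <<'EOF'
*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 192.0.2.10/32 -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 198.51.100.7/32 -j DROP
-A INPUT -s 203.0.113.5/32 -j DROP
-A INPUT -s 198.51.100.7/32 -j DROP
-A OUTPUT -d 192.0.2.10/32 -j DROP
-A INPUT -s 203.0.113.5/32 -j DROP
COMMIT
EOF
}

# Show the cleaned ruleset for the constructed sample.
# On a real host: iptables-save | dedup_rules > nondupl.txt
sample_ruleset | dedup_rules
```

Check the result with `iptables-restore --test < nondupl.txt` before loading it; that parses the ruleset without committing it.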