when i run the iptables test i get this:
esting ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Protocol wrong type for socket.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf will function on this server but some features will not work due to some missing iptables modules [1]
and when try to block an ip
Adding 101.173.42.156 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 101.173.42.156 -> 0.0.0.0/0
DROP all opt -- in * out !lo 0.0.0.0/0 -> 101.173.42.156
and when i try to go to my site from that ip its not blocked
also i get these errors when i restart iptables
service iptables restart
Opening /proc/modules: No such file or directory
iptables: Setting chains to policy ACCEPT: raw nat mangle f[ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
i heard some where that i should delete the iptables config and rules from /etc/sysconfig
but that did not seem to fix the issue either
port blocking works fine on csf but not ip blocking
OVH Server CSF ip Deny Has No Effect
-
XxUnkn0wnxX
- Junior Member
- Posts: 6
- Joined: 10 Jul 2014, 19:46
-
XxUnkn0wnxX
- Junior Member
- Posts: 6
- Joined: 10 Jul 2014, 19:46
Re: OVH Server CSF ip Deny Has No Effect
running a web site on OVH dedicated server, i am trying to block some IPs with CSF.
but IPs that are in the deny file cannot access my server on any port but they can access my web site on port 80 without any problems.
if my IP address is entered in the URL blocked ip cannot open my web site, but if URL has domain name the web site opens fine.
would some one have any ideas what is happening as i do not know how to solve this. BTW apache log file shows the blocked ip in the log as successfully accessing the web site.
but IPs that are in the deny file cannot access my server on any port but they can access my web site on port 80 without any problems.
if my IP address is entered in the URL blocked ip cannot open my web site, but if URL has domain name the web site opens fine.
would some one have any ideas what is happening as i do not know how to solve this. BTW apache log file shows the blocked ip in the log as successfully accessing the web site.
Re: OVH Server CSF ip Deny Has No Effect
Just a guess on my part but you aren't running the stock kernel?
ovh likes to throw grsecurity kernel on there which seems to break iptables with csf
what is the output from
uname -a
(you can remove your server name, just care about the kernel part after)
I know on centos is it easy to replace the grsecurity kernel with the stock kernel, not sure about other distros
ovh likes to throw grsecurity kernel on there which seems to break iptables with csf
what is the output from
uname -a
(you can remove your server name, just care about the kernel part after)
I know on centos is it easy to replace the grsecurity kernel with the stock kernel, not sure about other distros
-
XxUnkn0wnxX
- Junior Member
- Posts: 6
- Joined: 10 Jul 2014, 19:46
Re: OVH Server CSF ip Deny Has No Effect
its: 3.10.23-xxxx-std-ipv6-64 #1 SMP Tue Mar 18 14:48:24 CET 2014 x86_64 x86_64 x86_64 GNU/Linux
csf works fine the only thing broken is:
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Protocol wrong type for socket.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf will function on this server but some features will not work due to some missing iptables modules [1]
i have managed to solve my issue any way i installed flare wall and integrated it with CSF so when i block an ip inside CSF it also gets blocked on cloud flare
so this issue is now resolved sort of..
the only thing i haven't fixed is when i do netstat i see the cloud flare IP's
so automated banning scripts would not work very well unless run from the application level.
i have configured fail2ban to scan the access logs which shows the ips so it scans and blocks ban ips from there using CSF only then cloud flare blocks those Ips.
so in the end its working fine
CSF/iptables still blocks the ip from every other port on the server just not port 80 because the Ip it gets is the cloud flare IP's. and i have mod_cloudflare installed for apache but doesn't work for iptables because Cloudflare Ips need to be resolved and translated before they hit my server or before Iptables firewall.
csf works fine the only thing broken is:
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Protocol wrong type for socket.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf will function on this server but some features will not work due to some missing iptables modules [1]
i have managed to solve my issue any way i installed flare wall and integrated it with CSF so when i block an ip inside CSF it also gets blocked on cloud flare
so this issue is now resolved sort of..
the only thing i haven't fixed is when i do netstat i see the cloud flare IP's
so automated banning scripts would not work very well unless run from the application level.
i have configured fail2ban to scan the access logs which shows the ips so it scans and blocks ban ips from there using CSF only then cloud flare blocks those Ips.
so in the end its working fine
CSF/iptables still blocks the ip from every other port on the server just not port 80 because the Ip it gets is the cloud flare IP's. and i have mod_cloudflare installed for apache but doesn't work for iptables because Cloudflare Ips need to be resolved and translated before they hit my server or before Iptables firewall.