Traffic blocked after autoupdate

JasonBarnabe
Junior Member
Posts: 2
Joined: 16 Jun 2015, 03:57

Traffic blocked after autoupdate

Post by JasonBarnabe »

I have a CentOS 6.6 server, running OpenVZ with two nodes. The nodes are typical web servers, and my intention is to have inbound and outbound HTTP, HTTPS, and SSH open. To make this work, I've created a file under /etc/csf/csfpre.sh:

iptables -A INPUT -i venet0 -j ACCEPT
iptables -A OUTPUT -o venet0 -j ACCEPT
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0

All was going fine, until last night, when all traffic to my nodes got blocked.

[root@myserver ~]# grep csf /var/log/lfd.log-* /var/log/lfd.log | grep -v "Failed SSH"
/var/log/lfd.log-20150614:Jun  8 00:00:02 myserver lfd[836493]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log-20150614:Jun  9 00:00:01 myserver lfd[837822]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log-20150614:Jun 10 00:00:02 myserver lfd[885092]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log-20150614:Jun 11 00:00:01 myserver lfd[857691]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log-20150614:Jun 12 00:00:02 myserver lfd[811224]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log-20150614:Jun 13 00:00:01 myserver lfd[840898]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log-20150614:Jun 14 00:00:02 myserver lfd[896332]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log:Jun 15 00:00:01 myserver lfd[912876]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log:Jun 15 02:07:07 myserver lfd[999150]: daemon started on myserver.example - csf v7.70 (generic)
/var/log/lfd.log:Jun 15 09:12:12 myserver lfd[999150]: iptables appears to have been flushed - running *csf startup*...
/var/log/lfd.log:Jun 15 09:12:13 myserver lfd[999150]: csf startup completed

So you can see it's doing its thing all week, then at 2:07:07 today runs an update, and at the same time my sites become unavailable. I wake up to a slew of e-mails, run service iptables stop at 09:12:12, and then things are back up.

This particular update doesn't seem to have made any changes of consequence, and I'm crossing my fingers that it doesn't happen again tonight, but there seems to be something wrong with either my config or with how the update process works. Not knowing the internals of CSF, I'm wondering if maybe on update, my csfpre.sh is not taken into account. (csfpre.sh was not deleted or modified by the update, though.)

ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Traffic blocked after autoupdate

Post by ForumAdmin »

As per the documentation (readme.txt), you must use the absolute path to binaries in csfpre.sh, i.e. /sbin/iptables.

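As an added illustration of the point above (example code, not from the thread or from csf itself): a corrected csfpre.sh that calls iptables by absolute path, plus a small lint that flags bare binary names so a rule file can be checked before the next automatic restart. It assumes /sbin/iptables is the binary location named in the reply and reuses the venet0 interface from the original post.

```shell
#!/bin/sh
# Added example, not csf's own code. Assumes /sbin/iptables (as in the reply);
# venet0 comes from the original post.

IPT=/sbin/iptables   # absolute path, as csf's readme requires for csfpre.sh

# Write the poster's rules, corrected to use the absolute path, into file $1.
write_csfpre() {
    cat > "$1" <<EOF
#!/bin/sh
$IPT -A INPUT -i venet0 -j ACCEPT
$IPT -A OUTPUT -o venet0 -j ACCEPT
$IPT -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0
$IPT -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0
EOF
}

# Return 0 if every iptables/ip6tables/ipset invocation in file $1 starts with
# an absolute path, 1 otherwise; offending lines are printed with line numbers.
lint_csfpre() {
    bad=$(grep -nE '^[[:space:]]*(ip6?tables|ipset)([[:space:]]|$)' "$1" || true)
    if [ -n "$bad" ]; then
        printf 'bare binary name in %s:\n%s\n' "$1" "$bad"
        return 1
    fi
    return 0
}
```

Run lint_csfpre against /etc/csf/csfpre.sh after editing it; a non-zero exit means a line would depend on PATH when lfd executes the script.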
JasonBarnabe
Junior Member
Posts: 2
Joined: 16 Jun 2015, 03:57

Re: Traffic blocked after autoupdate

Post by JasonBarnabe »

Thanks for the tip. This was a magic incantation some random internet dude suggested, so I hadn't read chapter 17 of your fine readme. I will make that change and wait for the next release to see if it worked.