csfpre.sh

realbuz
Junior Member
Posts: 5
Joined: 18 Jan 2008, 18:20

csfpre.sh

Post by realbuz »

Hi,

We are using csfpre.sh to add some nat rules to our iptables.

After a server reboot, I need to restart csf service again for those rules to be added.

Any pointers on how to solve this?


Thanks
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

Are you saying that csf is starting after a reboot but it isn't running csfpre.sh, or that csf isn't starting after a reboot at all?
realbuz
Junior Member
Posts: 5
Joined: 18 Jan 2008, 18:20

Post by realbuz »

It seems like anything in csfpre.sh isn't being processed at all on server boot (CSF is loaded at startup).


Thanks
realbuz
Junior Member
Posts: 5
Joined: 18 Jan 2008, 18:20

Post by realbuz »

workaround

I just added a "service csf restart" to /etc/rc.local and it works well enough for us.

Regards,
parawizard
Junior Member
Posts: 3
Joined: 08 Jun 2013, 08:39

Re: csfpre.sh

Post by parawizard »

I have been facing the same problem, but apparently it's after an update. Found some pointers in other threads. Can't post links and BBCode thread tags don't work, so here it is: viewtopic.php?f=6&t=5509

See this in the log:

Jun  8 03:50:01 xxxx /usr/sbin/cron[1048]: (*system*csf_update) RELOAD (/etc/cron.d/csf_update)

Results in:

Jun  8 07:14:31 xxxx kernel: [664365.120218] Firewall: *UDP_IN Blocked* IN=tun0 OUT= MAC= SRC=10.8.0.10 DST=10.8.0.1 LEN=71 TOS=0x00 PREC=0x00 TTL=128 ID=826 PROTO=UDP SPT=63799 DPT=53 LEN=51

Solution: use the full path to iptables in the csfpre/csfpost .sh files:

/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT
/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 198.46.152.229

Adding documentation:
17. External Pre- and Post- Scripts
###################################

External commands (e.g. iptables rules not covered by csf) can be run before
and/or after csf sets up the iptables chains and rules.

1. To run external commands before csf configures iptables create the file:

/etc/csf/csfpre.sh

Set that file as executable and add an appropriate shebang interpreter line and
then whatever external commands you wish to execute.

For example:

#!/bin/sh
/some/path/to/binary -a -b -c etc

Then chmod +x /etc/csf/csfpre.sh


2. To run external commands after csf configures iptables create the file:

/etc/csf/csfpost.sh


Set that file as executable and add an appropriate shebang interpreter line and
then whatever external commands you wish to execute.

Note: You MUST use the full path to any binaries that you execute within these
scripts

Now I know that this is a subtle problem, and tons of places are not including this in their tutorials or whatnot. I know right now you guys would rather not have csfpre.sh and csfpost.sh created on install, but if they were, and with them came the piece out of the manual above or some smaller note about using full paths, it could definitely be handy. I found at least 3 or 4 threads on the same subject, and it took me a long while thinking about why my openvpn kept dropping off.
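An added example, not from this thread or from the csf project: a small POSIX sh lint for a csfpre.sh/csfpost.sh that checks the three things the manual excerpt above asks for (executable bit, a shebang line, and an absolute path on every command). The failure mode it catches is exactly the one in the post: a bare "iptables" that works from a login shell but silently fails when csf is reloaded from cron with a minimal PATH. The two sample scripts it writes are constructed here from the rules quoted in the post; the function names and the ./csf_lint.* scratch directory are my own.

```shell
#!/bin/sh
# Added example (not part of the thread or of csf): lint a csfpre.sh / csfpost.sh.

# check_abs_paths FILE
# Prints every command line whose first word is not an absolute path.
# Returns 0 if the script is clean, 1 if at least one line is flagged.
check_abs_paths() {
    file="$1"
    bad=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -f                      # no globbing while the line is split into words
        set -- $line
        set +f
        [ $# -eq 0 ] && continue    # blank line
        cmd="$1"
        case "$cmd" in
            '#'*) continue ;;       # comment or the #! interpreter line
            *=*)  continue ;;       # variable assignment
            if|then|else|elif|fi|for|while|do|done|case|esac|exit|export|return|'['|test|'!')
                  continue ;;       # shell syntax and builtins, not binaries
            /*)   ;;                # absolute path: what csf requires
            *)    printf '%s:%d: "%s" is not an absolute path\n' "$file" "$lineno" "$cmd"
                  bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# check_prescript FILE
# Executable bit, shebang line, absolute paths: the manual's three requirements.
check_prescript() {
    f="$1"
    rc=0
    [ -x "$f" ] || { echo "$f: not executable (chmod +x it)"; rc=1; }
    head -n 1 "$f" | grep -q '^#!' || { echo "$f: missing #! interpreter line"; rc=1; }
    check_abs_paths "$f" || rc=1
    return "$rc"
}

# write_samples DIR
# Constructed samples: the post's rules as they are often written (bare iptables,
# never chmod'ed) and as the post fixes them (/sbin/iptables, executable).
write_samples() {
    dir="$1"
    printf '%s\n' \
        '#!/bin/sh' \
        'iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        'iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT' \
        'iptables -A FORWARD -j REJECT' \
        'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 198.46.152.229' \
        > "$dir/csfpre_unfixed.sh"
    printf '%s\n' \
        '#!/bin/sh' \
        '/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '/sbin/iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT' \
        '/sbin/iptables -A FORWARD -j REJECT' \
        '/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 198.46.152.229' \
        > "$dir/csfpre_fixed.sh"
    chmod +x "$dir/csfpre_fixed.sh"
}

# Demo run against the two constructed samples (scratch dir in the cwd, removed after).
tmp=$(mktemp -d ./csf_lint.XXXXXX)
write_samples "$tmp"
for f in "$tmp/csfpre_unfixed.sh" "$tmp/csfpre_fixed.sh"; do
    if check_prescript "$f"; then
        echo "$f: OK"
    fi
done
rm -rf "$tmp"
```

On a real box you would run check_prescript /etc/csf/csfpre.sh (and csfpost.sh) before restarting csf; a clean result is no guarantee the rules are right, only that they will be found when csf_update reloads the firewall from cron.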