This forum is only for reproducible bugs with csf and lfd (i.e. not iptables problems, lack of understanding how to use a feature, etc). Posts must be accompanied with full technical details of the problem and how it can be recreated. Any posts not adhering to this, or not considered bugs, will be moved to the General Discussion (csf) forum.
I just upgraded CSF from 3.16 to 3.17. Upon restarting CSF, a bunch of these errors were spammed:
iptables v1.3.8: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
Based on my limited knowledge of IPTables, it doesn't look like any of my denied IPs were applied to IPTables rules via CSF (i.e., they all errored out with the above).
The -j option exists in my version of IPTables, and the error was not verbose enough for me to troubleshoot it:
I was unable to figure out the problem, so I had to revert to the csf.conf.preupgrade file and was able to restart CSF without the iptables errors.
I'm running on FC8. I tried both of the kernels I had available to me (2.6.24.3-34.fc8 and 2.6.23.15-137.fc8) prior to reverting the config back. I also installed iptables-devel in hopes that would help.
[root@claymore csf]# diff csf.conf.backup csf.conf
30,32c30,35
< # By default, csf will auto-configure iptables to filter all traffic except on
< # the local (lo:) device. If you only want iptables rules applied to a specific
< # NIC, then list it here (e.g. eth1, or eth+)
---
> # Ethernet device setting is taken from the shared IP address in
> # /etc/wwwacct.conf but can be overridden here (e.g. "eth0")
> #
> # If you have multiple ethernet NICs that you want to apply all rules to, then
> # you can set the following to the interface name immediately followed by a
> # plus sign. For example, eth+ will apply all rules to eth0, eth1, etc
35,36c38
< # If you don't want iptables rules applied to specific NICs, then list them in
< # a comma separated list (e.g "eth1,eth2")
---
> # Unfiltered ethernet devices in a comma separated list (e.g "eth1,eth2")
45a48
> #TCP_OUT = "20,21,22,25,26,37,43,53,80,110,111,113,443,953,2401,2703,6881:6899,8888,9999,13549,41495:41499,65500:65534,1:65534"
83a87,93
> # Drop target for iptables rules. This can be set to either DROP ot REJECT.
> # REJECT will send back an error packet, DROP will not respond at all. REJECT
> # is more polite, however it does provide extra information to a hacker and
> # lets them know that a firewall is blocking their attempts. DROP hangs their
> # connection, thereby frustrating attempts to port scan the server.
> DROP = "DROP"
>
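Review bot: "Unknown arg `-j'" is what iptables prints when -j is given with no target name, and this hunk introduces DROP = "DROP", the setting that supplies that name; worth checking that the running csf actually reads this new key before the rules are built. The comment also has a typo, "DROP ot REJECT" for "DROP or REJECT".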
174a185,186
> #
> # You can also configure a global ignore file for IP's that lfd should ignore
176a189
> GLOBAL_IGNORE = ""
300c313
< LF_INTEGRITY = "3600"
---
> LF_INTEGRITY = "3600";
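Review bot: the replacement line LF_INTEGRITY = "3600"; carries a trailing semicolon that no other setting in this diff has; if the config reader keeps everything after the equals sign, the value is no longer the plain number the old line had. Drop the semicolon so the line matches the NAME = "value" shape of the rest of the file.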
416a430,435
> # If you only want to ount specific states (e.g. SYN_RECV) then add the states
> # to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
> #
> # Leave this option empty to count all states against CT_LIMIT
> CT_STATES = ""
>
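Review bot: typo in the new comment, "ount specific states" should read "count specific states".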
481c500
< # Set PT_LOAD to "0" to disable this feature
---
> # Set LF_LOAD to "0" to disable this feature
548d566
< IPTABLES_LOG = "/var/log/messages"
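Review bot: IPTABLES_LOG is deleted outright rather than being kept with its old value; if anything in the new version still reads that key it now sees an empty path, so confirm the setting is really unused in 3.17.

A small lint for a csf.conf-style file in the spirit of the diff above, as an added example that is not part of the original post or of csf itself: it flags any active line that does not have the NAME = "value" shape (such as the trailing semicolon on LF_INTEGRITY) and an empty or missing DROP target, the setting that supplies the argument to iptables -j. The lint_csf_conf function and the sample config text are constructed here; csf's own parser is assumed, not reproduced.

```shell
# Constructed sample modelled on the settings shown in the diff (not a real csf.conf).
SAMPLE_CONF='# constructed sample
DROP = "DROP"
GLOBAL_IGNORE = ""
LF_INTEGRITY = "3600";
CT_STATES = ""
IPTABLES_LOG = "/var/log/messages"'

# Constructed sample with the DROP target left empty.
BAD_DROP_CONF='DROP = ""'

# Read config text on stdin, print one finding per line, and return the
# number of findings (0 means the file looked clean).
lint_csf_conf() {
  findings=0
  drop_seen=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;            # blank lines and comments are fine
    esac
    # Every active setting must be  NAME = "value"  with nothing after the quote.
    if ! printf '%s\n' "$line" | grep -Eq '^[A-Z0-9_]+ = "[^"]*"$'; then
      printf 'malformed: %s\n' "$line"
      findings=$((findings + 1))
      continue
    fi
    name=${line%% =*}                 # text before " ="
    value=${line#*= }                 # text after "= ", still quoted
    value=${value#\"}
    value=${value%\"}
    if [ "$name" = DROP ]; then
      drop_seen=1
      if [ -z "$value" ]; then
        printf 'empty DROP target (iptables rules would end in a bare -j)\n'
        findings=$((findings + 1))
      fi
    fi
  done
  if [ "$drop_seen" -eq 0 ]; then
    printf 'DROP setting missing\n'
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Stand-alone run on the constructed sample; the exit status is the finding count.
printf '%s\n' "$SAMPLE_CONF" | lint_csf_conf || echo "findings: $?"
```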