csfpre.sh
Posted: 04 Feb 2008, 21:41
by realbuz
Hi,
We are using csfpre.sh to add some nat rules to our iptables.
After a server reboot, I need to restart csf service again for those rules to be added.
Any pointer on how to solve this?
Thanks
Posted: 05 Feb 2008, 16:18
by chirpy
Are you saying that csf is starting after a reboot but it isn't running csfpre.sh, or that csf isn't starting after a reboot at all?
Posted: 05 Feb 2008, 23:42
by realbuz
It seems like anything in csfpre.sh isn't being processed at all on server boot (csf is loaded at startup).
Thanks
Posted: 07 Feb 2008, 18:41
by realbuz
workaround
I just added a "service csf restart" line to /etc/rc.local and it works well enough for us.
Regards,
Re: csfpre.sh
Posted: 08 Jun 2013, 09:49
by parawizard
I have been facing the same problem, but apparently it's after an update. I found some pointers in other threads. I can't post links and BBCode thread tags don't work, thus here is:
viewtopic.php?f=6&t=5509
See this in the log:
Jun 8 03:50:01 xxxx /usr/sbin/cron[1048]: (*system*csf_update) RELOAD (/etc/cron.d/csf_update)
Results in:
Jun 8 07:14:31 xxxx kernel: [664365.120218] Firewall: *UDP_IN Blocked* IN=tun0 OUT= MAC= SRC=10.8.0.10 DST=10.8.0.1 LEN=71 TOS=0x00 PREC=0x00 TTL=128 ID=826 PROTO=UDP SPT=63799 DPT=53 LEN=51
Solution: use the full path to iptables in the csfpre.sh/csfpost.sh files.
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT
/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 198.46.152.229
Adding the documentation:
17. External Pre- and Post- Scripts
###################################
External commands (e.g. iptables rules not covered by csf) can be run before
and/or after csf sets up the iptables chains and rules.
1. To run external commands before csf configures iptables create the file:
/etc/csf/csfpre.sh
Set that file as executable and add an appropriate shebang interpreter line and
then whatever external commands you wish to execute.
For example:
#!/bin/sh
/some/path/to/binary -a -b -c etc
Then chmod +x /etc/csf/csfpre.sh
2. To run external commands after csf configures iptables create the file:
/etc/csf/csfpost.sh
Set that file as executable and add an appropriate shebang interpreter line and
then whatever external commands you wish to execute.
Note: You MUST use the full path to any binaries that you execute within these
scripts.
Now I know that this is a subtle problem, and tons of places are not including this in their tutorials or whatnot. I know right now you guys would rather not have csfpre.sh and csfpost.sh created on install, but if they were, and with them came the piece out of the manual above or some smaller notes about using full paths, it could definitely be handy. I found at least 3 or 4 threads on the same subject, and it took me a long while thinking about why my OpenVPN kept dropping off.
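The following is an added example of a complete csfpre.sh built from the rules and the manual excerpt in this thread; it is not code from the original posts or from csf itself. It sets PATH explicitly and calls iptables by its full path, so it behaves the same whether csf is started from the console, from /etc/rc.local, or from the csf_update cron reload, where the minimal cron PATH is what made a bare "iptables" silently fail. Because csf reruns the pre/post scripts on every restart or reload, the script also checks each rule with "iptables -C" before appending it, so repeated runs do not stack duplicate FORWARD and POSTROUTING rules. The subnet 10.8.0.0/24 and the address 198.46.152.229 are taken from the rules posted above and are assumptions to be replaced with your own; the IPTABLES variable override and the $0 guard exist only so the functions can be exercised without touching a live firewall.

```shell
#!/bin/sh
# /etc/csf/csfpre.sh  (added example; not from the original post or from csf)
# Runs before csf builds its chains, on every csf start/restart/reload,
# including reloads triggered from cron where PATH is minimal and a bare
# "iptables" may not resolve. Hence the explicit PATH and full binary path.
# Assumed values, taken from the thread's rules: VPN subnet 10.8.0.0/24,
# public address 198.46.152.229. Adjust for your host.
set -e
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

IPTABLES=${IPTABLES:-/sbin/iptables}   # full path; overridable for testing
VPN_NET=10.8.0.0/24
PUBLIC_IP=198.46.152.229

# ensure_rule TABLE RULE...: append RULE to TABLE only if it is not already
# present, so re-running this script (csf restart from rc.local, the
# csf_update cron reload) never stacks duplicate rules. Relies on "iptables -C"
# (available in iptables 1.4.11 and later).
ensure_rule() {
    table=$1
    shift
    if "$IPTABLES" -t "$table" -C "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -t "$table" -A "$@"
}

apply_rules() {
    # Order matters: the catch-all REJECT must be appended after the ACCEPTs.
    ensure_rule filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ensure_rule filter FORWARD -s "$VPN_NET" -j ACCEPT
    ensure_rule filter FORWARD -j REJECT
    ensure_rule nat POSTROUTING -s "$VPN_NET" -j SNAT --to-source "$PUBLIC_IP"
}

# Apply only when executed as the installed script; sourcing the file
# (for example to run apply_rules against a stub IPTABLES) leaves the host alone.
case "$0" in
    */csfpre.sh|csfpre.sh) apply_rules ;;
esac
```

Install it as /etc/csf/csfpre.sh, make it executable with chmod +x, and run "csf -r"; then confirm the rules with "/sbin/iptables -L FORWARD -n --line-numbers" and "/sbin/iptables -t nat -L POSTROUTING -n". The -C guard only prevents duplicates; it does not reorder a chain that was already populated by hand, so check the line numbers if the REJECT is not last. Forwarding between tun0 and the public interface also needs net.ipv4.ip_forward set to 1, which this script leaves to the VPN setup.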