CC_ALLOW_FILTER and ipset
Posted: 06 Jun 2018, 02:59
by tomdchi1
I have several WHM servers and I am trying to use the CC_ALLOW_FILTER, but it is not working. ipset is installed and LF_IPSET is set to on, and when I restart csf I see the error:
Code:
csf: IPSET creating set cc_us
RETURN all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set cc_us src
csf: IPSET loading set cc_us with 66677 entries
IPSET: [ipset v6.29: Error in line 65537: Hash is full, cannot add more elements]
Anyone know how to fix this?
Re: CC_ALLOW_FILTER and ipset
Posted: 06 Jun 2018, 21:14
by tomdchi1
I noticed the LF_IPSET_MAXELEM setting and increased the value. CSF restarts with no error, but countries not allowed are still not being blocked.
Is there something else that needs to be set somewhere? Here is the output from the CSF restart:
Code:
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_ALLOWF'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `DSHIELD'
Flushing chain `HONEYPOT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `SMTPOUTPUT'
Flushing chain `SPAMEDROP'
Flushing chain `cphulk'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_ALLOWF'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `DSHIELD'
Deleting chain `HONEYPOT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `SMTPOUTPUT'
Deleting chain `SPAMEDROP'
Deleting chain `cphulk'
Flushing chain `PREROUTING'
Flushing chain `POSTROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_ALLOWF'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `DSHIELD'
Flushing chain `HONEYPOT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `SMTPOUTPUT'
Flushing chain `SPAMEDROP'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_ALLOWF'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `DSHIELD'
Deleting chain `HONEYPOT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `SMTPOUTPUT'
Deleting chain `SPAMEDROP'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
LOG tcp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP6IN Blocked* '
LOG tcp opt in * out * ::/0 -> ::/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP6OUT Blocked* '
LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP6IN Blocked* '
LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP6OUT Blocked* '
LOG icmpv6 opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP6IN Blocked* '
LOG icmpv6 opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP6OUT Blocked* '
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
REJECT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all opt in * out * ::/0 -> ::/0
REJECT all opt in * out * ::/0 -> ::/0 reject-with icmp6-port-unreachable
DENYOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
DENYIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ALLOWOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ALLOWIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
DENYOUT all opt in * out !lo ::/0 -> ::/0
DENYIN all opt in !lo out * ::/0 -> ::/0
ALLOWOUT all opt in * out !lo ::/0 -> ::/0
ALLOWIN all opt in !lo out * ::/0 -> ::/0
csf: FASTSTART loading Packet Filter (IPv4)
csf: FASTSTART loading Packet Filter (IPv6)
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt in * out * ::/0 -> ::/0
INVALID tcp opt in !lo out * ::/0 -> ::/0
INVALID tcp opt in * out !lo ::/0 -> ::/0
csf: IPSET creating set chain_DENY
csf: IPSET creating set chain_6_DENY
csf: FASTSTART loading csf.deny (IPv4)
csf: FASTSTART loading csf.deny (IPv6)
csf: FASTSTART loading csf.deny (IPSET)
DROP all opt -- in !lo out * 185.43.209.168 -> 0.0.0.0/0
REJECT all opt -- in * out !lo 0.0.0.0/0 -> 185.43.209.168 reject-with icmp-port-unreachable
csf: IPSET creating set chain_ALLOW
csf: IPSET creating set chain_6_ALLOW
csf: FASTSTART loading csf.allow (IPv4)
csf: FASTSTART loading csf.allow (IPv6)
csf: FASTSTART loading csf.allow (IPSET)
csf: IPSET creating set bl_SPAMEDROP
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set bl_SPAMEDROP src
csf: IPSET creating set bl_6_SPAMEDROP
DROP all opt in * out * ::/0 -> ::/0 match-set bl_6_SPAMEDROP src
csf: IPSET loading set bl_SPAMEDROP with 130 entries
csf: IPSET loading set bl_6_SPAMEDROP with 0 entries
SPAMEDROP all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
SPAMEDROP all opt in !lo out * ::/0 -> ::/0
csf: IPSET creating set bl_HONEYPOT
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set bl_HONEYPOT src
csf: IPSET creating set bl_6_HONEYPOT
DROP all opt in * out * ::/0 -> ::/0 match-set bl_6_HONEYPOT src
csf: IPSET loading set bl_HONEYPOT with 49 entries
csf: IPSET loading set bl_6_HONEYPOT with 0 entries
HONEYPOT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
HONEYPOT all opt in !lo out * ::/0 -> ::/0
csf: IPSET creating set bl_DSHIELD
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set bl_DSHIELD src
csf: IPSET creating set bl_6_DSHIELD
DROP all opt in * out * ::/0 -> ::/0 match-set bl_6_DSHIELD src
csf: IPSET loading set bl_DSHIELD with 20 entries
csf: IPSET loading set bl_6_DSHIELD with 0 entries
DSHIELD all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
DSHIELD all opt in !lo out * ::/0 -> ::/0
csf: Generating /etc/exim.smtpauth
csf: IPSET creating set cc_us
RETURN all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set cc_us src
csf: IPSET loading set cc_us with 66677 entries
csf: IPSET creating set cc_ca
RETURN all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set cc_ca src
csf: IPSET loading set cc_ca with 16099 entries
CC_ALLOWF all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
CC_ALLOWF all opt in !lo out * ::/0 -> ::/0
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
LOGDROPIN icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmp type 8
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT icmpv6 opt in !lo out * ::/0 -> ::/0
ACCEPT icmpv6 opt in * out !lo ::/0 -> ::/0
ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all opt in !lo out * ::/0 -> ::/0 state RELATED,ESTABLISHED
ACCEPT all opt in * out !lo ::/0 -> ::/0 state RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
REJECT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt in lo out * ::/0 -> ::/0
ACCEPT all opt in * out lo ::/0 -> ::/0
REJECT all opt in * out !lo ::/0 -> ::/0 reject-with icmp6-port-unreachable
LOGDROPIN all opt in !lo out * ::/0 -> ::/0
SMTPOUTPUT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
SMTPOUTPUT all opt in * out * ::/0 -> ::/0
csf: FASTSTART loading SMTP Block (IPv4)
csf: FASTSTART loading SMTP Block (IPv6)
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
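The first post hits ipset's default hash limit (the 65537th element of cc_us is refused) and the second post raises LF_IPSET_MAXELEM to cure it. The script below is an added example, not csf's own code: it parses the "IPSET loading set ... with N entries" lines a csf restart prints, reports any set whose count exceeds the maxelem in force, and suggests a value that would hold every set. The sample log lines are constructed from the counts quoted in this thread, and the csf.conf line format (LF_IPSET_MAXELEM = "65536") is assumed.

```shell
#!/bin/sh
# Added example (not csf's own code): audit the ipset set sizes that a csf
# restart prints against LF_IPSET_MAXELEM.

# Constructed sample log: the "IPSET loading set" lines from the restart
# output quoted in this thread.
SAMPLE_LOG='csf: IPSET loading set bl_SPAMEDROP with 130 entries
csf: IPSET loading set bl_HONEYPOT with 49 entries
csf: IPSET loading set cc_us with 66677 entries
csf: IPSET loading set cc_ca with 16099 entries'

# ipset's default maxelem for hash sets; csf exposes it as LF_IPSET_MAXELEM.
IPSET_DEFAULT_MAXELEM=65536

# Read LF_IPSET_MAXELEM from a csf.conf (path in $1), falling back to the
# ipset default. Assumes the line format: LF_IPSET_MAXELEM = "65536".
configured_maxelem() {
    v=$(sed -n 's/^LF_IPSET_MAXELEM *= *"\([0-9]*\)".*/\1/p' "$1" 2>/dev/null || true)
    echo "${v:-$IPSET_DEFAULT_MAXELEM}"
}

# Print "<set> <entries>" for each set in the log (stdin) whose entry count
# exceeds the maxelem given as $1. ipset refuses the (maxelem+1)th element
# with "Hash is full", which is the error in the first post.
oversized_sets() {
    awk -v max="$1" '
        $2 == "IPSET" && $3 == "loading" && $8 == "entries" && $7 + 0 > max + 0 {
            print $5, $7
        }'
}

# Smallest power of two, at least the ipset default, that holds every set in
# the log (stdin). ipset accepts any maxelem; the power-of-two rounding just
# leaves headroom for country lists that grow between restarts.
suggested_maxelem() {
    awk -v base="$IPSET_DEFAULT_MAXELEM" '
        $2 == "IPSET" && $3 == "loading" && $8 == "entries" && $7 + 0 > big { big = $7 + 0 }
        END { m = base + 0; while (m < big) m *= 2; print m }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | oversized_sets "$IPSET_DEFAULT_MAXELEM"
printf 'suggested LF_IPSET_MAXELEM: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | suggested_maxelem)"
```

On a live host, pipe `csf -r` output into oversized_sets with the value from configured_maxelem /etc/csf/csf.conf; the check is only meaningful when LF_IPSET is on, since csf then builds one set per country.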
Re: CC_ALLOW_FILTER and ipset
Posted: 16 Aug 2018, 23:53
by lfkproducts
I am having the same problem. I was originally using IPSET and CC_DENY, with a CC list, and all countries listed were blocked perfectly. However, that list got long. I decided to do it the other way, which is to use CC_ALLOW_FILTER. I added the short list (US,GB,AU,CA,PH), but now the server appears to be open to ALL traffic again: CN, RU, etc. What am I missing? Do I also have to set CC_ALLOW_PORTS as well? IPSET is active and working, with limits properly set. I just cannot have all this spam traffic coming from everywhere. Does anyone know what has to be done? CC_DENY is obviously not the way to go.
Thanks!