CC_ALLOW_FILTER and ipset

Posted: 06 Jun 2018, 02:59
by tomdchi1
I have several WHM servers and I am trying to use the CC_ALLOW_FILTER, but it is not working. ipset is installed and LF_IPSET is set to on, and when I restart csf I see the error:

csf: IPSET creating set cc_us
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_us src
csf: IPSET loading set cc_us with 66677 entries
IPSET: [ipset v6.29: Error in line 65537: Hash is full, cannot add more elements]

Anyone know how to fix this?

Re: CC_ALLOW_FILTER and ipset

Posted: 06 Jun 2018, 21:14
by tomdchi1
I noticed the LF_IPSET_MAXELEM setting and increased the value. CSF restarts with no error but countries not allowed are still not being blocked.

Is there something else that needs to be set somewhere? Here is output from CSF restart:

Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_ALLOWF'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `DSHIELD'
Flushing chain `HONEYPOT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `SMTPOUTPUT'
Flushing chain `SPAMEDROP'
Flushing chain `cphulk'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_ALLOWF'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `DSHIELD'
Deleting chain `HONEYPOT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `SMTPOUTPUT'
Deleting chain `SPAMEDROP'
Deleting chain `cphulk'
Flushing chain `PREROUTING'
Flushing chain `POSTROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_ALLOWF'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `DSHIELD'
Flushing chain `HONEYPOT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `SMTPOUTPUT'
Flushing chain `SPAMEDROP'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_ALLOWF'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `DSHIELD'
Deleting chain `HONEYPOT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `SMTPOUTPUT'
Deleting chain `SPAMEDROP'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* ' 
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* ' 
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* ' 
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* ' 
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* ' 
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP_OUT Blocked* ' 
LOG  tcp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP6IN Blocked* ' 
LOG  tcp opt    in * out *  ::/0  -> ::/0  tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP6OUT Blocked* ' 
LOG  udp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP6IN Blocked* ' 
LOG  udp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP6OUT Blocked* ' 
LOG  icmpv6 opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP6IN Blocked* ' 
LOG  icmpv6 opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP6OUT Blocked* ' 
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
REJECT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  reject-with icmp-port-unreachable 
DROP  all opt    in * out *  ::/0  -> ::/0  
REJECT  all opt    in * out *  ::/0  -> ::/0  reject-with icmp6-port-unreachable 
DENYOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
DENYIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ALLOWOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
ALLOWIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
DENYOUT  all opt    in * out !lo  ::/0  -> ::/0  
DENYIN  all opt    in !lo out *  ::/0  -> ::/0  
ALLOWOUT  all opt    in * out !lo  ::/0  -> ::/0  
ALLOWIN  all opt    in !lo out *  ::/0  -> ::/0  
csf: FASTSTART loading Packet Filter (IPv4)
csf: FASTSTART loading Packet Filter (IPv6)
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
INVALID  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
INVALID  tcp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
DROP  all opt    in * out *  ::/0  -> ::/0  
INVALID  tcp opt    in !lo out *  ::/0  -> ::/0  
INVALID  tcp opt    in * out !lo  ::/0  -> ::/0  
csf: IPSET creating set chain_DENY
csf: IPSET creating set chain_6_DENY
csf: FASTSTART loading csf.deny (IPv4)
csf: FASTSTART loading csf.deny (IPv6)
csf: FASTSTART loading csf.deny (IPSET)
DROP  all opt -- in !lo out *  185.43.209.168  -> 0.0.0.0/0  
REJECT  all opt -- in * out !lo  0.0.0.0/0  -> 185.43.209.168  reject-with icmp-port-unreachable 
csf: IPSET creating set chain_ALLOW
csf: IPSET creating set chain_6_ALLOW
csf: FASTSTART loading csf.allow (IPv4)
csf: FASTSTART loading csf.allow (IPv6)
csf: FASTSTART loading csf.allow (IPSET)
csf: IPSET creating set bl_SPAMEDROP
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set bl_SPAMEDROP src 
csf: IPSET creating set bl_6_SPAMEDROP
DROP  all opt    in * out *  ::/0  -> ::/0  match-set bl_6_SPAMEDROP src 
csf: IPSET loading set bl_SPAMEDROP with 130 entries
csf: IPSET loading set bl_6_SPAMEDROP with 0 entries
SPAMEDROP  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
SPAMEDROP  all opt    in !lo out *  ::/0  -> ::/0  
csf: IPSET creating set bl_HONEYPOT
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set bl_HONEYPOT src 
csf: IPSET creating set bl_6_HONEYPOT
DROP  all opt    in * out *  ::/0  -> ::/0  match-set bl_6_HONEYPOT src 
csf: IPSET loading set bl_HONEYPOT with 49 entries
csf: IPSET loading set bl_6_HONEYPOT with 0 entries
HONEYPOT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
HONEYPOT  all opt    in !lo out *  ::/0  -> ::/0  
csf: IPSET creating set bl_DSHIELD
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set bl_DSHIELD src 
csf: IPSET creating set bl_6_DSHIELD
DROP  all opt    in * out *  ::/0  -> ::/0  match-set bl_6_DSHIELD src 
csf: IPSET loading set bl_DSHIELD with 20 entries
csf: IPSET loading set bl_6_DSHIELD with 0 entries
DSHIELD  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
DSHIELD  all opt    in !lo out *  ::/0  -> ::/0  
csf: Generating /etc/exim.smtpauth
csf: IPSET creating set cc_us
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set cc_us src 
csf: IPSET loading set cc_us with 66677 entries
csf: IPSET creating set cc_ca
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set cc_ca src 
csf: IPSET loading set cc_ca with 16099 entries
CC_ALLOWF  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
CC_ALLOWF  all opt    in !lo out *  ::/0  -> ::/0  
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmp type 8 limit: avg 1/sec burst 5 
LOGDROPIN  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmp type 8 
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  icmp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0  
ACCEPT  icmpv6 opt    in * out !lo  ::/0  -> ::/0  
ACCEPT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  state RELATED,ESTABLISHED 
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  state RELATED,ESTABLISHED 
ACCEPT  all opt    in !lo out *  ::/0  -> ::/0  state RELATED,ESTABLISHED 
ACCEPT  all opt    in * out !lo  ::/0  -> ::/0  state RELATED,ESTABLISHED 
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0  
REJECT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  reject-with icmp-port-unreachable 
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  all opt    in lo out *  ::/0  -> ::/0  
ACCEPT  all opt    in * out lo  ::/0  -> ::/0  
REJECT  all opt    in * out !lo  ::/0  -> ::/0  reject-with icmp6-port-unreachable 
LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0  
SMTPOUTPUT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
SMTPOUTPUT  all opt    in * out *  ::/0  -> ::/0  
csf: FASTSTART loading SMTP Block (IPv4)
csf: FASTSTART loading SMTP Block (IPv6)
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0  
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0  
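The two posts above show the failure mode worth checking for before touching CC_ALLOW_FILTER at all: csf reported "Hash is full" at line 65537 while loading cc_us with 66677 entries, which is what you get when a set outgrows ipset's default hash maxelem of 65536 (the value csf exposes as LF_IPSET_MAXELEM). The script below is an added example, not part of this thread and not csf's own code. It takes the text of a csf restart, pulls out every "IPSET loading set ... with N entries" line, and reports which sets exceed a given LF_IPSET_MAXELEM so the limit can be raised deliberately rather than by trial and error. The restart output embedded in it is a constructed sample modelled on the lines posted above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from csf): check csf restart output
# for ipset sets whose entry count exceeds the configured LF_IPSET_MAXELEM.
# ipset's hash sets default to maxelem 65536, so a set with 66677 entries
# fails on the 65537th add, exactly as the "Hash is full" error in the thread.

# Constructed sample of csf restart output, modelled on the posts above.
SAMPLE_OUTPUT='csf: IPSET creating set bl_SPAMEDROP
csf: IPSET loading set bl_SPAMEDROP with 130 entries
csf: IPSET creating set cc_us
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set cc_us src
csf: IPSET loading set cc_us with 66677 entries
csf: IPSET creating set cc_ca
csf: IPSET loading set cc_ca with 16099 entries'

# Print "setname count" for every "IPSET loading set" line in $1.
# Only the loading lines carry entry counts; rule dumps and "creating set"
# lines are ignored by the sed pattern.
ipset_load_counts() {
    printf '%s\n' "$1" |
        sed -n 's/^csf: IPSET loading set \([^ ]*\) with \([0-9]*\) entries.*/\1 \2/p'
}

# Print "setname count" for each set whose count is above maxelem ($2).
sets_over_maxelem() {
    ipset_load_counts "$1" | awk -v max="$2" '$2 + 0 > max + 0 { print $1, $2 }'
}

# Number of sets that would overflow at maxelem $2 (0 means all sets fit).
overflow_count() {
    sets_over_maxelem "$1" "$2" | wc -l | tr -d ' '
}

# Largest entry count seen: the floor for any working LF_IPSET_MAXELEM.
largest_set_size() {
    ipset_load_counts "$1" | awk 'BEGIN { m = 0 } $2 + 0 > m { m = $2 + 0 } END { print m }'
}

# Human-readable report for a given maxelem; exit status is left untouched so
# the function can be used from scripts that run under set -e.
report_capacity() {
    _maxelem="$2"
    printf 'Checking ipset loads against LF_IPSET_MAXELEM = %s\n' "$_maxelem"
    if [ "$(overflow_count "$1" "$_maxelem")" -gt 0 ]; then
        sets_over_maxelem "$1" "$_maxelem" | while read -r _set _count; do
            printf '  %s needs %s entries: would fail with "Hash is full"\n' "$_set" "$_count"
        done
        printf '  Raise LF_IPSET_MAXELEM to at least %s and restart csf.\n' \
            "$(largest_set_size "$1")"
    else
        printf '  All sets fit.\n'
    fi
}

# Stand-alone run on the constructed sample, first at ipset's default and
# then at a value large enough for every set in the sample.
report_capacity "$SAMPLE_OUTPUT" 65536
report_capacity "$SAMPLE_OUTPUT" 131072
```

On a live server the same functions can be fed the real restart text, for example `report_capacity "$(csf -r 2>&1)" "$(sed -n 's/^LF_IPSET_MAXELEM *= *"\([0-9]*\)".*/\1/p' /etc/csf/csf.conf)"`; that pipeline assumes the csf.conf key is written as `LF_IPSET_MAXELEM = "…"`, which is the convention csf uses for its settings. A clean capacity report only rules out the "Hash is full" failure; it says nothing about whether the CC_ALLOWF chain itself ends in a rule that drops what the per-country RETURN rules let through, which is the separate question the later posts raise.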

Re: CC_ALLOW_FILTER and ipset

Posted: 16 Aug 2018, 23:53
by lfkproducts
I am having the same problem. I was originally using IPSET and CC_DENY, with a CC list, and all countries listed were blocked perfectly. However, that list got long. I decided to do it the other way, which is to use CC_ALLOW_FILTER. I added the short list (US,GB,AU,CA,PH), but now the server appears to be open to ALL traffic again. CN, RU, etc...etc... What am I missing? Do I also have to set CC_ALLOW_PORTS as well? IPSET is active and working, with limits properly set... I just cannot have all this spam traffic coming from everywhere. Does anyone know what has to be done? CC_DENY is obviously not the way to go.

Thanks!