
CSF 3.17 IPtables Error

Posted: 21 Mar 2008, 18:27
by knuckles
Hello,

I just upgraded CSF from 3.16 to 3.17. Upon restarting CSF, a bunch of these errors were spammed:
iptables v1.3.8: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
Based on my limited knowledge of IPTables, it doesn't look like any of my denied IPs were applied to IPTables rules via CSF (i.e., they all errored out with the above).

The -j option exists in my version of IPTables, and the error was not verbose enough for me to troubleshoot it:
[root@claymore ]# iptables -h
iptables v1.3.8

Usage: iptables -[AD] chain rule-specification [options]
<snip>
--jump -j target
target for rule (may load target extension)
I was unable to figure out the problem, so I had to revert to the csf.conf.preupgrade file and was able to restart CSF without the iptables errors.

I'm running on FC8. I tried both of the kernels I had available to me (2.6.24.3-34.fc8 and 2.6.23.15-137.fc8) prior to reverting the config back. I also installed iptables-devel in hopes that would help.

Posted: 21 Mar 2008, 18:51
by chirpy
That's odd.

If you're able to give me access to the server I'd like to have a look:
https://support.waytotheweb.com/cgi-bin ... /pdesk.cgi

Failing that, are you sure you went from v3.16 to v3.17 and not an earlier version?
Was this the cPanel version or the Generic version?

Also, if you still have the csf.conf that didn't work, could you post a diff between it and the current csf.conf, e.g.:

diff failed.conf /etc/csf/csf.conf

Posted: 21 Mar 2008, 19:01
by knuckles
I will submit a support request right now. I'll need your IP to add it to TCPwrappers if you need SSH access.

I do automatic upgrades, and am sure I was on 3.16 (generic) prior to doing a csf -u today (manual upgrade rather than waiting :)).

Here is the diff:


[root@claymore csf]# diff csf.conf.backup csf.conf
30,32c30,35
< # By default, csf will auto-configure iptables to filter all traffic except on
< # the local (lo:) device. If you only want iptables rules applied to a specific
< # NIC, then list it here (e.g. eth1, or eth+)
---
> # Ethernet device setting is taken from the shared IP address in
> # /etc/wwwacct.conf but can be overridden here (e.g. "eth0")
> #
> # If you have multiple ethernet NICs that you want to apply all rules to, then
> # you can set the following to the interface name immediately followed by a
> # plus sign. For example, eth+ will apply all rules to eth0, eth1, etc
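Review bot: the new comment refers to /etc/wwwacct.conf, which is a cPanel (WHM) file, yet the poster says this is the generic build; check whether the generic csf.conf template picked up the cPanel wording, and state how the device is chosen when that file does not exist.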
35,36c38
< # If you don't want iptables rules applied to specific NICs, then list them in
< # a comma separated list (e.g "eth1,eth2")
---
> # Unfiltered ethernet devices in a comma separated list (e.g "eth1,eth2")
45a48
> #TCP_OUT = "20,21,22,25,26,37,43,53,80,110,111,113,443,953,2401,2703,6881:6899,8888,9999,13549,41495:41499,65500:65534,1:65534"
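Review bot: the commented-out TCP_OUT example ends with "1:65534", which already covers every other entry in the list (and overlaps 65500:65534), so anyone who uncomments it as-is gets essentially all outbound TCP; either drop the catch-all range from the example or label it as an allow-all.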
83a87,93
> # Drop target for iptables rules. This can be set to either DROP ot REJECT.
> # REJECT will send back an error packet, DROP will not respond at all. REJECT
> # is more polite, however it does provide extra information to a hacker and
> # lets them know that a firewall is blocking their attempts. DROP hangs their
> # connection, thereby frustrating attempts to port scan the server.
> DROP = "DROP"
> 
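Review bot: "DROP ot REJECT" should read "DROP or REJECT". Because this value becomes the jump target of the iptables rules, it should be validated as one of DROP or REJECT when csf.conf is loaded, with an error that names the setting, rather than leaving iptables to reject each rule with a message that never mentions DROP.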
174a185,186
> #
> # You can also configure a global ignore file for IP's that lfd should ignore
176a189
> GLOBAL_IGNORE = ""
300c313
< LF_INTEGRITY = "3600"
---
> LF_INTEGRITY = "3600";
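Review bot: the only change in this hunk is a trailing `;` after the closing quote. No other value in the diff carries one (DROP = "DROP", GLOBAL_IGNORE = "", CT_STATES = ""), so this looks like a typo; remove it, since a parser that takes everything after `=` would carry the `;` into the value.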
416a430,435
> # If you only want to ount specific states (e.g. SYN_RECV) then add the states
> # to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
> #
> # Leave this option empty to count all states against CT_LIMIT
> CT_STATES = ""
> 
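Review bot: "ount" should be "count" in the new comment.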
481c500
< # Set PT_LOAD to "0" to disable this feature
---
> # Set LF_LOAD to "0" to disable this feature
548d566
< IPTABLES_LOG = "/var/log/messages"
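Review bot: IPTABLES_LOG is removed with no replacement visible in this diff; if lfd still reads that key it will now be empty. Confirm the option has been retired or renamed, and document where the iptables log is now expected to be.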

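The diff above contains the kind of one-character damage (a stray `;` after `LF_INTEGRITY = "3600"`) that a config parser can silently absorb into a value, and a new setting (`DROP`) whose value is spliced straight into iptables rules as the `-j` target. The script below is an added example, not code from csf or from anyone in this thread: a pre-flight check to run on a csf.conf before `csf -r`. It flags lines that are not `KEY = "value"`, text after the closing quote, and a `DROP` value that is not DROP or REJECT; it contrasts a sloppy and a strict way of reading a value; and it refuses to build a deny rule with an empty target instead of letting iptables fail. The sample config is constructed, the chain name DENYIN and the sloppy parser are assumptions for illustration, and nothing here knows how csf's own parser actually works.

```shell
#!/bin/sh
# Added example, not csf code: pre-flight checks for a csf.conf, run before
# "csf -r", to catch config damage that otherwise surfaces only as iptables
# errors at restart. Chain name DENYIN and the sample config are assumptions.

# Write a constructed csf.conf excerpt (not a real config) to the file in $1.
# It deliberately contains an empty DROP target, the stray ';' seen in the
# thread's diff, and one unquoted value.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real csf.conf
TESTING = "0"
DROP = ""
LF_INTEGRITY = "3600";
GLOBAL_IGNORE = ""
CT_STATES = ""
PT_LOAD = 30
EOF
}

# Print one finding per line for anything that is not KEY = "value", has text
# after the closing quote, or sets DROP to a target iptables cannot jump to.
# Returns 1 if any finding was printed.
check_csf_conf() {
    awk '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*$/ { next }
    {
        if (match($0, /^[A-Z0-9_]+[[:space:]]*=[[:space:]]*"[^"]*"/)) {
            rest = substr($0, RSTART + RLENGTH)
            sub(/^[[:space:]]+/, "", rest)
            if (rest != "") { bad++; printf "%d: trailing text after closing quote: %s\n", NR, rest }
            key = $0; sub(/[[:space:]]*=.*/, "", key)
            val = $0; sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)
            if (key == "DROP" && val != "DROP" && val != "REJECT") {
                bad++; printf "%d: DROP must be DROP or REJECT, got \"%s\"\n", NR, val
            }
        } else {
            bad++; printf "%d: not KEY = \"value\" form: %s\n", NR, $0
        }
    }
    END { if (bad) exit 1 }' "$1"
}

# Hypothetical sloppy parser (assumption, not csf's): take everything after
# "=", then drop one quote at each end. The stray ";" leaks into the value.
naive_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | sed 's/^"//; s/"$//'
}

# Strict parser: the value is exactly what sits between the quotes; anything
# after the closing quote is ignored (and is reported by check_csf_conf).
strict_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2"
}

# Build the deny rule for one address, refusing to emit a rule whose -j target
# is empty or unknown. iptables would reject such a rule anyway, but with a
# message that never names the setting that caused it.
render_deny_rule() {
    case $2 in
        DROP|REJECT) printf 'iptables -I DENYIN -s %s -j %s\n' "$1" "$2" ;;
        *) echo "refusing rule for $1: DROP setting is \"$2\", expected DROP or REJECT" >&2; return 1 ;;
    esac
}

# Stand-alone run over the constructed sample.
conf=$(mktemp)
write_sample_conf "$conf"
check_csf_conf "$conf" || echo "csf.conf has problems; fix them before csf -r"
echo "naive  LF_INTEGRITY: $(naive_value LF_INTEGRITY "$conf")"
echo "strict LF_INTEGRITY: $(strict_value LF_INTEGRITY "$conf")"
render_deny_rule 192.0.2.1 "$(strict_value DROP "$conf")" || true
rm -f "$conf"
```

On a real server you would point `check_csf_conf` at /etc/csf/csf.conf (or at the csf.conf.preupgrade copy, to diff the findings) and only restart csf when it prints nothing; the key point is that a bad jump target or a stray character is far cheaper to find in the config than in a wall of identical iptables errors.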
Posted: 21 Mar 2008, 21:42
by chirpy
I've released v3.18 that fixes this issue - thank you for the help in tracking the problem down.