CSF not allowing/blocking with iptables-legacy update AL9

imorandin
Junior Member
Posts: 2
Joined: 11 Oct 2023, 20:09

Post by imorandin »

OS: CloudLinux release 9.4 (Vladimir Vasyutin)
CSF version: csf: v14.21 (cPanel)

Hi,

I'm facing a strange issue where CSF is neither blocking nor allowing IPs on AlmaLinux/CL 9.
If I add a temporary allow like this, it creates an IPTABLES entry but it doesn't work (port 22 is not in TCP_OUT):

# csf -ta 12.34.12.34
ACCEPT  all opt -- in !lo out *  12.34.12.34  -> 0.0.0.0/0
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 12.34.12.34
csf: 12.34.12.34 allowed on port * for 3600 seconds in and outbound

# telnet 12.34.12.34 22
Trying 12.34.12.34...
telnet: connect to address 12.34.12.34: Connection refused

But if I use a plain csf -a (quick allow), it uses IPSET (we use ipsets for whole country blocks) and it works fine:

# csf -a 12.34.12.34
Adding 12.34.12.34 to csf.allow and iptables ACCEPT...
csf: IPSET adding [12.34.12.34] to set [chain_ALLOW]

# telnet 12.34.12.34 22
Trying 12.34.12.34...
Connected to 12.34.12.34.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4

It seems to be related to a recent iptables update. I can see this in the dnf logs:

/var/log/dnf.rpm.log:2024-09-10T03:40:51-0300 SUBDEBUG Upgrade: iptables-libs-1.8.10-4.el9_4.x86_64
/var/log/dnf.rpm.log:2024-09-10T03:40:52-0300 SUBDEBUG Installed: iptables-nft-1.8.10-4.el9_4.x86_64
/var/log/dnf.rpm.log:2024-09-10T03:40:52-0300 SUBDEBUG Erase: iptables-legacy-1.8.10-2.2.el9.x86_64
/var/log/dnf.rpm.log:2024-09-10T03:40:52-0300 SUBDEBUG Upgraded: iptables-libs-1.8.10-2.el9.x86_64
/var/log/dnf.rpm.log:2024-09-10T03:40:52-0300 SUBDEBUG Erase: iptables-legacy-libs-1.8.10-2.2.el9.x86_64

Does CSF need iptables-legacy to work correctly?

Thanks,

Ignacio
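Added example, not from the poster or from the CSF project: a POSIX sh diagnostic for the situation above. It reports which backend (legacy or nf_tables) each installed iptables binary uses and whether an IP's ACCEPT rules are visible through that backend, then checks the ipset path separately. The rule dump used for the self-check is constructed; the set name chain_ALLOW is taken from the csf output above.

```shell
#!/bin/sh
# Added diagnostic (not part of CSF or the original post): show which iptables
# backend each iptables binary on the host talks to and whether a given IP has
# ACCEPT rules visible through it. After iptables-legacy is removed, only rules
# reachable via the nf_tables backend are what the kernel actually enforces.

# Classify `iptables -V` output: "nft", "legacy" or "unknown".
backend_from_version() {
  case "$1" in
    *"(nf_tables)"*) echo nft ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# Count ACCEPT rules naming $1 as source or destination in an
# `iptables -S` dump read from stdin. Prints 0 when nothing matches.
count_accept_for_ip() {
  ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  grep -c -E -- "^-A .*-(s|d) ${ip_re}(/32)? .*-j ACCEPT" || true
}

# Constructed sample resembling what `csf -ta` leaves in `iptables -S`
# (not captured from the poster's host); used only by the self-check.
SAMPLE_RULES='-P INPUT DROP
-A INPUT ! -i lo -s 12.34.12.34/32 -j ACCEPT
-A OUTPUT ! -o lo -d 12.34.12.34/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Live report for one IP across every iptables flavour present on the host.
report() {
  ip="$1"
  for bin in iptables iptables-legacy iptables-nft; do
    if ! command -v "$bin" >/dev/null 2>&1; then
      echo "$bin: not installed"; continue
    fi
    be=$(backend_from_version "$("$bin" -V 2>/dev/null)")
    n=$("$bin" -S 2>/dev/null | count_accept_for_ip "$ip")
    echo "$bin: backend=$be accept_rules_for_${ip}=$n"
  done
  # ipset membership does not go through the iptables binary, so test it apart.
  if command -v ipset >/dev/null 2>&1; then
    ipset test chain_ALLOW "$ip" 2>/dev/null && echo "ipset chain_ALLOW: contains $ip" \
      || echo "ipset chain_ALLOW: does not contain $ip (or set missing)"
  fi
}

if [ -n "${1:-}" ]; then report "$1"; fi
```

Run as root with the IP as the only argument; a rule that appears under `iptables-legacy` but not under `iptables-nft` (or `iptables` reporting backend=nft) is not being enforced.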