CSF not allowing/blocking with iptables-legacy update AL9
Posted: 20 Sep 2024, 19:45
OS: CloudLinux release 9.4 (Vladimir Vasyutin)
CSF version: csf: v14.21 (cPanel)
Hi,
I'm facing a strange issue where CSF is not blocking nor allowing IPs in Almalinux/CL 9.
If I add a temporary allow like this, it creates an IPTABLES entry and it doesn't work (port 22 is not in TCP_OUT):

# csf -ta 12.34.12.34
ACCEPT all opt -- in !lo out * 12.34.12.34 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 12.34.12.34
csf: 12.34.12.34 allowed on port * for 3600 seconds in and outbound
# telnet 12.34.12.34 22
Trying 12.34.12.34...
telnet: connect to address 12.34.12.34: Connection refused

But if I use a plain csf -a (quick allow), it uses IPSET (we use ipsets for whole country blocks) and it works fine:

# csf -a 12.34.12.34
Adding 12.34.12.34 to csf.allow and iptables ACCEPT...
csf: IPSET adding [12.34.12.34] to set [chain_ALLOW]
# telnet 12.34.12.34 22
Trying 12.34.12.34...
Connected to 12.34.12.34.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4

Seems that it has to do with a recent iptables update. I can see this in the dnf logs:

/var/log/dnf.rpm.log:2024-09-10T03:40:51-0300 SUBDEBUG Upgrade: iptables-libs-1.8.10-4.el9_4.x86_64
/var/log/dnf.rpm.log:2024-09-10T03:40:52-0300 SUBDEBUG Installed: iptables-nft-1.8.10-4.el9_4.x86_64
/var/log/dnf.rpm.log:2024-09-10T03:40:52-0300 SUBDEBUG Erase: iptables-legacy-1.8.10-2.2.el9.x86_64
/var/log/dnf.rpm.log:2024-09-10T03:40:52-0300 SUBDEBUG Upgraded: iptables-libs-1.8.10-2.el9.x86_64
/var/log/dnf.rpm.log:2024-09-10T03:40:52-0300 SUBDEBUG Erase: iptables-legacy-libs-1.8.10-2.2.el9.x86_64

Does CSF need iptables-legacy to work correctly?
Thanks,
Ignacio
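A diagnostic helper for the situation described in the post, added here as an example and not taken from the post or from the CSF project: after a host moves from iptables-legacy to iptables-nft, rules can sit in a backend that the iptables binary in use no longer lists, so the first check is which backend `iptables` resolves to and in which ruleset dump a given allow rule actually appears. The banners and the two ruleset dumps below are constructed samples modelled on the `csf -ta` output above.

```shell
#!/bin/sh
# Added example (not from the forum post or CSF): classify the iptables
# backend from an `iptables -V` banner and locate an allow rule for one IP
# in iptables-save style dumps. All sample data below is constructed.

# Classify an `iptables -V` banner: "nft", "legacy" or "unknown".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Count ACCEPT rules for IP $1 (as source or destination) in an
# iptables-save style dump read from stdin.
count_allow_rules() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -c -E -- "-(s|d) ${esc}(/32)? .*-j ACCEPT" || true
}

# Report where the allow rule for IP $1 lives, given an iptables-nft dump
# ($2) and an iptables-legacy dump ($3): nft, legacy, both or none.
# "legacy" on a host whose iptables is nft-backed, or "both", is the
# split-backend state worth investigating before blaming csf.
allow_rule_location() {
    n=$(printf '%s\n' "$2" | count_allow_rules "$1")
    l=$(printf '%s\n' "$3" | count_allow_rules "$1")
    if   [ "$n" -gt 0 ] && [ "$l" -gt 0 ]; then echo both
    elif [ "$n" -gt 0 ]; then echo nft
    elif [ "$l" -gt 0 ]; then echo legacy
    else echo none
    fi
}

# Constructed samples modelled on what `csf -ta 12.34.12.34` inserts.
NFT_DUMP='*filter
-A INPUT -s 12.34.12.34/32 ! -i lo -j ACCEPT
-A OUTPUT -d 12.34.12.34/32 ! -o lo -j ACCEPT
COMMIT'
LEGACY_DUMP='*filter
-A INPUT -s 10.0.0.5/32 -j DROP
COMMIT'

# On a live host, feed real data instead:
#   iptables -V; iptables-save; iptables-legacy-save 2>/dev/null
echo "backend: $(iptables_backend 'iptables v1.8.10 (nf_tables)')"
echo "allow rule for 12.34.12.34: $(allow_rule_location 12.34.12.34 "$NFT_DUMP" "$LEGACY_DUMP")"
```

On a real host, `iptables-legacy-save` may be absent once the legacy package is erased; an empty legacy dump then simply yields "nft" or "none", and any rules still loaded in the legacy xtables backend would have to be inspected with a legacy binary.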