csfpre rules is remove by csf or lfd

Posted: 02 Nov 2012, 15:50
by leozim
Hi,

I use csfpre.sh to configure iptables rules for OpenVPN, and it works.

But after approximately 2 weeks, OpenVPN stops working.

I investigated, and SNAT is disabled automatically by CSF or LFD (I don't know the correct reason).

This is the line in csfpre.sh:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 200.200.200.200


When I restart csf, csfpre.sh is run and works perfectly:

[root@vpn ~]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 10.8.0.0/24 0.0.0.0/0 to:200.200.200.200

After hours (I don't know exactly), iptables has changed and no longer has SNAT:

[root@vpn ~]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination


Probably a csf update caused this problem, because I have already used this rule for 3 months, and this problem only started in the last 2 or 3 weeks.

Thanks

Leonardo

Re: csfpre rules is remove by csf or lfd

Posted: 28 Feb 2013, 14:05
by thuantran
I have the exact same problem: my KVM virtual NAT network goes down after a while because csfpre rules get dropped by csf.

Is there a fix for this?

Re: csfpre rules is remove by csf or lfd

Posted: 04 Apr 2013, 23:25
by bfsworks
Hello,

We rely on NAT iptables rules using SNAT. We are evaluating its use in a production environment but are concerned by this post. Is there any feedback on whether any updates have solved this issue? Thanks!

Re: csfpre rules is remove by csf or lfd

Posted: 11 Jan 2014, 01:50
by TommyTheKid
We have seen this problem several times as well. I have a sneaking suspicion that it has something to do with automatic updates.

Re: csfpre rules is remove by csf or lfd

Posted: 11 Aug 2016, 15:08
by TommyTheKid
The solution to this issue (in case you happen upon this ancient post) is that your iptables commands in csfpre.sh must have the full path to iptables (i.e. /sbin/iptables). The "update" process that automatically restarts does not have /sbin in its path.
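
Added example, not part of the thread and not csf's own code: a csfpre.sh that applies the fix described in the last post by resolving iptables from fixed directories instead of PATH, and that goes one step further by checking for the rule before appending it. The names `resolve_bin`, `ensure_snat` and `IPT_DIRS`, and the `$0` guard, are hypothetical; the subnet and address are the ones from the first post.

```shell
#!/bin/sh
# Added example of a csfpre.sh; not taken from the thread or from csf itself.
# The thread's finding: the automatic-update restart runs this script without
# /sbin in PATH, so a bare "iptables" is not found and the rule is not re-added.

SNAT_SRC="10.8.0.0/24"        # VPN subnet from the first post
SNAT_TO="200.200.200.200"     # public address from the first post
# Hypothetical knob: fixed directories to search instead of trusting PATH.
IPT_DIRS="${IPT_DIRS:-/sbin /usr/sbin}"

# Print the absolute path of binary $1 from IPT_DIRS; PATH is never consulted.
resolve_bin() {
    for dir in $IPT_DIRS; do
        if [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    return 1
}

# Add the SNAT rule unless an identical one is already present (-C checks).
ensure_snat() {
    ipt=$(resolve_bin iptables) || {
        # Fail loudly so a missing rule shows up in the restart output.
        echo "csfpre: iptables not found in: $IPT_DIRS" >&2
        return 1
    }
    "$ipt" -t nat -C POSTROUTING -s "$SNAT_SRC" -j SNAT --to-source "$SNAT_TO" \
        2>/dev/null && return 0
    "$ipt" -t nat -A POSTROUTING -s "$SNAT_SRC" -j SNAT --to-source "$SNAT_TO"
}

# Assumption: the file is installed and invoked under the name csfpre.sh.
# Under any other name it only defines the functions and changes nothing.
case "$0" in
    */csfpre.sh|csfpre.sh) ensure_snat ;;
esac
```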