CONNLIMIT issue on dedicated server

Posted: 27 Jul 2013, 16:09
by szarka
Hi, folks. I've seen a few posts around the web about this problem from other OVH customers, but sadly no solutions... I've gotten a bit further than previous posters, but now I'm stuck. Can anyone point me in the right direction?

I've set up csf on a dedicated CentOS server at OVH. It's using a 3.8.13 kernel that they've compiled, rather than the stock 2.6.X kernel. It works great except for this error when I run csftest:

Testing xt_connlimit...FAILED [Error: iptables: Protocol wrong type for socket.] - Required for CONNLIMIT feature
Indeed, the module is not there. But this is because the kernel is built by OVH with the iptables stuff compiled in, not compiled as modules. (See below.) When I reload csf, I get these errors:

iptables: Protocol wrong type for socket.
CONNLIMIT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:20 flags:0x17/0x02 #conn/32 > 5 
iptables: Protocol wrong type for socket.
CONNLIMIT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:21 flags:0x17/0x02 #conn/32 > 5 
iptables: Protocol wrong type for socket.
CONNLIMIT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:22 flags:0x17/0x02 #conn/32 > 5 
iptables: Protocol wrong type for socket.
CONNLIMIT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:25 flags:0x17/0x02 #conn/32 > 40 
iptables: Protocol wrong type for socket.
CONNLIMIT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 flags:0x17/0x02 #conn/32 > 200 
iptables: Protocol wrong type for socket.
CONNLIMIT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:110 flags:0x17/0x02 #conn/32 > 80 
iptables: Protocol wrong type for socket.
CONNLIMIT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:143 flags:0x17/0x02 #conn/32 > 80 
iptables: Protocol wrong type for socket.
CONNLIMIT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:443 flags:0x17/0x02 #conn/32 > 200 
iptables: Protocol wrong type for socket.
CONNLIMIT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:2222 flags:0x17/0x02 #conn/32 > 10
Here are what look like the relevant options from the kernel config:

CONFIG_IP_NF_IPTABLES=y
CONFIG_IP6_NF_IPTABLES=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=y
# CONFIG_NF_CONNTRACK_H323 is not set
CONFIG_NF_CONNTRACK_IRC=y
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_SNMP is not set
CONFIG_NF_CONNTRACK_PPTP=y
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NETFILTER_XT_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_NF_CONNTRACK_IPV6=y
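
One way to tell the three cases apart (connlimit compiled into the kernel, built as a loadable module, or absent), as an added diagnostic written for this thread and not csf's or OVH's code: it classifies kernel config lines like the ones quoted above and checks /proc/net/ip_tables_matches, which lists every xtables match the running kernel has registered regardless of how it was built, so a "module not found" result from a modprobe-style test can be cross-checked. The sample config is constructed from lines in the post.

```shell
#!/bin/sh
# Added diagnostic (not csf's own code): distinguish "compiled in", "module"
# and "absent" for the netfilter options csf's CONNLIMIT feature relies on.

# kconfig_state CONFIG_FILE OPTION -> prints builtin | module | unset | unknown
kconfig_state() {
    cfg=$1; opt=$2
    # Match only the exact option: "OPT=..." or "# OPT is not set".
    line=$(grep -E "^(# )?${opt}([= ])" "$cfg" | head -n 1)
    case "$line" in
        "${opt}=y")            echo builtin ;;
        "${opt}=m")            echo module  ;;
        "# ${opt} is not set") echo unset   ;;
        *)                     echo unknown ;;
    esac
}

# xt_match_registered MATCH [LISTFILE] -> success if the xtables match is
# registered with the running kernel, whether built in or loaded as a module.
# LISTFILE defaults to the kernel's own list; a file can be passed for testing.
xt_match_registered() {
    grep -qx "$1" "${2:-/proc/net/ip_tables_matches}" 2>/dev/null
}

# Constructed sample: relevant lines from the OVH kernel config in the post.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_IP_NF_IPTABLES=y
CONFIG_NF_CONNTRACK=y
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
EOF
}

report() {
    for opt in CONFIG_NF_CONNTRACK CONFIG_NETFILTER_XT_MATCH_CONNLIMIT \
               CONFIG_NETFILTER_XT_MATCH_CONNTRACK; do
        printf '%-40s %s\n' "$opt" "$(kconfig_state "$1" "$opt")"
    done
    if xt_match_registered connlimit; then
        echo "connlimit match is registered with the running kernel"
    else
        echo "connlimit match not registered (or /proc/net/ip_tables_matches unreadable)"
    fi
}

sample=$(mktemp)
write_sample_config "$sample"
report "$sample"      # on a real host pass /boot/config-$(uname -r) instead
rm -f "$sample"
```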

Re: CONNLIMIT issue on dedicated server

Posted: 01 Aug 2013, 09:30
by ForumAdmin
You would need to either get OVH to fix their custom kernel or install your own or revert to the OS vendor kernel. Many people have issues with their custom kernel and it appears fairly straightforward to switch back to the vendor kernel on their servers, e.g.:
http://change_ovh_kernel.onlinephpfunctions.com/
http://sc.lumic.co.uk/?p=53

Re: CONNLIMIT issue on dedicated server

Posted: 03 Aug 2013, 20:11
by szarka
Yes, that's an option, but I was hoping to move forward, not back.

Can anyone tell me what kernel options would need to change in the above to support the hooks that CSF needs?