Csf blocks all on reboot
Posted: 14 Jan 2014, 02:52
I have setup a new dedicated server with Debian 7.2 stable ( Wheezy ) and installed apache, Webmin and CSF with the webmin modules.
During testing, I'm getting expected results. SSH access is fine. and when I disable testing mode on every thing is fine
but when I reboot the server I'm locked out, I have to use the server rescue mode to revert back into testing mode.
SSH is on 4215 and webmin on 10000,
I will post the IP table rules below.
During testing, I'm getting expected results. SSH access is fine. and when I disable testing mode on every thing is fine
but when I reboot the server I'm locked out, I have to use the server rescue mode to revert back into testing mode.
SSH is on 4215 and webmin on 10000,
I will post the IP table rules below.
Code: Select all
ConfigServer Security & Firewall - csf v6.40
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- eth0 * 213.186.33.99 0.0.0.0/0 tcp dpt:53
2 0 0 ACCEPT udp -- eth0 * 213.186.33.99 0.0.0.0/0 udp dpt:53
3 0 0 ACCEPT tcp -- eth0 * 213.186.33.99 0.0.0.0/0 tcp spt:53
4 0 0 ACCEPT udp -- eth0 * 213.186.33.99 0.0.0.0/0 udp spt:53
5 1163 101K LOCALINPUT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
6 4 478 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
7 411 48243 INVALID tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
8 1148 98511 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
9 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:20
10 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:21
11 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
12 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:25
13 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53
14 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:110
15 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:143
16 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:443
17 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:465
18 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:587
19 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:993
20 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:995
21 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:4215
22 18 1080 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:10000
23 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:20
24 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:21
25 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:53
26 0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
27 0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmptype 0 limit: avg 1/sec burst 5
28 0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
29 0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
30 4 1312 LOGDROPIN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 213.186.33.99 tcp dpt:53
2 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 213.186.33.99 udp dpt:53
3 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 213.186.33.99 tcp spt:53
4 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 213.186.33.99 udp spt:53
5 1249 465K LOCALOUTPUT all -- * eth0 0.0.0.0/0 0.0.0.0/0
6 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
7 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
8 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:53
9 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:53
10 4 478 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
11 482 419K INVALID tcp -- * eth0 0.0.0.0/0 0.0.0.0/0
12 1223 470K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
13 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:20
14 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:21
15 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
16 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:25
17 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53
18 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:110
19 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:113
20 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:443
21 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:4215
22 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:10000
23 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:20
24 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:21
25 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:53
26 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:113
27 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:123
28 0 0 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0 icmptype 0
29 0 0 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0 icmptype 8
30 0 0 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0 icmptype 11
31 0 0 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0 icmptype 3
32 14 840 LOGDROPOUT all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain ALLOWIN (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- eth0 * 188.165.222.251 0.0.0.0/0
2 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 188.165.222.208 tcp dpt:4215
Chain ALLOWOUT (1 references)
num pkts bytes target prot opt in out source destination
1 20 4248 ACCEPT all -- * eth0 0.0.0.0/0 188.165.222.251
Chain DENYIN (1 references)
num pkts bytes target prot opt in out source destination
Chain DENYOUT (1 references)
num pkts bytes target prot opt in out source destination
Chain INVALID (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 INVDROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
2 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x3F/0x00
3 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x3F/0x3F
4 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x03/0x03
5 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x06
6 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x05/0x05
7 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x11/0x01
8 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x18/0x08
9 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x30/0x20
10 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags:! 0x17/0x02 ctstate NEW
Chain INVDROP (10 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOCALINPUT (1 references)
num pkts bytes target prot opt in out source destination
1 1163 101K ALLOWIN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2 1163 101K DENYIN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain LOCALOUTPUT (1 references)
num pkts bytes target prot opt in out source destination
1 1249 465K ALLOWOUT all -- * eth0 0.0.0.0/0 0.0.0.0/0
2 1229 461K DENYOUT all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain LOGDROPIN (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
2 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
3 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
4 4 1312 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
5 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
6 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111
7 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
8 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:113
9 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
10 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
11 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
12 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
13 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:500
14 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
15 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:513
16 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:513
17 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:520
18 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
19 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
20 0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
21 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
22 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOGDROPOUT (1 references)
num pkts bytes target prot opt in out source destination
1 14 840 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
2 0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
3 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
4 14 840 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PREROUTING (policy ACCEPT 68 packets, 7434 bytes)
num pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 18 packets, 1080 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 36 packets, 5220 bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 22 packets, 4380 bytes)
num pkts bytes target prot opt in out source destination
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
csf: v6.40
©2006-2014, ConfigServer Services (Way to the Web Limited)