Csf blocks all on reboot

Posted: 14 Jan 2014, 02:52
by rageriot
I have set up a new dedicated server with Debian 7.2 stable (Wheezy) and installed Apache, Webmin and CSF with the Webmin modules.

During testing, I'm getting expected results. SSH access is fine, and when I disable testing mode everything is fine,
but when I reboot the server I'm locked out; I have to use the server rescue mode to revert back into testing mode.

SSH is on 4215 and Webmin on 10000.

I will post the IP table rules below.

Code:

 ConfigServer Security & Firewall - csf v6.40

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  eth0   *       213.186.33.99        0.0.0.0/0            tcp dpt:53
2        0     0 ACCEPT     udp  --  eth0   *       213.186.33.99        0.0.0.0/0            udp dpt:53
3        0     0 ACCEPT     tcp  --  eth0   *       213.186.33.99        0.0.0.0/0            tcp spt:53
4        0     0 ACCEPT     udp  --  eth0   *       213.186.33.99        0.0.0.0/0            udp spt:53
5     1163  101K LOCALINPUT  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
6        4   478 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
7      411 48243 INVALID    tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
8     1148 98511 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
9        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:20
10       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:21
11       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22
12       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:25
13       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:53
14       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:110
15       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:143
16       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:443
17       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:465
18       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:587
19       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:993
20       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:995
21       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:4215
22      18  1080 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:10000
23       0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:20
24       0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:21
25       0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:53
26       0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
27       0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 0 limit: avg 1/sec burst 5
28       0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 11
29       0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 3
30       4  1312 LOGDROPIN  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            213.186.33.99        tcp dpt:53
2        0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            213.186.33.99        udp dpt:53
3        0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            213.186.33.99        tcp spt:53
4        0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            213.186.33.99        udp spt:53
5     1249  465K LOCALOUTPUT  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
6        0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:53
7        0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:53
8        0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:53
9        0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp spt:53
10       4   478 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
11     482  419K INVALID    tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
12    1223  470K ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
13       0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:20
14       0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:21
15       0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22
16       0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:25
17       0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:53
18       0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:110
19       0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:113
20       0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:443
21       0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:4215
22       0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:10000
23       0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:20
24       0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:21
25       0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:53
26       0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:113
27       0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:123
28       0     0 ACCEPT     icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0            icmptype 0
29       0     0 ACCEPT     icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0            icmptype 8
30       0     0 ACCEPT     icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0            icmptype 11
31       0     0 ACCEPT     icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0            icmptype 3
32      14   840 LOGDROPOUT  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain ALLOWIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  eth0   *       188.165.222.251      0.0.0.0/0           
2        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            188.165.222.208      tcp dpt:4215

Chain ALLOWOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       20  4248 ACCEPT     all  --  *      eth0    0.0.0.0/0            188.165.222.251     

Chain DENYIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DENYOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INVALID (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 INVDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
2        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x00
3        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x3F
4        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x03/0x03
5        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x06
6        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x05/0x05
7        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x11/0x01
8        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x18/0x08
9        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x30/0x20
10       0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags:! 0x17/0x02 ctstate NEW

Chain INVDROP (10 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOCALINPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     1163  101K ALLOWIN    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
2     1163  101K DENYIN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           

Chain LOCALOUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     1249  465K ALLOWOUT   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
2     1229  461K DENYOUT    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain LOGDROPIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
2        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
3        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:68
4        4  1312 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
5        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:111
6        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:111
7        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
8        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:113
9        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:135:139
10       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:135:139
11       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
12       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:445
13       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:500
14       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
15       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:513
16       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:513
17       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:520
18       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:520
19       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
20       0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
21       0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
22       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOGDROPOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       14   840 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
2        0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
3        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
4       14   840 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain PREROUTING (policy ACCEPT 68 packets, 7434 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 18 packets, 1080 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 36 packets, 5220 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 22 packets, 4380 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration

csf: v6.40

©2006-2014, ConfigServer Services (Way to the Web Limited)

Re: Csf blocks all on reboot

Posted: 14 Jan 2014, 08:24
by ForumAdmin
The only thing I can suggest would be to disable FASTSTART in /etc/csf/csf.conf which has been known to cause boot problems in rare circumstances.

Re: Csf blocks all on reboot

Posted: 14 Jan 2014, 18:34
by rageriot
OK, I tried setting FASTBOOT to zero, rebooted, and I appeared to have access again. I logged into SSH and checked

Code:

iptables -L


Everything looked normal, and just a few minutes later I was locked out again... no ping, no SSH... nothing.

Re: Csf blocks all on reboot

Posted: 14 Jan 2014, 19:26
by rageriot
I checked dmesg; the last few lines were these:

Code:

r8169 0000:03:00.0 eth0: unable to load firmware patch rtl_nic/rtl8168f-1.fw (-2)
r8169 0000:03:00.0 eth0: link down
IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
r8169 0000:03:00.0 eth0: link down


Re: Csf blocks all on reboot

Posted: 14 Jan 2014, 21:36
by ForumAdmin
That indicates a bug in your Ethernet controller driver, or an incorrect driver is installed, and has nothing to do with iptables. There appears to be some discussion about that exact error here:
http://forum.ovh.co.uk/showthread.php?6 ... hing/page4

Re: Csf blocks all on reboot

Posted: 16 Jan 2014, 16:27
by rageriot
Thanks, this seemed to fix the problem.

I installed firmware-linux and didn't get locked out, but was temporarily banned because of the anti-port-scan settings.
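The lesson of this thread is that a post-reboot lockout is not always the firewall. The script below is an added example (not code from the thread, from csf or from ConfigServer) that separates the two causes seen here: it checks a dmesg excerpt for the r8169 firmware/link failure, and checks an iptables dump in the format csf -l prints for an ACCEPT rule on the SSH port that sits before the final LOGDROPIN rule. The sample texts are constructed from the output quoted above; on a live box you would feed it `dmesg` and `iptables -L INPUT -n -v`.

```shell
#!/bin/sh
# Added example: tell a NIC driver failure apart from a real csf/iptables lockout.

# Constructed sample: the r8169 lines quoted in the thread.
SAMPLE_DMESG='r8169 0000:03:00.0 eth0: unable to load firmware patch rtl_nic/rtl8168f-1.fw (-2)
r8169 0000:03:00.0 eth0: link down
IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready'

# Constructed sample: a trimmed copy of the INPUT chain from the csf -l output above.
SAMPLE_INPUT='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
5     1163  101K LOCALINPUT  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
11       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22
21       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:4215
30       4  1312 LOGDROPIN  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration'

# nic_fault DMESG_TEXT: succeeds if the driver could not load its firmware or the link dropped.
nic_fault() {
    printf '%s\n' "$1" | grep -Eq 'unable to load firmware|eth[0-9]+: link down'
}

# input_accepts_tcp PORT DUMP: succeeds if INPUT has an ACCEPT rule for NEW TCP
# connections to PORT that comes before the final LOGDROPIN rule (rule order matters).
input_accepts_tcp() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "Chain" { chain = $2; next }
        chain != "INPUT" { next }
        $4 == "LOGDROPIN" { closed = 1 }
        $4 == "ACCEPT" && $5 == "tcp" && /ctstate NEW/ && !closed &&
            $0 ~ ("dpt:" port "([^0-9]|$)") { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# diagnose PORT DMESG_TEXT DUMP: print the most likely explanation for the lockout.
diagnose() {
    if nic_fault "$2"; then
        echo "nic-driver"          # not iptables at all: fix the NIC firmware/driver first
    elif ! input_accepts_tcp "$1" "$3"; then
        echo "port-not-allowed"    # the port is missing from TCP_IN, or sits after the drop rule
    elif printf '%s\n' "$3" | grep -q 'TESTING mode is enabled'; then
        echo "testing-mode"        # csf's cron job still flushes the rules; not enforcing yet
    else
        echo "firewall-ok"
    fi
}

diagnose 4215 "$SAMPLE_DMESG" "$SAMPLE_INPUT"   # prints nic-driver
```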