Error: FASTTART: iptables-restore: line xyz failed ...
Posted: 06 May 2014, 09:55
by User
After upgrading today from 6.X to 7.01 on 3 servers – all servers are virtual root servers running under Debian Wheezy – I'm getting these errors:
csf: FASTSTART loading csf.allow (IPv4)
csf: FASTSTART loading Blocklist OPENBL (IPv4)
Error: FASTTART: iptables-restore: line 6217 failed, at line 3759
csf: FASTSTART loading csf.allow (IPv4)
csf: FASTSTART loading Blocklist SPAMEDROP (IPv4)
SPAMEDROP all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
csf: FASTSTART loading Blocklist OPENBL (IPv4)
Error: FASTTART: iptables-restore: line 6218 failed, at line 3759
csf: FASTSTART loading csf.allow (IPv4)
csf: FASTSTART loading Blocklist SPAMEDROP (IPv4)
SPAMEDROP all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
csf: FASTSTART loading Blocklist SPAMDROP (IPv4)
Error: FASTTART: iptables-restore: line 607 failed, at line 3759
Is there any fast solution? Running webservers without firewall is a bad idea.
Re: Error: FASTTART: iptables-restore: line xyz failed ...
Posted: 06 May 2014, 10:09
by ForumAdmin
Disable FASTSTART in csf.conf. The errors suggest that your server cannot cope with running the iptables-restore binary, perhaps due to low memory.
Re: Error: FASTTART: iptables-restore: line xyz failed ...
Posted: 06 May 2014, 10:51
by User
Thanks for quick response.
ForumAdmin wrote: The errors suggest that your server cannot cope with running the iptables-restore binary, perhaps due to low memory.
How much memory is needed? My servers have this memory:
Server 1: Real memory 16 GB total, 835.15 MB used
Server 2: Real memory 6 GB total, 872.45 MB used
Server 3: Real memory 20 GB total, 2.56 GB used
I never had this error with version 6.x.
ForumAdmin wrote: Disable FASTSTART in csf.conf.
I disabled FASTSTART. But now I'm getting these errors:
Error: The VPS iptables rule limit (numiptent) is too low (1015/1024) - stopping firewall to prevent iptables blocking all connections, at line 1521
Error: The VPS iptables rule limit (numiptent) is too low (375/384) - stopping firewall to prevent iptables blocking all connections, at line 1521
Re: Error: FASTTART: iptables-restore: line xyz failed ...
Posted: 06 May 2014, 10:54
by ForumAdmin
The problem is with the VPS configuration. numiptent is a server setting that can only be changed by the VPS server provider; it determines how many iptables rules can be used. You need to have your server provider increase the value significantly, especially if you are going to use block lists. To work around the issue until numiptent is increased, you should disable all the block lists in /etc/csf/csf.blocklists
Re: Error: FASTTART: iptables-restore: line xyz failed ...
Posted: 06 May 2014, 11:14
by User
Thanks. But I used some blocklists with v6.x. Why doesn't it work any more with v7.01?
Re: Error: FASTTART: iptables-restore: line xyz failed ...
Posted: 06 May 2014, 11:45
by ForumAdmin
Evidently numiptent is not high enough for the number of rules required. The OPENBL list currently has 6241 entries of its own, so I can only guess it was failing before and you had not noticed, or it had not successfully downloaded them before.
Re: Error: FASTTART: iptables-restore: line xyz failed ...
Posted: 06 May 2014, 12:04
by User
ForumAdmin wrote: ... or it had not successfully downloaded them before.
Yes, that's my only explanation for this issue.
Thanks for your fast help.
Re: Error: FASTTART: iptables-restore: line xyz failed ...
Posted: 07 May 2014, 11:10
by sys7cp
Hi, good morning,
I asked my datacenter to change this IP limit, but I need to wait.
I'd like to know if there is any way to install back the old version of CSF while I wait, so we do not stay without an active firewall?
Thanks
Romero Carvalho
Re: Error: FASTTART: iptables-restore: line xyz failed ...
Posted: 12 May 2015, 20:37
by CanisMaj
Hi,
If anyone has this problem, I have a neat solution on Ubuntu 14.04 server, if you have tons of duplicates in iptables.
First do a backup of your iptables, and add a line in crontab to restore it in 5 minutes, so you don't lock yourself out if shit happens. After that,
make sure you register where the COMMITs are (table creations and at the end, for example).
iptables-save | awk ' !x[$0]++' > nondupl.txt
This removes the duplicates, but also the COMMITs after the first one. I'm not savvy enough in awk to make an exception to the rule.
So you write the COMMITs back to the same places they were in dupl.txt and restore iptables with
Remove the csf.error, and restart lfd and csf.
No guarantees, best of luck!
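As an added shell example (not part of CanisMaj's post or of csf itself), here is an awk filter that removes duplicate rules from iptables-save output while keeping comments, `*table` headers, chain policy lines and every COMMIT, which is the exception the post was looking for; it also counts rule lines so the total can be compared against the container's numiptent limit before restoring. The iptables-save text below is constructed, and the function names are my own.

```shell
# Constructed sample of iptables-save output with duplicated rules
# in two tables (not taken from the original thread).
SAMPLE='# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Drop duplicate rule lines but keep every structural line: comments,
# "*table" headers, ":CHAIN policy" lines and each table's COMMIT.
# Duplicates are tracked per table, so an identical rule that legitimately
# appears in two different tables is not removed.
dedupe_rules() {
    awk '
        /^\*/      { table = $0; print; next }   # new table: new scope
        /^(#|:)/   { print; next }               # comments, chain policies
        /^COMMIT$/ { print; next }               # keep every COMMIT
        !seen[table SUBSEP $0]++                 # print first sighting only
    '
}

# Count "-A" rule lines on stdin; compare the result with the numiptent
# limit (e.g. 1024 in the thread) before running iptables-restore.
count_rules() {
    grep -c '^-A '
}

# Run the filter over the constructed sample.
dedupe_sample() {
    printf '%s\n' "$SAMPLE" | dedupe_rules
}
```

On a real host, run `iptables-save > backup.txt`, then `dedupe_rules < backup.txt > nondupl.txt`, review the file, and only then restore it with `iptables-restore < nondupl.txt`, keeping the crontab safety net the post describes in place.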