OVH Server CSF ip Deny Has No Effect

Posted: 10 Jul 2014, 19:53
by XxUnkn0wnxX
When I run the iptables test I get this:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Protocol wrong type for socket.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf will function on this server but some features will not work due to some missing iptables modules [1]


And when I try to block an IP:

Adding 101.173.42.156 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 101.173.42.156 -> 0.0.0.0/0
DROP all opt -- in * out !lo 0.0.0.0/0 -> 101.173.42.156

And when I try to go to my site from that IP, it's not blocked.

Also, I get these errors when I restart iptables:

service iptables restart
Opening /proc/modules: No such file or directory
iptables: Setting chains to policy ACCEPT: raw nat mangle f[ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory

I heard somewhere that I should delete the iptables config and rules from /etc/sysconfig,

but that did not seem to fix the issue either.

Port blocking works fine in CSF, but not IP blocking.

Re: OVH Server CSF ip Deny Has No Effect

Posted: 11 Jul 2014, 04:25
by XxUnkn0wnxX
Running a website on an OVH dedicated server, I am trying to block some IPs with CSF.
IPs that are in the deny file cannot access my server on any port, but they can access my website on port 80 without any problems.

If my IP address is entered in the URL, the blocked IP cannot open my website, but if the URL has the domain name, the website opens fine.

Would someone have any ideas what is happening, as I do not know how to solve this? BTW, the Apache log file shows the blocked IP in the log as successfully accessing the website.

Re: OVH Server CSF ip Deny Has No Effect

Posted: 12 Jul 2014, 16:29
by aww+
Just a guess on my part, but you aren't running the stock kernel?

OVH likes to throw a grsecurity kernel on there, which seems to break iptables with CSF.

What is the output from

uname -a

(You can remove your server name; I just care about the kernel part after.)

I know on CentOS it is easy to replace the grsecurity kernel with the stock kernel; not sure about other distros.

Re: OVH Server CSF ip Deny Has No Effect

Posted: 12 Jul 2014, 16:36
by XxUnkn0wnxX
It's: 3.10.23-xxxx-std-ipv6-64 #1 SMP Tue Mar 18 14:48:24 CET 2014 x86_64 x86_64 x86_64 GNU/Linux

CSF works fine; the only thing broken is:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Protocol wrong type for socket.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf will function on this server but some features will not work due to some missing iptables modules [1]

I have managed to solve my issue anyway: I installed Cloudflare and integrated it with CSF, so when I block an IP inside CSF it also gets blocked on Cloudflare.

So this issue is now resolved, sort of.

The only thing I haven't fixed is that when I do netstat I see the Cloudflare IPs,

so automated banning scripts would not work very well unless run from the application level.

I have configured fail2ban to scan the access logs, which show the IPs, so it scans and bans IPs from there using CSF; only then does Cloudflare block those IPs.

So in the end it's working fine.

CSF/iptables still blocks the IP from every other port on the server, just not port 80, because the IP it gets is the Cloudflare IP. I have mod_cloudflare installed for Apache, but that doesn't work for iptables, because Cloudflare IPs need to be resolved and translated before they hit my server, or before the iptables firewall.
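The approach the thread settles on, banning on the real client address recovered from the access log rather than on the proxy address iptables sees, as an added Python example; this is not code from the thread, CSF, fail2ban or mod_cloudflare. The proxy ranges, log format and log lines are constructed placeholders, and the proxy-supplied header is honoured only when the direct peer is inside those ranges, because any direct peer can forge it.

```python
import ipaddress
import re
from collections import Counter

# Placeholder ranges standing in for the CDN/reverse-proxy egress networks
# (constructed for this example; load the provider's published list in practice).
TRUSTED_PROXY_NETS = [ipaddress.ip_network(n)
                      for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Apache combined log with the proxy-supplied client header appended as the
# last field, e.g. LogFormat '... "%{Referer}i" "%{User-Agent}i" %{CF-Connecting-IP}i'
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<hdr>\S+)$')

def _line(peer, status, hdr):
    # Builds one constructed sample log line in the format above.
    return (f'{peer} - - [12/Jul/2014:16:36:00 +0000] "POST /wp-login.php HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0" {hdr}')

# Constructed sample: a client behind the proxy failing logins, a direct peer
# forging the header, and one proxied success that must not be counted.
SAMPLE_LOG = (
    [_line("198.51.100.7", 403, "101.173.42.156")] * 3
    + [_line("192.0.2.9", 403, "10.0.0.1")] * 3
    + [_line("198.51.100.7", 200, "101.173.42.156")]
)

def client_ip(peer: str, header_ip: str) -> str:
    """Address to attribute the request to. The header is honoured only when
    the direct peer is a trusted proxy; otherwise anyone could forge it to
    frame a third party or to slip past an existing deny entry."""
    if any(ipaddress.ip_address(peer) in net for net in TRUSTED_PROXY_NETS):
        try:
            return str(ipaddress.ip_address(header_ip))
        except ValueError:
            pass  # absent ('-') or malformed header: fall back to the peer
    return peer

def ban_candidates(lines, threshold=3):
    """fail2ban-style aggregation: attributed clients with >= threshold 401/403s."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status") in ("401", "403"):
            hits[client_ip(m.group("peer"), m.group("hdr"))] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG))  # ['101.173.42.156', '192.0.2.9']
```

The returned addresses are what would be handed to csf -d (and, via the CSF/Cloudflare integration, to the proxy), instead of the proxy address that a netstat-based script would ban.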