iptables syntax error

Posted: 26 Aug 2014, 04:22
by optize
We run the same config on all of our servers; however, this one spits out an iptables error.

debug[820]: Command:/sbin/iptables -v --policy FORWARD DROP
debug[822]: Command:/sbin/ip6tables -v --policy INPUT   DROP
debug[823]: Command:/sbin/ip6tables -v --policy OUTPUT  DROP
debug[824]: Command:/sbin/ip6tables -v --policy FORWARD DROP
*ERROR* line:[1352]
Command:[/sbin/iptables -v -A DENYIN ! -i lo -p tcp --dport  -s 120.140.154.96 -j DROP]
Error:[iptables v1.4.7: invalid port/service `-s' specified]
You should check through the main output carefully

*ERROR* line:[1352]
Command:[/sbin/iptables -v -A DENYIN ! -i lo -p tcp --dport  -s 187.32.5.17 -j DROP]
Error:[iptables v1.4.7: invalid port/service `-s' specified]
You should check through the main output carefully

*ERROR* line:[1352]
Command:[/sbin/iptables -v -A DENYIN ! -i lo -p tcp --dport  -s 49.248.188.35 -j DROP]
Error:[iptables v1.4.7: invalid port/service `-s' specified]
You should check through the main output carefully

*ERROR* line:[1352]
Command:[/sbin/iptables -v -A DENYIN ! -i lo -p tcp --dport  -s 113.179.240.164 -j DROP]
Error:[iptables v1.4.7: invalid port/service `-s' specified]
You should check through the main output carefully

I grepped /etc/csf for those IPs, and they don't exist, so I'm not sure if it's one of the blacklists that added them, and if so, why it's not specifying the dest port. Running CSF v7.15.

Re: iptables syntax error

Posted: 26 Aug 2014, 08:17
by ForumAdmin
From that line number, those are temporary denies. Unless they're already removed, what do you have in /var/lib/csf/csf.tempban?

Re: iptables syntax error

Posted: 26 Aug 2014, 15:44
by optize
It seems they are temp bans; however, I'm not sure why they aren't displaying the port.

1409063893|89.254.152.80|,26|in|1800|lfd - (smtpauth) Failed SMTP AUTH login from 89.254.152.80 (LV/Latvia/-): 5 in the last 300 secs

--

*ERROR* line:[1352]
Command:[/sbin/iptables -v -A DENYIN ! -i lo -p tcp --dport -s 89.254.152.80 -j DROP]
Error:[iptables v1.4.7: invalid port/service `-s' specified]
You should check through the main output carefully

Re: iptables syntax error

Posted: 26 Aug 2014, 15:54
by ForumAdmin
What do you have as a value for PORTS_smtpauth in /etc/csf/csf.conf?

Re: iptables syntax error

Posted: 26 Aug 2014, 15:58
by optize
Don't have that in csf.conf.

# grep smtpauth -i /etc/csf/csf.conf
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1800"
# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD,
SMTPAUTH_LOG = "/var/log/exim_mainlog"

Re: iptables syntax error

Posted: 26 Aug 2014, 16:03
by ForumAdmin
That will be why it is failing, then: you have an incomplete csf.conf file. There should be a list of port definitions at the bottom of csf.conf, e.g.:

# The following are comma separated lists used if LF_SELECT is enabled,
# otherwise they are not used. They are derived from the application returned
# from a regex match in /usr/local/csf/bin/regex.pm
PORTS_pop3d = "110,995"
PORTS_imapd = "143,993"
PORTS_htpasswd = "80,443"
PORTS_mod_security = "80,443"
PORTS_mod_qos = "80,443"
PORTS_symlink = "80,443"
PORTS_suhosin = "80,443"
PORTS_cxs = "80,443"
PORTS_bind = "53"
PORTS_ftpd = "20,21"
PORTS_webmin = "10000"
PORTS_cpanel = "2077,2078,2082,2083,2086,2087,2095,2096"
# This list is extended, if present, by the ports defined by
# /etc/chkservd/exim-*
PORTS_smtpauth = "25,465,587"
PORTS_eximsyntax = "25,465,587"
# This list is replaced, if present, by "Port" definitions in
# /etc/ssh/sshd_config
PORTS_sshd = "22"

Doing a forced update of csf should generate a corrected csf.conf:

csf -uf

Re: iptables syntax error

Posted: 26 Aug 2014, 16:04
by optize
Got an updated config; it still has a syntax error during the run.

Re: iptables syntax error

Posted: 26 Aug 2014, 16:14
by ForumAdmin
You will have to remove the corrupt entry you now have in /var/lib/csf/csf.tempban due to the incomplete csf.conf and then restart csf and then lfd.
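As an added example (not part of this thread and not CSF's own code), the following script checks for both conditions ForumAdmin identifies above: a csf.conf that is missing (or has an empty) PORTS_<app> definition, and a csf.tempban entry whose port field contains an empty element (the ",26" in the poster's entry), which is what turns into "--dport  -s <ip>" and makes iptables fail. The list of application names is taken from the csf.conf excerpt in the thread; the sample csf.conf and csf.tempban files are constructed here for the demo and the sshd entry and its 198.51.100.7 address are made up. Point CSF_CONF and CSF_TEMPBAN at the real files to run it on a server; it only reads them.

```shell
#!/bin/sh
# Added example, not part of CSF. Two read-only checks for the failure mode in this
# thread:
#   1. csf.conf lacks, or has an empty, PORTS_<app> definition, so lfd has no port
#      list for that application when it writes a temporary ban; and
#   2. csf.tempban carries an entry whose port field has an empty element
#      (e.g. ",26"), which becomes "--dport  -s <ip>" and is rejected by iptables
#      with "invalid port/service `-s' specified".
# The application names are the PORTS_* keys from the csf.conf excerpt in the
# thread; extend the list if your csf.conf defines more.
PORTS_APPS="pop3d imapd htpasswd mod_security mod_qos symlink suhosin cxs bind ftpd webmin cpanel smtpauth eximsyntax sshd"

# missing_ports CONF: print one PORTS_<app> name per line that is absent from CONF
# or defined with an empty value. Prints nothing when CONF is complete.
missing_ports() {
    conf="$1"
    for app in $PORTS_APPS; do
        grep -Eq "^PORTS_${app}[[:space:]]*=[[:space:]]*\"[^\"]+\"" "$conf" \
            || echo "PORTS_${app}"
    done
}

# bad_tempban FILE: print every csf.tempban line whose port field (field 3 of the
# '|'-separated record time|ip|ports|inout|ttl|message) is empty or contains an
# empty comma-separated element. These are the entries to delete before restarting
# csf and then lfd.
bad_tempban() {
    awk -F'|' '
        {
            n = split($3, p, ",")
            bad = (n == 0)
            for (i = 1; i <= n; i++) if (p[i] == "") bad = 1
            if (bad) print
        }' "$1"
}

# --- constructed sample data (mirrors the thread; not real server files) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Incomplete csf.conf: every PORTS_* line from the thread except PORTS_smtpauth,
# which is the poster's situation.
CONF_INCOMPLETE="$SAMPLE_DIR/csf.conf.incomplete"
cat > "$CONF_INCOMPLETE" <<'EOF'
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1800"
PORTS_pop3d = "110,995"
PORTS_imapd = "143,993"
PORTS_htpasswd = "80,443"
PORTS_mod_security = "80,443"
PORTS_mod_qos = "80,443"
PORTS_symlink = "80,443"
PORTS_suhosin = "80,443"
PORTS_cxs = "80,443"
PORTS_bind = "53"
PORTS_ftpd = "20,21"
PORTS_webmin = "10000"
PORTS_cpanel = "2077,2078,2082,2083,2086,2087,2095,2096"
PORTS_eximsyntax = "25,465,587"
PORTS_sshd = "22"
EOF

# The same file after "csf -uf" has restored the missing definition.
CONF_FIXED="$SAMPLE_DIR/csf.conf.fixed"
{ cat "$CONF_INCOMPLETE"; echo 'PORTS_smtpauth = "25,465,587"'; } > "$CONF_FIXED"

# csf.tempban with one healthy (made-up) entry and the corrupt one from the thread.
TEMPBAN_SAMPLE="$SAMPLE_DIR/csf.tempban"
GOOD_LINE='1409063800|198.51.100.7|22|in|1800|lfd - (sshd) Failed SSH login from 198.51.100.7: 5 in the last 300 secs'
BAD_LINE='1409063893|89.254.152.80|,26|in|1800|lfd - (smtpauth) Failed SMTP AUTH login from 89.254.152.80 (LV/Latvia/-): 5 in the last 300 secs'
printf '%s\n%s\n' "$GOOD_LINE" "$BAD_LINE" > "$TEMPBAN_SAMPLE"

# Real files can be checked by setting CSF_CONF and CSF_TEMPBAN in the environment.
CSF_CONF="${CSF_CONF:-$CONF_INCOMPLETE}"
CSF_TEMPBAN="${CSF_TEMPBAN:-$TEMPBAN_SAMPLE}"

echo "Missing or empty PORTS_* in $CSF_CONF:"
missing_ports "$CSF_CONF"
echo "Missing or empty PORTS_* in fixed sample conf:"
missing_ports "$CONF_FIXED"
echo "Corrupt entries in $CSF_TEMPBAN:"
bad_tempban "$CSF_TEMPBAN"
```

On the poster's server the first check reports PORTS_smtpauth and the third prints the ",26" entry; after `csf -uf` the first check prints nothing, and the entry printed by the third is the one to delete from /var/lib/csf/csf.tempban before restarting csf and then lfd.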

Re: iptables syntax error

Posted: 26 Aug 2014, 17:03
by optize
It appears that the syntax error is gone; however, my original problem (not related directly to the syntax error) is still there, so I guess I'll open up another ticket ;-)

Just for my sanity, doing an upgrade which re-generates csf.conf, does it keep my existing values or do I need to go back and go through each variable again? It appears it keeps them; however, just checking.

Re: iptables syntax error

Posted: 26 Aug 2014, 17:05
by ForumAdmin
It keeps existing values.