CSF Blocking everything.

Posted: 03 Aug 2015, 12:15
by solidus1983
Hi, I seem to be having an issue with CSF whereby, when it's enabled, everything is blocked on my cPanel server unless the IP has been whitelisted.

I am on cPanel, CentOS 6.6, WHM 11.50.0 (build 29). Before CSF 8.02 and CSF 8.03 were released it had been working on my VPS server quite well.

I have done a complete uninstall and reinstall of CSF and the issue is still present. Even the VPS hoster has had a look just in case it was a misconfigured config; however, even with the default config the issue where access is completely blocked is present unless the IP(s) are whitelisted.

Now, running csf -f in the CLI, all connections get restored as CSF stops running, just like running csf -x, but as soon as csf -e has been run all IPs are blocked again from accessing the server.

Adding csf -a 0.0.0.0 (which doesn't work) is pointless, as I might as well keep CSF disabled for now.

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

root@server [/home/ultraroot]# csf -e
csf: FASTSTART loading DROP no logging (IPv4)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
DENYOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
DENYIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
ALLOWOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
ALLOWIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
csf: FASTSTART loading Packet Filter (IPv4)
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
[b]INVALID  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0[/b]

Debug output

debug[553]: Command:/sbin/iptables -v --policy INPUT ACCEPT
debug[554]: Command:/sbin/iptables -v --policy OUTPUT ACCEPT
debug[555]: Command:/sbin/iptables -v --policy FORWARD ACCEPT
debug[556]: Command:/sbin/iptables -v --flush
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `SYNFLOOD'
Flushing chain `acctboth'
debug[557]: Command:/sbin/iptables -v -t nat --flush
Flushing chain `PREROUTING'
Flushing chain `POSTROUTING'
Flushing chain `OUTPUT'
debug[558]: Command:/sbin/iptables -v --delete-chain
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `SYNFLOOD'
Deleting chain `acctboth'
debug[676]: Command:/sbin/iptables -v -N SYNFLOOD
debug[695]: Command:/sbin/iptables -v -N LOGDROPIN
debug[696]: Command:/sbin/iptables -v -N LOGDROPOUT
debug[697]: Command:/sbin/iptables -v -N DENYIN
debug[698]: Command:/sbin/iptables -v -N DENYOUT
debug[699]: Command:/sbin/iptables -v -N ALLOWIN
debug[700]: Command:/sbin/iptables -v -N ALLOWOUT
debug[701]: Command:/sbin/iptables -v -N LOCALINPUT
debug[702]: Command:/sbin/iptables -v -N LOCALOUTPUT
csf: FASTSTART loading DROP no logging (IPv4)
debug[732]: Command:/sbin/iptables -v -A LOGDROPIN -p tcp  -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* ' 
debug[733]: Command:/sbin/iptables -v -A LOGDROPOUT -p tcp --syn -m limit --limit 30/m --limit-burst 5 -j LOG --log-uid --log-prefix 'Firewall: *TCP_OUT Blocked* '
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* ' 
debug[734]: Command:/sbin/iptables -v -A LOGDROPIN -p udp  -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *UDP_IN Blocked* '
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* ' 
debug[735]: Command:/sbin/iptables -v -A LOGDROPOUT -p udp -m limit --limit 30/m --limit-burst 5 -j LOG --log-uid --log-prefix 'Firewall: *UDP_OUT Blocked* '
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* ' 
debug[736]: Command:/sbin/iptables -v -A LOGDROPIN -p icmp -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *ICMP_IN Blocked* '
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* ' 
debug[737]: Command:/sbin/iptables -v -A LOGDROPOUT -p icmp -m limit --limit 30/m --limit-burst 5 -j LOG --log-uid --log-prefix 'Firewall: *ICMP_OUT Blocked* '
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP_OUT Blocked* ' 
debug[763]: Command:/sbin/iptables -v -A LOGDROPIN -j DROP
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[764]: Command:/sbin/iptables -v -A LOGDROPOUT -j DROP
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[770]: Command:/sbin/iptables -v -A LOCALOUTPUT ! -o lo -j DENYOUT
DENYOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
debug[771]: Command:/sbin/iptables -v -A LOCALINPUT ! -i lo -j DENYIN
DENYIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[772]: Command:/sbin/iptables -v -I LOCALOUTPUT ! -o lo -j ALLOWOUT
ALLOWOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
debug[773]: Command:/sbin/iptables -v -I LOCALINPUT ! -i lo -j ALLOWIN
ALLOWIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
csf: FASTSTART loading Packet Filter (IPv4)
debug[1444]: Command:/sbin/iptables -v -A INVDROP -j DROP
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[1445]: Command:/sbin/iptables -v -I INPUT ! -i lo -p tcp -j INVALID
INVALID  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[1446]: Command:/sbin/iptables -v -I OUTPUT ! -o lo -p tcp -j INVALID
INVALID  tcp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
csf: FASTSTART loading csf.allow (IPv4)
debug[2305]: Command:/sbin/iptables -v -A SYNFLOOD -m limit --limit 100/s --limit-burst 150 -j RETURN
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 100/sec burst 150 
debug[2306]: Command:/sbin/iptables -v -A SYNFLOOD -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *SYNFLOOD Blocked* '
LOG  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *SYNFLOOD Blocked* ' 
debug[2307]: Command:/sbin/iptables -v -A SYNFLOOD -j DROP
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[2308]: Command:/sbin/iptables -v -I INPUT ! -i lo -p tcp --syn -j SYNFLOOD
SYNFLOOD  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  tcp flags:0x17/0x02 
debug[2383]: Command:/sbin/iptables -v -A INPUT ! -i lo -m state --state ESTABLISHED,RELATED -j ACCEPT
ACCEPT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  state RELATED,ESTABLISHED 
debug[2384]: Command:/sbin/iptables -v -A OUTPUT ! -o lo -m state --state ESTABLISHED,RELATED -j ACCEPT
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  state RELATED,ESTABLISHED 
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP_OUT (IPv4)
debug[2527]: Command:/sbin/iptables -v -A INPUT ! -i lo -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmp type 8 limit: avg 1/sec burst 5 
debug[2528]: Command:/sbin/iptables -v -A OUTPUT ! -o lo -p icmp --icmp-type echo-reply  -j ACCEPT
ACCEPT  icmp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  icmp type 0 
debug[2532]: Command:/sbin/iptables -v -A OUTPUT ! -o lo -p icmp --icmp-type echo-request  -j ACCEPT
ACCEPT  icmp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  icmp type 8 
debug[2533]: Command:/sbin/iptables -v -A INPUT ! -i lo -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmp type 0 limit: avg 1/sec burst 5 
debug[2536]: Command:/sbin/iptables -v -A INPUT ! -i lo -p icmp --icmp-type time-exceeded -j ACCEPT
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmp type 11 
debug[2537]: Command:/sbin/iptables -v -A INPUT ! -i lo -p icmp --icmp-type destination-unreachable -j ACCEPT
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmp type 3 
debug[2539]: Command:/sbin/iptables -v -A OUTPUT ! -o lo -p icmp --icmp-type time-exceeded -j ACCEPT
ACCEPT  icmp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  icmp type 11 
debug[2540]: Command:/sbin/iptables -v -A OUTPUT ! -o lo -p icmp --icmp-type destination-unreachable -j ACCEPT
ACCEPT  icmp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  icmp type 3 
debug[800]: Command:/sbin/iptables -v -I INPUT  -i lo -j ACCEPT
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[801]: Command:/sbin/iptables -v -I OUTPUT -o lo -j ACCEPT
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0  
debug[803]: Command:/sbin/iptables -v -A OUTPUT ! -o lo -j LOGDROPOUT
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
debug[804]: Command:/sbin/iptables -v -A INPUT ! -i lo -j LOGDROPIN
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
csf: FASTSTART loading DNS (IPv4)
Restarting bandmin acctboth chains for cPanel
debug[912]: Command:/usr/local/bandmin/bandminstart
debug[913]: Command:/sbin/iptables -v -D INPUT -j acctboth
acctboth  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[914]: Command:/sbin/iptables -v -D OUTPUT -j acctboth
acctboth  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[915]: Command:/sbin/iptables -v -I INPUT -j acctboth
acctboth  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[916]: Command:/sbin/iptables -v -I OUTPUT -j acctboth
acctboth  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[936]: Command:/sbin/iptables -v -I OUTPUT 10 ! -o lo -j LOCALOUTPUT
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
debug[937]: Command:/sbin/iptables -v -I INPUT 10 ! -i lo -j LOCALINPUT
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[959]: Command:/sbin/iptables -v --policy INPUT   DROP
debug[960]: Command:/sbin/iptables -v --policy OUTPUT  DROP
debug[961]: Command:/sbin/iptables -v --policy FORWARD DROP
*WARNING* The option "WHM > Security Center > SMTP Restrictions" is incompatible with this firewall. [b](Now Done)[/b]
The option must be disabled in WHM and the SMTP_BLOCK alternative in csf used instead
*WARNING* DEBUG sanity check. DEBUG = 1. Recommended range: 0 (Default: 0)

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Now I have disabled fast start and even set the TCP and UDP ports to 0:65335 during testing; the rest of the config is stock, even down to MESSENGER being disabled too.

The only thing I can think of that is causing the issue is the line in bold where it says INVALID.
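Added example (not code from the thread or from CSF): it replays the INPUT-chain iptables commands echoed in the debug log above to show the chain's final order and whether any ACCEPT for a destination port sits ahead of the catch-all LOGDROPIN jump. The log excerpt is constructed from the posted output; FASTSTART bulk-loads the TCP_IN/UDP_IN port rules rather than echoing them one by one, so the replay covers only what the debug log shows, and a DROP policy with no port ACCEPT before the catch-all means every new inbound connection is dropped, which is the lockout symptom described.

```python
import re
import shlex

# Constructed excerpt: the INPUT-chain commands from the debug log above, in
# the order csf -e issued them, with the echoed `-v` rule lines dropped.
DEBUG_LOG = """\
debug[556]: Command:/sbin/iptables -v --flush
debug[1445]: Command:/sbin/iptables -v -I INPUT ! -i lo -p tcp -j INVALID
debug[2308]: Command:/sbin/iptables -v -I INPUT ! -i lo -p tcp --syn -j SYNFLOOD
debug[2383]: Command:/sbin/iptables -v -A INPUT ! -i lo -m state --state ESTABLISHED,RELATED -j ACCEPT
csf: FASTSTART loading TCP_IN (IPv4)
debug[2527]: Command:/sbin/iptables -v -A INPUT ! -i lo -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
debug[800]: Command:/sbin/iptables -v -I INPUT  -i lo -j ACCEPT
debug[804]: Command:/sbin/iptables -v -A INPUT ! -i lo -j LOGDROPIN
debug[937]: Command:/sbin/iptables -v -I INPUT 10 ! -i lo -j LOCALINPUT
debug[959]: Command:/sbin/iptables -v --policy INPUT   DROP
"""
CMD_RE = re.compile(r"Command:/sbin/iptables\s+(.*)$")

def replay_chain(log, chain="INPUT"):
    """Replay -A/-I/--flush/--policy for one chain; return (rules, policy)."""
    rules, policy = [], "ACCEPT"
    for line in log.splitlines():
        m = CMD_RE.search(line)
        if not m:
            continue  # FASTSTART banners and other non-command lines
        argv = [a for a in shlex.split(m.group(1)) if a != "-v"]
        if argv == ["--flush"]:
            rules.clear()                      # bare --flush empties every chain
        elif argv[:2] == ["--policy", chain]:
            policy = argv[2]
        elif argv[:2] == ["-A", chain]:
            rules.append(argv[2:])
        elif argv[:2] == ["-I", chain]:
            has_pos = argv[2].isdigit()        # -I CHAIN [rulenum] rule-spec
            pos = int(argv[2]) if has_pos else 1
            rules.insert(pos - 1, argv[3:] if has_pos else argv[2:])
    return rules, policy

def target(rule):
    return rule[rule.index("-j") + 1]

def lockout_report(rules, policy):
    """New inbound connections survive a DROP policy only via a port ACCEPT before the catch-all."""
    drop_at = next((i for i, r in enumerate(rules) if target(r) == "LOGDROPIN"), len(rules))
    port_accepts = [r for r in rules[:drop_at]
                    if target(r) == "ACCEPT" and ("--dport" in r or "--dports" in r)]
    return {"policy": policy, "catch_all_index": drop_at, "port_accepts": len(port_accepts),
            "locked_out": policy == "DROP" and not port_accepts}
```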

Re: CSF Blocking everything.

Posted: 07 Aug 2015, 05:27
by solidus1983
The issue seems to be related to CentOS 6.6, as just now my CentOS install updated to CentOS 6.7 and CSF is now working without having to whitelist 0.0.0.0/0 so that people can access websites on the server. So I thought I'd give a heads up in case others are having the same issue as me.