CSF Fails to start

Posted: 26 Apr 2016, 08:35
by crux
Hi. I am running CSF on a VPS.

In openvz config file, I have the following:

IPTABLES=”ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp ipt_recent ipt_owner ipt_conntrack ipt_helper ipt_REDIRECT”
When entering the container, I get this error:

Warning: Unknown iptable module: ”ip_tables, skipped
Warning: Unknown iptable module: ipt_REDIRECT”, skipped
When running "csf -r" I get:

root@server [/]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:67
DROP  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  udp dpt:67
DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:68
DROP  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  udp dpt:68
DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:111
DROP  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  udp dpt:111
DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:113
DROP  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  udp dpt:113
DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpts:135:139
DROP  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  udp dpts:135:139
DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:445
DROP  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  udp dpt:445
DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:500
DROP  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  udp dpt:500
DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:513
DROP  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  udp dpt:513
DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:520
DROP  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  udp dpt:520
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
DENYOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
DENYIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
ALLOWOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
ALLOWIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
iptables: No chain/target/match by that name.
INVDROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  state INVALID
Error: iptables command [/sbin/iptables -v -A INVALID -m state --state INVALID -j INVDROP] failed, you appear to be missing a required iptables module, at line 1457

What is the INVDROP module? How can I activate it? What could be the problem? Thanks in advance.

Re: CSF Fails to start

Posted: 28 Apr 2016, 09:29
by lethargos
I don't have a solution to your problem, but I'd say that INVDROP is not a module, but an iptables CHAIN csf has created and makes use of. It's a chain where invalid packets are dropped, that's it.
They're invalid because they do not observe the TCP-flag rules. These are some basic rules csf applies:

-A INVALID -m conntrack --ctstate INVALID -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,ACK FIN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags PSH,ACK PSH -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags ACK,URG URG -j INVDROP
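To see which TCP headers those rules send to INVDROP, here is an added example (not csf's code and not from this thread): it implements the "--tcp-flags MASK COMP" match in Python and runs the eight tcp rules above over constructed flag combinations; the conntrack rule is state-based and is left out.

```python
# Added example (not csf's code): the "--tcp-flags MASK COMP" semantics behind
# the INVALID-chain rules quoted above, with constructed sample headers.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20}

# (MASK, COMP) pairs copied from the tcp rules in the reply above; the
# "-m conntrack --ctstate INVALID" rule is state-based and not modelled here.
INVALID_TCP_RULES = [
    ("FIN,SYN,RST,PSH,ACK,URG", "NONE"),
    ("FIN,SYN,RST,PSH,ACK,URG", "FIN,SYN,RST,PSH,ACK,URG"),
    ("FIN,SYN", "FIN,SYN"),
    ("SYN,RST", "SYN,RST"),
    ("FIN,RST", "FIN,RST"),
    ("FIN,ACK", "FIN"),
    ("PSH,ACK", "PSH"),
    ("ACK,URG", "URG"),
]

def flag_bits(spec):
    """Turn an iptables flag list ('FIN,ACK', 'NONE', 'ALL') into a bitmask."""
    if spec == "NONE":
        return 0
    if spec == "ALL":
        return sum(FLAGS.values())
    return sum(FLAGS[name] for name in spec.split(","))

def tcp_flags_match(packet_flags, mask, comp):
    """'-m tcp --tcp-flags MASK COMP': of the flags listed in MASK, exactly the
    ones listed in COMP must be set; flags outside MASK are ignored."""
    return (packet_flags & flag_bits(mask)) == flag_bits(comp)

def matched_rule(packet_flags):
    """First INVALID-chain rule a TCP header with these flags hits (the packet
    is then jumped to INVDROP), or None if it passes all of them."""
    for mask, comp in INVALID_TCP_RULES:
        if tcp_flags_match(packet_flags, mask, comp):
            return (mask, comp)
    return None

if __name__ == "__main__":
    # Constructed headers: the first four are ordinary handshake/data/close
    # segments and must pass; the rest are malformed combinations.
    for spec in ("SYN", "ACK", "PSH,ACK", "FIN,ACK",
                 "NONE", "ALL", "FIN,SYN", "FIN", "FIN,PSH,URG"):
        hit = matched_rule(flag_bits(spec))
        print(f"{spec:12s} -> {'INVDROP via ' + str(hit) if hit else 'pass'}")
```

Note that "--tcp-flags FIN,ACK FIN" does not mean "FIN set", it means "FIN set and ACK clear", which is why a normal FIN,ACK close passes while a bare FIN is dropped.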