Full Version: iptables not working with CSF
The Planet Forums > Security > Firewalls
its_joy
Hi,

I have CSF installed on one of our servers.

CSF doesn't ban the IP, and if it is done manually I get the following error.
----------------
csf -d 195.88.65.47
Adding 195.88.65.47 to csf.deny and iptables DROP...
iptables: Index of insertion too big
DROP all opt -- in !lo out * 195.88.65.47 -> 0.0.0.0/0
Error: iptables command [/sbin/iptables -v -I INPUT 2 -i ! lo -s 195.88.65.47 -j DROP] failed, at line 864
-------------------
Also iptables is not running on server.
If status is checked it says its stopped.

I have many sites on my server and I don't want to get any downtime.

Please let us know how can we fix this issue as soon as possible.

I have tried reinstalling CSF but the issue still remains the same.

Waiting for your reply.
James Jhurani
Can you type:
iptables -v -I INPUT -s 1.1.1.1 -j DROP
and paste the response.

as well as:
/etc/init.d/iptables status
caribwave
I also am seeing a similar issue with a new install of CSF on a
CPU GenuineIntel, Intel® Pentium® 4 CPU 3.00GHz
Operating system Linux 2.6.18-53.1.13.el5PAE
Plesk version psa v8.3.0_build83080131.20 os_RedHat el5

though I was adding to the whitelist...

[root@ns1 csf]# /usr/sbin/csf -a 222.222.222.222
Adding 222.222.222.222 to csf.allow and iptables ACCEPT...
iptables: Index of insertion too big
ACCEPT all opt -- in eth0 out * 222.222.222.222 -> 0.0.0.0/0
Error: iptables command [/sbin/iptables -v -I INPUT 2 -i eth0 -s 222.222.222.222 -j ACCEPT] failed, at line 864

yet CSF shows it was added

[root@ns1 csf]# cat csf.allow
###############################################################################
# Copyright 2006, Way to the Web Limited
# URL: http://www.waytotheweb.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be allowed through iptables. One IP address
# per line. CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp:in/out:s/d=port:s/d=ip
# See readme.txt for more information
#
# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore
222.222.222.222 # Manually allowed - Mon Mar 3 22:28:54 2008


QUOTE (jjhurani @ Feb 8 2008, 01:02 AM)
Can you type:
iptables -v -I INPUT -s 1.1.1.1 -j DROP
and paste the response.

as well as:
/etc/init.d/iptables status


[root@ns1 csf]# iptables -v -I INPUT -s 1.1.1.1 -j DROP
DROP all opt -- in * out * 1.1.1.1 -> 0.0.0.0/0

[root@ns1 csf]# /etc/init.d/iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination

Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination

Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination



I tried this deny but got "iptables: Index of insertion too big" again:

[root@ns1 csf]# /usr/sbin/csf -d 1.1.1.2
Adding 1.1.1.2 to csf.deny and iptables DROP...
DROP all opt -- in eth0 out * 1.1.1.2 -> 0.0.0.0/0
iptables: Index of insertion too big
DROP all opt -- in * out eth0 0.0.0.0/0 -> 1.1.1.2
Error: iptables command [/sbin/iptables -v -I OUTPUT 2 -o eth0 -d 1.1.1.2 -j DROP] failed, at line 865

Looking at csf.deny I see:

1.1.1.2 # Manually denied - Mon Mar 3 23:13:45 2008

After restarting I see both the allow for 222.222.222.222 and the deny for 1.1.1.2,

but not the 1.1.1.1 that was added as requested...

QUOTE (jjhurani @ Feb 8 2008, 01:02 AM)
Can you type:
iptables -v -I INPUT -s 1.1.1.1 -j DROP
and paste the response.


[root@ns1 csf]# /usr/sbin/csf -s
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:67
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:67
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:68
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:68
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:111
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:111
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:113
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:113
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpts:135:139
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpts:135:139
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:445
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:445
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:513
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:513
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:520
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:520
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVDROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state INVALID
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x3F/0x00
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x3F/0x3F
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x03/0x03
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x06/0x06
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x05/0x05
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x11/0x01
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x18/0x08
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x30/0x20
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in eth0 out * 1.1.1.2 -> 0.0.0.0/0
DROP all opt -- in * out eth0 0.0.0.0/0 -> 1.1.1.2
ACCEPT all opt -- in eth0 out * 222.222.222.222 -> 0.0.0.0/0
ACCEPT all opt -- in * out eth0 0.0.0.0/0 -> 222.222.222.222
ACCEPT all opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:143
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:993
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8443
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8443
ACCEPT udp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:20
ACCEPT udp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:21
ACCEPT udp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:53
ACCEPT udp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:8443
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:20
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:21
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:53
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:123
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:8443
ACCEPT icmp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 1/sec burst 5
ACCEPT icmp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 1/sec burst 5
LOGDROPIN all opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0
csf: TESTING mode is enabled - don't forget to disable it in the configuration

It seems to be working... but why the error?
caribwave
"When csf is in TESTING mode it will flush iptables after 5 minutes. When iptables is flushed, the iptables insert command doesn't work (as you cannot insert above a rule that doesn't exist). Once you take csf out of TESTING mode (in csf.conf) and restart csf, it should work without problems."

Ahhhgh... I forgot the logic that it's a cover of the iptables script, even though it adds and remembers in CSF. Maybe this should be noted in the readme or conf to avoid any end user concern.

Also note: in general, for a non-cPanel install, set ETH_DEVICE = ""

A Question:

I'm not sure if I needed to add anything other than
DNS 53 to UDP inbound.
I'm not sure if I needed to add the Plesk 8443 to the UDP outbound,
nor 20 ftp-data to TCP inbound or outbound and UDP inbound.
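The quoted explanation above is the whole story behind the error in this thread: `iptables -I INPUT 2 ...` asks for position 2, and iptables only accepts an insert index up to (rule count + 1), so against a chain that TESTING mode has just flushed (zero rules, as in the `/etc/init.d/iptables status` output earlier) the command fails with "Index of insertion too big" even though csf.allow/csf.deny were updated. The script below is an added example written for this thread, not CSF's own code and not from any poster; it takes a `--line-numbers`-style chain listing (constructed samples embedded inline, modelled on the status output above), counts the rules, and picks the largest legal index so the insert degrades to an append instead of failing. The `build_cmd` helper and its argument order are this example's own invention; it only prints the command, it does not run iptables.

```bash
#!/bin/sh
# Added example (not CSF code): choose a safe iptables insert index from a
# chain listing, so "iptables: Index of insertion too big" cannot occur
# after the chain has been flushed.

# Constructed sample: the empty INPUT chain from an `iptables -L INPUT -n
# --line-numbers` style listing (header only, zero rules). This mirrors the
# post-flush state seen in the thread.
EMPTY_INPUT='Chain INPUT (policy ACCEPT)
num target prot opt source destination'

# Constructed sample: the same chain after one rule has been inserted.
ONE_RULE_INPUT='Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all -- 1.1.1.1 0.0.0.0/0'

# count_rules LISTING -> number of rule lines (lines that begin with a rule
# number). `|| true` keeps grep's "no match" exit status from aborting a
# caller running under `set -e`.
count_rules() {
    printf '%s\n' "$1" | grep -c '^[0-9][0-9]* ' || true
}

# safe_index LISTING WANTED -> WANTED if iptables would accept it, otherwise
# the largest legal index, which is rule count + 1 (an append). iptables
# rejects any index above that with "Index of insertion too big".
safe_index() {
    n=$(count_rules "$1")
    max=$((n + 1))
    if [ "$2" -le "$max" ]; then
        echo "$2"
    else
        echo "$max"
    fi
}

# build_cmd CHAIN LISTING WANTED IFACE IP ACTION -> the iptables command
# line with the corrected index. Hypothetical helper for illustration; the
# interface match uses the modern `-i IFACE` form and the source-address
# match, as in the thread's failing command.
build_cmd() {
    chain=$1; listing=$2; wanted=$3; iface=$4; ip=$5; action=$6
    idx=$(safe_index "$listing" "$wanted")
    echo "iptables -v -I $chain $idx -i $iface -s $ip -j $action"
}

# Demo output, only when CSF_DEMO is set, so sourcing the file stays silent.
if [ -n "${CSF_DEMO:-}" ]; then
    echo "Empty chain, wanted index 2:"
    build_cmd INPUT "$EMPTY_INPUT" 2 eth0 1.1.1.2 DROP
    echo "One-rule chain, wanted index 2:"
    build_cmd INPUT "$ONE_RULE_INPUT" 2 eth0 1.1.1.2 DROP
fi
```

On a live box you would feed `safe_index` the real listing (`iptables -L INPUT -n --line-numbers`) before inserting. The better fix, as caribwave's quote says, is to leave TESTING mode so the chain is never flushed underneath you; this check just makes the failure mode visible and non-fatal while you diagnose.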