Why is CSF blocking all traffic?

damians

I've installed CSF firewall with DirectAdmin. When the firewall is running, it blocks all the incoming and outgoing connections.

My iptables -L -n:

Code:
Chain INPUT (policy DROP)
target     prot opt source     destination
ACCEPT     tcp  --  8.8.8.8   0.0.0.0/0 tcp dpt:53
ACCEPT     udp  --  8.8.8.8   0.0.0.0/0 udp dpt:53
ACCEPT     tcp  --  8.8.8.8   0.0.0.0/0 tcp spt:53
ACCEPT     udp  --  8.8.8.8   0.0.0.0/0 udp spt:53
LOCALINPUT  all  --  0.0.0.0/0  0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0   0.0.0.0/0
INVALID    tcp  --  0.0.0.0/0   0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:2222
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:6622
ACCEPT     udp  --  0.0.0.0/0   0.0.0.0/0   state NEW udp dpt:20
ACCEPT     udp  --  0.0.0.0/0   0.0.0.0/0   state NEW udp dpt:21
ACCEPT     udp  --  0.0.0.0/0   0.0.0.0/0   state NEW udp dpt:53
ACCEPT     icmp --  0.0.0.0/0   0.0.0.0/0   icmptype 8 limit: avg 1/sec burst 5
ACCEPT     icmp --  0.0.0.0/0   0.0.0.0/0   icmptype 0 limit: avg 1/sec burst 5
ACCEPT     icmp --  0.0.0.0/0   0.0.0.0/0   icmptype 11
ACCEPT     icmp --  0.0.0.0/0   0.0.0.0/0   icmptype 3
LOGDROPIN  all  --  0.0.0.0/0   0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source     destination

Chain OUTPUT (policy DROP)
target     prot opt source     destination
ACCEPT     tcp  --  0.0.0.0/0   8.8.8.8   tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0   8.8.8.8   udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0   8.8.8.8   tcp spt:53
ACCEPT     udp  --  0.0.0.0/0   8.8.8.8   udp spt:53
LOCALOUTPUT  all  --  0.0.0.0/0 0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0   0.0.0.0/0   udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   tcp spt:53
ACCEPT     udp  --  0.0.0.0/0   0.0.0.0/0   udp spt:53
ACCEPT     all  --  0.0.0.0/0   0.0.0.0/0
INVALID    tcp  --  0.0.0.0/0   0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:113
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:2222
ACCEPT     udp  --  0.0.0.0/0   0.0.0.0/0   state NEW udp dpt:20
ACCEPT     udp  --  0.0.0.0/0   0.0.0.0/0   state NEW udp dpt:21
ACCEPT     udp  --  0.0.0.0/0   0.0.0.0/0   state NEW udp dpt:53
ACCEPT     udp  --  0.0.0.0/0   0.0.0.0/0   state NEW udp dpt:113
ACCEPT     udp  --  0.0.0.0/0   0.0.0.0/0   state NEW udp dpt:123
ACCEPT     icmp --  0.0.0.0/0   0.0.0.0/0   icmptype 0
ACCEPT     icmp --  0.0.0.0/0   0.0.0.0/0   icmptype 8
ACCEPT     icmp --  0.0.0.0/0   0.0.0.0/0   icmptype 11
ACCEPT     icmp --  0.0.0.0/0   0.0.0.0/0   icmptype 3
LOGDROPOUT  all  --  0.0.0.0/0  0.0.0.0/0

Chain ALLOWIN (1 references)
target     prot opt source     destination
ACCEPT     all  --  85.89.162.104    0.0.0.0/0

Chain ALLOWOUT (1 references)
target     prot opt source     destination
ACCEPT     all  --  0.0.0.0/0   85.89.162.104

Chain DENYIN (1 references)
target     prot opt source     destination

Chain DENYOUT (1 references)
target     prot opt source     destination

Chain INVALID (2 references)
target     prot opt source     destination
INVDROP    all  --  0.0.0.0/0   0.0.0.0/0   state INVALID
INVDROP    tcp  --  0.0.0.0/0   0.0.0.0/0   tcpflags: 0x3F/0x00
INVDROP    tcp  --  0.0.0.0/0   0.0.0.0/0   tcpflags: 0x3F/0x3F
INVDROP    tcp  --  0.0.0.0/0   0.0.0.0/0   tcpflags: 0x03/0x03
INVDROP    tcp  --  0.0.0.0/0   0.0.0.0/0   tcpflags: 0x06/0x06
INVDROP    tcp  --  0.0.0.0/0   0.0.0.0/0   tcpflags: 0x05/0x05
INVDROP    tcp  --  0.0.0.0/0   0.0.0.0/0   tcpflags: 0x11/0x01
INVDROP    tcp  --  0.0.0.0/0   0.0.0.0/0   tcpflags: 0x18/0x08
INVDROP    tcp  --  0.0.0.0/0   0.0.0.0/0   tcpflags: 0x30/0x20
INVDROP    tcp  --  0.0.0.0/0   0.0.0.0/0   tcpflags:! 0x17/0x02 state NEW

Chain INVDROP (10 references)
target     prot opt source     destination
DROP    all  --  0.0.0.0/0  0.0.0.0/0

Chain LOCALINPUT (1 references)
target     prot opt source     destination
ALLOWIN    all  --  0.0.0.0/0   0.0.0.0/0
DENYIN     all  --  0.0.0.0/0   0.0.0.0/0

Chain LOCALOUTPUT (1 references)
target     prot opt source     destination
ALLOWOUT   all  --  0.0.0.0/0   0.0.0.0/0
DENYOUT    all  --  0.0.0.0/0   0.0.0.0/0

Chain LOGDROPIN (1 references)
target     prot opt source     destination
DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:67
DROP    udp  --  0.0.0.0/0  0.0.0.0/0   udp dpt:67
DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:68
DROP    udp  --  0.0.0.0/0  0.0.0.0/0   udp dpt:68
DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:111
DROP    udp  --  0.0.0.0/0  0.0.0.0/0   udp dpt:111
DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:113
DROP    udp  --  0.0.0.0/0  0.0.0.0/0   udp dpt:113
DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpts:135:139
DROP    udp  --  0.0.0.0/0  0.0.0.0/0   udp dpts:135:139
DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:445
DROP    udp  --  0.0.0.0/0  0.0.0.0/0   udp dpt:445
DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:500
DROP    udp  --  0.0.0.0/0  0.0.0.0/0   udp dpt:500
DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:513
DROP    udp  --  0.0.0.0/0  0.0.0.0/0   udp dpt:513
DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:520
DROP    udp  --  0.0.0.0/0  0.0.0.0/0   udp dpt:520
LOG  tcp  --  0.0.0.0/0 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG  udp  --  0.0.0.0/0 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
LOG  icmp --  0.0.0.0/0 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
DROP    all  --  0.0.0.0/0  0.0.0.0/0

Chain LOGDROPOUT (1 references)
target     prot opt source     destination
LOG  tcp  --  0.0.0.0/0 0.0.0.0/0   tcpflags: 0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG  udp  --  0.0.0.0/0 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
LOG  icmp --  0.0.0.0/0 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
DROP    all  --  0.0.0.0/0  0.0.0.0/0

perl csftest.pl
Code:
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for MESSENGER feature
Testing iptable_nat/ipt_DNAT...FAILED [Error: iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for csf.redirect feature

RESULT: csf will function on this server but some features will not work due to some missing iptables modules [2]
 