Blocked access to DA CentOS VPS

westoz (Verified User; joined Feb 13, 2012; 18 messages; location: Australia)
Hi, my issue is more related to CSF and iptables and I have posted in the CSF forum, but I'm hoping someone in this forum may have come across it or is able to suggest ideas to try and sort it out. The issue has started happening on my CentOS 6.4 x64 DA KVM VPS only in the last 24 hours, where all ports are being blocked so there is no access to the VPS. The only access that works is via VNC in the SolusVM control panel. If I restart CSF the problem clears for up to 20 mins sometimes, but then it blocks ports again. Checking the logs at the times when the problem occurs, I'm seeing this entry: "kernel: ip_tables: (C) 2000-2006 Netfilter Core Team". After that there is no access to the VPS until I restart CSF. From searching on the net I think it may have to do with rhel-iptables, but I'm not sure; it is like it reloads the tables again and then CSF blocks everything. Any help would be much appreciated. Thanks

You should whitelist your own IP address in /etc/csf/csf.allow and /etc/csf/csf.ignore.

What ports do you have open in /etc/csf/csf.conf on the TCP_IN line?

You should also set LF_ALERT_TO in /etc/csf/csf.conf to your email address so you know when IPs are being blocked. Also in /etc/csf/csf.conf, set LF_ALERT_FROM to the from address that your alerts will come from, for example [email protected]. After you set those settings you will get email alerts on who is getting blocked and for what reasons. You may get a ton of email from this until you tweak a lot of settings in CSF.

Thanks scsi. I have my IPs whitelisted. The problem was it would block all connections to the VPS, and I say "was" as I have not seen "kernel: ip_tables: (C) 2000-2006 Netfilter Core Team" show in the logs for over 24 hours now, and my monitoring has not shown the VPS offline for this time as well. I have made no changes, so I have messaged the server provider to try and find out if they made any changes, as it would be good to know what was causing this. They initially said that they had checked the VPS and there were no problems on their side when I first created the ticket with them, but it looks to be running OK at the moment.

Hi, I am still having issues with this. I can recreate the issue by running /etc/init.d/iptables restart, and access to the VPS is lost. If I run csf -r, access to the VPS is OK, so when the BFM runs the blockip script and then restarts iptables the problem occurs. Why does a reload of iptables cause this issue? By restarting CSF, doesn't it reload iptables? Any suggestions on what I need to check or change to correct this issue? Thanks for any help that can be provided.

i can recreate the issue by running /etc/init.d/iptables restart
This means that there's a setting in the default iptables which is blocking you. If you're going to run CSF/LFD or something similar, I recommend emptying the default.

Depending on your OS, it may be a line in /etc/sysconfig/iptables.

Jeff

I wonder if this happened to me too. I am pretty sure that I'd deleted the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables once I changed /etc/init.d/iptables to the DA script.

I was unable to ping the IP or anything, and since I wanted to see if I could pull it off, I just used SolusVM to reinstall the OS. :-)

Little did I know, it required me to use the VNC connection to do the OS install. If I'd have known I probably would have used the VNC to check the KVM first. I am still curious as to what happened.

Before the IP went dead to me I'd instituted a blackout for all but my home IP on the SSH port with an /etc/init.d/iptables script. Worked as expected. Wonder if my provider or ?? had anything to do with the IP, actually 2 IPv4 addresses, being dead.

If these VMs have any sort of self-healing stuff to them and would decide I need a new iptables or reinstate iptables.old, I'd be sort of miffed.

Thanks Jeff. So when CSF reloads, which iptables does it use? As a temp fix to stop the blocking I have edited the block_ip and other scripts etc. not to use /etc/init.d/iptables restart but to use csf -r, which is working at present. Below is /etc/sysconfig/iptables:

Darren

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
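Jeff's point about the default ruleset, as an added example that is not from the thread: a POSIX shell script that reads an iptables-save style file such as the /etc/sysconfig/iptables posted above (a constructed copy is embedded inline) and reports whether reloading it over CSF's rules would leave only a few ports open. The posted ruleset accepts new connections on TCP 22 only and then hits an unconditional REJECT, so every other service goes dark when /etc/init.d/iptables restart replaces what CSF had loaded.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save style ruleset such as
# /etc/sysconfig/iptables for what stays reachable if it is reloaded over CSF's rules.

# Constructed sample mirroring the ruleset posted above. Functions read stdin.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Default policy of the INPUT chain, from the ":INPUT <policy> [..]" header.
input_policy() { awk '$1 == ":INPUT" { print $2 }'; }

# Succeeds when INPUT has a rule with no match options that jumps to REJECT/DROP.
has_catchall_reject() {
  awk '$1 == "-A" && $2 == "INPUT" && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { found = 1 }
       END { exit !found }'
}

# Destination ports ACCEPTed on INPUT before the first catch-all REJECT/DROP.
open_dports() {
  awk '$1 == "-A" && $2 == "INPUT" {
         if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) exit
         if ($0 ~ /-j ACCEPT/)
           for (i = 1; i <= NF; i++)
             if ($i == "--dport") { ports = ports sep $(i + 1); sep = " " }
       }
       END { print ports }'
}

# One-line verdict: does loading this file lock out everything but a few ports?
audit_ruleset() {
  rules=$(cat)
  ports=$(printf '%s\n' "$rules" | open_dports)
  if printf '%s\n' "$rules" | has_catchall_reject ||
     [ "$(printf '%s\n' "$rules" | input_policy)" = "DROP" ]; then
    echo "LOCKOUT RISK: only dports [${ports:-none}] stay open on INPUT"
  else
    echo "OK: INPUT accepts by default and has no catch-all rule"
  fi
}

printf '%s\n' "$SAMPLE_RULES" | audit_ruleset
```

To check the live file instead of the sample, pipe it in: `audit_ruleset < /etc/sysconfig/iptables`.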