ConfigServer Security & Firewall: executing csfpost.sh at boot time [SOLVED]

Aspegic (Verified User, joined Aug 4, 2005, 268 messages)
I am setting up a new Centos 7 server to replace an old Centos 6 server.

I have installed DirectAdmin on the Centos 7 server. Everything works great.
I need this server to also act as a NAT server, so I created a csfpost.sh file with the following content:
Code:
#!/bin/bash
# Enable IPv4 forwarding for this boot
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow replies to established connections to be forwarded back
/usr/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Masquerade everything leaving via the WAN interface (ens2)
/usr/sbin/iptables -t nat -A POSTROUTING -o ens2 -j MASQUERADE
# Forward anything arriving on the LAN interface (eno1)
/usr/sbin/iptables --append FORWARD --in-interface eno1 -j ACCEPT
I made the script executable and put it in the folder /etc/csf.
This script runs fine and does exactly what it needs to do.

The problem is that it does not execute at startup. When I reboot the server, this script is not executed. I first have to log in to DirectAdmin and choose "Firewall Restart". Then the script is executed and it works.

I would assume that CSF is started automatically at boot time, and that it would execute csfpost.sh automatically, as is stated in the documentation. But it seems not.

I have searched a lot and tried several different solutions, but none have worked so far.
I tried adding csf -r to rc.local. That did not work.
I tried adding csfpost.sh itself to rc.local. That did not work either.
I do not know why it is not working....

Is there someone who can tell me what I need to do?
Thanks!

Richard G (Verified User, joined Jul 6, 2008, 5,035 messages, location Maastricht)
Well, in fact this is a CSF issue; it might be fixed if you presented the issue over there.

Did you already try to create a cron job to restart csf at boot time?
@reboot /path/to/shell.script
@reboot /path/to/command arg1 arg2

So maybe like:
@reboot /usr/sbin/csf -r

Aspegic (Verified User, joined Aug 4, 2005, 268 messages)
Hello Richard, thanks for your input!

Yes, I tried both: @reboot /usr/sbin/csf -ra
and also: @reboot /etc/csf/csfpost.sh

Unfortunately it gives the same result as with rc.local: neither works.

Aspegic (Verified User, joined Aug 4, 2005, 268 messages)
The problem turned out to be a permission issue.

I had put csfpost.sh in /etc/csf.
According to the documentation, it needs to be there for csf to execute it.
I had chmod 755 csfpost.sh and made it executable.

The problem however was caused by the permissions of the /etc/csf folder itself.
It allows access only for root.
So, I chmod 755 /etc/csf ... ammmm NOPE!
As soon as you do that, csf itself reverts the permissions of the folder back to root only. I am guessing some kind of security measure.

So, to solve it, I have to run the script at boot time as root.
Unfortunately that rules out the cronjob interface in DirectAdmin, because it does not let the cronjobs execute as root (at least I do not know how).

So I logged in as root and started crontab -e
there I added the line to execute the script
and now it works.

Richard G (Verified User, joined Jul 6, 2008, 5,035 messages, location Maastricht)
Quoting Aspegic: "So, to solve it, I have to run the script at boot time as root."

Yes, of course you have to start this as root.
The rc.local is also executed as root, so I presumed you knew that and that the @reboot cronjob would work.

Did you try the cronjob via the DA panel then, because it didn't work before?

Aspegic (Verified User, joined Aug 4, 2005, 268 messages)
Haha yes, after I finished writing that last message, I realized that rc.local is also executed as root. So it should have worked the first time. But it didn't!
I have no explanation for that yet.
Maybe rc.local is executed before csf starts and maybe csf clears the iptable rules during startup, undoing the things I do in the script. I do not know if that is what's happening, but that could be an explanation...

However, I want to know the answer to this, so I will continue to investigate and when I know the solution I will write it here, for posterity ;)
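An added example, not the poster's script, for the two things this thread turned up: /etc/csf is root-only, so the hook must run as root, and csf re-runs csfpost.sh on every "Firewall Restart", so a plain "-A" stacks duplicate rules each time. It assumes the same interfaces as the original script (ens2 WAN, eno1 LAN) and keeps the original rule set, only adding a check-before-append and a root check.

```shell
#!/bin/bash
# Idempotent /etc/csf/csfpost.sh for the NAT setup discussed in the thread.
# Assumptions: WAN interface ens2, LAN interface eno1 (override via env).
set -u

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
WAN_IF="${WAN_IF:-ens2}"
LAN_IF="${LAN_IF:-eno1}"

# csf runs this hook after loading its own rules, on every restart, so
# append a rule only if "-C" reports it missing; otherwise leave it alone.
# Usage: ensure_rule <table> <chain> <rule...>
ensure_rule() {
    local table="$1" chain="$2"
    shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0        # already present: nothing to do
    fi
    "$IPTABLES" -t "$table" -A "$chain" "$@"
}

# /etc/csf is root-only and iptables needs root anyway: refuse otherwise.
require_root() {
    [ "$(id -u)" -eq 0 ]
}

apply_nat_rules() {
    require_root || { echo "csfpost.sh: must run as root" >&2; return 1; }
    sysctl -q -w net.ipv4.ip_forward=1
    ensure_rule filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ensure_rule nat POSTROUTING -o "$WAN_IF" -j MASQUERADE
    ensure_rule filter FORWARD -i "$LAN_IF" -j ACCEPT
    logger -t csfpost "NAT rules ensured for $LAN_IF -> $WAN_IF"
}

# Apply only when executed by csf under its real name; sourcing the file
# under another name (for example to test ensure_rule) just defines functions.
if [ "$(basename -- "$0")" = "csfpost.sh" ]; then
    apply_nat_rules
fi
```

Because the hook is idempotent, running it from a root @reboot cron job as well is harmless if csf has already applied it.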