Error while starting iptables

doratown

I installed iptables on my CentOS server using this guide: http://help.directadmin.com/item.php?id=380

And when I run /etc/init.d/iptables restart or /etc/init.d/iptables start

it shows the error below:

[root@alpha init.d]# /etc/init.d/iptables start
Starting Firewall:
[ OK ]
FATAL: Could not load /lib/modules/2.6.18-274.7.1.el5.028stab095.1/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.18-274.7.1.el5.028stab095.1/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.18-274.7.1.el5.028stab095.1/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.18-274.7.1.el5.028stab095.1/modules.dep: No such file or directory
/etc/init.d/iptables: line 79: /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts: Operation not permitted
/etc/init.d/iptables: line 91: /proc/sys/net/ipv4/tcp_timestamps: Operation not permitted
/etc/init.d/iptables: line 100: /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses: Operation not permitted
/etc/init.d/iptables: line 103: /proc/sys/net/ipv4/ip_dynaddr: Operation not permitted
/etc/init.d/iptables: line 110: /proc/sys/net/ipv4/ip_local_port_range: Operation not permitted
/etc/init.d/iptables: line 113: /proc/sys/net/ipv4/tcp_fin_timeout: Operation not permitted
/etc/init.d/iptables: line 114: /proc/sys/net/ipv4/tcp_keepalive_time: Operation not permitted
/etc/init.d/iptables: line 115: /proc/sys/net/ipv4/tcp_window_scaling: Operation not permitted
/etc/init.d/iptables: line 116: /proc/sys/net/ipv4/tcp_sack: Operation not permitted
/etc/init.d/iptables: line 117: /proc/sys/net/ipv4/tcp_max_syn_backlog: Operation not permitted

This may also be why, even though it says the brute-force attacker's IP is blocked, the same IP is still attacking my server.
 
And did iptables start? What do you see with

Code:
iptables-save
?

I think it started, because I use another port for my SSH, and yesterday when I reinstalled iptables it accidentally blocked my access (I have recovered it now).

This is what I see with iptables-save:

# Generated by iptables-save v1.3.5 on Thu Aug 9 22:23:54 2012
*mangle
:PREROUTING ACCEPT [467791:64374055]
:INPUT ACCEPT [467791:64374055]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [500826:293012590]
:POSTROUTING ACCEPT [500826:293012590]
COMMIT
# Completed on Thu Aug 9 22:23:54 2012
# Generated by iptables-save v1.3.5 on Thu Aug 9 22:23:54 2012
*filter
:INPUT ACCEPT [13033:1463290]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [13225:6286724]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 178.239.58.41 -j DROP
-A INPUT -s 202.101.113.24 -j DROP
-A INPUT -s 117.135.160.172 -j DROP
-A INPUT -s 188.187.247.19 -j DROP
-A INPUT -s 69.50.194.41 -j DROP
-A INPUT -s 95.59.141.226 -j DROP
-A INPUT -s 46.21.149.252 -j DROP
-A INPUT -s 66.85.139.139 -j DROP
-A INPUT -s 173.15.197.46 -j DROP
-A INPUT -s 174.140.165.103 -j DROP
-A INPUT -s 50.79.122.51 -j DROP
-A INPUT -s 112.221.237.28 -j DROP
-A INPUT -s 50.115.171.147 -j DROP
-A INPUT -s 190.0.36.194 -j DROP
-A INPUT -s 58.177.188.246 -j DROP
-A INPUT -s 218.202.130.216 -j DROP
-A INPUT -s 59.175.231.210 -j DROP
-A INPUT -s 49.238.40.243 -j DROP
-A INPUT -s 184.107.165.218 -j DROP
-A INPUT -s 85.114.137.178 -j DROP
-A INPUT -s 211.233.38.131 -j DROP
-A INPUT -s 108.174.52.194 -j DROP
-A INPUT -s 78.108.197.62 -j DROP
-A INPUT -s 89.209.13.194 -j DROP
-A INPUT -s 111.207.237.142 -j DROP
-A INPUT -s 149.154.67.115 -j DROP
-A INPUT -s 200.183.152.133 -j DROP
-A INPUT -s 219.138.126.205 -j DROP
-A INPUT -s 88.190.231.205 -j DROP
-A INPUT -s 50.115.118.251 -j DROP
-A INPUT -s 173.10.11.146 -j DROP
-A INPUT -s 120.86.115.119 -j DROP
-A INPUT -s 195.2.195.9 -j DROP
-A INPUT -s 120.203.214.98 -j DROP
-A INPUT -s 91.213.169.8 -j DROP
-A INPUT -s 208.115.237.141 -j DROP
-A INPUT -s 95.154.88.146 -j DROP
-A INPUT -s 174.129.149.158 -j DROP
-A INPUT -s 218.78.187.14 -j DROP
-A INPUT -s 60.9.130.251 -j DROP
-A INPUT -s 49.212.155.197 -j DROP
-A INPUT -s 213.0.180.23 -j DROP
-A INPUT -s 195.198.236.88 -j DROP
-A INPUT -s 218.94.114.151 -j DROP
-A INPUT -s 211.137.2.66 -j DROP
-A INPUT -s 222.186.50.253 -j DROP
-A INPUT -s 50.75.53.140 -j DROP
-A INPUT -s 60.182.68.16 -j DROP
-A INPUT -s 78.187.14.134 -j DROP
-A INPUT -s 87.235.88.252 -j DROP
-A INPUT -s 49.89.42.56 -j DROP
-A INPUT -s 112.20.56.18 -j DROP
-A INPUT -s 46.42.232.106 -j DROP
-A INPUT -s 223.65.215.254 -j DROP
-A INPUT -s 112.24.160.65 -j DROP
-A INPUT -s 159.226.16.67 -j DROP
-A INPUT -s 223.65.215.203 -j DROP
-A INPUT -s 61.4.83.242 -j DROP
-A INPUT -s 62.134.46.66 -j DROP
-A INPUT -s 223.68.233.3 -j DROP
-A INPUT -s 69.162.124.133 -j DROP
-A INPUT -s 118.116.162.59 -j DROP
-A INPUT -s 5.9.32.178 -j DROP
-A INPUT -s 50.75.156.129 -j DROP
-A INPUT -s 223.68.233.196 -j DROP
-A INPUT -s 223.68.233.243 -j DROP
-A INPUT -s 97.89.193.190 -j DROP
-A INPUT -s 223.68.232.164 -j DROP
-A INPUT -s 31.210.84.99 -j DROP
-A INPUT -s 113.240.64.34 -j DROP
-A INPUT -s 201.239.238.32 -j DROP
-A INPUT -s 223.65.214.3 -j DROP
-A INPUT -s 222.247.123.93 -j DROP
-A INPUT -s 223.68.233.98 -j DROP
-A INPUT -s 111.77.230.38 -j DROP
-A INPUT -s 223.68.233.187 -j DROP
-A INPUT -s 194.50.116.211 -j DROP
-A INPUT -s 223.68.232.82 -j DROP
-A INPUT -s 95.0.52.20 -j DROP
-A INPUT -s 178.208.75.188 -j DROP
-A INPUT -s 120.97.248.1 -j DROP
-A INPUT -s 91.207.220.21 -j DROP
-A INPUT -s 116.255.247.144 -j DROP
-A INPUT -s 95.128.240.238 -j DROP
-A INPUT -s 83.36.60.23 -j DROP
-A INPUT -s 75.146.123.145 -j DROP
-A INPUT -s 95.82.77.6 -j DROP
-A INPUT -s 5.9.13.208 -j DROP
-A INPUT -s 5.9.48.179 -j DROP
-A INPUT -s 24.123.96.114 -j DROP
-A INPUT -s 60.18.150.100 -j DROP
-A INPUT -s 60.18.150.101 -j DROP
-A INPUT -s 60.18.150.102 -j DROP
-A INPUT -s 60.18.150.105 -j DROP
-A INPUT -s 60.18.150.109 -j DROP
-A INPUT -s 60.18.150.98 -j DROP
-A INPUT -s 60.18.150.99 -j DROP
-A INPUT -s 218.17.149.237 -j DROP
-A INPUT -p icmp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p udp -m udp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1433 -m limit --limit 3/hour -j LOG --log-prefix "Firewalled packet: MSSQL "
-A INPUT -p tcp -m tcp --dport 1433 -j DROP
-A INPUT -p tcp -m tcp --dport 6670 -m limit --limit 3/hour -j LOG --log-prefix "Firewalled packet: Deepthrt "
-A INPUT -p tcp -m tcp --dport 6670 -j DROP
-A INPUT -p tcp -m tcp --dport 6711 -m limit --limit 3/hour -j LOG --log-prefix "Firewalled packet: Sub7 "
-A INPUT -p tcp -m tcp --dport 6711 -j DROP
-A INPUT -p tcp -m tcp --dport 6712 -m limit --limit 3/hour -j LOG --log-prefix "Firewalled packet: Sub7 "
-A INPUT -p tcp -m tcp --dport 6712 -j DROP
-A INPUT -p tcp -m tcp --dport 6713 -m limit --limit 3/hour -j LOG --log-prefix "Firewalled packet: Sub7 "
-A INPUT -p tcp -m tcp --dport 6713 -j DROP
-A INPUT -p tcp -m tcp --dport 12345 -m limit --limit 3/hour -j LOG --log-prefix "Firewalled packet: Netbus "
-A INPUT -p tcp -m tcp --dport 12345 -j DROP
-A INPUT -p tcp -m tcp --dport 12346 -m limit --limit 3/hour -j LOG --log-prefix "Firewalled packet: Netbus "
-A INPUT -p tcp -m tcp --dport 12346 -j DROP
-A INPUT -p tcp -m tcp --dport 20034 -m limit --limit 3/hour -j LOG --log-prefix "Firewalled packet: Netbus "
-A INPUT -p tcp -m tcp --dport 20034 -j DROP
-A INPUT -p tcp -m tcp --dport 31337 -m limit --limit 3/hour -j LOG --log-prefix "Firewalled packet: BO "
-A INPUT -p tcp -m tcp --dport 31337 -j DROP
-A INPUT -p tcp -m tcp --dport 6000 -m limit --limit 3/hour -j LOG --log-prefix "Firewalled packet: XWin "
-A INPUT -p tcp -m tcp --dport 6000 -j DROP
-A INPUT -p udp -m udp --dport 33434:33523 -j DROP
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p igmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 5/min -j LOG --log-prefix "Firewalled packet:"
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 5/min -j LOG --log-prefix "Firewalled packet:"
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -j DROP
-A OUTPUT -p tcp -m tcp --dport 6660:6669 -j DROP
-A OUTPUT -p tcp -m tcp --dport 7000 -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Thu Aug 9 22:23:54 2012
# Generated by iptables-save v1.3.5 on Thu Aug 9 22:23:54 2012
*nat
:PREROUTING ACCEPT [68934:4125984]
:POSTROUTING ACCEPT [2031:111830]
:OUTPUT ACCEPT [1012:71070]
COMMIT
 
You cannot load kernel modules within an OpenVZ container, so it's OK to see those warnings. And it seems you're not allowed to change those settings (/proc/sys/net/ipv4/), so it's OK to see those warnings too. And since iptables starts OK, you might want either to comment out those lines in the iptables script, or ignore those messages.
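
One way to act on the advice above without deleting lines from the init script, shown as an added example (it is not part of the thread or of the script from the DirectAdmin guide): wrap each /proc write and module load so a refusal is recorded once instead of printed as an error. The function names, the SYSCTL_DIR and MODULES_DIR overrides and the setting values in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: tolerate refused /proc writes and a missing modules.dep.
# SYSCTL_DIR and MODULES_DIR can be overridden to exercise the functions
# against a constructed directory instead of the live system.
SYSCTL_DIR="${SYSCTL_DIR:-/proc/sys/net/ipv4}"
MODULES_DIR="${MODULES_DIR:-/lib/modules/$(uname -r)}"
SKIPPED=""

# Write one setting. Root can pass a plain [ -w ] test even when the kernel
# refuses the write, so attempt the write and check its exit status instead.
set_sysctl() {
    key=$1
    value=$2
    if { printf '%s\n' "$value" > "$SYSCTL_DIR/$key"; } 2>/dev/null; then
        return 0
    fi
    SKIPPED="$SKIPPED $key"
    return 1
}

# Call modprobe only when the module index exists; the FATAL lines in the
# post are about this file being absent for the running kernel version.
load_module() {
    [ -f "$MODULES_DIR/modules.dep" ] || { SKIPPED="$SKIPPED module:$1"; return 1; }
    modprobe "$1"
}

# Apply key=value pairs; refused writes end up in one summary line so the
# admin still sees which settings are NOT in effect on this machine.
apply_settings() {
    SKIPPED=""
    for pair in "$@"; do
        set_sysctl "${pair%%=*}" "${pair#*=}" || :
    done
    [ -z "$SKIPPED" ] || echo "not applied in this environment:$SKIPPED" >&2
    return 0
}

# Usage (values are assumptions, run only when asked to):
#   sh this-script --apply
if [ "${1:-}" = "--apply" ]; then
    apply_settings icmp_echo_ignore_broadcasts=1 icmp_ignore_bogus_error_responses=1
fi
```

The summary line matters more than the silence: settings listed there are not in effect inside the container, so the firewall rules are the only part of the script that is actually protecting it.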
 