Error with CSF Centos 8.1 installation

ednei13 (New member, joined Apr 5, 2020, 4 messages)
I installed CSF on DA, and the lfd service is always Stopped; when I try to start it, it displays the error message:
"An error has occurred/usr/bin/systemctl start lfd.service 2>&1".

When I enter "custombuild" I am getting this error:
"*Error* The path to iptables is either not set or incorrect for IPTABLES [/sbin/ip6tables] in /etc/csf/csf.conf at /usr/local/csf/lib/ConfigServer/URLGet.pm line 26. Compilation failed in require at /sbin/csf line 21. BEGIN failed--compilation aborted at /sbin/csf line 21."

I have already reinstalled the DA several times but the error persists.
 
As I didn't try Centos 8 myself, I can't tell exactly, but it seems like it doesn't come with iptables. It is replaced by nftables. CSF works with iptables (nftables also?). I'm rather curious about all this stuff, I just need more time for checking.
 
but seems like it doesn't come with iptables. It is replaced by nftables.
Hmmz, I've read that indeed, but I just installed a fresh Centos 8.1.1911 VPS last week which had iptables installed via the image by default and nftables isn't present. So it might differ from the image provided by the hoster/datacenter.

@ednei13 Check if iptables is installed, run this on command line:
Code:
iptables -L
ip6tables -L
If you get an error it probably indeed is not installed. If I'm correct, nftables is not supported yet by CSF/LFD.
In that case I would suggest to remove nftables (if present) and install iptables.
Might be something like this:
Code:
systemctl stop firewalld 
systemctl disable firewalld
yum remove nftables
yum install iptables   # the iptables package also provides the ip6tables binary

Restart csf and check if it works now.
 
If you get an error it probably indeed is not installed. If I'm correct, nftables is not supported yet by CSF/LFD.
Well, nftables didn't appear like yesterday and I see no movement for CSF towards nftables yet.

In that case I would suggest to remove nftables (if present) and install iptables.
The question now: to throw away a piece of progress - nftables (not everyone sees much of improvement over iptables there, but let's consider this just a natural evolution) or throw away a piece of comfort - CSF? Or to throw away Centos 8?😄
 
Well, nftables didn't appear like yesterday and I see no movement for CSF towards nftables yet.
Since Centos 8 is the first RH based OS having this implemented by default (is that the case, because mine wasn't?) I'm sure there will be some movement in the near future, at least I expect it.

Combined with not only the comfort of CSF but the proven security it already provided in the past and the nice CSF/BFM combo which Zeiter made, keeping CSF with iptables for a little while longer is not only a question of throwing away a piece of comfort. Nftables can't beat this at the moment for sure, because next to this it also needs a new learning curve since the CSF script is not updated yet.

No, don't throw away Centos 8, you can't compare OS progress with a smaller firewall progress. Changing to nftables is more like already implementing 7.4 while not all your scripts are 7.4 compatible and having to build completely new scripts instead of waiting for an update. ;)

Next to that, in this case the "no progress" for some time, does no harm at all, in spite of the fact that nftables is better performance wise for example.
For people who only use iptables lines as firewall, yes, they can better change to nftables; they have no benefit in waiting.

However, this is a bit of an off-topic discussion, I was merely giving the solution to get CSF/LFD working again.
 
Since Centos 8 is the first RH based OS having this implemented by default (is that the case, because mine wasn't?) I'm sure there will be some movement in the near future, at least I expect it.

nftables is around for a few years now officially, but not as default option, that's right.

No, don't throw away Centos 8, you can't compare OS progress with a smaller firewall progress. Changing to nftables is more like already implementing 7.4 while not all your scripts are 7.4 compatible and having to build completely new scripts instead of waiting for an update. ;)

Well yes, but the idea of getting better equipment (is Centos 8 somehow much better for an average user?) and cutting parts of it doesn't look like a good idea. Taking into account that this version of the OS was designed to work with, and has a kernel level implementation of, nftables.

Next to that, in this case the "no progress" for some time, does no harm at all, in spite of the fact that nftables is better performance wise for example.
For people who only use iptables lines as firewall, yes, they can better change to nftables; they have no benefit in waiting.

You have three yes :)


P. S.
However, this is a bit of an off-topic discussion, I was merely giving the solution to get CSF/LFD working again.
No, it is important information, because no one actually talks about it and clarification is needed.
 
Well yes, but the the idea of getting a better equipment (is Centos 8 somehow much better for an average user?)
No, I don't agree. It's not that nftables is that much better in safety, it's different and can take up less resources and a bit more speed. That way it's better, but as to functionality for an average user, it's more difficult because they have to learn nftables while most of them don't even know iptables, including a bunch of admins, and I'm sure of that.
So it's better for expert users; for average users (and lots of admins) it's better to stay with safe and functional shells like CSF or BFD for iptables.
As far as I know also Centos 7 had that kernel, but I might be mistaken.

No, it is important information, because no one actually talks about it and clarification is needed.
Okay, you got a point there. Because it is present for some years, but still not default. I don't think many people will change to nftables without it being used more by others and talked about more, so that also shells like CSF and BFD will create a version for it.
Otherwise it will take some more years, which would be a pity because nftables is more efficient.
 
No, I don't agree. It's not that nftables is that much better in safety, it's different and can take up less resources and a bit more speed. That way it's better, but as to functionality for an average user, it's more difficult because they have to learn nftables while most of them don't even know iptables, including a bunch of admins, and I'm sure of that.

I was talking about basic OS functionality, not nftables. I mean it doesn't sound good to take away nftables from Centos 8, which should be an advantage, but not as big as you've pointed out already. There are iptables vs nftables benchmarks and there are only a few scenarios where nftables does better. But overall, it presents a new, more efficient way to deal with traffic filtering.

As far as I know also Centos 7 had that kernel, but I might be mistaken.
It was kernel 3 vs kernel 4 in Centos 8.

Okay, you got a point there. Because it is present for some years, but still not default. I don't think many people will change to nftables without it being used more by others and talked about more, so that also shells like CSF and BFD will create a version for it.
Otherwise it will take some more years, which would be a pity because nftables is more efficient.

Well, I'm also surprised that nftables is almost literally left aside. It received a lot of criticism earlier, but yet most Linux distros are moving towards this system. Not as drastically as Centos. And drastic is not completely the correct word in this case, Centos just has its own path of development, with all the good and the bad.
 
It was kernel 3 vs kernel 4 in Centos 8.
Nftables is from kernel 3.13 and higher. So indeed it's Centos 8 as the Centos 7 servers still are using kernel 3.10.

I think we agree on the most part.
I'm as surprised as you that nftables is almost literally left aside. I didn't even know about it until your reply. Now I don't know about a lot of things, but also on searching, I read 1 post on the configserver asking about it. No reply.
Also I read openwrt is not supporting it. I think it needs more request from the side of the users/customers so it will gain popularity.
 
It was from 2018 so if you are n8v8r then yes. :)

Let's see if we can stumble it up a bit over there.
 
Okay, I searched for nftables+configserver and that was the first page in the result, did not see another one.
Anyway, it's upped, you can participate if you want. :)
 
Code:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl mask --now firewalld

sudo yum install iptables-services

sudo systemctl start iptables
sudo systemctl start ip6tables

sudo systemctl enable iptables
sudo systemctl enable ip6tables

sudo systemctl start csf

you're done.
 
Code:
sudo systemctl start iptables
sudo systemctl start ip6tables

sudo systemctl enable iptables
sudo systemctl enable ip6tables
Do not do these last ones. They should not start automatically. CSF will do that for you.
On automatic start, it could be that default iptables configs are run, you don't want that as this can already block things.

So only disable firewalld (stop and remove nftables if present) and install iptables if not present yet. Normally present by default.
 
Code:
sudo systemctl start iptables
sudo systemctl start ip6tables

sudo systemctl enable iptables
sudo systemctl enable ip6tables
Do not do these last ones. They should not start automatically. CSF will do that for you.
On automatic start, it could be that default iptables configs are run, you don't want that as this can already block things.

So only disable firewalld (stop and remove nftables if present) and install iptables if not present yet. Normally present by default.

Thanks for the clarification. I was not aware of that. In my case iptables wasn't installed by default in DO droplet.
 
Hi all,

Trying to get DirectAdmin to run on CentOS 8.2 along with CSF/LFD.
However I am not able to get it working properly... No clue what is wrong here. I tried various solutions from above.

This is what I did:
  • disabled/removed nftables (tried both)
  • disabled/removed firewalld (tried both)
  • installed iptables
However it will not start iptables or ip6tables. I get the following message when I check the status:

Redirecting to /bin/systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2020-11-26 13:14:56 CET; 2min 31s ago
Main PID: 2133 (code=exited, status=1/FAILURE)

Nov 26 13:14:56 dns01.servername.net systemd[1]: Starting IPv4 firewall with iptables...
Nov 26 13:14:56 dns01.servername.net iptables.init[2133]: iptables: Applying firewall rules: iptables-restore v1.8.4 (nf_tables):
Nov 26 13:14:56 dns01.servername.net iptables.init[2133]: line 5: CHAIN_UPDATE failed (No such file or directory): chain INPUT
Nov 26 13:14:56 dns01.servername.net iptables.init[2133]: line 6: CHAIN_UPDATE failed (No such file or directory): chain FORWARD
Nov 26 13:14:56 dns01.servername.net iptables.init[2133]: line 7: CHAIN_UPDATE failed (No such file or directory): chain OUTPUT
Nov 26 13:14:56 dns01.servername.net iptables.init[2133]: [FAILED]
Nov 26 13:14:56 dns01.servername.net systemd[1]: iptables.service: Main process exited, code=exited, status=1/FAILURE
Nov 26 13:14:56 dns01.servername.net systemd[1]: iptables.service: Failed with result 'exit-code'.
Nov 26 13:14:56 dns01.servername.net systemd[1]: Failed to start IPv4 firewall with iptables.


Redirecting to /bin/systemctl status ip6tables.service
● ip6tables.service - IPv6 firewall with ip6tables
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2020-11-26 13:14:56 CET; 3min 16s ago
Main PID: 2140 (code=exited, status=1/FAILURE)

Nov 26 13:02:50 dns01.servername.net systemd[1]: Failed to start IPv6 firewall with ip6tables.
Nov 26 13:14:56 dns01.servername.net systemd[1]: Starting IPv6 firewall with ip6tables...
Nov 26 13:14:56 dns01.servername.net ip6tables.init[2140]: ip6tables: Applying firewall rules: ip6tables-restore v1.8.4 (nf_tables):
Nov 26 13:14:56 dns01.servername.net ip6tables.init[2140]: line 5: CHAIN_UPDATE failed (No such file or directory): chain INPUT
Nov 26 13:14:56 dns01.servername.net ip6tables.init[2140]: line 6: CHAIN_UPDATE failed (No such file or directory): chain FORWARD
Nov 26 13:14:56 dns01.servername.net ip6tables.init[2140]: line 7: CHAIN_UPDATE failed (No such file or directory): chain OUTPUT
Nov 26 13:14:56 dns01.servername.net ip6tables.init[2140]: [FAILED]
Nov 26 13:14:56 dns01.servername.net systemd[1]: ip6tables.service: Main process exited, code=exited, status=1/FAILURE
Nov 26 13:14:56 dns01.servername.net systemd[1]: ip6tables.service: Failed with result 'exit-code'.
Nov 26 13:14:56 dns01.servername.net systemd[1]: Failed to start IPv6 firewall with ip6tables.

Maybe someone has an idea? Probably it's something simple (or I hope so), but I cannot get it to work.


I also tried to use:
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

But also no luck whatsoever... Sigh.
 
Okay a small follow-up (didn't want to make a mess of my previous post).

I tried a clean install of CentOS 8.2 without DirectAdmin or anything (for testing obviously).
After the setup was done I entered the following commands:

sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl mask --now firewalld

sudo systemctl stop nftables
sudo systemctl disable nftables
sudo systemctl mask --now nftables

yum remove -y firewalld
yum remove -y nftables

#sudo yum install -y iptables-services (was not needed, already installed)

sudo systemctl start iptables
sudo systemctl start ip6tables

sudo systemctl enable iptables
sudo systemctl enable ip6tables

I made some progress! With the above iptables is working, however ip6tables is not working.
See the log below:

Redirecting to /bin/systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Thu 2020-11-26 14:28:24 CET; 1min 21s ago
Main PID: 1613 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 3200)
Memory: 0B
CGroup: /system.slice/iptables.service

Nov 26 14:28:24 dns01.testserver.net systemd[1]: Starting IPv4 firewall with iptables...
Nov 26 14:28:24 dns01.testserver.net iptables.init[1613]: iptables: Applying firewall rules: [ OK ]
Nov 26 14:28:24 dns01.testserver.net systemd[1]: Started IPv4 firewall with iptables.


Redirecting to /bin/systemctl status ip6tables.service
● ip6tables.service - IPv6 firewall with ip6tables
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2020-11-26 14:28:49 CET; 2min 19s ago
Main PID: 1623 (code=exited, status=1/FAILURE)

Nov 26 14:28:49 dns01.testserver.net systemd[1]: Starting IPv6 firewall with ip6tables...
Nov 26 14:28:49 dns01.testserver.net ip6tables.init[1623]: ip6tables: Applying firewall rules: ip6tables-restore v1.8.4 (nf_tables):
Nov 26 14:28:49 dns01.testserver.net ip6tables.init[1623]: line 5: CHAIN_UPDATE failed (No such file or directory): chain INPUT
Nov 26 14:28:49 dns01.testserver.net ip6tables.init[1623]: line 6: CHAIN_UPDATE failed (No such file or directory): chain FORWARD
Nov 26 14:28:49 dns01.testserver.net ip6tables.init[1623]: line 7: CHAIN_UPDATE failed (No such file or directory): chain OUTPUT
Nov 26 14:28:49 dns01.testserver.net ip6tables.init[1623]: [FAILED]
Nov 26 14:28:49 dns01.testserver.net systemd[1]: ip6tables.service: Main process exited, code=exited, status=1/FAILURE
Nov 26 14:28:49 dns01.testserver.net systemd[1]: ip6tables.service: Failed with result 'exit-code'.
Nov 26 14:28:49 dns01.testserver.net systemd[1]: Failed to start IPv6 firewall with ip6tables.

Will experiment a bit more. Maybe removing and reinstalling iptables in the end will help.
 
Again. Iptables and ip6tables should not be running via the system, they should only be installed.
So checking as you do does not make any sense when using CSF.

So again. Do what I said in post #15 and stop those iptables.
Code:
sudo systemctl stop iptables
sudo systemctl stop ip6tables

sudo systemctl disable iptables
sudo systemctl disable ip6tables
You don't need those, and they can only mess up the system if by accident in one of the files, some access is blocked.

Now start CSF firewall, if you want to check if iptables is working, then do not check systemctl as CSF is starting iptables lines (not the service) for you. You don't need the services as the OS is not running iptables for you, but CSF is.

So check like this:
Code:
iptables -L
You will see all kind of iptables lines if all is correct.

You should also check if ipv6 support is enabled in CSF.
So if you want to check, use the similar command:
Code:
ip6tables -L
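A small diagnostic covering the checklist Richard gives above (iptables paths from csf.conf, firewalld/nftables stopped, the iptables/ip6tables units left disabled) and labelling the two iptables-restore failures quoted in this thread. This is an added example, not code from the thread, CSF or DirectAdmin; the csf.conf key names and systemd unit names come from the posts, the helper names and the sample conf fragment are constructed.

```shell
#!/bin/sh
# Added diagnostic for the checklist in this thread; not part of CSF, DirectAdmin or
# the original posts. Assumed: csf.conf keys IPTABLES/IP6TABLES (as quoted in the
# first post's error) and the systemd unit names used in the thread.
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# conf_value KEY FILE: print the value of a KEY = "..." line from a csf.conf-style file.
conf_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# backend_of VERSION_LINE: classify `iptables -V` output. iptables 1.8 prints the
# backend in parentheses; anything older only has the legacy backend.
backend_of() {
    case "$1" in
        "") echo unknown ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *) echo legacy ;;
    esac
}

# restore_diagnosis TEXT: label the two iptables-restore failures quoted in the thread.
restore_diagnosis() {
    case "$1" in
        *"CHAIN_UPDATE failed"*) echo builtin-chains-missing ;;
        *"iptables-restore: line "*" failed"*) echo restore-line-failed ;;
        *) echo ok ;;
    esac
}

# forbid_state WHAT ACTUAL BAD: PASS unless ACTUAL equals the unwanted state BAD.
forbid_state() {
    if [ "$2" = "$3" ]; then printf 'FAIL %s is %s\n' "$1" "$2"; return 1; fi
    printf 'PASS %s is %s\n' "$1" "${2:-not installed}"
}

# write_sample_conf FILE: constructed csf.conf-style fragment for offline testing.
write_sample_conf() {
    printf '%s\n' 'IPTABLES = "/sbin/iptables"' 'IP6TABLES = "/sbin/ip6tables"' \
        'IPTABLES_LOG = "/var/log/messages"' > "$1"
}

# run_checks: the live version, run as root on the server (./csf-iptables-check.sh --run).
run_checks() {
    rc=0
    for key in IPTABLES IP6TABLES; do
        bin=$(conf_value "$key" "$CSF_CONF")
        if [ -n "$bin" ] && [ -x "$bin" ]; then
            printf 'PASS %s=%s backend=%s\n' "$key" "$bin" "$(backend_of "$("$bin" -V 2>/dev/null)")"
        else
            printf 'FAIL %s=[%s] missing or not executable\n' "$key" "$bin"; rc=1
        fi
    done
    # Competing firewalls must be stopped, and since CSF loads the rules itself the
    # iptables/ip6tables units must not be enabled (they would apply their own defaults).
    for u in firewalld nftables; do
        forbid_state "$u" "$(systemctl is-active "$u" 2>/dev/null || true)" active || rc=1
    done
    for u in iptables ip6tables; do
        forbid_state "$u" "$(systemctl is-enabled "$u" 2>/dev/null || true)" enabled || rc=1
    done
    return "$rc"
}
# Live checks run only with --run, so the helpers can be sourced and tested on captured text.
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

A masked unit reports "masked" from is-enabled and "inactive" from is-active, so the masked-and-stopped state the thread recommends passes both checks.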
 
Hi Richard,

Thank you for your help and patience with me; highly appreciated.

Okay, so I redid everything and now I am using the following:
sudo systemctl stop nftables
sudo systemctl disable nftables
sudo systemctl mask --now nftables

sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl mask --now firewalld

sudo dnf remove -y nftables
sudo dnf install -y iptables-services

sudo systemctl stop iptables
sudo systemctl stop ip6tables
sudo systemctl disable iptables
sudo systemctl disable ip6tables
Unless I overlooked things (again), this should be correct, right?


When I run service iptables/ip6tables status I get the following:
Redirecting to /bin/systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: inactive (dead)

Redirecting to /bin/systemctl status ip6tables.service
● ip6tables.service - IPv6 firewall with ip6tables
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
That should be correct.

I also tested what you said: iptables -L & ip6tables -L
Both show information now. Which is good.

Also CSF is up and running, however I did notice an error?
Redirecting to /bin/systemctl status csf.service
● csf.service - ConfigServer Firewall & Security - csf
Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: disabled)
Active: active (exited) since Fri 2020-11-27 12:49:14 CET; 3min 13s ago
Process: 472 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)
Main PID: 472 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 3200)
Memory: 0B
CGroup: /system.slice/csf.service

Nov 27 12:49:14 dns01.example.com csf[472]: csf: FASTSTART loading SMTP Block (IPv4)
Nov 27 12:49:14 dns01.example.com csf[472]: csf: FASTSTART loading SMTP Block (IPv6)
Nov 27 12:49:14 dns01.example.com csf[472]: csf: FASTSTART loading DNS (IPv4)
Nov 27 12:49:14 dns01.example.com csf[472]: csf: FASTSTART loading DNS (IPv6)
Nov 27 12:49:14 dns01.example.com csf[472]: iptables v1.8.4 (nf_tables): RULE_INSERT failed (No such file or directory): rule in chain OUTPUT
Nov 27 12:49:14 dns01.example.com csf[472]: LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
Nov 27 12:49:14 dns01.example.com csf[472]: LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
Nov 27 12:49:14 dns01.example.com csf[472]: LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
Nov 27 12:49:14 dns01.example.com csf[472]: LOCALINPUT all opt in !lo out * ::/0 -> ::/0
Nov 27 12:49:14 dns01.example.com systemd[1]: Started ConfigServer Firewall & Security - csf.
No clue if that is important or not, but just wondering.

There does seem to be an issue with LFD though:
Redirecting to /bin/systemctl status lfd.service
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: disabled)
Active: activating (start) since Fri 2020-11-27 12:55:01 CET; 29s ago
Cntrl PID: 2067 (lfd)
Tasks: 2 (limit: 3200)
Memory: 16.4M
CGroup: /system.slice/lfd.service
├─2067 /usr/bin/perl /usr/sbin/lfd
└─2074 /sbin/iptables --wait -L PREROUTING -t raw

Nov 27 12:55:01 dns01.example.com systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Eventually it fails and tries to restart (over and over).

Because of this (?) logging in DirectAdmin lags. Also opening "ConfigServer Security & Firewall" takes ages and is quite unresponsive.
Also I am getting messages in the "Message Center" that "lfd" is down.

If I check the lfd.log it shows the following errors (not much else):
Nov 27 12:35:06 ns1 lfd[434394]: Retrieved and blocking blocklist DSHIELD IP address ranges
Nov 27 12:35:06 ns1 lfd[434394]: *Error* FASTSTART: (Blocklist [DSHIELD] IPv4) [] [iptables-restore: line 2 failed]
Nov 27 12:35:06 ns1 lfd[434394]: Retrieved and blocking blocklist MAXMIND IP address ranges
Nov 27 12:35:06 ns1 lfd[434394]: *Error* FASTSTART: (Blocklist [MAXMIND] IPv4) [] [iptables-restore: line 2 failed]
Nov 27 12:35:07 ns1 lfd[434394]: Retrieved and blocking blocklist BFB IP address ranges
Nov 27 12:35:07 ns1 lfd[434394]: *Error* FASTSTART: (Blocklist [BFB] IPv4) [] [iptables-restore: line 2 failed]

I will remove those entries from the blocklists. Maybe those don't work anymore for some reason.
In the meantime I will test it some more.

I have no clue what else can be wrong here though.

Regards
 