Posted By: northnetworking on August 15, 2019, 6:32 am |
Hello!
So I have been trying to set up CSF on the node, but when I do, CSF blocks all VPSes on the node. I followed the guide to make csfpost.sh in /etc/csf/, and inside csfpost.sh I have this line:
Code:
/sbin/iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
And when I start or restart CSF
Code:
csf -r
I see that it executes the csfpost.sh file
Code:
Running /etc/csf/csfpost.sh
But it is not working. All my VPSes are still blocked. Any suggestions? Thanks
-----------------------
Networking made easy
contact[at]northnetworking.com
https://northnetworking.com |
Posted By: wolke on August 15, 2019, 8:58 am | Post: 1 |
You may need to fully restart csf (not only reload).
Do a csf -x followed by csf -e |
Posted By: northnetworking on August 15, 2019, 9:29 am | Post: 2 |
Quote From: wolke August 15, 2019, 8:58 am
You may need to fully restart csf (not only reload).
Do a csf -x followed by csf -e
Thank you for your reply. I have tried this, but still no luck. I tried to manually execute the script also. Still the VPSes are blocked by CSF. |
Posted By: wolke on August 15, 2019, 9:40 am | Post: 3 |
please send the output of
csf -r |
Posted By: northnetworking on August 15, 2019, 6:26 pm | Post: 4 |
Quote From: wolke August 15, 2019, 9:40 am
please send the output of
csf -r
Here you go sir
Code:
[root@euvpsnode1 ~]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
LOG tcp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP6IN Blocked* "
LOG tcp opt in * out * ::/0 -> ::/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP6OUT Blocked* "
LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP6IN Blocked* "
LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP6OUT Blocked* "
LOG icmpv6 opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP6IN Blocked* "
LOG icmpv6 opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP6OUT Blocked* "
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
REJECT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all opt in * out * ::/0 -> ::/0
REJECT all opt in * out * ::/0 -> ::/0 reject-with icmp6-port-unreachable
DENYOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
DENYIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ALLOWOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ALLOWIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
DENYOUT all opt in * out !lo ::/0 -> ::/0
DENYIN all opt in !lo out * ::/0 -> ::/0
ALLOWOUT all opt in * out !lo ::/0 -> ::/0
ALLOWIN all opt in !lo out * ::/0 -> ::/0
csf: FASTSTART loading Packet Filter (IPv4)
csf: FASTSTART loading Packet Filter (IPv6)
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt in * out * ::/0 -> ::/0
INVALID tcp opt in !lo out * ::/0 -> ::/0
INVALID tcp opt in * out !lo ::/0 -> ::/0
csf: FASTSTART loading csf.allow (IPv4)
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
LOGDROPIN icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT icmpv6 opt in !lo out * ::/0 -> ::/0
ACCEPT icmpv6 opt in * out !lo ::/0 -> ::/0
ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt in !lo out * ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt in * out !lo ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt in lo out * ::/0 -> ::/0
ACCEPT all opt in * out lo ::/0 -> ::/0
LOGDROPOUT all opt in * out !lo ::/0 -> ::/0
LOGDROPIN all opt in !lo out * ::/0 -> ::/0
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
Running /etc/csf/csfpost.sh
[root@euvpsnode1 ~]# |
Posted By: m9shyamalan on August 16, 2019, 7:54 am | Post: 5 |
Can you also send the output of iptables -L |
Posted By: northnetworking on August 16, 2019, 10:36 am | Post: 7 |
Quote From: wolke August 16, 2019, 9:13 am
It is not enough to set the forwarding rule for iptables in csfpost.sh.
Please make sure that your csfpost.sh begins with
Code:
#!/bin/bash
in the very first line. Then, after the iptables rule, you need to restart libvirtd. So your csfpost.sh should look like this:
Code:
#!/bin/bash
/sbin/iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
service libvirtd restart
Woooo! My csfpost.sh had #!/bin/bash at the top of course, but adding service libvirtd restart at the bottom did the trick. CSF is now working in harmony with Virtualizor. The guide did not mention adding service libvirtd restart, so this was the issue. Thank you all for helping me! |
Posted By: jevingala on August 16, 2019, 3:09 pm | Post: 8 |
Hi,
I feel a libvirtd restart is not required if the FORWARD chain is set to ACCEPT.
-----------------------
Regards,
Virtualizor Team.
http://virtualizor.com/ |
Posted By: wolke on August 16, 2019, 3:12 pm | Post: 9 |
Your feeling is deceiving you :-)
I have had the same issue several times. Without restarting libvirtd => no connection. |
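An added example, not the thread's own script nor code from the CSF or Virtualizor projects: a csfpost.sh in the shape wolke described (re-add the bridged FORWARD ACCEPT after CSF has flushed the chain, then restart libvirtd), with an idempotent apply step and a pure-shell check that the rule actually landed ahead of any DROP/REJECT rule. The check runs offline against constructed dumps in the format of iptables -S FORWARD; the dumps, the "apply" argument and the use of systemctl are assumptions.

```shell
#!/bin/bash
# Added example (not the thread's own script). Shape follows the csfpost.sh
# from the thread: re-add the bridged FORWARD ACCEPT after CSF has flushed
# the chain, then restart libvirtd so it re-creates its own rules.
# The check functions take the text of `iptables -S FORWARD` as $1, so they
# can run offline against the constructed dumps below.

BRIDGE_RULE='-m physdev --physdev-is-bridged -j ACCEPT'

# forward_policy DUMP: prints the chain's default policy (ACCEPT/DROP).
forward_policy() {
    printf '%s\n' "$1" | awk '/^-P FORWARD /{ print $3; exit }'
}

# forward_rule_ok DUMP: success only if the bridged ACCEPT rule is present
# and no terminating DROP/REJECT rule sits in front of it (a rule appended
# behind such a rule never sees the VPS traffic).
forward_rule_ok() {
    printf '%s\n' "$1" | awk -v want="$BRIDGE_RULE" '
        /^-A FORWARD/ && index($0, want)         { found = 1; exit }
        /^-A FORWARD/ && /-j (DROP|REJECT)( |$)/ { blocked = 1; exit }
        END { if (found && !blocked) exit 0; exit 1 }'
}

# apply_rules: the real csfpost.sh body. -C makes the append idempotent when
# the script is run by hand (as in the thread) without a prior csf -r flush.
apply_rules() {
    /sbin/iptables -C FORWARD $BRIDGE_RULE 2>/dev/null \
        || /sbin/iptables -A FORWARD $BRIDGE_RULE
    # "service libvirtd restart" as in the thread; systemctl on systemd hosts.
    systemctl restart libvirtd 2>/dev/null || service libvirtd restart
    forward_rule_ok "$(/sbin/iptables -S FORWARD)" \
        || echo "csfpost.sh: bridged FORWARD rule missing or shadowed" >&2
}

# Constructed dumps (assumed, not captured from the thread's node).
GOOD_DUMP='-P FORWARD ACCEPT
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -j DROP'
SHADOWED_DUMP='-P FORWARD DROP
-A FORWARD -j DROP
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT'
MISSING_DUMP='-P FORWARD DROP'

# Only touch the live firewall when invoked as: csfpost.sh apply
if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Running forward_rule_ok against the output of iptables -S FORWARD after csf -r tells you whether the VPS traffic is actually reaching an ACCEPT, which is the check the thread had to do by trial and error.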