 Virtualizor and CSF (9 Replies, Read 1626 times)
northnetworking
Group: Member
Post Group: Newbie
Posts: 14
Status:
Hello!

So I have been trying to set up CSF on the node, but when I do, CSF blocks all VPS on the node.

I followed the guide to make csfpost.sh in /etc/csf/ and inside csfpost.sh have this line:
Code
/sbin/iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT


And when I start or restart CSF
Code
csf -r

I see that it executes the csfpost.sh file
Code
Running /etc/csf/csfpost.sh


But it is not working. All my VPSes are still blocked.

Any suggestions?
Thanks  :D

-----------------------
Networking made easy
contact[at]northnetworking.com
https://northnetworking.com
IP: --   

Virtualizor and CSF
wolke
Group: NOC
Post Group: Working Member
Posts: 246
Status:
You may need to fully restart csf (not only reload).

Do a

Code
csf -x


followed by

Code

csf -e
IP: --   

Virtualizor and CSF
northnetworking
Group: Member
Post Group: Newbie
Posts: 14
Status:
Quote From : wolke August 15, 2019, 8:58 am
You may need to fully restart csf (not only reload).

Do a

Code
csf -x


followed by

Code

csf -e


Thank you for your reply.

I have tried this, but still no luck.
Tried to manually execute the script also.
Still the VPS is blocked by CSF.

-----------------------
Networking made easy
contact[at]northnetworking.com
https://northnetworking.com
IP: --   

Virtualizor and CSF
wolke
Group: NOC
Post Group: Working Member
Posts: 246
Status:
Please send the output of

Code
csf -r



IP: --   

Virtualizor and CSF
northnetworking
Group: Member
Post Group: Newbie
Posts: 14
Status:
Quote From : wolke August 15, 2019, 9:40 am
Please send the output of

Code
csf -r





Here you go sir

Code
[root@euvpsnode1 ~]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
LOG  tcp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP6IN Blocked* "
LOG  tcp opt    in * out *  ::/0  -> ::/0  tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP6OUT Blocked* "
LOG  udp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP6IN Blocked* "
LOG  udp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP6OUT Blocked* "
LOG  icmpv6 opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP6IN Blocked* "
LOG  icmpv6 opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP6OUT Blocked* "
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
REJECT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  reject-with icmp-port-unreachable
DROP  all opt    in * out *  ::/0  -> ::/0
REJECT  all opt    in * out *  ::/0  -> ::/0  reject-with icmp6-port-unreachable
DENYOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
DENYIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
ALLOWOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
ALLOWIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
DENYOUT  all opt    in * out !lo  ::/0  -> ::/0
DENYIN  all opt    in !lo out *  ::/0  -> ::/0
ALLOWOUT  all opt    in * out !lo  ::/0  -> ::/0
ALLOWIN  all opt    in !lo out *  ::/0  -> ::/0
csf: FASTSTART loading Packet Filter (IPv4)
csf: FASTSTART loading Packet Filter (IPv6)
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
INVALID  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
INVALID  tcp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
DROP  all opt    in * out *  ::/0  -> ::/0
INVALID  tcp opt    in !lo out *  ::/0  -> ::/0
INVALID  tcp opt    in * out !lo  ::/0  -> ::/0
csf: FASTSTART loading csf.allow (IPv4)
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmptype 8 limit: avg 1/sec burst 5
LOGDROPIN  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmptype 8
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  icmp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0
ACCEPT  icmpv6 opt    in * out !lo  ::/0  -> ::/0
ACCEPT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  ctstate RELATED,ESTABLISHED
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in !lo out *  ::/0  -> ::/0  ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in * out !lo  ::/0  -> ::/0  ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  all opt    in lo out *  ::/0  -> ::/0
ACCEPT  all opt    in * out lo  ::/0  -> ::/0
LOGDROPOUT  all opt    in * out !lo  ::/0  -> ::/0
LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0
Running /etc/csf/csfpost.sh
[root@euvpsnode1 ~]#


-----------------------
Networking made easy
contact[at]northnetworking.com
https://northnetworking.com
IP: --   

Virtualizor and CSF
m9shyamalan
Group: Member
Post Group: Newbie
Posts: 14
Status:
Can you also send the output of iptables -L?
IP: --   

Virtualizor and CSF
wolke
Group: NOC
Post Group: Working Member
Posts: 246
Status:
It is not enough to set the forwarding rule for iptables in csfpost.sh.
Please make sure that your csfpost.sh begins with
Code
#!/bin/bash

in the very first line.
Then, after the iptables rule, you need to restart libvirtd.


So your csfpost.sh should look like this:

Code
#!/bin/bash
/sbin/iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
service libvirtd restart



IP: --   

Virtualizor and CSF
northnetworking
Group: Member
Post Group: Newbie
Posts: 14
Status:
Quote From : wolke August 16, 2019, 9:13 am
It is not enough to set the forwarding rule for iptables in csfpost.sh.
Please make sure that your csfpost.sh begins with
Code
#!/bin/bash

in the very first line.
Then, after the iptables rule, you need to restart libvirtd.


So your csfpost.sh should look like this:

Code
#!/bin/bash
/sbin/iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
service libvirtd restart





Woooo!

My csfpost.sh had #!/bin/bash at the top of course :)

But adding service libvirtd restart at the bottom did the trick. CSF is now working in harmony with Virtualizor :D

The guide did not mention adding service libvirtd restart so this was the issue.

Thank you all for helping me!

-----------------------
Networking made easy
contact[at]northnetworking.com
https://northnetworking.com
IP: --   

Virtualizor and CSF
jevingala
Group: Virtualizor Team
Post Group: Elite Member
Posts: 429
Status:
Hi,

I feel libvirtd restart is not required if FORWARD chain is set to ACCEPT.

-----------------------
Regards,
Virtualizor Team.
http://virtualizor.com/
IP: --   

Virtualizor and CSF
wolke
Group: NOC
Post Group: Working Member
Posts: 246
Status:
Your feeling is deceiving you :-)
I have had the same issue several times. Without restarting libvirtd => no connection.
IP: --   
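
A check for the fix discussed in this thread, added here as an example (not code from any poster, from Virtualizor or from CSF): it classifies `iptables -S FORWARD` output to show whether the bridged-traffic ACCEPT rule from csfpost.sh is loaded and reachable. The function name `check_forward` and the sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `iptables -S FORWARD` output read from stdin.
# Prints one of:
#   ok        bridged ACCEPT rule present and reachable
#   shadowed  rule present, but a blanket DROP/REJECT sits above it
#   missing   rule absent and the chain drops by policy or by rule
#   open      rule absent, policy ACCEPT and no blanket drop
check_forward() {
    awk '
        $1 == "-P" && $2 == "FORWARD" { policy = $3 }
        $1 == "-A" && $2 == "FORWARD" {
            if ($0 ~ /--physdev-is-bridged/ && $0 ~ /-j ACCEPT$/) {
                # Remember whether a blanket drop was already above the rule.
                if (!found) { found = 1; shadowed = blocker }
            } else if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) {
                # Rule with no match criteria: it terminates every packet.
                blocker = 1
            }
        }
        END {
            if (found) { print (shadowed ? "shadowed" : "ok") }
            else if (policy == "ACCEPT" && !blocker) { print "open" }
            else { print "missing" }
        }'
}

# Constructed samples (not captured from the node in this thread).
sample_csf_only() {
    printf '%s\n' '-P FORWARD DROP'
}
sample_after_csfpost() {
    printf '%s\n' '-P FORWARD DROP' \
        '-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT'
}
sample_shadowed() {
    printf '%s\n' '-P FORWARD DROP' \
        '-A FORWARD -j REJECT --reject-with icmp-port-unreachable' \
        '-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT'
}

for s in sample_csf_only sample_after_csfpost sample_shadowed; do
    printf '%-22s %s\n' "$s" "$($s | check_forward)"
done
```

On a node, run `iptables -S FORWARD | check_forward` after `csf -r`. Because the rule accepts every bridged packet that reaches it, anything meant to filter VPS traffic on the node has to sit above it in FORWARD.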

All times are GMT. The time now is October 15, 2019, 7:22 pm.
