
I'm running a CentOS 8 webserver and recently I had some issues with the CSF Firewall: the CSF service is running but LFD has failed.

I did some research and I was able to fix it by doing iptables --flush (I'm not sure it was the problem however!).

Yet, it seems that there is a problem with the iptables service; when I start it I get this error:

iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2021-06-22 23:46:44 EET; 13min ago
  Process: 11362 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=1/FAILURE)
 Main PID: 11362 (code=exited, status=1/FAILURE)

Jun 22 23:46:44 server.ahmedsuror.com systemd[1]: Starting IPv4 firewall with iptables...
Jun 22 23:46:44 server.ahmedsuror.com iptables.init[11362]: iptables: Applying firewall rules: iptables-restore v1.8.4 (nf_tables): Chain 'INVDROP' does not exist
Jun 22 23:46:44 server.ahmedsuror.com iptables.init[11362]: Error occurred at line: 5
Jun 22 23:46:44 server.ahmedsuror.com iptables.init[11362]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun 22 23:46:44 server.ahmedsuror.com iptables.init[11362]: [FAILED]
Jun 22 23:46:44 server.ahmedsuror.com systemd[1]: iptables.service: Main process exited, code=exited, status=1/FAILURE
Jun 22 23:46:44 server.ahmedsuror.com systemd[1]: iptables.service: Failed with result 'exit-code'.
Jun 22 23:46:44 server.ahmedsuror.com systemd[1]: Failed to start IPv4 firewall with iptables.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

I've reviewed the /etc/sysconfig/iptables file and it seems that the INVDROP chain is the problem, but after a lot of research I found that this chain is created and managed by CSF.

What is the problem, and if the CSF and LFD are working correctly should I bother?

Also, I've tested iptables using the Perl script at /etc/csf/csftest.pl and all are OK:

[root@server csf]# perl csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Any help is greatly appreciated...

Ahmed Suror
  • Not helping the question, just a rant, but anyway, looks like this rules generator generates a lot of unneeded rules. the --ctstate INVALID already checks for invalid TCP combos: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/netfilter/nf_conntrack_proto_tcp.c?h=v4.18#n729 . It rejects 23 out of 32 combos of FIN|SYN|RST|ACK|URG . I don't see 23 INVDROP rules here (and the ctstate NEW one has a special switch: `sysctl net.netfilter.nf_conntrack_tcp_loose`) – A.B Jun 22 '21 at 23:05
  • `I don't see 23 INVDROP rules here` The file is truncated due to pastebin.com limits of 512 KB for free users, and yes, there are many INVDROP rules throughout the file, maybe 23, I didn't count! – Ahmed Suror Jun 22 '21 at 23:11
  • Looks like the file is missing important parts... conntrack shouldn't be seen in the raw table. So a mangle or filter section is missing. – A.B Jun 22 '21 at 23:18
  • The file wasn't edited manually, it may have been edited by CSF when I made a reboot; also I ran `iptables-save` and it gives the same result with a warning saying: "# Warning: iptables-legacy tables present, use iptables-legacy-save to see them" – Ahmed Suror Jun 22 '21 at 23:28
  • Also the save file is somehow different (not totally) look at the filter: https://pastebin.com/dJGsF0KG – Ahmed Suror Jun 22 '21 at 23:32
  • `but no line starting with :INVDROP` there are lines starting with it in the filter section – Ahmed Suror Jun 22 '21 at 23:33
  • I'd think you shouldn't use the iptables service at all and let csf handle things. But you'd better wait for somebody who knows about csf, I don't. – A.B Jun 22 '21 at 23:36
  • I agree, it seems that CSF is handling this and the proof is that iptable testing was successful, also it seems that CSF is using `nft netfilter` which replaces the old `iptables`. Anyway, I really appreciate your help, thanks very much. – Ahmed Suror Jun 22 '21 at 23:55
  • Are you trying to use csf/lfd or the old-style system iptables scripts?? These are not compatible and cannot be run simultaneously. – Michael Hampton Jun 23 '21 at 11:10
  • @MichaelHampton I'm using **CSF/LFD** but iptables anyway should start normally, I'm wondering how you say: " `These are not compatible and cannot be run simultaneously` "! I know that CSF or FirewallD are somehow like a GUI tools used to deal with iptables... I've solved the problem by making iptables file empty, however, I'm not sure it is the best solution. – Ahmed Suror Jun 23 '21 at 15:24
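The failure in the journal above ("Chain 'INVDROP' does not exist ... Error occurred at line: 5") is a saved rules file that jumps to a chain which is never declared in the same table, because CSF creates that chain at runtime rather than in /etc/sysconfig/iptables. The following pre-flight checker is an added example, not code from the question, from CSF or from the iptables project: it parses an iptables-save style dump, collects the chains declared with `:NAME` lines per table, and reports every `-A`/`-I` chain or `-j`/`-g` target that is neither declared nor a built-in target, with the 1-based line number the way `iptables-restore` reports it. The two rule dumps are constructed samples, and the built-in target list is an assumption covering common targets rather than an exhaustive one.

```python
"""Pre-flight check for an iptables-save style rules file.

Added example (not from the question, CSF or iptables). Run it against a
saved rules file before iptables-restore would, so that a reference to a
chain that only exists at runtime (such as one created by CSF) is caught
as a readable report instead of a failed iptables.service at boot.
"""
from __future__ import annotations

import shlex

# Targets implemented by netfilter extensions rather than user-defined chains.
# Assumption: a common subset, not the complete list of iptables targets.
BUILTIN_TARGETS = {
    "ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "NFLOG", "MARK", "CONNMARK",
    "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "CT", "NOTRACK", "TCPMSS",
    "TOS", "TTL", "SET", "QUEUE", "NFQUEUE", "CLASSIFY", "AUDIT", "CHECKSUM",
}

# Constructed sample: mirrors the failure mode in the question (INVDROP is
# referenced but never declared in the filter table).
SAMPLE_RULES = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j INVDROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: same rules with the chain declared in the same table.
FIXED_RULES = """\
# Generated by iptables-save (constructed sample, chain declared)
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:INVDROP - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j INVDROP
-A INVDROP -j DROP
COMMIT
"""


def find_undefined_chains(text: str) -> list[dict]:
    """Return one record per rule that names a chain not defined in its table.

    A first pass collects the ':NAME' declarations per table, so a rule may
    reference a chain declared later in the same table (iptables-restore
    allows that) without being flagged. Line numbers are 1-based over the
    whole file, comments included, matching iptables-restore's error output.
    """
    lines = text.splitlines()
    declared: dict[str, set[str]] = {}
    table = None
    for line in lines:
        s = line.strip()
        if s.startswith("*"):
            table = s[1:]
            declared.setdefault(table, set())
        elif s.startswith(":") and table is not None:
            declared[table].add(s[1:].split()[0])

    problems: list[dict] = []
    table = None
    for lineno, line in enumerate(lines, start=1):
        s = line.strip()
        if not s or s.startswith("#") or s == "COMMIT":
            continue
        if s.startswith("*"):
            table = s[1:]
            continue
        if s.startswith(":") or table is None:
            continue
        tokens = shlex.split(s)
        known = declared[table]
        # The chain a rule is appended to / inserted into must exist.
        if tokens and tokens[0] in ("-A", "-I", "-D", "-R") and len(tokens) > 1:
            if tokens[1] not in known:
                problems.append({"line": lineno, "table": table,
                                 "rule": s, "missing": tokens[1]})
        # Every jump/goto target must be a built-in target or a declared chain.
        for i, tok in enumerate(tokens):
            if tok in ("-j", "-g", "--jump", "--goto") and i + 1 < len(tokens):
                target = tokens[i + 1]
                if target not in BUILTIN_TARGETS and target not in known:
                    problems.append({"line": lineno, "table": table,
                                     "rule": s, "missing": target})
    return problems


def first_error(text: str) -> str | None:
    """Format the first problem like the message iptables-restore would print."""
    problems = find_undefined_chains(text)
    if not problems:
        return None
    p = problems[0]
    return f"Chain '{p['missing']}' does not exist (line {p['line']}, table {p['table']})"


if __name__ == "__main__":
    for name, rules in (("SAMPLE_RULES", SAMPLE_RULES), ("FIXED_RULES", FIXED_RULES)):
        print(f"{name}: {first_error(rules) or 'all referenced chains are defined'}")
```

Running the check against the real /etc/sysconfig/iptables on the server in the question would report INVDROP in the same way, which is the practical test of whether that file can be restored by iptables.service on its own or whether it depends on CSF having created its chains first.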

0 Answers