The VPS iptables rule limit (numiptent) is too low to add 5333 rules (19469/24000)

CSF stopped working spontaneously today.

Saying it can't start because it can't add 5333 rules to an apparent total of 24,000.

The firewall has been configured to keep at most 100 IP addresses, 100 temporary addresses.

There is nowhere that anyone has configured 24000, and certainly no list of 24000 IPtables rules to be found on the server.

How do I fix this problem?

Horace
  • I removed 3 of the 16 country codes that we block, and now it works? Apparently country codes take up massive chunks of iptables, in some hidden way. – Horace Oct 07 '14 at 15:25
  • CSF probably uses a database with ip blocks and the countries they belong to. And then it creates one iptables rule for each ip block... – etagenklo Oct 07 '14 at 15:39
  • Just an update, the problem isn't resolved in any way. I keep having to decrease the number of country codes we block. It seems there are some iptables rules I can't see or access. I've flushed them, wiped them out, every CSF deny file I can find. It still thinks I have 24000 rules somewhere. I'll do some more research and see what I can come up with. – Horace Oct 08 '14 at 14:33

2 Answers

1

You're running into a hard limit set by your VPS hosting provider which limits iptables entries on OpenVZ containers. The provider is unlikely to change this for you, so you should consider obtaining a new VPS, which does not use OpenVZ.

Michael Hampton
0

I was trying to help slow down the spam running through EXIM and enabled some new Blocklists on CSF. There is a setting at the bottom of the CSF config page called "lfd Blocklists" to enable or disable some pre-configured ones. I commented out a few and it started up again. Some of the blocklists can add thousands of IPs to the firewall. When you reach your server's numiptent limit, CSF will fail to start.

Hope this helps you too.

Stoney
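The numiptent counter that both the comments and the second answer refer to lives in /proc/user_beancounters on an OpenVZ guest. The script below is an added example, not code from any of the posters: it reads that counter, works out how much headroom is left, and reports whether a given number of CSF rules (country-code blocks, lfd blocklists) would fit before the firewall is restarted. The beancounters sample at the bottom is constructed to mirror the numbers in the question (19469 held of a 24000 limit).

```bash
#!/bin/sh
# Added example: check OpenVZ numiptent headroom before (re)starting CSF.

# Print "held limit failcnt" for numiptent. Rows in /proc/user_beancounters are:
#   [uid:] resource held maxheld barrier limit failcnt
# (only the first resource row of a container carries the "uid:" column).
numiptent_usage() {
    awk '{ off = ($1 ~ /:$/) ? 1 : 0 }
         $(1+off) == "numiptent" { print $(2+off), $(5+off), $(6+off) }' "$1"
}

# Usage: numiptent_can_add <beancounters-file> <rules-to-add>
# Prints the headroom; returns 0 only if the rules fit under the limit.
numiptent_can_add() {
    set -- $(numiptent_usage "$1") "$2"   # $1=held $2=limit $3=failcnt $4=wanted
    [ $# -eq 4 ] || { echo "numiptent row not found" >&2; return 2; }
    free=$(( $2 - $1 ))
    echo "held=$1 limit=$2 failcnt=$3 free=$free wanted=$4"
    [ "$4" -le "$free" ]
}

# Live rule count on the container (needs root). CSF installs one rule per
# blocked CIDR block, which is why country codes and blocklists add thousands.
count_iptables_rules() {
    iptables -S 2>/dev/null | grep -c '^-A'
}

# Constructed sample (not a real dump) mirroring the question: 19469 of 24000 used.
SAMPLE_BC=$(mktemp)
cat > "$SAMPLE_BC" <<'EOF'
Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
      101:  kmemsize       11235332   14114816   14372700   14790164          0
            numiptent         19469      24000      24000      24000         12
EOF

# CSF wanted to add 5333 rules; with 4531 free this does not fit.
numiptent_can_add "$SAMPLE_BC" 5333 && echo "fits" \
    || echo "does not fit: trim CC_DENY / lfd blocklists or ask the host to raise numiptent"
```

On a real container replace `$SAMPLE_BC` with `/proc/user_beancounters`; a non-zero failcnt there confirms the limit has already been hit.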