Apf Firewall Giving Iptables: Invalid Argument
Oct 27, 2006
I have a Virtuozzo VPS running Debian Sarge. I installed apf. My /etc/apf/conf.apf looks like:
IFACE_IN="venet0"
IFACE_OUT="venet0"
SET_MONOKERN="1"
IG_TCP_CPORTS="21,22,53,80,443,25,465,110,995,143,993,137,139,445,10000,3306"
IG_UDP_CPORTS="53"
I am getting several "iptables: Invalid arguments" messages. I traced this to these iptables calls from within /etc/apf/firewall. Each of these iptables calls gives "iptables: Invalid arguments":
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL NONE -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags SYN,RST SYN,RST -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags FIN,RST FIN,RST -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ACK,FIN FIN -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ACK,URG URG -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ACK,PSH PSH -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL FIN,URG,PSH -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL ALL -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL FIN -j IN_SANITY
Any thoughts? According to my ISP, I have these iptables modules:
iptable_filter
iptable_mangle
ipt_limit
ipt_multiport
ipt_tos
ipt_TOS
ipt_REJECT
ipt_TCPMSS
ipt_tcpmss
ipt_ttl
ipt_LOG
ipt_length
ip_conntrack
ip_conntrack_ftp
ip_conntrack_irc
ipt_conntrack
ipt_state
ipt_helper
iptable_nat
ip_nat_ftp
ip_nat_irc
May 2, 2008
On a RHE 5.1 + cPanel server I got this error usually from apache logs and from php -v output:
[root@server.roo393.com:~]php -v
shmget() failed: Invalid argument
Failed to start up concurrent users module!
PHP 5.2.5 (cli) (built: May 1 2008 22:00:18)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies
[root@server.roo393.com:~]
Tried recompiling the latest php 5.2.x and it always happens while using Zend Optimizer. As you should know, the optimizer is needed for most web apps today... so it's a must.
Jan 13, 2005
Feel free to use the following iptables commands below to drop INVALID SYN packets that sometimes are also used to flood the server.
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
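Added example, not part of the original post: a small Python model of how iptables evaluates `--tcp-flags MASK COMP`, run over the three DROP rules quoted above to show which flag combinations they catch and which legitimate handshake packets pass. The function names and the sample flag combinations are constructed for illustration.

```python
# Added example: models how iptables evaluates "--tcp-flags MASK COMP".
# MASK lists the flags to examine; COMP lists which of those must be set.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_flags(spec):
    """Turn 'SYN,FIN', 'ALL' or 'NONE' into a bitmask of TCP flags."""
    if spec == "NONE":
        return 0
    if spec == "ALL":
        return 0x3F  # the six flags above
    bits = 0
    for name in spec.split(","):
        bits |= FLAGS[name.strip().upper()]
    return bits

def rule_matches(mask_spec, comp_spec, packet_spec):
    """True when the examined flags of the packet equal COMP exactly."""
    mask = parse_flags(mask_spec)
    return (parse_flags(packet_spec) & mask) == parse_flags(comp_spec)

# The three DROP rules from the post, as (MASK, COMP) pairs.
RULES = [
    ("ALL", "ACK,RST,SYN,FIN"),
    ("SYN,FIN", "SYN,FIN"),
    ("SYN,RST", "SYN,RST"),
]

def verdict(packet_spec, rules=RULES):
    """Index of the first rule that drops the packet, or None if it passes on."""
    for i, (mask, comp) in enumerate(rules):
        if rule_matches(mask, comp, packet_spec):
            return i
    return None

# Constructed flag combinations, not captured traffic.
SAMPLES = [
    "SYN", "SYN,ACK", "ACK", "ACK,PSH", "FIN,ACK", "RST",
    "SYN,FIN", "SYN,RST", "SYN,FIN,PSH", "ACK,RST,SYN,FIN",
    "NONE", "FIN,URG,PSH", "ALL",
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        hit = verdict(pkt)
        if hit is None:
            print("%-18s passes to later rules" % pkt)
        else:
            print("%-18s DROP by --tcp-flags %s %s" % ((pkt,) + RULES[hit]))
```

The `NONE` and `FIN,URG,PSH` combinations fall through these three rules; the APF rule list quoted in the first post on this page covers them with `--tcp-flags ALL NONE` and `--tcp-flags ALL FIN,URG,PSH`.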
Jan 5, 2009
Is it me, or is anyone else experiencing the VZ master node not being properly configured for those front-end firewall programs?
I recently purchased a couple of Linux VPSs (OpenVZ) from different vendors and both seem not to have iptables properly configured. One of them finally got resolved, but it took like a week for them to figure out what was wrong with it.
I'm currently still stuck with the second VPS not protected.
I have not checked into which iptables modules APF or CSF requires, but VPS vendors/resellers should expect that their clients would be using those and properly configure their VZ master prior to deployments.
I'm beginning to wonder whether people who purchase VPS slices are using any decent firewall front-end or not.
It always seems that ip_conntrack is missing. When it exists, everything works.
Jun 8, 2009
after turning on the iptables firewall i can't receive emails anymore on a dedicated centos 5.3 server with postfix and dovecot.
with iptables firewall turned off everything works fine.
following is the /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
# ************ tried doing this first ************
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -j ACCEPT --syn
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT --syn
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 143 -j ACCEPT --syn
# ************ tried doing this too ************
-A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 72.233.54.234 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -s 72.233.54.234 --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -s 72.233.54.234 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 0/0 --sport 25 -d 72.233.54.234 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
as you can see here i have tried opening ports 110, 25, 143 earlier. still did not work.
Oct 21, 2009
Hello !
I've got problems with my APF firewall. Here are the errors I get:
[root@ks123456 ~]# apf -r
apf(6493): {glob} flushing & zeroing chain policies
apf(6493): {glob} firewall offline
apf(6530): {glob} activating firewall
Opening /proc/modules: No such file or directory
apf(6570): {glob} unable to load iptables module (ip_tables), aborting.
apf(6530): {glob} firewall initalized
apf(6530): {glob} fast load snapshot saved
The /var/log/apf_log file is full of these errors.
I've been told that it was a compatibility issue with the server's kernel. So I upgraded the kernel to the last version, but the problem still remains and I get the same errors...
Can you advise about what I should do now ?
Thank you !
Jun 6, 2007
Hello,
I have two similar VPS plans with identical software setups.
I installed APF Firewall on VPS A, modified the conf.apf file to
change the interfaces to venet0 and set monokern to 1 and
then opened all the ingress ports required. Started the firewall
with 'service apf start' and everything went fine, and everything
is working fine with no errors.
I did the same on VPS B but when I start apf I get the following
error that reoccurs during the startup sequence:
iptables: No chain/target/match by that name
While the firewall does seem to be running (by checking iptables -L)
I am unable to download files on the VPS, via wget or yum ...
Apr 4, 2008
When I click Start Firewall
I get this
iptables LKM ip_tables missing so this firewall cannot function unless you enable MONOLITHIC_KERNEL in /etc/csf/csf.conf
Error: aborted, at line 156
Oct 31, 2008
I find it hard to configure IP tables for firewall, can I find already made scripts anywhere?
Feb 13, 2015
I temporarily enabled and activated Plesk firewall module (which I wish I didn't the first time) and for some reason it seems to have overwritten the default iptables configuration that was set, leaving my ftp unable to be logged into. I tried to disable the firewall module and reboot the server. It didn't work.
I also noticed that it somehow seems to have changed my hostname to my previous server hostname as well.
Is there any way to completely revert back to original iptables settings before enabling the Firewall module?
Apr 9, 2014
I'm in the process of installing PPA on infrastructure running Parallels Cloud Server. Each container has 2 interfaces, one public facing and a private interface for inter-server communication.
No problems installing PPA 11.5 (specifying IP's on commandline) or adding service nodes however, the firewall rules the documentation speaks of are nowhere to be seen? i.e.:
Important: After the installation, PPA creates the special firewall chain PPA-SN-Rules-INPUT used for communication with service nodes. Do not change it, otherwise, you will not be able to add service nodes to PPA.
Has this been dropped from PPA 11.5 ? (I recall seeing the firewall settings in 11.1) There is also no sign of the ppa.firewall tool that is also mentioned.
The only rule I see inserted is for Postgres on the management node, and 2 for pleskd on all of the nodes (open to world!).
Jul 14, 2014
I know the command in ssh
/usr/local/psa/bin/domain -u domain.com -status enabled
/usr/local/psa/bin/domain -u domain.com -status disabled
but I want to know how I can obtain a complete list of all domains on the servers which indicates which domains are disabled or not?
May 29, 2008
I didn't want to say anything bad about this host, because the staff is very friendly, but people need to be warned in case they didn't get what they ordered either.
I ordered a server with a hotswappable RAID, and got the welcome letter a few days later. The welcome letter didn't have my root password or my IP address range. So, I emailed asking for that. Then I started wondering if they missed anything else, because neither the welcome letter nor their client area lists the server specs. So I asked if they gave me the correct hardware.
They said no, and will give me a monthly credit and the correct hardware for the inconvenience. It was a new server and wasn't a big deal to me.
But then I wondered if they did the same to the server I ordered like 40 days ago. So I asked and they said they messed up my hardware on that order too. That server is already up and running with sites on it.
The host is AxisHost. I know many people here recommend them, that's why I chose them, but this seems like it may be happening a lot with them.
Mar 25, 2007
Is there any way to avoid getting false name lookups when trying to resolve inexistent domains, apart from using another nameserver?
I'm sorry if it was posted earlier, tried searching but it didn't help as it gave me large results.
Code:
[root@removed ~]# ping hjkdji284kajgafhj87da778dfsd.com
PING hjkdji284kajgafhj87da778dfsd..com.insertdchere.com (xx.xxx.xxx.xx) 56(84) bytes of data.
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=0 ttl=61 time=1.00 ms
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=1 ttl=61 time=0.952 ms
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=2 ttl=61 time=1.34 ms
May 24, 2009
I am looking for webhosts providing free dedicated (not shared) SSL certificates along with a dedicated IP.
Currently I found only dotable.com and other companies in the UK2 group providing such a package. Is there any other good webhost providing free SSL certificates?
My budget is maximum $10 per month.
Only CPanel hosts are preferred and access to WHM would be a definite plus though not mandatory.
Aug 3, 2009
I have a chrooted ftp user that I use on my server. I would like to run a cron job using this user that backs up my mySQL databases. When I execute the job, it complains about date and mysqldump not existing. I was able to fix the date problem simply by copying it from the actual /bin to the chrooted /bin. However, I can't simply copy mysqldump because it depends on several libraries. Anybody know how I can give this chrooted user access to commands that aren't in his chroot?
Mar 21, 2014
I need to get working an apache2 in suse 11 as reverse proxy with a vendor's web page and it is not working. This is what happens:
1. I load the page through the reverse proxy and i can see: http://192.168.1.10/cgi-bin/design/html_template/login.html
2. Then i write user and password
3. I press the login button and i should see:
http://192.168.1.10/cgi-bin/design/html_template/login.cgi
http://192.168.1.10/cgi-bin/design/html_template/webviewer.cgi
but instead of that i see:
404 Not Found
The requested URL /error/HTTP_BAD_GATEWAY.html.var was not found on this server.
Jun 3, 2009
I've had this virtual server with Godaddy forever. I have about 52 websites on it. I was adding another and I walked through the registration process and forgot to click the save button. I then proceeded to the domain area of Godaddy to update the IP address. Now I can't add domains, delete dns settings, or update DNS settings without getting these kinds of messages:
Your URL: /dns/sync.do
Error details:
CommandFailedException: Unable to parse DNS configuration file
at c.g.t.f.systems.dns.LinuxDnsSubsystem.updateConfigFile:1165
at c.g.t.f.systems.dns.LinuxDnsSubsystem.synchronizeDomains:958
at c.g.t.w.actions.dns.ActionDnsSync.process:39
at c.g.t.w.actions.AbstractSpringAction.execute:118
...
at c.g.t.w.filters.AuthorizedResourceFilter.doFilter:38
...
at c.g.t.w.filters.RequestPopulationFilter.doFilter:117
...
Cause: SAXParseException: Premature end of file.
...
at c.g.t.f.systems.dns.LinuxDnsSubsystem.updateConfigFile:982
at c.g.t.f.systems.dns.LinuxDnsSubsystem.synchronizeDomains:958
at c.g.t.w.actions.dns.ActionDnsSync.process:39
at c.g.t.w.actions.AbstractSpringAction.execute:118
...
at c.g.t.w.filters.AuthorizedResourceFilter.doFilter:38
...
at c.g.t.w.filters.RequestPopulationFilter.doFilter:117
...
So! Godaddy has now had me upgrade my disk space by another 10gig, I've tunneled in with ssh and ran memhog to increase memory because they are suggesting that I'm too low on RAM and want me to purchase another server, I can't just upgrade. I've updated all the packages in my simple control panel.
I finally got an email from them after begging for help, because $75 an hour is just too much for me!
This is what I got:
Dear Sir/Madam,
Thank you for contacting Server Support.
If this issue started after the modifications to the DNS of a domain, then it is likely that the DNS file or configuration has become corrupted. You can attempt to manually update or recreate the DNS file via SSH. Unfortunately, we are unable to provide assistance with the configuration of the server or modification of files. While you do have a lot of domain names added to the server, a backup of the content and reprovision of the server will reset the server to the default settings. However, this will remove all content and require that you re-add all domains and content once again.
I have backed up all my sites and databases, but to start all over again is a horrific thought. I can't imagine the nightmare.
Jan 5, 2008
I execute the following commands, in the following order:
iptables --flush
iptables --zero
iptables -A INPUT -s 218.65.12.161 -j DROP
will that last command successfully ban that IP until reboot?
If not, what needs to be done? I can't access my site if I don't flush + zero iptables first but I need to be able to ban with iptables.
Dec 17, 2008
Do you recommend a software firewall when behind a hardware firewall?
All of our servers are behind Cisco ASA 5505 firewalls which we rent from Liquidweb. All are being managed correctly and set up to their optimal levels. With hardware firewalls firmly in place, do you still recommend a software firewall such as APF or IPTables (we're talking linux)? In our opinion we see it as an extra administration overhead. If this is however untrue, we will change our thinking.
Jun 13, 2008
I've found a dedicated server at a great price and plan to stick with it, my first ( already have 2 vps accounts ). I don't have the money for a hardware firewall. However, I do have a chance to renew a Kerio WinRoute Firewall license from way back.
Does anyone think this would be better than the default windows 2003 firewall?
Mar 9, 2008
I compiled apache 2.2 with php 4 (+ phpsuexec) last night. Seems all is well, only one domain facing an issue and the apache error log states this
Invalid mimetype: should contain a slash
I've never seen such an error to be honest. Any help appreciated.
This is a cpanel box with php 4, apache 2.2, phpsuexec
Aug 8, 2007
My server is fedora core 4
in whm :
Invalid Hostname. (This account is currently not available.). Hostnames must be
fully qualified domain names and not contain any spaces or tabs.
Dec 16, 2008
litespeed - Invalid Credentials
I always get an Invalid Credentials error when I try to log in to the admin panel.
Is there any way I can fix it, or how can I change the litespeed username/password via ssh?
May 14, 2008
[Wed May 14 18:15:17 2008] [error] [client 66.228.119.67]
Invalid URI in request entersomenicedatastringshereidontthinkthisislongenoughsoiwilladdmoreheherr669760763646r
Jul 22, 2008
In my logs:
[Tue Jul 22 01:01:35 2008] [error] [client x.x.x.x] Invalid URI in request GET . HTTP/1.0
(yes, that is it for this entry/line)
This showed up in logwatch as:
Requests with error response codes
400 Bad Request
.: 4 Time(s)
...what was this guy trying to do?
The offending IP was banned in APF last night. If his IP is still showing up in my logs, is he using a proxy?
After adding his ip to:
/etc/apf/deny_hosts.rules
I ran:
apf -r
View 2 Replies
View Related
Mar 24, 2008
.htaccess: Invalid command 'php_value', perhaps misspelled or defined by a module not included in the server configuration
Domain causing 500 error
Server is cpanel/centos on php 4.4.8 with mod suphp, apache 2.2
.htaccess file shows
php_value allow_url_fopen 0
[PHP Modules]
bcmath
calendar
ctype
curl
domxml
eAccelerator
exif
ftp
gd
imap
ionCube Loader
mbstring
mcrypt
mhash
mysql
openssl
overload
pcre
pdf
pgsql
posix
pspell
session
sockets
standard
tokenizer
xml
xmlrpc
Zend Optimizer
zlib
[Zend Modules]
Zend Extension Manager
Zend Optimizer
the ionCube PHP Loader
Apr 1, 2008
I am getting an error when I try to send mail out to external email addresses like gmail, hotmail, msn, yahoo
The error says 550 invalid recipent : user@domain.com
so to make sure that the mail server is working I tried sending mail to a local address
which is local@nameoftheserver.com. It works, but when I try to send mail to an external address I get the error listed above.
so I added my email sales@domainname.com to gmail to test whether the mail server is working correctly. From gmail I can both send email from sales@domainname.com and receive, but when I try that from my server it does not work
my server is offshore and i am using enom mail server to send email?