CSF doesn't ban the IP, and if it is done manually I get the following error.
csf -d 22.214.171.124
Adding 126.96.36.199 to csf.deny and iptables DROP...
iptables: Index of insertion too big
DROP all opt -- in !lo out * 188.8.131.52 -> 0.0.0.0/0
Error: iptables command [/sbin/iptables -v -I INPUT 2 -i ! lo -s 184.108.40.206 -j DROP] failed, at line 864
Also, iptables is not running on the server.
If the status is checked it says it's stopped.
I have many sites on my server; I don't want to get any downtime.
Please let us know how we can fix this issue as soon as possible.
I have tried reinstalling CSF but the issue still remains the same.
220.127.116.11 still has 301 connections, any idea?
Basically, I use ddos-deflate to block DDoS attacks. I already set the max connections to 25. But it seems not to be working. All the connections over 25 have not been blocked. Did I miss something? I mean after I issue
Connection state ESTABLISHED,RELATED is not working in my iptables...?
Accept if input interface is lo
Accept if state of connection is ESTABLISHED,RELATED
Drop if protocol is ICMP
Accept if protocol is TCP and destination port is 80
Accept if protocol is TCP and destination port is 99
Accept if protocol is TCP and destination port is 25
Accept if protocol is TCP and destination port is 110
Accept if protocol is TCP and destination port is 10000
Accept if protocol is TCP and destination port is 21
Accept if protocol is TCP and destination port is 30000:30500
Accept if protocol is UDP and destination port is 53
Accept if protocol is UDP and source port is 53
Accept if protocol is TCP and destination port is 445
Accept if protocol is TCP and destination port is 2390
This is in my incoming packet rules..
Outgoing packets are all accepted..
So if I make a connection from the server, the input rules should accept them because it is an established and related connection.. But it won't work.. any ideas about it..? My VPS is running on CentOS 5.2 Final..
I temporarily enabled and activated Plesk firewall module (which I wish I didn't the first time) and for some reason it seems to have overwritten the default iptables configuration that was set, leaving my ftp unable to be logged into. I tried to disable the firewall module and reboot the server. It didn't work.
I also noticed that it somehow seems to have changed my hostname to my previous server hostname as well.
Is there any way to completely revert back to original iptables settings before enabling the Firewall module?
I am experiencing a strange problem with iptables: after I activate them, they are gone in a few minutes. For example, I drop traffic from an IP and after a few seconds, all rules are flushed without touching anything!
Do you find iptables enough or do you use a hardware firewall for Linux? I haven't used anything less than hardware firewalls for years but I gather that most simply rely on iptables. Is that a smart choice?
# iptables -D INPUT -s 18.104.22.168 -j DROP
iptables v1.3.8: Couldn't load target `standard':/usr/local/lib/iptables/libipt_standard.so: cannot open shared object file: No such file or directory
What is going on? The libipt_standard.so file is located in /lib/iptables, but not /usr/local/lib/iptables. I tried moving all of the libipt files into the /usr/local/lib/iptables directory, but I got segmentation errors.
[root@localhost ~]# service iptables status
Firewall is stopped.
[root@localhost ~]# service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: ^[[A [ OK ]
[root@localhost ~]# service iptables status
Firewall is stopped.
It said iptables is stopped... even when I start it manually...
I am not sure APF is running correctly because of iptables..
I keep trying to flush my iptables on my Linux server, but every time I try to do so my server seems to freeze (I lose access and have to reboot it for it to come back online). How can I go about deleting those IPs manually rather than executing the flush command? What options do I have?
root@xxxx[~]# service iptables status
Firewall is stopped.
root@xxxx[~]# service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
root@xxxx[~]# service iptables status
Firewall is stopped.
I created a template for Xen (HyperVM) from the jailtime site. Now I installed iptables, but iptables does not work, and when I enter "service iptables restart", iptables does not start. (I check it with "service iptables status".)
I used a script to block some unwanted countries from accessing my site. In total I had about 3000 lines with IP ranges. Now I just went ahead and put this on one of the servers, one that I really don't need the traffic on. But I am wondering what kind of effect this may have on the speeds. Will it really affect it more than a few ms? And is there anything else I should maybe worry about? Except maybe the loading time at reboots.
I upgraded to the 2.6.27 kernel and iptables to 1.4.2 but can't seem to get CSF to run, and I believe it's because of conntrack not being found:
Code:
error: "net.netfilter.nf_conntrack_icmp_timeout" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_close" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_last_ack" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_established" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_syn_recv" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_syn_sent" is an unknown key
error: "net.netfilter.nf_conntrack_udp_timeout" is an unknown key
error: "net.netfilter.nf_conntrack_udp_timeout_stream" is an unknown key
net.netfilter.nf_conntrack_max = 262144
kernel config:
Code:
#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
# CONFIG_NF_CONNTRACK_SECMARK is not set
# CONFIG_NF_CONNTRACK_EVENTS is not set
CONFIG_NF_CT_PROTO_DCCP=m
CONFIG_NF_CT_PROTO_SCTP=m
# CONFIG_NF_CT_PROTO_UDPLITE is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=m
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
# CONFIG_NF_CT_NETLINK is not set
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
# CONFIG_NETFILTER_XT_TARGET_DSCP is not set
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
# CONFIG_NETFILTER_XT_TARGET_NFLOG is not set
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
# CONFIG_NETFILTER_XT_TARGET_TRACE is not set
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
# CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set
# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m....