
Failed to start IPv4 firewall with iptables


I'm running a CentOS 8 web server and recently I had some issues with the CSF firewall: the CSF service is running but LFD has failed.

I did some research and I was able to fix it by doing iptables --flush (I'm not sure it was the problem however!).

Yet, it seems that there is a problem with iptables service, when I start it I get this error:

iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2021-06-22 23:46:44 EET; 13min ago
  Process: 11362 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=1/FAILURE)
 Main PID: 11362 (code=exited, status=1/FAILURE)

Jun 22 23:46:44 server.ahmedsuror.com systemd[1]: Starting IPv4 firewall with iptables...
Jun 22 23:46:44 server.ahmedsuror.com iptables.init[11362]: iptables: Applying firewall rules: iptables-restore v1.8.4 (nf_tables): Chain 'INVDROP' does not exist
Jun 22 23:46:44 server.ahmedsuror.com iptables.init[11362]: Error occurred at line: 5
Jun 22 23:46:44 server.ahmedsuror.com iptables.init[11362]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun 22 23:46:44 server.ahmedsuror.com iptables.init[11362]: [FAILED]
Jun 22 23:46:44 server.ahmedsuror.com systemd[1]: iptables.service: Main process exited, code=exited, status=1/FAILURE
Jun 22 23:46:44 server.ahmedsuror.com systemd[1]: iptables.service: Failed with result 'exit-code'.
Jun 22 23:46:44 server.ahmedsuror.com systemd[1]: Failed to start IPv4 firewall with iptables.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

I've reviewed the /etc/sysconfig/iptables file and it seems that the INVDROP chain is the problem, but after a long search I found that this chain is created and managed by CSF.

What is the problem, and if the CSF and LFD are working correctly should I bother?

Also, I've tested iptables using the Perl script at /etc/csf/csftest.pl and all tests are OK:

[root@server csf]# perl csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Any help is greatly appreciated...
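The failure in the journal above is iptables-restore hitting a -j target (INVDROP) that no ":CHAIN" line in the same table declares. The script below is an added example, not code from the thread or from csf: it scans a file in iptables-save format for exactly that kind of undeclared jump target, using a constructed sample that reproduces the error.

```shell
#!/bin/sh
# Added example (not from the thread): find jump targets in an iptables-save
# style file that no ":CHAIN" line in the same table declares, which is why
# iptables-restore rejected /etc/sysconfig/iptables above with
# "Chain 'INVDROP' does not exist".

# Constructed sample: the filter table jumps to INVDROP (a chain csf creates
# at run time) but never declares it.
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROPIN - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j INVDROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOGDROPIN
COMMIT
'

# check_chains FILE: print "table chain" for each -j/-g target that is neither
# a common built-in target nor declared in that table; exit 1 if any were found.
check_chains() {
    awk '
    /^\*/     { table = substr($0, 2); next }                # "*filter" starts a table
    /^:/      { declared[table, substr($1, 2)] = 1; next }   # ":NAME policy [p:b]"
    /^COMMIT/ { next }
    /^-[AI] / {
        for (i = 1; i < NF; i++)
            if ($i == "-j" || $i == "-g") used[table, $(i + 1)] = 1
    }
    END {
        n = split("ACCEPT DROP REJECT RETURN LOG MARK MASQUERADE DNAT SNAT REDIRECT", b, " ")
        for (k = 1; k <= n; k++) builtin[b[k]] = 1
        for (key in used) {
            split(key, p, SUBSEP)
            if (!(p[2] in builtin) && !((p[1], p[2]) in declared)) { print p[1], p[2]; bad = 1 }
        }
        exit (bad ? 1 : 0)
    }' "$1"
}

tmp=$(mktemp)
printf '%s' "$SAMPLE" > "$tmp"
if check_chains "$tmp"; then
    echo "all referenced chains are declared"
else
    echo "undeclared chain(s) listed above: iptables-restore would fail on this file"
fi
rm -f "$tmp"
```

On a real host the authoritative check is `iptables-restore --test < /etc/sysconfig/iptables`, which parses the file without applying it; this script only explains which chain the ruleset depends on something else (here csf) having created first.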

A.B
Not helping the question, just a rant, but anyway, it looks like this rules generator generates a lot of unneeded rules. The --ctstate INVALID already checks for invalid TCP combos: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/netfilter/nf_conntrack_proto_tcp.c?h=v4.18#n729 . It rejects 23 out of 32 combos of FIN|SYN|RST|ACK|URG. I don't see 23 INVDROP rules here (and the ctstate NEW one has a special switch: `sysctl net.netfilter.nf_conntrack_tcp_loose`)
Ahmed Suror
`I don't see 23 INVDROP rules here` The file is truncated due to the pastebin.com limit of 512 KB for free users, and yes, there are many INVDROP rules throughout the file, maybe 23; I didn't count!
A.B
Looks like the file is missing important parts... conntrack shouldn't be seen in the raw table. So a mangle or filter section is missing.
Ahmed Suror
The file wasn't edited manually; it may have been edited by CSF when I rebooted. Also I ran `iptables-save` and it gives the same result, with a warning that says: "# Warning: iptables-legacy tables present, use iptables-legacy-save to see them"
Ahmed Suror
Also the saved file is somewhat different (not totally); look at the filter: https://pastebin.com/dJGsF0KG
Ahmed Suror
`but no line starting with :INVDROP` there are lines starting with it in the filter
A.B
I'd think you shouldn't use the iptables service at all and let csf handle things. But you'd better wait for somebody who knows about csf; I don't.
Ahmed Suror
I agree, it seems that CSF is handling this and the proof is that the iptables test was successful; it also seems that CSF is using `nft netfilter`, which replaces the old `iptables`. Anyway, I really appreciate your help, thanks very much.
Michael Hampton
Are you trying to use csf/lfd or the old-style system iptables scripts? These are not compatible and cannot be run simultaneously.
Ahmed Suror
@MichaelHampton I'm using **CSF/LFD**, but iptables should start normally anyway. I'm wondering how you can say: " `These are not compatible and cannot be run simultaneously` "! I know that CSF or FirewallD are somewhat like GUI tools used to deal with iptables... I've solved the problem by making the iptables file empty; however, I'm not sure it is the best solution.