How to Enable CSF on OpenVZ Container


On the node server (the OpenVZ hardware node), add the required netfilter modules to IPTABLES_MODULES in /etc/sysconfig/iptables-config:

IPTABLES_MODULES="ip_conntrack_netbios_ns ipt_conntrack ipt_LOG ipt_owner ipt_state ip_conntrack_ftp iptable_nat ip_nat_ftp ip_tables ipt_multiport iptable_filter ipt_limit"

then restart the iptables service so the modules get loaded:

service iptables restart

Then set IPTABLES in /etc/vz/vz.conf, which lists the iptables modules OpenVZ makes available inside the containers:

IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ip_tables ipt_conntrack ip_conntrack_ftp ipt_LOG ipt_owner"

then restart OpenVZ so the containers pick up the new list (note that this stops and restarts every container on the node):

/etc/init.d/vz restart
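The usual way to find out whether the two settings above are complete is to run csftest.pl inside the container and compare its FAILED lines with the IPTABLES list in vz.conf. The script below is an added example written for this page, not code from the post or from csf/OpenVZ: it parses a csftest.pl report, matches each failed test against the IPTABLES= line, and tells apart a module that is simply not listed for the container from one that is listed but still fails (which points at the hardware node side, where the module has to be loaded with modprobe). The sample report and vz.conf excerpt are constructed for the demo, the real csftest.pl prints three dots where this page shows an ellipsis character, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a csftest.pl report
# against the IPTABLES= line of /etc/vz/vz.conf. Both inputs are read from
# files; the sample report and config written below are constructed for this
# demo, not captured from a real host. Only POSIX sh, sed and tr are used, and
# nothing here runs iptables or modprobe.

# csf_failed_tests REPORT
#   Print the test names csftest.pl reported as FAILED, one per line, e.g.
#   "ipt_multiport/xt_multiport". A slash separates alternatives: the test
#   passes if either the legacy ipt_* or the newer xt_* module is usable.
csf_failed_tests() {
    sed -n 's|^Testing \([A-Za-z0-9_/]*\).*FAILED.*|\1|p' "$1"
}

# csf_fatal_tests REPORT
#   Same, restricted to the tests csf marks "[FATAL ...]"; these alone are
#   enough to stop csf from starting.
csf_fatal_tests() {
    sed -n 's|^Testing \([A-Za-z0-9_/]*\).*FAILED \[FATAL.*|\1|p' "$1"
}

# vz_iptables_modules VZCONF
#   Print the module names from the IPTABLES="..." line, one per line.
vz_iptables_modules() {
    sed -n 's/^IPTABLES="\(.*\)"[[:space:]]*$/\1/p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# check_vz_conf REPORT VZCONF
#   For each failed test print one line:
#     <test> missing             no alternative is in the IPTABLES list
#     <test> listed-but-failing  an alternative is listed, so the module is
#                                probably not loaded on the hardware node
check_vz_conf() {
    listed=" $(vz_iptables_modules "$2" | tr '\n' ' ') "
    for t in $(csf_failed_tests "$1"); do
        state=missing
        for alt in $(printf '%s\n' "$t" | tr '/' ' '); do
            case "$listed" in *" $alt "*) state=listed-but-failing ;; esac
        done
        echo "$t $state"
    done
}

# suggest_iptables_line REPORT VZCONF
#   Print an IPTABLES= line with every alternative of each missing test
#   appended to the current list.
suggest_iptables_line() {
    current=$(vz_iptables_modules "$2" | tr '\n' ' ')
    extra=$(check_vz_conf "$1" "$2" | sed -n 's|^\([^ ]*\) missing$|\1|p' \
            | tr '/' ' ' | tr '\n' ' ')
    printf 'IPTABLES="%s"\n' "$(printf '%s\n' "$current $extra" | tr -s ' ' | sed 's/^ //; s/ $//')"
}

# Constructed sample inputs, modelled on the csftest.pl output quoted in the
# comment thread (real csftest prints "..." where the page shows an ellipsis).
DEMO_DIR=$(mktemp -d)
REPORT="$DEMO_DIR/csftest.out"
VZCONF="$DEMO_DIR/vz.conf"
cat > "$REPORT" <<'EOF'
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...FAILED [FATAL Error: iptables: No chain/target/match by that name.] - Required for csf to function
Testing ipt_multiport/xt_multiport...FAILED [FATAL Error: iptables: No chain/target/match by that name.] - Required for csf to function
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...FAILED [FATAL Error: iptables: No chain/target/match by that name.] - Required for csf to function
Testing ipt_recent...FAILED [Error: iptables: No chain/target/match by that name.] - Required for PORTFLOOD and PORTKNOCKING features
Testing xt_connlimit...FAILED [Error: iptables: No chain/target/match by that name.] - Required for CONNLIMIT feature
Testing iptable_nat/ipt_REDIRECT...OK
RESULT: csf will not function on this server due to FATAL errors from missing modules [3]
EOF
cat > "$VZCONF" <<'EOF'
## constructed excerpt of /etc/vz/vz.conf
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_state iptable_nat ip_tables"
EOF

echo "== failing tests vs. $VZCONF =="
check_vz_conf "$REPORT" "$VZCONF"
echo "== suggested IPTABLES line (then modprobe the same names on the node and restart vz) =="
suggest_iptables_line "$REPORT" "$VZCONF"
```

On a real host you would save the csftest.pl output from inside the container to a file and point the two functions at it and at /etc/vz/vz.conf. A test reported as "listed-but-failing" is the case several commenters hit: the name is in vz.conf, but the module is not loaded on the node, so it is the node's modprobe (or IPTABLES_MODULES) side that needs fixing rather than the container config.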

This entry was posted in Linux.

14 Responses to How to Enable CSF on OpenVZ Container

  1. endang says:

    I was looking for something like this and finally found it; my OpenVZ container works with CSF.

  2. Pingback: Csf installatie probleem

  3. Benjamin says:

    It worked on my Proxmox 2.3 server. My cPanel VZ is fully working with csf.

    • Junaid says:

      Hello Dear,
      I am using OpenVZ but the CSF firewall is not working; when I test iptables in the CSF firewall it gives me this error.
      Please tell me what I should do now?

      Testing iptables…

      Testing ip_tables/iptable_filter…OK
      Testing ipt_LOG…FAILED [FATAL Error: iptables: No chain/target/match by that name.] – Required for csf to function
      Testing ipt_multiport/xt_multiport…FAILED [FATAL Error: iptables: No chain/target/match by that name.] – Required for csf to function
      Testing ipt_REJECT…OK
      Testing ipt_state/xt_state…FAILED [FATAL Error: iptables: No chain/target/match by that name.] – Required for csf to function
      Testing ipt_limit/xt_limit…FAILED [FATAL Error: iptables: No chain/target/match by that name.] – Required for csf to function
      Testing ipt_recent…FAILED [Error: iptables: No chain/target/match by that name.] – Required for PORTFLOOD and PORTKNOCKING features
      Testing xt_connlimit…FAILED [Error: iptables: No chain/target/match by that name.] – Required for CONNLIMIT feature
      Testing ipt_owner/xt_owner…FAILED [Error: iptables: No chain/target/match by that name.] – Required for SMTP_BLOCK and UID/GID blocking features
      Testing iptable_nat/ipt_REDIRECT…OK
      Testing iptable_nat/ipt_DNAT…OK

      RESULT: csf will not function on this server due to FATAL errors from missing modules [4]

      Thanks

      Regards
      M Junaid
      Email : dhjunaid@hotmail.com
      Skype id : junaid_ashraf_2010

      I am waiting for your answer.

      • piyecarane says:

        Have you tried loading the iptables modules on the hardware node side via modprobe?
        My current config now is:
        IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_TOS ipt_LOG ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp ipt_owner ipt_recent xt_connlimit ipt_owner xt_owner ipt_REDIRECT"

        Sorry, this post may be outdated; I now use Virtuozzo (I have no OpenVZ anymore), so I don't know whether it works with OpenVZ or not 😦

      • Benjamin says:

        Hello Junaid,

        Try to put the

        IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"

        line in your vz conf, here: /etc/vz/vz.conf, and maybe in the container conf (100.conf).
        Then restart: /etc/init.d/vz restart

        I don’t remember well, this wasn’t today.

  4. Mohammad says:

    Not working!

  5. Junaid says:

    CSF is not working.

    Testing iptables…

    Testing ip_tables/iptable_filter…OK
    Testing ipt_LOG…OK
    Testing ipt_multiport/xt_multiport…OK
    Testing ipt_REJECT…OK
    Testing ipt_state/xt_state…FAILED [FATAL Error: iptables: No chain/target/match by that name.] – Required for csf to function
    Testing ipt_limit/xt_limit…OK
    Testing ipt_recent…OK
    Testing xt_connlimit…FAILED [Error: iptables: No chain/target/match by that name.] – Required for CONNLIMIT feature
    Testing ipt_owner/xt_owner…OK
    Testing iptable_nat/ipt_REDIRECT…FAILED [Error: FATAL: Module ip_tables not found.] – Required for MESSENGER feature
    Testing iptable_nat/ipt_DNAT…FAILED [Error: FATAL: Module ip_tables not found.] – Required for csf.redirect feature

    RESULT: csf will not function on this server due to FATAL errors from missing modules [1]
    …Done.

    You should restart csf after having run this test.

    I am waiting for an answer.

    thanks
    Regards
    Junaid

    • piyecarane says:

      Try this setting:
      IPTABLES="ip_tables ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_TOS ipt_LOG ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp ipt_owner ipt_recent xt_connlimit ipt_owner xt_owner ipt_REDIRECT"

      • Junaid says:

        No, the same issue is coming; I have edited this in vz.conf:
        IPTABLES="ip_tables ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_TOS ipt_LOG ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp ipt_owner ipt_recent xt_connlimit ipt_owner xt_owner ipt_REDIRECT"

        I am using OpenVZ and I created VPSes; on all VPSes iptables is missing.
        When I run modprobe ip_tables on the main dedicated server it's OK, but when I run this command on any OpenVZ VPS the error is coming for every iptables module:
        FATAL: Module ip_tables not found.

        Give me an idea of how I can fix this issue.

      • Junaid says:

        No, the issue is not resolving. Any other way?

  6. Phil says:

    I am having the same problem:

    root@xxxx[~]# perl /usr/local/csf/bin/csftest.pl
    Testing ip_tables/iptable_filter…OK
    Testing ipt_LOG…FAILED [FATAL Error: iptables: No chain/target/match by that name.] – Required for csf to function
    Testing ipt_multiport/xt_multiport…FAILED [FATAL Error: iptables: No chain/target/match by that name.] – Required for csf to function
    Testing ipt_REJECT…OK
    Testing ipt_state/xt_state…FAILED [FATAL Error: iptables: No chain/target/match by that name.] – Required for csf to function
    Testing ipt_limit/xt_limit…FAILED [FATAL Error: iptables: No chain/target/match by that name.] – Required for csf to function
    Testing ipt_recent…FAILED [Error: iptables: No chain/target/match by that name.] – Required for PORTFLOOD and PORTKNOCKING features
    Testing xt_connlimit…FAILED [Error: iptables: No chain/target/match by that name.] – Required for CONNLIMIT feature
    Testing ipt_owner/xt_owner…FAILED [Error: iptables: No chain/target/match by that name.] – Required for SMTP_BLOCK and UID/GID blocking features
    Testing iptable_nat/ipt_REDIRECT…FAILED [Error: iptables: No chain/target/match by that name.] – Required for MESSENGER feature
    Testing iptable_nat/ipt_DNAT…OK

    RESULT: csf will not function on this server due to FATAL errors from missing modules [4]

  7. Junaid says:

    I am facing this issue. Please read this and tell me the solution; I have this same issue.
    http://forum.configserver.com/viewtopic.php?f=6&t=7589

  8. piyecarane says:

    Hi,
    I'm not using OpenVZ anymore and am using Parallels Cloud Server instead. I just realized that in the latest update, loading ipt modules via the /etc/vz/vz.conf configuration is deprecated.
    It said:
    ## WARNING: The IPTABLES parameter is deprecated. Please use the per-Container --netfilter parameter instead.

    I found a very simple solution. Put all the required modules in /etc/rc.modules:
    /sbin/modprobe tun
    /sbin/modprobe fuse
    /sbin/modprobe ip_tables
    /sbin/modprobe ipt_state
    /sbin/modprobe ipt_multiport
    /sbin/modprobe iptable_filter
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_REJECT
    /sbin/modprobe ipt_ACCEPT
    /sbin/modprobe ipt_REDIRECT
    /sbin/modprobe ipt_conntrack
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ipt_owner
    /sbin/modprobe ipt_recent
    /sbin/modprobe ipt_tos
    /sbin/modprobe iptable_mangle
    /sbin/modprobe iptable_nat
    /sbin/modprobe ipt_TCPMSS
    /sbin/modprobe ipt_tcpmss
    /sbin/modprobe ipt_ttl
    /sbin/modprobe ipt_length
    /sbin/modprobe ipt_iprange
    /sbin/modprobe ipt_MASQUERADE
    /sbin/modprobe xt_state
    /sbin/modprobe xt_connlimit
    /sbin/modprobe ipt_DNAT
