If the csf compatibility test

perl /etc/csf/csftest.pl

is returning errors like:

Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…FAILED – Required for csf to function
Testing ipt_multiport/xt_multiport…FAILED [FATAL Error: iptables: Unknown error ] – Required for csf to function
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…FAILED [FATAL Error: iptables: Unknown error ] – Required for csf to function
Testing ipt_limit/xt_limit…FAILED [FATAL Error: iptables: Unknown error ] – Required for csf to function
Testing ipt_recent…FAILED [Error: iptables: Unknown error ] – Required for PORTFLOOD and PORTKNOCKING features
Testing xt_connlimit…FAILED [Error: iptables: Unknown error ] – Required for CONNLIMIT feature
Testing ipt_owner/xt_owner…FAILED [Error: iptables: Unknown error ] – Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT…FAILED [Error: iptables v1.3.5: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)] – Required for MESSENGER feature
Testing iptable_nat/ipt_DNAT…FAILED [Error: iptables v1.3.5: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)] – Required for csf.redirect feature

This means that your virtual machine does not have access to the kernel modules needed by csf. In order to find the cause and fix this issue we need to:

1. Access the main server (node) and check if the needed modules are loaded by entering the following command:

lsmod |grep -i ipt_LOG

To check the other kernel modules named in the errors, replace ipt_LOG in the command above with each module name in turn. If the command prints the name of the kernel module, the module is loaded and you can skip right to step 3. If the command does not list the kernel module, proceed to step 2.

2. Activate the missing kernel modules by entering a specific command. Below you will find a full list with the needed commands:

modprobe ipt_helper

modprobe ipt_REDIRECT

modprobe ipt_TCPMSS

modprobe ipt_LOG

modprobe ipt_TOS

modprobe iptable_nat

modprobe ipt_MASQUERADE

modprobe ipt_multiport

modprobe xt_multiport

modprobe ipt_state

modprobe xt_state

modprobe ipt_limit

modprobe xt_limit

modprobe ipt_recent

modprobe xt_connlimit

modprobe ipt_owner

modprobe xt_owner

modprobe iptable_nat

modprobe ipt_DNAT

modprobe iptable_nat

modprobe ipt_REDIRECT

modprobe ipt_length

modprobe ipt_tcpmss

modprobe iptable_mangle

modprobe ipt_tos

modprobe iptable_filter

modprobe ipt_helper

modprobe ipt_tos

modprobe ipt_ttl

modprobe ipt_SAME

modprobe ipt_REJECT

modprobe ipt_helper

modprobe ipt_owner

modprobe ip_tables

Or just one command to rule them all 😉 (the -a flag is required: without it, modprobe loads only the first name and passes the remaining names to it as module parameters)

root@server# modprobe -a iptables_module ipt_helper ipt_REDIRECT ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_MASQUERADE ipt_multiport xt_multiport ipt_state xt_state ipt_limit xt_limit ipt_recent xt_connlimit ipt_owner xt_owner iptable_nat ipt_DNAT iptable_nat ipt_REDIRECT ipt_length ipt_tcpmss iptable_mangle ipt_tos iptable_filter ipt_helper ipt_tos ipt_ttl ipt_SAME ipt_REJECT ipt_helper ipt_owner ip_tables

3. Enable the IPTables kernel modules for OpenVZ containers:

On the main server (node) edit the following file:

vi /etc/vz/vz.conf

Here, search for the line that starts with IPTABLES and comment it out. Below it, add the following line:

IPTABLES="ipt_REDIRECT ipt_owner ipt_recent iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc"

And restart the VPS container:

# vzctl restart 121

Here, replace 121 with your container’s CTID.

After the virtual machine reboots, run the csf compatibility test again and it should return:

root@server [/]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK

RESULT: csf should function on this server
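
The check from step 1, automated for every module behind a FAILED test line. This is an added example, not part of csf or of the original post; the function names, the sample data and the csftest-output.txt file name are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of csf: find which modules behind the FAILED tests
# are not loaded on the node. Function names and sample data are constructed.

# stdin: csftest.pl output. stdout: one module name per FAILED test line;
# a pair such as ipt_state/xt_state yields both names.
failed_modules() {
    sed -n 's|^Testing \([A-Za-z0-9_/]*\).*FAILED.*|\1|p' | tr '/' '\n' | LC_ALL=C sort -u
}

# stdin: module names. $1: lsmod-format listing (default /proc/modules).
# stdout: the names that do not appear in the first column of the listing.
missing_modules() {
    loaded=${1:-/proc/modules}
    while read -r mod; do
        [ -n "$mod" ] || continue
        awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$loaded" \
            || printf '%s\n' "$mod"
    done
}

# Constructed sample, shortened from the failing output shown in this post.
sample_csftest() {
    cat <<'EOF'
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...FAILED - Required for csf to function
Testing ipt_state/xt_state...FAILED [FATAL Error: iptables: Unknown error ] - Required for csf to function
Testing ipt_REJECT...OK
Testing xt_connlimit...FAILED [Error: iptables: Unknown error ] - Required for CONNLIMIT feature
EOF
}

# Constructed lsmod listing for a node where only some modules are loaded.
sample_lsmod() {
    cat <<'EOF'
Module                  Size  Used by
ipt_LOG                10177  0
iptable_filter          6721  1
ip_tables              22241  1 iptable_filter
EOF
}

# On the node, with the container's test output saved to a file (name assumed):
#   failed_modules < csftest-output.txt | missing_modules
sample_csftest | failed_modules
```

Every name the pipeline prints is a candidate for modprobe in step 2; an empty result means the modules are loaded on the node and only the vz.conf change in step 3 remains.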

