If the csf compatibility test
perl /etc/csf/csftest.pl
returns errors like:
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…FAILED – Required for csf to function
Testing ipt_multiport/xt_multiport…FAILED [FATAL Error: iptables: Unknown error ] – Required for csf to function
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…FAILED [FATAL Error: iptables: Unknown error ] – Required for csf to function
Testing ipt_limit/xt_limit…FAILED [FATAL Error: iptables: Unknown error ] – Required for csf to function
Testing ipt_recent…FAILED [Error: iptables: Unknown error ] – Required for PORTFLOOD and PORTKNOCKING features
Testing xt_connlimit…FAILED [Error: iptables: Unknown error ] – Required for CONNLIMIT feature
Testing ipt_owner/xt_owner…FAILED [Error: iptables: Unknown error ] – Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT…FAILED [Error: iptables v1.3.5: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)] – Required for MESSENGER feature
Testing iptable_nat/ipt_DNAT…FAILED [Error: iptables v1.3.5: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)] – Required for csf.redirect feature
This means that your virtual machine does not have access to the kernel modules needed by csf. In order to find the cause and fix this issue we need to:
1. Access the main server (node) and check if the needed modules are loaded by entering the following command:
lsmod |grep -i ipt_LOG
To check all the kernel modules named in the error, replace ipt_LOG in the command above with each of the other kernel modules returned by the error. If the command displays the name of the kernel module, then the module is loaded and you can skip right to step 3. If the command does not list the kernel module, then proceed to step 2.
2. Activate the missing kernel modules by entering a specific command. Below you will find a full list with the needed commands:
modprobe ipt_helper
modprobe ipt_REDIRECT
modprobe ipt_TCPMSS
modprobe ipt_LOG
modprobe ipt_TOS
modprobe iptable_nat
modprobe ipt_MASQUERADE
modprobe ipt_multiport
modprobe xt_multiport
modprobe ipt_state
modprobe xt_state
modprobe ipt_limit
modprobe xt_limit
modprobe ipt_recent
modprobe xt_connlimit
modprobe ipt_owner
modprobe xt_owner
modprobe iptable_nat
modprobe ipt_DNAT
modprobe iptable_nat
modprobe ipt_REDIRECT
modprobe ipt_length
modprobe ipt_tcpmss
modprobe iptable_mangle
modprobe ipt_tos
modprobe iptable_filter
modprobe ipt_helper
modprobe ipt_tos
modprobe ipt_ttl
modprobe ipt_SAME
modprobe ipt_REJECT
modprobe ipt_helper
modprobe ipt_owner
modprobe ip_tables
Or just one command to rule them all 😉 (the -a option makes modprobe treat every argument as a module name instead of as parameters for the first module):
root@server# modprobe -a ipt_helper ipt_REDIRECT ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_MASQUERADE ipt_multiport xt_multiport ipt_state xt_state ipt_limit xt_limit ipt_recent xt_connlimit ipt_owner xt_owner iptable_nat ipt_DNAT iptable_nat ipt_REDIRECT ipt_length ipt_tcpmss iptable_mangle ipt_tos iptable_filter ipt_helper ipt_tos ipt_ttl ipt_SAME ipt_REJECT ipt_helper ipt_owner ip_tables
3. Enable the IPTables kernel modules for OpenVZ containers:
On the main server (node) edit the following file:
vi /etc/vz/vz.conf
Here, search for a line that starts with IPTABLES and comment it out. Below it, add the following line:
IPTABLES="ipt_REDIRECT ipt_owner ipt_recent iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc"
Then restart the VPS container:
# vzctl restart 121
Here, 121 must be replaced with your container's CTID.
After the virtual machine reboots, run the csf compatibility test again and it should return:
root@server [/]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK
RESULT: csf should function on this server
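To tie steps 1 and 2 to the test output, the following added example (not part of the original post or of csf) extracts the module names from the FAILED lines and reports which of them the node's lsmod does not list. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: sample inputs are constructed, not captured from a real node.

# Read csftest.pl output on stdin; print each module named on a FAILED line,
# one per line ("ipt_state/xt_state" yields both names).
failed_modules() {
    grep '^Testing .*FAILED' |
        sed -e 's/^Testing //' -e 's/FAILED.*$//' -e 's/\.*$//' -e 's/…$//' |
        tr '/' '\n' | LC_ALL=C sort -u
}

# Read module names on stdin; print those absent from the lsmod output given
# as $1 (exact match on the first column, so ipt_LOG does not match ipt_LOG2).
missing_on_node() {
    while read -r mod; do
        printf '%s\n' "$1" |
            awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' ||
            printf '%s\n' "$mod"
    done
}

# Constructed csftest.pl output, as seen inside the container.
CSFTEST_SAMPLE='Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...FAILED - Required for csf to function
Testing ipt_multiport/xt_multiport...FAILED [FATAL Error: iptables: Unknown error ] - Required for csf to function
Testing ipt_REJECT...OK'

# Constructed lsmod output, as seen on the node.
LSMOD_SAMPLE='Module                  Size  Used by
xt_multiport            2700  0
ipt_REJECT              2351  0
iptable_filter          2793  0
ip_tables              17831  1 iptable_filter'

# Demo on the constructed samples. On a real system, feed the container's
# csftest.pl output on stdin and pass "$(lsmod)" from the node instead.
printf '%s\n' "$CSFTEST_SAMPLE" | failed_modules |
    missing_on_node "$LSMOD_SAMPLE" |
    while read -r mod; do echo "not loaded on node: modprobe $mod"; done
```

Modules that the test reports as FAILED but that are already loaded on the node point to step 3, the IPTABLES line in /etc/vz/vz.conf, rather than to step 2.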
Hi. What was the host node’s OS in this case?
thanks
Hi Andy,
In this case the host node’s OS was CentOS w/ OVZ kernel.
vzctl 121 restart – is this a standard command to all the users?