Iptables problems on VPSes

You might have come across issues with csf on VPSes; the usual cause is that the container does not have the iptables kernel modules csf needs.

CSF requires at least these iptables modules to work properly:    
ip_tables 
ipt_state 
ipt_multiport 
iptable_filter 
ipt_limit 
ipt_LOG 
ipt_REJECT 
ipt_conntrack 
ip_conntrack 
ip_conntrack_ftp 
iptable_mangle

Other modules for additional functionality:  
ipt_owner 
ipt_recent 
iptable_nat 
ipt_REDIRECT 

You can check whether the hosting environment provides them by running csf's own test script:

/etc/csf/csftest.pl

This should run without any FATAL errors. If it reports one, note which module failed and check whether that module is loaded on the node (the host), using the lsmod command.

Eg:
# lsmod | grep ipt_limit 

If any of the modules are not present on the node, load them with the modprobe command.

Eg:
# modprobe ipt_limit 

Then enable the modules inside the VPS (one --iptables option per module; the line continuations are for readability):

# vzctl set CT_ID --iptables ip_tables --iptables ipt_multiport --iptables ipt_REJECT \
  --iptables ipt_recent --iptables xt_connlimit --iptables ipt_owner \
  --iptables ip_conntrack --iptables iptable_nat --iptables iptable_mangle \
  --iptables ipt_state --iptables ipt_limit --iptables ipt_LOG --save

(Replace CT_ID with the container ID.)

These changes take effect after the container is restarted.

If you get “memory allocation” errors from iptables inside a VPS, make sure the container's numiptent limit (the number of iptables entries it may hold) is set sufficiently high. Set numiptent to at least 1000:

# vzctl set CT_ID --numiptent 1000 --save 

(Replace CT_ID with the container ID.)
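The node-side check and the vzctl command from the steps above, scripted so that the whole required list is compared against lsmod output in one go. This is an added example, not a script from the original post; the function names, the container ID 101 and the lsmod sample are my own, and the module lists are the ones given above.

```shell
#!/bin/sh
# Added example, not from the original post: report which csf iptables modules
# are missing from lsmod output and build the vzctl command for the container.
# Function and variable names are my own; the module lists are from the post.
CSF_REQUIRED="ip_tables ipt_state ipt_multiport iptable_filter ipt_limit ipt_LOG ipt_REJECT ipt_conntrack ip_conntrack ip_conntrack_ftp iptable_mangle"
CSF_OPTIONAL="ipt_owner ipt_recent iptable_nat ipt_REDIRECT"

# missing_modules LSMOD_OUTPUT "mod1 mod2 ..." prints the names that do not
# start a line of the lsmod output, i.e. are not loaded on the node.
# The match is on the exact name; kernels that ship xt_state, xt_multiport
# or nf_conntrack instead of the ipt_*/ip_conntrack names need those checked.
missing_modules() {
    lsmod_out=$1
    missing=""
    for mod in $2; do
        if ! printf '%s\n' "$lsmod_out" | grep -q "^${mod}[[:space:]]"; then
            missing="${missing:+$missing }$mod"
        fi
    done
    printf '%s' "$missing"
}

# vzctl_iptables_cmd CT_ID "mod1 mod2 ..." prints the vzctl command that
# enables the modules inside the container: one --iptables per module,
# duplicates dropped, --save so the setting survives the restart.
vzctl_iptables_cmd() {
    ctid=$1 args="" seen=" "
    for mod in $2; do
        case "$seen" in *" $mod "*) continue ;; esac
        seen="$seen$mod "
        args="$args --iptables $mod"
    done
    printf 'vzctl set %s%s --save' "$ctid" "$args"
}

# Constructed lsmod output: ipt_limit and ipt_LOG are not loaded on this node.
SAMPLE_LSMOD="Module                  Size  Used by
ip_tables              12345  2 iptable_filter,iptable_mangle
ipt_state               2345  1
ipt_multiport           3456  0
iptable_filter          4567  1
ipt_REJECT              5678  2
ipt_conntrack           6789  1
ip_conntrack           23456  3 ipt_state,ipt_conntrack,ip_conntrack_ftp
ip_conntrack_ftp        7890  0
iptable_mangle          4321  1"

# Usage: the missing ones need "modprobe <name>" on the node first.
for m in $(missing_modules "$SAMPLE_LSMOD" "$CSF_REQUIRED"); do echo "modprobe $m"; done
vzctl_iptables_cmd 101 "$CSF_REQUIRED $CSF_OPTIONAL"; echo
```

On a real node replace SAMPLE_LSMOD with `"$(lsmod)"`; the container still needs a restart after the vzctl command, as noted above.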

About Sarath

A Techie from Kochi, India with 8+ years of experience in Linux and Windows server administration. I learn new things almost every day and I enjoy the fun of learning and sharing my knowledge.