I managed to configure CSF on my three VMs inside OpenVZ, but when I try to run it on the host, all the VMs become unreachable. I can see that the host is being attacked, and it would be critical if it gets invaded.

Below is the result of iptables status on the host after stopping csf:

[root@CentOS-55-64-minimal ~]# service iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

If I try to just start iptables directly, it also blocks all VMs.

Here is the iptables config of the server (more /etc/sysconfig/iptables-config):

# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="ip_conntrack_netbios_ns ipt_conntrack ipt_LOG ipt_owner ipt_state ip_conntrack_ftp iptable_nat xt_connlimit ipt_recent ipt_REDIRECT"

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
#   Value: yes|no,  default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no,  default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

# Verbose status output
#   Value: yes|no,  default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
#   Value: yes|no,  default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"

And here is the csftest.pl result (same on the VMs):

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

CSF seems to be working fine on the VMs.

Here is the result of uname -a:

Linux server.com 2.6.18-348.16.1.el5.028stab108.1 #1 SMP Tue Aug 27 13:02:53 MSD 2013 i686 i686 i386 GNU/Linux

Thanks for the help

user180065
  • You do know that VZ containers aren't true virtualization and that they're all individual processes on the host machine, right? Containers != Virtual Machines. – Magellan Feb 07 '14 at 18:00
  • Right, thanks for the tip. And what about the question? – user180065 Feb 08 '14 at 01:40

1 Answer

On the Host, you need to add this into the /etc/csf/csfpost.sh file (if that file does not exist, create it and chmod +x it.)

#!/bin/bash
# csfpost.sh is run by csf after its own rules have been loaded, so changes
# made here survive a csf restart.
IPT=/sbin/iptables
# Flush the FORWARD chain and let the host forward container traffic again.
$IPT -F FORWARD
$IPT -P FORWARD ACCEPT

Save it and restart csf with

csf -r
Tolsadus
Michael
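The accepted fix opens the FORWARD chain completely. As an added example (not code from the question or answer above), here is a csfpost.sh variant that reopens forwarding only for the container interface and logs anything else, plus a check to run after `csf -r` against `iptables -S FORWARD` output. It assumes the OpenVZ containers use the host's venet0 interface (override with CT_IF) and that IPT can be pointed at `echo` for a dry run.

```bash
#!/bin/bash
# Added example, not from the original post. Assumptions: containers are
# routed through venet0 on the host; IPT may be overridden for a dry run.
IPT="${IPT:-/sbin/iptables}"
CT_IF="${CT_IF:-venet0}"   # assumed OpenVZ container interface on the host

# Rebuild FORWARD after csf has loaded its rules: allow replies, allow
# traffic entering or leaving via the container interface, log and drop
# anything else the host is asked to forward. Modules used (state, limit,
# LOG) are the ones csftest.pl reported OK in the question.
forward_rules() {
    "$IPT" -F FORWARD
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$CT_IF" -j ACCEPT
    "$IPT" -A FORWARD -o "$CT_IF" -j ACCEPT
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    "$IPT" -P FORWARD DROP
}

# Check step: read `iptables -S FORWARD` output from stdin and return 0 if
# the chain still passes container traffic (policy ACCEPT, or an ACCEPT
# rule that names CT_IF), 1 if the containers would be cut off again.
forward_passes_containers() {
    local line ok=1
    while IFS= read -r line; do
        case "$line" in
            "-P FORWARD ACCEPT") ok=0 ;;
            *"-i $CT_IF "*"-j ACCEPT"|*"-o $CT_IF "*"-j ACCEPT") ok=0 ;;
        esac
    done
    return "$ok"
}

# Constructed sample: FORWARD as csf leaves it with no exceptions, which is
# the state that made the VMs unreachable in the question.
SAMPLE_CLOSED='-P FORWARD DROP
-A FORWARD -m state --state INVALID -j DROP'

case "${1:-}" in
    --check)   "$IPT" -S FORWARD | forward_passes_containers \
                   && echo "FORWARD passes $CT_IF traffic" \
                   || echo "FORWARD blocks $CT_IF traffic" ;;
    --dry-run) IPT=echo forward_rules ;;
    --apply)   forward_rules ;;
esac
```

Run it with `--dry-run` to see the rules without touching the firewall, and with `--check` after `csf -r` to confirm the chain still passes container traffic.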