iptables -L invdrop
Cpanel 11.80.0.15 on Centos 7.
I am seeing the following errors when doing iptables -L
INVDROP all -- anywhere anywhere ctstate INVALID
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
INVDROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
INVDROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
INVDROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
INVDROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
INVDROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
INVDROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN ctstate NEW
To the newbie eyes this looks like "invalid" drop. Or is that something else?
-
This thread on Configserver forums might be of some use: CSF Fails to start - ConfigServer Community Forum Note the code output in first post, scroll to bottom of it to see this message: Error: iptables command [/sbin/iptables -v -A INVALID -m state --state INVALID -j INVDROP] failed, you appear to be missing a required iptables module, at line 1457
If that's of no use, maybe one of these search results is:0 -
I apologize in advance I don't quite know what you are driving at: It is one post without any follow up solution. The error message: "INVDROP] failed, you appear to be missing a required iptables module, at line 1457" Is of no concrete use to me. What am I supposed to do to solve this? No reference to the actual missing module, and even if there was, shouldn't cpanel be upgrading iptables as part of the standard install? 0 -
My apologies. I assume you have ConfigServer firewall installed. If you do: WebHost Manager "Plugins "ConfigServer Security & Firewall, scroll to the bottom of that main page to find the "Test IP Tables" button. You might run that and see what the result is. Be sure to restart firewall there right after. cPanel doesn't manage CSF, no. Again, assuming you do have CSF installed. 0 -
Yes I have the csf module installed in cpanel/WHM. I ran the test firewall and have the following results: Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing xt_connlimit...OK Testing ipt_owner/xt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK Testing iptable_nat/ipt_DNAT...OK RESULT: csf should function on this server However, I also have in the detailed output as it runs, the following errors: Flushing chain `INVALID' (this error shown 4X) INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 INVALID tcp opt in !lo out * ::/0 -> ::/0 INVALID tcp opt in * out !lo ::/0 -> ::/0 0 -
Hello @jeffschips, It appears to relate to the conntrack iptables extension discussed and documented on the links below: Man page of iptables-extensions Let me know if this helps. Thank you. 0 -
Perfect! Thank you! 0
Please sign in to leave a comment.
Comments
6 comments