Fix: openvz, iptables, csf and errors

CSF has been one of the first choice for years now for me to secure server with a easily usable iptables manager. More than that it works as “A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers”.

While using csf on OpenVZ vps systems we end up facing lots of issues with respect to iptables modules. If you’re a sysadmin managing hardware nodes it might not be easy though it has got to do something quite simple. I’m pasting the similar issue once again here for a reference and let us recheck what we normally oversee.

Error received during csf test:

:~# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…FAILED [Error: iptables: No chain/target/match by that name.] – Required for PORTFLOOD and PORTKNOCKING features
Testing xt_connlimit…FAILED [Error: iptables: No chain/target/match by that name.] – Required for CONNLIMIT feature
Testing ipt_owner/xt_owner…FAILED [Error: iptables: No chain/target/match by that name.] – Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK

RESULT: csf will function on this server but some features will not work due to some missing iptable modules

Now, the quick remedy that we get to resolve this issue is to enable all the iptable modules in /etc/vz/vz.conf of the OpenVZ hardware node as follows:

IPTABLES=”ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp ipt_recent ipt_owner ipt_conntrack ipt_helper ipt_REDIRECT ipt_recent ipt_owner”

and restart all VM’s etc using  “service vz restart” to activate all modules to all VPS systems.

The other options we have is to enable these modules for a specific VPS/VM as follows: (PS: here 100 is a VPS id)

vzctl set 100 –iptables ipt_REJECT –iptables ipt_tos –iptables ipt_TOS –iptables ipt_LOG –iptables ip_conntrack –iptables ipt_limit –iptables ipt_multiport –iptables iptable_filter –iptables iptable_mangle –iptables ipt_TCPMSS –iptables ipt_tcpmss –iptables ipt_ttl –iptables ipt_length –iptables ipt_state –iptables iptable_nat –iptables ip_nat_ftp –iptables ipt_owner –iptables ipt_recent –save

If you run the above command with –setmode option, the modules will be applied.

Or you can add the IPTABLES line mentioned earlier (vz.conf entry) to VPS configuration file  (/etc/vz/conf/100.conf for the above example VPS) and restart VPS with the following command to make it effective.

vzctl restart 100

This was quite simple and known answer. But I have always found that it doesn’t go so smooth. This might be because of one simple reason that I quote here:

We keep removing OLD kernel packages etc and install the new ones to ensure that we have secure system with latest kernel and packages. During this process we end up loosing kernel modules required for the new modules. I figure this out once again while working on my hardware node just by typing the find command as follows under /lib

find /lib –name *ipt*

I was expecting the iptables modules to be listed under my current kernel but to my surprise I didn’t find them. I found them in one of the very old kernel that was installed on the box. Crazy. So, I decided to jump in and reinstall iptables packages quickly on the machine:

yum reinstall iptables-devel.i686 iptables-devel.x86_64 iptables-ipv6.x86_64 iptables.i686 iptables.x86_64

Here is the final output of my csf test after restarting my VM.

~# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK

RESULT: csf should function on this server

That’s it. Now you know why iptables doesn’t work even if you had not changed anything recently on hardware node (and forgotten that you restarted your system with a new kernel). Verify the iptables modules with lsmod and reinstall the packages if required.

RAID1 – Boot from second drive after disk failure

RAID1 Drives allow you to have a redundant solution to bring back system with a mirrored drive during disk failures.

Let us look at a disk failure in one of the linux machines.

Run

cat /proc/mdstat

This will show the current raid statistics as as follows:

server1:~# cat /proc/mdstat
Personalities : [raid1]
md2 : active raid1 sdb3[1]
4594496 blocks [2/1] [_U]

md1 : active raid1 sdb2[1]
497920 blocks [2/1] [_U]

md0 : active raid1 sdb1[1]
144448 blocks [2/1] [_U]

unused devices:

The current output shows that the primary drive has gone bad (Observe [_U]).

You can further investigate this using mdadm command as follows:

# mdadm --detail /dev/md0

# mdadm -D /dev/md0

The output would confirm the drive which has gone bad.

If your server is unstable, you might think of removing the bad drive and boot it back temporarily from the second drive in place. For this you should ensure that the grub is installed on the second drive as well so that it boots without any trouble. It is a best practice to install the grub on both drives after configuring RAID1. If it is not done, Not an issue, its not too late to configure that before rebooting the machine for disk removal. Even otherwise through rescue mode grub can be installed easily.

To install grub when you’re on working server:

With (Grub v1.x), Goto grub prompt
grub>>
Find existing grub setups using find command
grub>> find /grub/stage1
If you have any you will find
root (hd0,0)
otherwise you will have to continue with the grub setup as follows,
grub>> root(hd0,0)
grub>> setup(hd0)
grub>> root(hd1,0)
grub>> setup(hd1)

The above lines setup grub on MBR of both the drives. Depending on the drives currently available on the machine/status of your raid you can follow the above instrutions to recover the GRUB while troubleshooting RAID1 setup’s.

If you’re on (Grub v2.x) grub-install /dev/sdX (PS: X in /dev/sdX is drive letter. eg: if you want to install grub on first drive ie sda, then change X with a) command should do all the work.

Once you have the grub installed on drive, you can remove the bad drive from the RAID array using mdadm commands.

In our case (from the initial mdstats output), we should mark bad drive as fail and remove it from the RAID array as follows:
mdadm --manage /dev/md0 --fail /dev/sda1
mdadm --manage /dev/md0 --remove /dev/sda1

Repeat this command for other arrays’s too.

Now you’re good to go ahead shutdown the system and remove the drive. If you have a replacement drive, better add it before rebooting and follow the instructions required to rebuild the RAID arrays.

Copy or Mirror partition table from one drive to another

Use the following command to copy the partition table from sda to sdb.

sfdisk -d /dev/sda | sfdisk -f /dev/sdb

sfdisk -d dumps the partition table on to stdout. This is being piped to sfdisk /dev/sdb with the –force to write it on /dev/sdb.

You can use dd to copy the Master Boot Record (MBR) from one device to another (or to a file). For example, copying the MBR from sda to sdb would be done with

dd if=/dev/sda of=/dev/sdb bs=512 count=1
The flags are

if, input file (either device or ordinary file)
of, output file (either device or ordinary file)
bs, block size in bytes
count, number of blocks to copy.
The MBR contains the partition table for the four primary partitions, so this solution alone will not copy the definition for the extended partitions.

Reference: http://serverfault.com/questions/54797/mirroring-partition-table

Arivina Alegalu 2012 released

Arivina Alegalu sees its second release on August 15th as expected. You can now download the book from project page (http://arivu.sanchaya.net/ebook).   10 articles from enthusiasts have participated in our program to spread the waves of Knowledge for Common Man.

2012 release saw a change in the subjects that were covered. We have articles talking about nature, science, society, community, hacking, technology and our favorite subject FOSS.

“Arivina Alegalu” is now available on Android phones and Tablets. Don’t forget to download them via Google Play!

Cover Images were contributed by Pavithra and Mansore (http://belakindi.com) gives it a pleasant look.

Senior Journalist and writer Shri Chamaraj Savadi writes forward for the issue and encourages new writers to continue writing.

E-Book is released under Creative Commons. So go ahead, read, share and distribute….

You’re also welcome to write articles to Arivina Alegalu to spread your knowledge to other Kannadiga’s.

 

Read Arivina Alegalu on Android

 Arivina Alegalu (http://arivu.sanchaya.net) – Project to spread knowledge to common man in Kannada started in 2011 had released its first e-Book last year on  15th August. Thousands of people read through articles on our website and also downloaded PDF to share among friends.

Spreading the real meaning of freedom of knowledge sharing, free content was released through this initiative by our team at http://www.sanchaya.net

Many people had requested for ebook in various version including mobile solutions. It took us a while to realize that we could do it and here is an app on Android!

Go ahead, download and start reading Arivina Alegalu on your android phone. Yes, read this Kannada Ebook on your android mobile or tablet.

The project has come back to life again this year and expecting its second ebook release in few hours to come. Until then, start getting used to android app with 2011 eBook contents. Share it with your friends and We encourage Free and Open Source activities around Kannada. Get in touch with us to explore more opportunities to get involved in community activities.

 

We thank all writers for their contribution for this project!