CSF has been my first choice for years now to secure servers with an easily usable iptables manager. More than that, it works as “A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers”.
While using csf on OpenVZ VPS systems we end up facing lots of issues with respect to iptables modules. If you're a sysadmin managing hardware nodes it might not be easy, even though it comes down to something quite simple. I'm pasting the issue once again here for reference, so we can recheck what we normally overlook.
Error received during csf test:
Testing ipt_recent…FAILED [Error: iptables: No chain/target/match by that name.] – Required for PORTFLOOD and PORTKNOCKING features
Testing xt_connlimit…FAILED [Error: iptables: No chain/target/match by that name.] – Required for CONNLIMIT feature
Testing ipt_owner/xt_owner…FAILED [Error: iptables: No chain/target/match by that name.] – Required for SMTP_BLOCK and UID/GID blocking features
RESULT: csf will function on this server but some features will not work due to some missing iptable modules
Now, the quick remedy for this issue is to enable all the iptables modules in /etc/vz/vz.conf of the OpenVZ hardware node as follows:
IPTABLES="ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp ipt_recent ipt_owner ipt_conntrack ipt_helper ipt_REDIRECT ipt_recent ipt_owner"
and restart all VMs using "service vz restart" to activate the modules for all VPS systems.
The other option is to enable these modules for a specific VPS/VM as follows (here 100 is the VPS id):
vzctl set 100 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --iptables ipt_owner --iptables ipt_recent --save
If you run the above command with the --setmode option, the modules will be applied.
Or you can add the IPTABLES line mentioned earlier (the vz.conf entry) to the VPS configuration file (/etc/vz/conf/100.conf for the example VPS above) and restart the VPS with the following command to make it effective.
vzctl restart 100
This is the simple, well-known answer. But I have always found that it doesn't go so smoothly. This might be because of one simple reason that I quote here:
We keep removing old kernel packages and installing new ones to ensure that we have a secure system with the latest kernel and packages. During this process we end up losing the kernel modules we need. I figured this out once again while working on my hardware node just by running the find command under /lib:
find /lib -name '*ipt*'
I was expecting the iptables modules to be listed under my current kernel, but to my surprise I didn't find them there. I found them under one of the very old kernels that was installed on the box. Crazy. So I decided to jump in and quickly reinstall the iptables packages on the machine:
yum reinstall iptables-devel.i686 iptables-devel.x86_64 iptables-ipv6.x86_64 iptables.i686 iptables.x86_64
Here is the final output of my csf test after restarting my VM:
RESULT: csf should function on this server
That's it. Now you know why iptables doesn't work even though you haven't changed anything recently on the hardware node (and have forgotten that you restarted your system with a new kernel). Verify the iptables modules with lsmod and reinstall the packages if required.
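The check recommended above (is every module from the IPTABLES list actually present for the kernel you are running, and under which kernel trees does it exist at all?) can be scripted. The following is an added example, not code from the post or from CSF/OpenVZ. It assumes the usual module layout: loadable modules are files named <module>.ko (possibly compressed, e.g. .ko.xz) somewhere under /lib/modules/<kernel-release>/, and built-in ones are listed in modules.builtin in that directory. The function names (has_module, missing_modules, kernels_with_module) and the MODROOT/KREL parameters are this example's own; MODROOT is normally /lib/modules and KREL the output of uname -r, but both are parameters so the check can be run against any tree.

```shell
#!/bin/sh
# Added example (not from the original post): check which modules from an
# OpenVZ IPTABLES= list exist for a given kernel release, and which kernel
# trees still carry a module. This is the situation described in the post:
# the modules were present only under an old kernel, not the running one.
# Assumptions: <mod>.ko (or <mod>.ko.*) somewhere under MODROOT/KREL, or a
# matching entry in MODROOT/KREL/modules.builtin for compiled-in modules.

# The module list from /etc/vz/vz.conf as quoted in the post (duplicates included)
VZ_IPTABLES="ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp ipt_recent ipt_owner ipt_conntrack ipt_helper ipt_REDIRECT ipt_recent ipt_owner"

# has_module MODROOT KREL NAME -> exit 0 if NAME exists for that kernel.
# Newer kernels renamed several ipt_* matches to xt_* (e.g. ipt_owner ->
# xt_owner), so the xt_ spelling is accepted as well (assumption: the rename
# is a plain prefix swap, which holds for the names in the post's list).
has_module() {
    modroot=$1; krel=$2; name=$3
    alt=$(printf '%s' "$name" | sed 's/^ipt_/xt_/')
    # loadable module file anywhere under the kernel's module tree
    if find "$modroot/$krel" \( -name "$name.ko" -o -name "$name.ko.*" \
                                 -o -name "$alt.ko" -o -name "$alt.ko.*" \) \
            2>/dev/null | grep -q .; then
        return 0
    fi
    # compiled into the kernel: listed in modules.builtin (-s: silent if absent)
    grep -qs -e "/$name\.ko\$" -e "/$alt\.ko\$" "$modroot/$krel/modules.builtin"
}

# missing_modules MODROOT KREL "mod1 mod2 ..." -> prints, sorted and
# deduplicated, every module from the list that has_module cannot find
missing_modules() {
    for m in $3; do
        has_module "$1" "$2" "$m" || printf '%s\n' "$m"
    done | sort -u
}

# kernels_with_module MODROOT NAME -> prints each kernel release directory
# under MODROOT that carries NAME. This is the `find /lib -name '*ipt*'`
# check from the post, but answered per kernel tree.
kernels_with_module() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        krel=$(basename "$dir")
        has_module "$1" "$krel" "$2" && printf '%s\n' "$krel"
    done
    return 0
}

# Typical use on a hardware node (prints nothing when everything is present):
#   missing_modules /lib/modules "$(uname -r)" "$VZ_IPTABLES"
#   kernels_with_module /lib/modules ipt_recent
```

If missing_modules prints anything for the running kernel while kernels_with_module shows the same module under an older release, you are in exactly the state the post describes, and reinstalling the iptables packages (or installing the module package for the running kernel) is the fix; lsmod only tells you what is loaded, not what could be loaded, which is why the check looks at the module tree instead.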
You might see the above error while booting your VMs on VMware Workstation 9.x on Ubuntu.
This issue might get sorted by adding the following line to the .vmx file of the VM.
mks.gl.allowBlacklistedDrivers = TRUE
Read the further discussion on this topic at the VMware forum.
If you're unable to enter the license key for VMware Workstation version 8 or 9 on your Debian/Ubuntu based machines, try the following command:
sudo /usr/lib/vmware/bin/vmware-vmx --new-sn SERIAL-NUMBER
Note: Replace SERIAL-NUMBER with your serial number.
This should fix the issue.
RAID1 drives give you a redundant solution: a mirrored drive brings the system back during disk failures.
Let us look at a disk failure on one of the Linux machines.
cat /proc/mdstat shows the current RAID status as follows:
server1:~# cat /proc/mdstat
Personalities : [raid1]
md2 : active raid1 sdb3
4594496 blocks [2/1] [_U]
md1 : active raid1 sdb2
497920 blocks [2/1] [_U]
md0 : active raid1 sdb1
144448 blocks [2/1] [_U]
The current output shows that the primary drive has gone bad (observe [_U]: the underscore marks the missing member of each two-disk mirror, and only the sdb partitions are still listed).
You can further investigate this using the mdadm command as follows:
# mdadm --detail /dev/md0
# mdadm -D /dev/md0
The output will confirm which drive has gone bad.
If your server is unstable, you might consider removing the bad drive and temporarily booting from the second drive in its place. For this you should ensure that GRUB is installed on the second drive as well, so that it boots without any trouble. It is best practice to install GRUB on both drives after configuring RAID1. If that was not done, it is not an issue: it's not too late to do it before rebooting the machine for disk removal. Even otherwise, GRUB can easily be installed from rescue mode.
To install GRUB while you're on the working server:
With GRUB v1.x, go to the grub prompt.
Find existing grub setups using the find command:
grub> find /grub/stage1
If you have any, they will be listed here;
otherwise you will have to continue with the grub setup as follows,
The above lines set up GRUB on the MBR of both drives. Depending on the drives currently available on the machine and the status of your RAID, you can follow the above instructions to recover GRUB while troubleshooting RAID1 setups.
If you're on GRUB v2.x, the command grub-install /dev/sdX should do all the work (X in /dev/sdX is the drive letter; e.g. to install grub on the first drive, sda, replace X with a).
Once you have GRUB installed on the drive, you can remove the bad drive from the RAID array using mdadm commands.
In our case (from the initial mdstat output), we should mark the bad drive as failed and remove it from the RAID array as follows:
mdadm --manage /dev/md0 --fail /dev/sda1
mdadm --manage /dev/md0 --remove /dev/sda1
Repeat these commands for the other arrays too.
Now you're good to shut down the system and remove the drive. If you have a replacement drive, better add it before rebooting and follow the instructions required to rebuild the RAID arrays.
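Reading "[2/1] [_U]" by eye works for three arrays, but on a box with many md devices it helps to have the degraded ones and their missing slot listed for you before running the --fail/--remove commands above. The following is an added example, not code from the original post: a POSIX shell function that parses /proc/mdstat text and reports each degraded array with the slot indices that are missing. The function name degraded_arrays and the constructed sample (which reproduces the mdstat output shown above, with the [1] slot numbers that real mdstat prints after each member) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): list degraded md arrays from
# /proc/mdstat text and say which mirror slot is missing.
#
# degraded_arrays reads mdstat text on stdin and prints one line per
# degraded array:
#   <md name> <present>/<expected> <slot status> <missing slot indices>
# A healthy array ("[2/2] [UU]") prints nothing.
degraded_arrays() {
    awk '
        # "md0 : active raid1 sdb1[1]" starts an array; remember its name
        /^md[0-9]+ :/ { name = $1; next }
        # the next line, "144448 blocks [2/1] [_U]", carries counts and slot map
        name != "" && /blocks/ {
            expected = 0; present = 0; status = ""
            # [expected/present] member counts
            if (match($0, /\[[0-9]+\/[0-9]+\]/)) {
                split(substr($0, RSTART + 1, RLENGTH - 2), c, "/")
                expected = c[1] + 0; present = c[2] + 0
            }
            # per-slot map: U = member up, _ = member missing/failed
            if (match($0, /\[[_U]+\]/)) status = substr($0, RSTART, RLENGTH)
            if (expected > 0 && present < expected) {
                missing = ""
                # slots are listed left to right inside the brackets, slot 0 first
                for (i = 2; i < length(status); i++)
                    if (substr(status, i, 1) == "_")
                        missing = missing (missing == "" ? "" : ",") (i - 2)
                printf "%s %d/%d %s %s\n", name, present, expected, status, missing
            }
            name = ""
        }
    '
}

# Constructed sample reproducing the mdstat output shown above (real mdstat
# prints the slot number after each member, e.g. "sdb3[1]").
SAMPLE_MDSTAT='Personalities : [raid1]
md2 : active raid1 sdb3[1]
      4594496 blocks [2/1] [_U]
md1 : active raid1 sdb2[1]
      497920 blocks [2/1] [_U]
md0 : active raid1 sdb1[1]
      144448 blocks [2/1] [_U]
unused devices: <none>'

# Live use:     degraded_arrays < /proc/mdstat
# On the sample: printf '%s\n' "$SAMPLE_MDSTAT" | degraded_arrays
# prints "md2 1/2 [_U] 0", "md1 1/2 [_U] 0", "md0 1/2 [_U] 0": slot 0 (the
# first mirror half, sda on this box) is the member to fail and remove.
```

The missing slot index is what maps back to a device: in the sample, slot 0 of every array is gone while the remaining member is the sdb partition in slot 1, which is why the commands above fail and remove sda1 (and likewise sda2 and sda3 for md1 and md2). The function deliberately only reports; the --fail/--remove step stays a manual decision.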
Use the following command to copy the partition table from sda to sdb.
sfdisk -d /dev/sda | sfdisk -f /dev/sdb
sfdisk -d dumps the partition table to stdout. This is piped to sfdisk /dev/sdb with --force (-f) to write it to /dev/sdb.
You can use dd to copy the Master Boot Record (MBR) from one device to another (or to a file). For example, copying the MBR from sda to sdb would be done with
dd if=/dev/sda of=/dev/sdb bs=512 count=1
The flags are:
if, input file (either a device or an ordinary file)
of, output file (either a device or an ordinary file)
bs, block size in bytes
count, number of blocks to copy.
The MBR contains the partition table for the four primary partitions only, so this alone will not copy the definitions of the logical partitions inside an extended partition.
Arivina Alegalu saw its second release on August 15th as expected. You can now download the book from the project page (http://arivu.sanchaya.net/ebook). 10 articles from enthusiasts are part of our program to spread the waves of knowledge for the common man.
The 2012 release saw a change in the subjects covered. We have articles on nature, science, society, community, hacking, technology and our favourite subject, FOSS.
“Arivina Alegalu” is now available on Android phones and tablets. Don't forget to download it via Google Play!
Cover images contributed by Pavithra and Mansore (http://belakindi.com) give it a pleasant look.
Senior journalist and writer Shri Chamaraj Savadi writes the foreword for the issue and encourages new writers to continue writing.
The e-book is released under Creative Commons. So go ahead, read, share and distribute…
You're also welcome to write articles for Arivina Alegalu to spread your knowledge to other Kannadigas.
Arivina Alegalu (http://arivu.sanchaya.net), a project to spread knowledge to the common man in Kannada, started in 2011 and released its first e-book last year on 15th August. Thousands of people read the articles on our website and also downloaded the PDF to share among friends.
Spreading the real meaning of freedom of knowledge sharing, free content was released through this initiative by our team at http://www.sanchaya.net.
Many people had requested the e-book in various versions, including mobile solutions. It took us a while to realize that we could do it, and here is an app on Android!
Go ahead, download it and start reading Arivina Alegalu on your Android phone. Yes, read this Kannada e-book on your Android mobile or tablet.
The project has come back to life again this year and is expecting its second e-book release in a few hours. Until then, start getting used to the Android app with the 2011 e-book contents. Share it with your friends; we encourage Free and Open Source activities around Kannada. Get in touch with us to explore more opportunities to get involved in community activities.
We thank all writers for their contribution for this project!