Fix: iptables: Unknown error 4294967295

The following error is seen when running iptables inside an OpenVZ VE:

iptables: Unknown error 4294967295

The main reason for this error is that iptables support is missing for the VE in the OpenVZ configuration.

Here are the quick steps to resolve this issue permanently:

1. Define which iptables modules are available for VEs.

a) Edit the /etc/sysconfig/iptables-config file on the OpenVZ hardware node:

IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

b) Edit the /etc/sysconfig/vz file on the OpenVZ hardware node:

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

Note: the iptables module lists in the IPTABLES and IPTABLES_MODULES parameters in /etc/sysconfig/vz and /etc/sysconfig/iptables-config must each be on one single line; no line breaks are allowed in these parameters.

Restart the OpenVZ service:
# service vz restart

2. Increase the 'numiptent' parameter for the VE you need to install APF into. This parameter limits the number of iptables rules available to a VE. The default APF configuration requires ~400 rules. Let's set it to 400 in the example below for VE #101:

# vzctl set 101 --numiptent 400 --save

3. Start APF inside the VE:
# /etc/init.d/apf start


apf fix: unable to load iptables module (ip_tables)

While working with APF on servers, you might see the following error:

# apf -r
apf(2042): {glob} flushing & zeroing chain policies
apf(2042): {glob} firewall offline
apf(3179): {glob} activating firewall
apf(3284): {glob} unable to load iptables module (ip_tables), aborting.
apf(3179): {glob} firewall initalized
apf(3179): {glob} fast load snapshot saved

Your kernel has iptables compiled in statically instead of as a module. To resolve this, change one setting in /etc/apf/conf.apf:

SET_MONOKERN="0"  (set it to SET_MONOKERN="1")

Once this is done, restart APF and the error disappears.

SET_MONOKERN
# This allows the firewall to work around modular kernel issues by assuming
# that the system has all required firewall modules compiled directly into
# kernel. This mode of operation is not generally recommended but can be used
# scale APF to unique situations.

iptables: Memory allocation problem

Unable to block IPs using iptables on your VPS? Is your APF installation failing to work?

# iptables -I INPUT -s 123.123.123.123 -j DROP
iptables: Memory allocation problem

Resolution:

If you're using OpenVZ for virtualization, you might have exceeded the limit set by the 'numiptent' parameter. You can check whether there are non-zero failcnt values for the 'numiptent' parameter inside the VPS:

# egrep "failcnt|numiptent" /proc/user_beancounters

If you're an admin with access to the hardware node, increase the parameter value a bit using the following command (it won't work inside the VPS itself):

# vzctl set VPS_ID --save --numiptent NEW_BARRIER:NEW_LIMIT

This should resolve the issue.
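The failcnt check above, and the numiptent limit from the first post, as an added example that is not part of the original posts. It reads the numiptent row of a /proc/user_beancounters-style file, reports the held/barrier/limit/failcnt values and signals whether rules have been refused; the sample file contents and VE id 101 are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the numiptent beancounter of an OpenVZ VE.
# Constructed sample in the /proc/user_beancounters layout (values made up).
SAMPLE_UBC="$(cat <<'EOF'
Version: 2.5
       uid  resource         held    maxheld    barrier      limit    failcnt
      101:  kmemsize      2198015    2230080   14372700   14790164          0
            numiptent         400        400        400        400         17
            numproc            45         60        240        240          0
EOF
)"

# numiptent_fields FILE -> prints "held maxheld barrier limit failcnt".
# The first resource of a VE is prefixed by "uid:", later rows are not,
# so both field layouts are handled.
numiptent_fields() {
    awk '$1 == "numiptent" { print $2, $3, $4, $5, $6; exit }
         $2 == "numiptent" { print $3, $4, $5, $6, $7; exit }' "$1"
}

# numiptent_check FILE -> 0 when no rule was ever refused, 1 when failcnt > 0,
# 2 when the numiptent row is missing (e.g. not an OpenVZ VE).
numiptent_check() {
    set -- $(numiptent_fields "$1")
    [ $# -eq 5 ] || { echo "numiptent row not found" >&2; return 2; }
    held=$1; maxheld=$2; barrier=$3; limit=$4; failcnt=$5
    echo "numiptent held=$held maxheld=$maxheld barrier=$barrier limit=$limit failcnt=$failcnt"
    if [ "$failcnt" -gt 0 ]; then
        # Rules were refused: this is the "Memory allocation problem" case.
        # Suggest a doubled barrier:limit to be applied on the hardware node.
        echo "limit hit $failcnt times; on the hardware node run:"
        echo "  vzctl set <VEID> --numiptent $((limit * 2)):$((limit * 2)) --save"
        return 1
    fi
    return 0
}

# Run against a real file when a path is given, e.g. /proc/user_beancounters.
if [ $# -gt 0 ]; then numiptent_check "$1"; fi
```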