08.04.2008 at 07:09PM PDT, ID: 23620974

Keep hitting numiptent hard limit on VPS. Need help debugging iptables configuration.

Asked by copeasetic in IP Tables/IP Chains, Linux Network Security


This posting has been a long time in the making. The root of my issue lies in the fact that my implementation of iptables loads too many values as part of its default configuration, pushing my numiptent value near 128 (which is my high-water limit).

I have attempted to use the firewall that is part of Virtuozzo, which I understand is just a UI for iptables. No success.

I have attempted to use APF + BFP (Advanced Firewall Protection & Brute Force Protection). I had hoped to have more control over my configuration via the intuitive conf.apf file. No success.

My most recent attempt has been to install csf (ConfigServer Security & Firewall). I use a cPanel Linux VPS, so having the ability to manage the firewall via WHM was a plus.

Back to my problem: I am unable to start iptables without error, since the CSF implementation disables the firewall on startup due to hitting the numiptent high-water mark.

VPS Info:
CentOS 4.6
cPanel/WHM 11.23
iptables v1.2.11

I would like a couple of questions answered:

Help me to understand what settings drive numiptent.

Why is having my numiptent set at 128 not sufficient for my needs?

After several weeks of research I have come to the conclusion that my iptables configuration attempts to populate a chain with values. That population process looks to be the key to my problem. Do you concur?

PLEASE NOTE: I AM NOT RUNNING APF AND CSF AT THE SAME TIME. I ATTEMPTED APF FIRST AND AM NOW ATTEMPTING CSF.

CSF error:

Restarting csf...

Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Restarting bandmin acctboth chains for cPanel
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0  
Error: The VPS iptables rule limit (numiptent) is too low (119/128) - stopping firewall to prevent iptables blocking all connections, at line 200

...Done.

Restarting lfd...

Stopping lfd:[  OK  ]
[  OK  ]
Starting lfd:[  OK  ]

APF implementation error:

iptables: Memory allocation problem
iptables v1.2.11: Couldn't load target `acctboth'lib/iptables/libipt_acctboth.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Couldn't load target `acctboth'lib/iptables/libipt_acctboth.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
(error repeats approx 100 times)
iptables: Table does not exist (do you need to insmod?)
iptables: Table does not exist (do you need to insmod?)

The code snippet contains my:

/etc/csf/csf.conf
/etc/apf/conf.apf
/etc/sysconfig/iptables-config
/etc/csf/csf.conf:
 
TESTING = "1"
TESTING_INTERVAL = "5"
AUTO_UPDATES = "0"
ETH_DEVICE = ""
ETH_DEVICE_SKIP = ""
TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2086,2087,2095,2096,7403"
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"
UDP_IN = "20,21,53,953"
UDP_OUT = "20,21,53,113,123,873,953,6277"
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"
ICMP_OUT = "1"
ICMP_OUT_RATE = "1/s"
SMTP_BLOCK = "0"
SMTP_ALLOWLOCAL = "0"
MONOLITHIC_KERNEL = "1"
DROP = "DROP"
DROP_LOGGING = "1"
DROP_IP_LOGGING = "0"
DROP_ONLYRES = "0"
DROP_NOLOG = "67,68,111,113,135:139,445,513,520"
PACKET_FILTER = "1"
DROP_PF_LOGGING = "0"
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
VERBOSE = "1"
SYSLOG = "0"
DYNDNS = "0"
DYNDNS_IGNORE = "0"
RELAYHOSTS = "1"
IGNORE_ALLOW = "0"
DENY_IP_LIMIT = "100"
DENY_TEMP_IP_LIMIT = "100"
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
GLOBAL_IGNORE = ""
LF_GLOBAL = ""
LF_DAEMON = "1"
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "1"
LF_SELECT = "0"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "10"
LF_FTPD_PERM = "1"
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"
LF_POP3D = "10"
LF_POP3D_PERM = "1"
LF_IMAPD = "10"
LF_IMAPD_PERM = "1"
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"
LF_CPANEL = "5"
LF_CPANEL_PERM = "1"
LF_SUHOSIN = "0"
LF_SUHOSIN_PERM = "1"
LF_CSF = "1"
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"
LF_SCRIPT_ALERT = "0"
LF_SCRIPT_LIMIT = "100"
LF_QUEUE_ALERT = "2000"
LF_QUEUE_INTERVAL = "300"
LF_DIRWATCH = "300"
LF_DIRWATCH_DISABLE = "0"
LF_DIRWATCH_FILE = "0"
LF_FLUSH = "3600"
LF_INTEGRITY = "3600"
LF_EXPLOIT = "300"
LF_EXPLOIT_CHECK = "JS,SUPERUSER"
LF_INTERVAL = "300"
LF_PARSE = "5"
LF_EMAIL_ALERT = "1"
LT_EMAIL_ALERT = "1"
LT_POP3D = "60"
LT_IMAPD = "0"
RT_RELAY_ALERT = "1"
RT_RELAY_LIMIT = "100"
RT_RELAY_BLOCK = "0"
RT_AUTHRELAY_ALERT = "1"
RT_AUTHRELAY_LIMIT = "100"
RT_AUTHRELAY_BLOCK = "0"
RT_POPRELAY_ALERT = "1"
RT_POPRELAY_LIMIT = "100"
RT_POPRELAY_BLOCK = "0"
RT_LOCALRELAY_ALERT = "1"
RT_LOCALRELAY_LIMIT = "100"
RT_LOCALRELAY_BLOCK = "0"
LF_DSHIELD = "0"
LF_DSHIELD_URL = "http://feeds.dshield.org/block.txt"
LF_SPAMHAUS = "0"
LF_SPAMHAUS_URL = "http://www.spamhaus.org/drop/drop.lasso"
LF_BOGON = "0"
LF_BOGON_URL = "http://www.cymru.com/Documents/bogon-bn-agg.txt"
CT_LIMIT = "0"
CT_INTERVAL = "30"
CT_EMAIL_ALERT = "1"
CT_PERMANENT = "0"
CT_BLOCK_TIME = "1800"
CT_SKIP_TIME_WAIT = "0"
CT_STATES = ""
CT_PORTS = ""
PT_LIMIT = "60"
PT_INTERVAL = "60"
PT_SKIP_HTTP = "1"
PT_USERPROC = "10"
PT_USERMEM = "100"
PT_USERTIME = "1800"
PT_USERKILL = "0"
PT_LOAD = "30"
PT_LOAD_AVG = "5"
PT_LOAD_LEVEL = "6"
PT_LOAD_SKIP = "3600"
PT_LOAD_ACTION = ""
PS_INTERVAL = "0"
PS_LIMIT = "10"
PS_PORTS = "0:65535"
PS_PERMANENT = "0"
PS_BLOCK_TIME = "3600"
PS_EMAIL_ALERT = "1"
AT_ALERT = "2"
AT_INTERVAL = "60"
AT_NEW = "1"
AT_OLD = "1"
AT_PASSWD = "1"
AT_UID = "1"
AT_GID = "1"
AT_DIR = "1"
AT_SHELL = "1"
IPTABLES = "/sbin/iptables"
MODPROBE = "/sbin/modprobe"
IFCONFIG = "/sbin/ifconfig"
SENDMAIL = "/usr/sbin/sendmail"
PS = "/bin/ps"
FUSER = "/sbin/fuser"
VMSTAT = "/usr/bin/vmstat"
LS = "/bin/ls"
MD5SUM = "/usr/bin/md5sum"
TAR = "/bin/tar"
CHATTR = "/usr/bin/chattr"
 
# Log files
HTACCESS_LOG = "/usr/local/apache/logs/error_log"
MODSEC_LOG = "/usr/local/apache/logs/error_log"
SSHD_LOG = "/var/log/secure"
SU_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/messages"
SMTPAUTH_LOG = "/var/log/exim_mainlog"
SMTPRELAY_LOG = "/var/log/exim_mainlog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"
CPANEL_LOG = "/usr/local/cpanel/logs/login_log"
SCRIPT_LOG = "/var/log/exim_mainlog"
IPTABLES_LOG = "/var/log/messages"
SUHOSIN_LOG = "/var/log/messages"
 
 
/etc/afp/conf.afp:
 
#!/bin/sh
#
# APF 0.9.6 [apf@r-fx.org]
# Copyright (C) 1999-2007, R-fx Networks <proj@r-fx.org>
# Copyright (C) 2007, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL
#
# NOTE: This file should be edited with word/line wrapping off,
#       if your using pico/nano please start it with the -w switch
#       (e.g: pico -w filename)
# NOTE: All options in this file are integer values unless otherwise
#       indicated. This means value of 0 = disabled and 1 = enabled.
 
DEVEL_MODE="0"
INSTALL_PATH="/etc/apf"
IFACE_IN="venet0" 
IFACE_OUT="venet0"
IFACE_TRUSTED=""
SET_VERBOSE="1"
SET_FASTLOAD="0"
SET_VNET="0"
SET_ADDIFACE="0"
SET_MONOKERN="1"
SET_REFRESH="10"
SET_TRIM="50"
VF_ROUTE="1"
VF_CROND="1"
VF_LGATE=""
RAB="0"
RAB_SANITY="1"
RAB_PSCAN_LEVEL="2"
RAB_HITCOUNT="1"
RAB_TIMER="300"
RAB_TRIP="1"
RAB_LOG_HIT="1"
RAB_LOG_TRIP="0"
TCP_STOP="DROP"
UDP_STOP="DROP"
ALL_STOP="DROP"
PKT_SANITY="1"
PKT_SANITY_INV="0"
PKT_SANITY_FUDP="1"
PKT_SANITY_PZERO="1"
PKT_SANITY_STUFFED="0"
TOS_DEF="0"
TOS_DEF_RANGE="512:65535"
TOS_0=""
TOS_2=""
TOS_4=""
TOS_8="21,20,80"
TOS_16="25,110,143"
TCR_PASS="1"
TCR_PORTS="33434:33534"
ICMP_LIM="30/s"
RESV_DNS="1"
RESV_DNS_DROP="1"
BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778"
BLK_PORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"
BLK_MCATNET="0"
BLK_PRVNET="0"
BLK_RESNET="1"
BLK_IDENT="0"
SYSCTL_CONNTRACK="34576"
SYSCTL_TCP="1"
SYSCTL_SYN="1"
SYSCTL_ROUTE="0"
SYSCTL_LOGMARTIANS="0"
SYSCTL_ECN="0"
SYSCTL_SYNCOOKIES="1"
SYSCTL_OVERFLOW="0"
HELPER_SSH="1"
HELPER_SSH_PORT="22"
HELPER_FTP="1"
HELPER_FTP_PORT="21"
HELPER_FTP_DATA="20"
IG_TCP_CPORTS="20,22,25,26,53,80,110,143,443,465,587,995,7403,2082,2083,2086,2087,2095,2096,3000_3500,4643,6666"
IG_UDP_CPORTS="53,465,2077,20"
IG_ICMP_TYPES="3,5,11,0,30,8"
EGF="1"
EG_TCP_CPORTS="22,25,26,37,43,53,80,110,443,465,2089,4643"
EG_UDP_CPORTS="20,53,465"
EG_ICMP_TYPES="all"
EG_TCP_UID=""
EG_UDP_UID=""
EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl"
USE_DS="1"
DS_URL="feeds.dshield.org/top10-2.txt" 	     # block.txt url (no *://)
DS_URL_PROT="http"                           # protocol to use for wget
USE_DROP="1"
DROP_URL="www.spamhaus.org/drop/drop.lasso"     # drop.lasso url (no *://)
DROP_URL_PROT="http"                            # protocol to use for wget 
USE_ECNSHAME="1"
ECNSHAME_URL="r-fx.ca/downloads/ecnshame.lst"   # url (no *://)
ECNSHAME_URL_PROT="http"                        # protocol to use for wget
USE_RD="1"
RD_URL="r-fx.ca/downloads/reserved.networks" # reserved.networks url
RD_URL_PROT="http"			     # protocol to use for wget
USE_RGT="0"
GA_URL="yourhost.com/glob_allow.rules"       # glob_allow.rules url (no *://)
GA_URL_PROT="http" 			     # protocol for use with wget
GD_URL="yourhost.com/glob_deny.rules"        # glob_deny.rules url (no *://)
GD_URL_PROT="http"			     # protocol for use with wget
LOG_DROP="0"
LOG_LEVEL="crit"
LOG_TARGET="LOG"
LOG_IA="1"
LOG_LGATE="0"
LOG_EXT="0"
LOG_RATE="30"
LOG_APF="/var/log/apf_log"
CNFINT="$INSTALL_PATH/internals/internals.conf"
. $CNFINT
 
 
/etc/sysconfig/iptables-config:
 
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
 
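The questions above (what drives numiptent, why 128 may not be enough, whether chain population is the cause) come down to counting: numiptent is the number of iptables entries held by the container across all tables, and each port in TCP_IN/TCP_OUT/UDP_IN/UDP_OUT, each DROP_NOLOG entry and each blocked address in csf.deny becomes one or more rules. The script below, an added example that is not from the original post or from ConfigServer's csf, estimates that count from the posted port lists, reads the held/limit figures from /proc/user_beancounters, and counts the rules that remain with csf stopped (the cPanel acctboth accounting chain csf restarts in the posted output is one such source). The per-entry rule counts (one rule per port spec, two per DROP_NOLOG entry, two per csf.deny address) are assumptions that give a lower bound; logging, ICMP and packet-filter rules are not counted. The csf.deny file, the beancounters excerpt and the iptables-save dump are constructed sample inputs; the port lists and the 119/128 figures are the ones from the post.

```python
"""Estimate numiptent usage of a csf configuration inside a Virtuozzo/OpenVZ
container and compare it with the container limit.

Added example (not csf's own code). Assumed rule costs: one rule per port
spec in TCP_IN/TCP_OUT/UDP_IN/UDP_OUT ("135:139" is one --dport rule), two
rules per DROP_NOLOG entry (in + out), two per csf.deny address (DENYIN +
DENYOUT). Assumed /proc/user_beancounters columns: resource, held, maxheld,
barrier, limit, failcnt. Every sample input below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of csf.conf; the values are the ones from the post.
SAMPLE_CSF_CONF = '''
TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2086,2087,2095,2096,7403"
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"
UDP_IN = "20,21,53,953"
UDP_OUT = "20,21,53,113,123,873,953,6277"
DROP_NOLOG = "67,68,111,113,135:139,445,513,520"
DENY_IP_LIMIT = "100"
'''

# Constructed csf.deny (lfd writes a comment after the address).
SAMPLE_CSF_DENY = '''# constructed csf.deny
192.0.2.1 # lfd: (sshd) Failed SSH login from 192.0.2.1
198.51.100.7
203.0.113.9 # manual
'''

# Constructed /proc/user_beancounters excerpt with the post's 119/128 figures.
SAMPLE_BEANCOUNTERS = '''Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
      101:  kmemsize        2048000    3072000   11055923   11377049          0
            numiptent           119        128        128        128          0
            numothersock         54         61        360        360          0
'''

# Constructed iptables-save dump taken with csf stopped: what is left over is
# a cPanel-style accounting chain (assumed shape) and a stray rule in nat.
SAMPLE_IPTABLES_SAVE = '''*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:acctboth - [0:0]
-A INPUT -j acctboth
-A OUTPUT -j acctboth
-A acctboth -s 192.0.2.10 -p tcp
-A acctboth -d 192.0.2.10 -p tcp
-A INPUT -p tcp --dport 23 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT
'''

_ASSIGN = re.compile(r'^\s*([A-Z_]+)\s*=\s*"([^"]*)"', re.M)


def conf_values(conf: str) -> Dict[str, str]:
    """KEY = "value" pairs of a csf.conf-style file."""
    return dict(_ASSIGN.findall(conf))


def port_specs(conf: str, key: str) -> List[str]:
    """Comma-separated port specs of one key; each spec costs one --dport rule."""
    specs = [p.strip() for p in conf_values(conf).get(key, "").split(",") if p.strip()]
    bad = [s for s in specs if not re.fullmatch(r"\d+(:\d+)?", s)]
    if bad:
        raise ValueError(f"{key}: not a port or port range: {bad}")
    return specs


def deny_entries(csf_deny: str) -> List[str]:
    """Addresses listed in csf.deny; comments and blank lines are skipped."""
    return [ln.split("#", 1)[0].strip() for ln in csf_deny.splitlines()
            if ln.split("#", 1)[0].strip()]


def estimate_csf_rules(conf: str, csf_deny: str) -> Dict[str, int]:
    """Lower-bound rule count per source that csf will load (see docstring)."""
    est = {"loopback": 2}  # the two ACCEPT rules csf printed before giving up
    for key in ("TCP_IN", "TCP_OUT", "UDP_IN", "UDP_OUT"):
        est[key] = len(port_specs(conf, key))
    est["DROP_NOLOG"] = 2 * len(port_specs(conf, "DROP_NOLOG"))  # assumed: in + out
    est["csf.deny"] = 2 * len(deny_entries(csf_deny))             # assumed: DENYIN + DENYOUT
    return est


def read_beancounter(text: str, resource: str) -> Tuple[int, int, int, int, int]:
    """(held, maxheld, barrier, limit, failcnt) of one /proc/user_beancounters row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[-6] == resource:
            return tuple(int(x) for x in f[-5:])  # type: ignore[return-value]
    raise KeyError(resource)


def count_rules_in_save(dump: str) -> Dict[str, int]:
    """Rule lines (-A ...) per table in an iptables-save dump; numiptent counts all tables."""
    counts: Dict[str, int] = {}
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
            counts[table] = 0
        elif line.startswith("-A ") and table is not None:
            counts[table] += 1
    return counts


def projected_numiptent(conf: str, csf_deny: str, baseline_dump: str) -> int:
    """Entries left over with csf stopped plus the entries csf will add."""
    baseline = sum(count_rules_in_save(baseline_dump).values())
    return baseline + sum(estimate_csf_rules(conf, csf_deny).values())


def deny_capacity(conf: str, baseline_dump: str, beancounters: str) -> int:
    """How many csf.deny addresses still fit under the numiptent limit once the
    static rules are loaded; compare with DENY_IP_LIMIT in csf.conf."""
    limit = read_beancounter(beancounters, "numiptent")[3]
    static = projected_numiptent(conf, "", baseline_dump)
    return max(0, (limit - static) // 2)


if __name__ == "__main__":
    print("estimate per source:", estimate_csf_rules(SAMPLE_CSF_CONF, SAMPLE_CSF_DENY))
    print("baseline with csf stopped:", count_rules_in_save(SAMPLE_IPTABLES_SAVE))
    print("projected numiptent:", projected_numiptent(SAMPLE_CSF_CONF, SAMPLE_CSF_DENY, SAMPLE_IPTABLES_SAVE))
    cap = deny_capacity(SAMPLE_CSF_CONF, SAMPLE_IPTABLES_SAVE, SAMPLE_BEANCOUNTERS)
    print("csf.deny addresses that fit:", cap, "vs DENY_IP_LIMIT", conf_values(SAMPLE_CSF_CONF)["DENY_IP_LIMIT"])
```

On a live container the three inputs come from `cat /etc/csf/csf.conf`, `cat /etc/csf/csf.deny`, `cat /proc/user_beancounters` and `iptables-save` run after `csf -x` (or `csf -f`), so that the baseline counts only rules csf does not own. The useful comparison is `deny_capacity` against DENY_IP_LIMIT: with the posted port lists the static rules already take most of a 128-entry limit, so lfd blocks, at two entries each, are what push the container over it.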
 
08.04.2008 at 10:12PM PDT, ID: 22158291

Accepted solution (Grade: A), provided by Redimido; participating Experts: 1. The solution text is not reproduced on this page.

Zones: IP Tables/IP Chains, Linux Network Security
Tags: iptables, 1.2.11, CentOS 4.6, cPanel 11.23, Linux 2.6, Error: The VPS iptables rule limit (numiptent) is too low (119/128) - stopping firewall to prevent iptables blocking all connections, at line ....
 
 
08.05.2008 at 10:00AM PDT, ID: 22162835 (Author Comment; text not reproduced on this page)

08.05.2008 at 10:22AM PDT, ID: 22163053 (Expert Comment; text not reproduced on this page)

08.05.2008 at 10:45AM PDT, ID: 22163252 (Author Comment; text not reproduced on this page)

08.05.2008 at 10:57AM PDT, ID: 22163337 (Expert Comment; text not reproduced on this page)

08.16.2008 at 10:11AM PDT, ID: 22244564 (Expert Comment; text not reproduced on this page)

08.17.2008 at 04:03PM PDT, ID: 22248555 (Author Comment; text not reproduced on this page)

 