Configuring CSF in a VPS

Saturday, December 12th, 2009

You may get the following error while restarting csf on a VPS server:

Error: iptables command [/sbin/iptables -v -A LOGDROPIN -p tcp -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '] failed, at line 280

In a VPS (OpenVZ or Virtuozzo) the csf configuration is somewhat different. Let's see how we can make csf work in a VPS.

Before starting the installation of csf, confirm that the following modules are loaded on the main VPS node (the host):

ipt_conntrack

ipt_LOG

ipt_owner

ipt_state

ip_conntrack_ftp

iptable_filter

You can confirm whether these modules are already loaded using:

# lsmod |grep -i <module-name>

If a module is not loaded, you can load it using modprobe:

# modprobe ipt_conntrack

After that, add these modules to the iptables configuration so that they are loaded whenever the iptables service starts:

# vi /etc/sysconfig/iptables-config

IPTABLES_MODULES="ipt_conntrack ipt_LOG ipt_owner ipt_state ip_conntrack_ftp"

You also need to edit the VPS client node configuration file as follows (the example node is 101):

# vi /etc/sysconfig/vz-scripts/101.conf

IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ipt_state iptable_nat ip_nat_ftp ipt_owner ip_conntrack_ftp"

Restart the client node:

# vzctl restart 101

Now log in to your client node and install csf. Before starting csf, edit its configuration file:

# vi /etc/csf/csf.conf

ETH_DEVICE = "venet0" # use the interface name that ifconfig reports
MONOLITHIC_KERNEL = "1"
VERBOSE = "0"

Restart csf:

# csf -r

If you have followed the above steps properly, csf should start without any errors. If you still get an error, these are the other modules I have found necessary:

ipt_MASQUERADE

ipt_helper

ipt_REDIRECT

ipt_state

ipt_TCPMSS

ipt_LOG

ipt_SAME

ipt_TOS

iptable_nat

ipt_length

ipt_tcpmss

iptable_mangle

ipt_limit

ipt_tos

iptable_filter

ipt_ttl

ipt_REJECT

ip_conntrack

ipt_multiport

ip_nat_ftp

ipt_owner

ipt_recent

If csf now starts without any error but blocks all connections to the site when enabled (and everything works again once csf is disabled), first make sure that you have opened all the ports you need in the csf configuration file, then execute the commands below from the client node (101 in our case). Note that these rules accept all traffic on venet0, so treat them as a diagnostic step rather than a final firewall policy.

iptables -A INPUT -i venet0 -j ACCEPT

iptables -A OUTPUT -o venet0 -j ACCEPT

iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0

iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0

Alternatively, add the above iptables rules to /etc/csf/csfpre.sh and restart csf.

Other csf issues in a VPS can be caused by the "numiptent" limit (the number of iptables entries the container is allowed to hold).

Run the command below from your VPS node (101) and check whether the numiptent line shows a nonzero failcnt:

cat /proc/user_beancounters

numiptent should be set to at least 1000.

You can increase the values of these parameters as discussed here.
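As an added example (not part of the original post), the script below automates the two checks described above: it parses lsmod output for the required modules and reads the numiptent counters from /proc/user_beancounters, reporting the same symptoms this post troubleshoots. Both inputs are constructed samples; on a real host feed it the output of lsmod and the contents of /proc/user_beancounters instead.

```sh
# Constructed sample of `lsmod` output (same columns as the real command).
SAMPLE_LSMOD='Module                  Size  Used by
ipt_LOG                 6208  2
ipt_state               2048  4
ip_conntrack           52736  3 ipt_state
iptable_filter          3072  1'

# Constructed excerpt of /proc/user_beancounters for container 101.
SAMPLE_BEANCOUNTERS='Version: 2.5
       uid  resource        held   maxheld   barrier     limit   failcnt
       101: kmemsize     2150275   2232320  14372700  14790164         0
            numiptent        200       200       200       200        37'

# missing_modules LSMOD_TEXT MODULE... -> prints each module absent from the listing
missing_modules() {
  lsmod_text=$1; shift
  for m in "$@"; do
    printf '%s\n' "$lsmod_text" |
      awk -v m="$m" 'NR > 1 && $1 == m { found = 1 } END { if (found) exit 0; exit 1 }' ||
      printf '%s\n' "$m"
  done
}

# beancounter_field BEANCOUNTERS_TEXT RESOURCE COLUMN -> prints that column
# (held, maxheld, barrier, limit or failcnt) for the given resource
beancounter_field() {
  printf '%s\n' "$1" | awk -v r="$2" -v f="$3" '
    $1 == "uid" { for (i = 1; i <= NF; i++) col[$i] = i; next }  # header gives column positions
    col["uid"] {
      off = ($1 ~ /:$/) ? 0 : -1   # only the first row of a container carries the "101:" uid
      if ($(col["resource"] + off) == r) { print $(col[f] + off); exit }
    }'
}

# csf_preflight LSMOD_TEXT BEANCOUNTERS_TEXT -> 0 when every required module is
# loaded and numiptent is healthy, 1 otherwise (one reason printed per problem)
csf_preflight() {
  missing=$(missing_modules "$1" ipt_conntrack ipt_LOG ipt_owner ipt_state ip_conntrack_ftp iptable_filter | tr '\n' ' ')
  failcnt=$(beancounter_field "$2" numiptent failcnt)
  limit=$(beancounter_field "$2" numiptent limit)
  status=0
  [ -z "$missing" ] || { echo "not loaded (modprobe, then add to IPTABLES_MODULES): $missing"; status=1; }
  [ "${failcnt:-0}" -eq 0 ] || { echo "numiptent failcnt=$failcnt: iptables rules are being rejected"; status=1; }
  [ "${limit:-0}" -ge 1000 ] || { echo "numiptent limit=$limit is below the recommended 1000"; status=1; }
  return $status
}

csf_preflight "$SAMPLE_LSMOD" "$SAMPLE_BEANCOUNTERS" || echo "csf will not start cleanly yet"
```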