• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue: insertion too big. CSF el5 plesk 8.3

K

kazodev

Guest
I am seeing an issue with a new install of CSF on a
CPU GenuineIntel, Intel® Pentium® 4 CPU 3.00GHz
Operating system Linux 2.6.18-53.1.13.el5PAE
Plesk version psa v8.3.0_build83080131.20 os_RedHat el5

I was adding to the whitelist.. and got a iptables: Index of insertion too big

[root@ns1 csf]# /usr/sbin/csf -a 222.222.222.222
Adding 222.222.222.222 to csf.allow and iptables ACCEPT...
iptables: Index of insertion too big
ACCEPT all opt -- in eth0 out * 222.222.222.222 -> 0.0.0.0/0
Error: iptables command [/sbin/iptables -v -I INPUT 2 -i eth0 -s 222.222.222.222 -j ACCEPT] failed, at line 864

yet CSF shows it was added

[root@ns1 csf]# cat csf.allow
222.222.222.222 # Manually allowed - Mon Mar 3 22:28:54 2008

I tried...

[root@ns1 csf]# iptables -v -I INPUT -s 1.1.1.1 -j DROP
DROP all opt -- in * out * 1.1.1.1 -> 0.0.0.0/0

and I checked...

[root@ns1 csf]# /etc/init.d/iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination

Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination

Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination


I tried this deny but got an iptables: Index of insertion too big again

[root@ns1 csf]# /usr/sbin/csf -d 1.1.1.2
Adding 1.1.1.2 to csf.deny and iptables DROP...
DROP all opt -- in eth0 out * 1.1.1.2 -> 0.0.0.0/0
iptables: Index of insertion too big
DROP all opt -- in * out eth0 0.0.0.0/0 -> 1.1.1.2
Error: iptables command [/sbin/iptables -v -I OUTPUT 2 -o eth0 -d 1.1.1.2 -j DROP] failed, at line 865

looking at csf.deny I see

1.1.1.2 # Manually denied - Mon Mar 3 23:13:45 2008

restarting I see both the allow 222.222.222.222 and deny 1.1.1.2

but not the 1.1.1.1 added using...
[root@ns1 csf]# iptables -v -I INPUT -s 1.1.1.1 -j DROP

restarting CSF...

[root@ns1 csf]# /usr/sbin/csf -s
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:67
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:67
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:68
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:68
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:111
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:111
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:113
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:113
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpts:135:139
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpts:135:139
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:445
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:445
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:513
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:513
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:520
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:520
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVDROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state INVALID
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x3F/0x00
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x3F/0x3F
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x03/0x03
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x06/0x06
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x05/0x05
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x11/0x01
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x18/0x08
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x30/0x20
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in eth0 out * 1.1.1.2 -> 0.0.0.0/0
DROP all opt -- in * out eth0 0.0.0.0/0 -> 1.1.1.2
ACCEPT all opt -- in eth0 out * 222.222.222.222 -> 0.0.0.0/0
ACCEPT all opt -- in * out eth0 0.0.0.0/0 -> 222.222.222.222
ACCEPT all opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:143
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:993
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8443
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8443
ACCEPT udp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:20
ACCEPT udp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:21
ACCEPT udp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:53
ACCEPT udp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:8443
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:20
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:21
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:53
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:123
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:8443
ACCEPT icmp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 1/sec burst 5
ACCEPT icmp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 1/sec burst 5
LOGDROPIN all opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0
csf: TESTING mode is enabled - don't forget to disable it in the configuration

It seem to be working... but why the error?

Also while I'm at it how does this look for a "plesk" conf


# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,993,995,8443"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,443,8443"

# Allow incoming UDP ports
UDP_IN = "20,21,53,8443"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,123,8443"

I'm not sure if I needed to add anything other than
DNS 53 tp UDP inbound

I'm not sure if I needed to add the plesk 8443 to the UDP outbound

nor 20 ftp-data to TCP inbound or outbound and UDP inbound

============
My Reference:
20=ftp-data
21=ftp command
22=ssh and sftp
25=smtp
53=dns
80=http
110=pop3
113=ident ???? turned off
123=ntp - time server
143=imap
443=https - ssl
465=smtp - ssl
993=imap -ssl
995=pop3 -ssl
8443=plesk -ssl
===============

I did also notice that I had to define
ETH_DEVICE = ""
as
ETH_DEVICE = "eth0"

as /etc/wwwacct.conf file does not exist

Also a last relatively obscure question,
I when accessing the Internet from home I do not have a dedicated IP with my
ADSL service " a C&Worthless $100 a month extra..! - another no competition pillage"

The question is, lets say they are using a IP range of 222.222.222.2 to 222.222.222.253

Is there a correct way to add a range of IP's to csf.allow ??
 
"When csf is in TESTING mode it will flush iptables after 5 minutes. When iptables is flushed, the iptables insert command doesn't work (as you cannot insert above a rule that doesn't exist). Once you take csf out of TESTING mode (in csf.conf) and restart csf, it should work without problems."

ahhhgh.. I forgot the logic that its a cover of the iptables script,,, even though it adds and remembers in CSF.. maybe this should be noted in the readme or conf to avoid any end user concern

also note in general non-cpanel install to set ETH_DEVICE = ""

A Question:

I'm not sure if I needed to add anything other than
DNS 53 tp UDP inbound
I'm not sure if I needed to add the plesk 8443 to the UDP outbound
nor 20 ftp-data to TCP inbound or outbound and UDP inbound
 
Back
Top