Keep hitting numiptent hard limit on VPS. Need help debugging iptables configuration.

Posted on 2008-08-04
Last Modified: 2013-11-16
This posting has been a long time in the making. The root of my issue lies with the fact that my implementation of iptables loads too many values as part of its default configuration, pushing my numiptent value near 128 (which is my high water limit).

I have attempted to use the firewall as part of Virtuozzo which I understand is just a UI for iptables. No success.

I have attempted to use AFP + BFP (Advanced Firewall Protection & Brute Force Protection).  I had hoped to have more control over my configuration via the intuitive afp.conf file.  No success.

My most recent attempt has been to install cfs (ConfigServer Security & Firewall). I use a cPanel Linux VPS, so having the ability to manage the firewall via WHM was a plus.

Back to my problem: I am unable to start iptables without error since the CFS implementation disables the firewall on startup due to hitting the numiptent high water mark.

VPS Info:
CentOS 4.6
cPanel/WHM 11.23
iptables v.  1.2.11

I would like a couple of questions answered:

Help me to understand what settings drive numiptent.

Why is having my numiptent set at 128 not sufficient for my needs?

After several weeks of research I have come to the conclusion that my iptables configuration attempts to populate a chain with values. That population process looks to be the key to my problem. Do you concur?

PLEASE NOTE I AM NOT RUNNING AFP and CFS AT THE SAME TIME. I ATTEMPTED AFP FIRST AND AM NOW ATTEMPTING CFS.

CFS Error:

Restarting csf...

Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Restarting bandmin acctboth chains for cPanel
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0  
Error: The VPS iptables rule limit (numiptent) is too low (119/128) - stopping firewall to prevent iptables blocking all connections, at line 200

...Done.

Restarting lfd...

Stopping lfd:[  OK  ]
[  OK  ]
Starting lfd:[  OK  ]

AFP implementation error:

iptables: Memory allocation problem
iptables v1.2.11: Couldn't load target `acctboth'lib/iptables/libipt_acctboth.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Couldn't load target `acctboth'lib/iptables/libipt_acctboth.so: cannot open shared object file: No such file or directory



Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
(error repeats approx 100 times)
iptables: Table does not exist (do you need to insmod?)
iptables: Table does not exist (do you need to insmod?)

The code snippet contains my:

/etc/cfs/cfs.conf
/etc/afp/conf.afp
/etc/sysconfig/iptables-config

/etc/cfs/cfs.conf:
 
TESTING = "1"
TESTING_INTERVAL = "5"
AUTO_UPDATES = "0"
ETH_DEVICE = ""
ETH_DEVICE_SKIP = ""
TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2086,2087,2095,2096,7403"
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"
UDP_IN = "20,21,53,953"
UDP_OUT = "20,21,53,113,123,873,953,6277"
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"
ICMP_OUT = "1"
ICMP_OUT_RATE = "1/s"
SMTP_BLOCK = "0"
SMTP_ALLOWLOCAL = "0"
MONOLITHIC_KERNEL = "1"
DROP = "DROP"
DROP_LOGGING = "1"
DROP_IP_LOGGING = "0"
DROP_ONLYRES = "0"
DROP_NOLOG = "67,68,111,113,135:139,445,513,520"
PACKET_FILTER = "1"
DROP_PF_LOGGING = "0"
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
VERBOSE = "1"
SYSLOG = "0"
DYNDNS = "0"
DYNDNS_IGNORE = "0"
RELAYHOSTS = "1"
IGNORE_ALLOW = "0"
DENY_IP_LIMIT = "100"
DENY_TEMP_IP_LIMIT = "100"
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
GLOBAL_IGNORE = ""
LF_GLOBAL = ""
LF_DAEMON = "1"
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "1"
LF_SELECT = "0"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "10"
LF_FTPD_PERM = "1"
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"
LF_POP3D = "10"
LF_POP3D_PERM = "1"
LF_IMAPD = "10"
LF_IMAPD_PERM = "1"
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"
LF_CPANEL = "5"
LF_CPANEL_PERM = "1"
LF_SUHOSIN = "0"
LF_SUHOSIN_PERM = "1"
LF_CSF = "1"
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"
LF_SCRIPT_ALERT = "0"
LF_SCRIPT_LIMIT = "100"
LF_QUEUE_ALERT = "2000"
LF_QUEUE_INTERVAL = "300"
LF_DIRWATCH = "300"
LF_DIRWATCH_DISABLE = "0"
LF_DIRWATCH_FILE = "0"
LF_FLUSH = "3600"
LF_INTEGRITY = "3600"
LF_EXPLOIT = "300"
LF_EXPLOIT_CHECK = "JS,SUPERUSER"
LF_INTERVAL = "300"
LF_PARSE = "5"
LF_EMAIL_ALERT = "1"
LT_EMAIL_ALERT = "1"
LT_POP3D = "60"
LT_IMAPD = "0"
RT_RELAY_ALERT = "1"
RT_RELAY_LIMIT = "100"
RT_RELAY_BLOCK = "0"
RT_AUTHRELAY_ALERT = "1"
RT_AUTHRELAY_LIMIT = "100"
RT_AUTHRELAY_BLOCK = "0"
RT_POPRELAY_ALERT = "1"
RT_POPRELAY_LIMIT = "100"
RT_POPRELAY_BLOCK = "0"
RT_LOCALRELAY_ALERT = "1"
RT_LOCALRELAY_LIMIT = "100"
RT_LOCALRELAY_BLOCK = "0"
LF_DSHIELD = "0"
LF_DSHIELD_URL = "http://feeds.dshield.org/block.txt"
LF_SPAMHAUS = "0"
LF_SPAMHAUS_URL = "http://www.spamhaus.org/drop/drop.lasso"
LF_BOGON = "0"
LF_BOGON_URL = "http://www.cymru.com/Documents/bogon-bn-agg.txt"
CT_LIMIT = "0"
CT_INTERVAL = "30"
CT_EMAIL_ALERT = "1"
CT_PERMANENT = "0"
CT_BLOCK_TIME = "1800"
CT_SKIP_TIME_WAIT = "0"
CT_STATES = ""
CT_PORTS = ""
PT_LIMIT = "60"
PT_INTERVAL = "60"
PT_SKIP_HTTP = "1"
PT_USERPROC = "10"
PT_USERMEM = "100"
PT_USERTIME = "1800"
PT_USERKILL = "0"
PT_LOAD = "30"
PT_LOAD_AVG = "5"
PT_LOAD_LEVEL = "6"
PT_LOAD_SKIP = "3600"
PT_LOAD_ACTION = ""
PS_INTERVAL = "0"
PS_LIMIT = "10"
PS_PORTS = "0:65535"
PS_PERMANENT = "0"
PS_BLOCK_TIME = "3600"
PS_EMAIL_ALERT = "1"
AT_ALERT = "2"
AT_INTERVAL = "60"
AT_NEW = "1"
AT_OLD = "1"
AT_PASSWD = "1"
AT_UID = "1"
AT_GID = "1"
AT_DIR = "1"
AT_SHELL = "1"
IPTABLES = "/sbin/iptables"
MODPROBE = "/sbin/modprobe"
IFCONFIG = "/sbin/ifconfig"
SENDMAIL = "/usr/sbin/sendmail"
PS = "/bin/ps"
FUSER = "/sbin/fuser"
VMSTAT = "/usr/bin/vmstat"
LS = "/bin/ls"
MD5SUM = "/usr/bin/md5sum"
TAR = "/bin/tar"
CHATTR = "/usr/bin/chattr"
 
# Log files
HTACCESS_LOG = "/usr/local/apache/logs/error_log"
MODSEC_LOG = "/usr/local/apache/logs/error_log"
SSHD_LOG = "/var/log/secure"
SU_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/messages"
SMTPAUTH_LOG = "/var/log/exim_mainlog"
SMTPRELAY_LOG = "/var/log/exim_mainlog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"
CPANEL_LOG = "/usr/local/cpanel/logs/login_log"
SCRIPT_LOG = "/var/log/exim_mainlog"
IPTABLES_LOG = "/var/log/messages"
SUHOSIN_LOG = "/var/log/messages"
 
 
/etc/afp/conf.afp:
 
#!/bin/sh
#
# APF 0.9.6 [apf@r-fx.org]
# Copyright (C) 1999-2007, R-fx Networks <proj@r-fx.org>
# Copyright (C) 2007, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL
#
# NOTE: This file should be edited with word/line wrapping off,
#       if your using pico/nano please start it with the -w switch
#       (e.g: pico -w filename)
# NOTE: All options in this file are integer values unless otherwise
#       indicated. This means value of 0 = disabled and 1 = enabled.
 
DEVEL_MODE="0"
INSTALL_PATH="/etc/apf"
IFACE_IN="venet0" 
IFACE_OUT="venet0"
IFACE_TRUSTED=""
SET_VERBOSE="1"
SET_FASTLOAD="0"
SET_VNET="0"
SET_ADDIFACE="0"
SET_MONOKERN="1"
SET_REFRESH="10"
SET_TRIM="50"
VF_ROUTE="1"
VF_CROND="1"
VF_LGATE=""
RAB="0"
RAB_SANITY="1"
RAB_PSCAN_LEVEL="2"
RAB_HITCOUNT="1"
RAB_TIMER="300"
RAB_TRIP="1"
RAB_LOG_HIT="1"
RAB_LOG_TRIP="0"
TCP_STOP="DROP"
UDP_STOP="DROP"
ALL_STOP="DROP"
PKT_SANITY="1"
PKT_SANITY_INV="0"
PKT_SANITY_FUDP="1"
PKT_SANITY_PZERO="1"
PKT_SANITY_STUFFED="0"
TOS_DEF="0"
TOS_DEF_RANGE="512:65535"
TOS_0=""
TOS_2=""
TOS_4=""
TOS_8="21,20,80"
TOS_16="25,110,143"
TCR_PASS="1"
TCR_PORTS="33434:33534"
ICMP_LIM="30/s"
RESV_DNS="1"
RESV_DNS_DROP="1"
BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778"
BLK_PORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"
BLK_MCATNET="0"
BLK_PRVNET="0"
BLK_RESNET="1"
BLK_IDENT="0"
SYSCTL_CONNTRACK="34576"
SYSCTL_TCP="1"
SYSCTL_SYN="1"
SYSCTL_ROUTE="0"
SYSCTL_LOGMARTIANS="0"
SYSCTL_ECN="0"
SYSCTL_SYNCOOKIES="1"
SYSCTL_OVERFLOW="0"
HELPER_SSH="1"
HELPER_SSH_PORT="22"
HELPER_FTP="1"
HELPER_FTP_PORT="21"
HELPER_FTP_DATA="20"
IG_TCP_CPORTS="20,22,25,26,53,80,110,143,443,465,587,995,7403,2082,2083,2086,2087,2095,2096,3000_3500,4643,6666"
IG_UDP_CPORTS="53,465,2077,20"
IG_ICMP_TYPES="3,5,11,0,30,8"
EGF="1"
EG_TCP_CPORTS="22,25,26,37,43,53,80,110,443,465,2089,4643"
EG_UDP_CPORTS="20,53,465"
EG_ICMP_TYPES="all"
EG_TCP_UID=""
EG_UDP_UID=""
EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl"
USE_DS="1"
DS_URL="feeds.dshield.org/top10-2.txt" 	     # block.txt url (no *://)
DS_URL_PROT="http"                           # protocol to use for wget
USE_DROP="1"
DROP_URL="www.spamhaus.org/drop/drop.lasso"     # drop.lasso url (no *://)
DROP_URL_PROT="http"                            # protocol to use for wget 
USE_ECNSHAME="1"
ECNSHAME_URL="r-fx.ca/downloads/ecnshame.lst"   # url (no *://)
ECNSHAME_URL_PROT="http"                        # protocol to use for wget
USE_RD="1"
RD_URL="r-fx.ca/downloads/reserved.networks" # reserved.networks url
RD_URL_PROT="http"			     # protocol to use for wget
USE_RGT="0"
GA_URL="yourhost.com/glob_allow.rules"       # glob_allow.rules url (no *://)
GA_URL_PROT="http" 			     # protocol for use with wget
GD_URL="yourhost.com/glob_deny.rules"        # glob_deny.rules url (no *://)
GD_URL_PROT="http"			     # protocol for use with wget
LOG_DROP="0"
LOG_LEVEL="crit"
LOG_TARGET="LOG"
LOG_IA="1"
LOG_LGATE="0"
LOG_EXT="0"
LOG_RATE="30"
LOG_APF="/var/log/apf_log"
CNFINT="$INSTALL_PATH/internals/internals.conf"
. $CNFINT
 
 
/etc/sysconfig/iptables-config:
 
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"

Question by:copeasetic
7 Comments
 
LVL 19

Accepted Solution

by:
Gabriel Orozco earned 2000 total points
ID: 22158291
I see your firewall is not the problem.

128 rules for iptables is a very very low limit.

this is not a problem for iptables. I have done firewalls with thousands of lines before I learned ipsets :-)

The problem resides in the configuration of your VPS (Virtual Server). you are using Virtuozzo to create virtual servers, and this is one configuration for the vserver.

You can check it by looking at /proc/user_beancounters. The entry should be at the bottom called numiptent.

Increase the value for numiptent or ask your VPS provider to increase the value for you.

See here:
http://forum.openvz.org/index.php?t=msg&goto=2006&
NUMIPTENT="128:256"

You can increase it to, say, "512:1024".


Mmhh... after checking your firewall I see you can make it much less complicated too. How many services do you have?

You can create very simple rules in very few lines by creating the firewall shell script by hand.
0
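To check the counter Gabriel points at, here is an added shell snippet (my example, not from the thread or from Virtuozzo's own tooling) that pulls the numiptent line out of /proc/user_beancounters and warns when the held count is close to the limit or allocations have already failed. When the file is not readable, for instance on a machine that is not an OpenVZ container, it falls back to a constructed sample in the same column layout; the sample's numbers (119 held of 128, 5 failures) are made up to mirror the csf error in the question.

```shell
#!/bin/sh
# Added example: report the numiptent beancounter of an OpenVZ/Virtuozzo
# container. Not from the thread; the sample below is constructed and its
# numbers (119 held of 128, 5 failures) are made up to match the csf error.
SAMPLE_UBC='Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      101:  kmemsize                  1503554              1813272             11055923             11377049                    0
            numproc                        40                   52                  240                  240                    0
            numiptent                     119                  119                  128                  128                    5'

# ubc_field TEXT RESOURCE COLUMN: print one column of a resource line.
# Columns: 1=held 2=maxheld 3=barrier 4=limit 5=failcnt. The first resource
# of each container carries the "uid:" prefix, so the name may be $1 or $2.
ubc_field() {
    printf '%s\n' "$1" | awk -v res="$2" -v col="$3" '
        $1 == res { print $(1 + col); exit }
        $2 == res { print $(2 + col); exit }'
}

# numiptent_report TEXT: print the counter and return 1 when allocations have
# already failed or held is within 10% of the limit, 2 when no counter exists.
numiptent_report() {
    held=$(ubc_field "$1" numiptent 1)
    maxheld=$(ubc_field "$1" numiptent 2)
    limit=$(ubc_field "$1" numiptent 4)
    failcnt=$(ubc_field "$1" numiptent 5)
    if [ -z "$limit" ]; then
        echo "numiptent not found: not an OpenVZ/Virtuozzo container?" >&2
        return 2
    fi
    echo "numiptent: held=$held maxheld=$maxheld limit=$limit failcnt=$failcnt"
    if [ "$failcnt" -gt 0 ] || [ $((held * 10)) -ge $((limit * 9)) ]; then
        echo "WARNING: rule budget nearly exhausted; trim the rule set or have the host raise numiptent" >&2
        return 1
    fi
    return 0
}

# Use the live file when present (usually needs root inside the container),
# otherwise the constructed sample.
if [ -r /proc/user_beancounters ]; then
    UBC_TEXT=$(cat /proc/user_beancounters)
else
    UBC_TEXT=$SAMPLE_UBC
fi
numiptent_report "$UBC_TEXT" || :
```

The failcnt column is the useful one: a non-zero value means the kernel has already refused rule insertions, which is exactly what makes csf stop itself. The limit can only be raised on the hardware node, by the provider, with `vzctl set <ctid> --numiptent <barrier>:<limit> --save` (the NUMIPTENT="128:256" form quoted above is the same setting in the container's config file).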
 

Author Comment

by:copeasetic
ID: 22162835
I have asked my VPS provider to increase my numiptent to 1024. I doubt they will. I have asked before, but they have ignored my requests in the past. If I am unable to get my host to make my requested changes how do I configure CFS so that it will run without hitting the numiptent limit?

My services:
exim
httpd
named
pure-ftpd
saslauthd
sshd
syslogd

I believe those are all the services running at the moment...

I am interested in creating a simple firewall. Please advise how to accomplish this.

Thanks!
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 22163053
hey I was just starting to write something but alas, there are some resources on the internet from good people:

http://www.groovygrails.de/blog/groovygrails/entry/secure_your_vps_with_a

I saw many more using
http://www.google.com.mx/search?q=very+simple+firewall+for+vps

the first script will do what you actually do but in less than a hundred lines :-)
0
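Gabriel's point that the listed services need only a handful of rules can be shown directly. The following is an added example (mine, not the linked blog's script and not from the thread): a minimal stateful IPv4 rule set for sshd, exim, named, httpd and pure-ftpd (saslauthd and syslogd listen locally only) plus the cPanel/WHM/webmail ports from the TCP_IN line of the csf config above. It prints the iptables commands by default and counts how many rule entries they would add, so the figure can be set against the numiptent values before anything is applied; `apply` runs them as root. Assumed: a single VPS with no forwarding or NAT, and that the passive FTP and mail-over-SSL ports are not needed.

```shell
#!/bin/sh
# Added example, not from the thread or the linked blog: a minimal stateful
# IPv4 rule set for the services listed (sshd, exim, named, httpd, pure-ftpd;
# saslauthd and syslogd are local only) plus the cPanel/WHM/webmail ports taken
# from the TCP_IN line of the csf config. Printed as commands by default so the
# rule count can be checked against numiptent; "apply" runs them as root.
IPT=${IPT:-/sbin/iptables}
TCP_IN="21,22,25,53,80,443,2082,2083,2086,2087,2095,2096"
UDP_IN="53"

# gen_rules: print the iptables invocations, one per line.
gen_rules() {
    cat <<EOF
$IPT -F INPUT
$IPT -F FORWARD
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp --syn -m multiport --dports $TCP_IN -j ACCEPT
$IPT -A INPUT -p udp -m multiport --dports $UDP_IN -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
EOF
}

# rule_count: number of entries the set adds (-A lines); policies and flushes
# are not rules and cost no numiptent entries.
rule_count() {
    gen_rules | grep -c -- ' -A '
}

# under_budget LIMIT HELD: succeed when the entries already in use (HELD, as
# read from /proc/user_beancounters, e.g. cPanel's bandmin accounting chains)
# plus this set stay below the numiptent limit.
under_budget() {
    [ $(( $(rule_count) + $2 )) -lt "$1" ]
}

case "${1:-}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        gen_rules | sh -e
        ;;
    *)
        gen_rules
        echo "# $(rule_count) rules would be added"
        ;;
esac
```

Seven entries replaces the 119 that csf built, with the same ingress posture: default DROP, loopback and established traffic allowed, one multiport rule per protocol for the listening services, rate-limited ping, and rate-limited logging of what is dropped. Two caveats: the `-F INPUT` line empties the chain, so anything another tool placed there (cPanel's bandmin/acctboth jump rules) has to be re-added by that tool afterwards, and the set does nothing against SSH brute-forcing, which, as Gabriel says, needs a separate log-watching tool such as denyhosts.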

Author Comment

by:copeasetic
ID: 22163252
Thank you very much for the links. I appreciate it.

It is unfortunate that I cannot use the more advanced scripting implemented by tools like AFP and CFS. This is simply a limitation of my VPS host not allocating enough resources to each individual VPS.

So, in conclusion, since my VPS is not configured to allow more than 128 rules I am relegated to implementing a very simple iptables rules configuration.

So, in the end, I suppose I need to look for a VPS host who provides more kernel level support. Perhaps they have too many VPSs installed on a single hardware node?

Please advise if my assumptions are correct...
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 22163337
hi copeasetic

no, I really do not think you are losing too much with the simpler rules. if you check the apf firewall, many of the rules there are for log and checking. if you implement your firewall correctly, as in the past link, you can have, say, 99% the protection. in fact, the apf firewall does not protect you from the brute-force ssh attacks. you need a separate script to do that, like the denyhosts script.

in short: you are losing rules that are not met anyway. you lose some unnecessary logs, but you keep the protection.

It is unfortunate your provider is not allowing you more iptables rules, but I doubt you will find a provider that allows you much more than that.

Regards
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 22244564
hi copeasetic any news?
0
 

Author Comment

by:copeasetic
ID: 22248555
After much coaxing my ISP raised my numiptent value on the hardware node level of Virtuozzo from 128 to 1024.

The root of my issue was caused by, in this user's opinion, an improper Virtuozzo configuration. IPTABLES cannot be expected to function properly without a setting of 400 or more. I was fortunate to have 1024 allocated to my VPS and have seen a high water mark of around 350 or so. Keep in mind that I have not had an opportunity to examine the kinds of attacks I have been subject to and have not crafted any new filters other than the default configuration.

Thanks for the input. Your feedback reinforced my belief that the config was wrong.

0
