iptables failed to start on new Centos 7 server

[rolinger]

@drenton - I am having the same issue as you were having, however I have the full GoDaddy VPS solution which doesnt provide any support. So calling them doesn't help.

Not certain why, but my VSF is Centos 6...I would think it should be Centos 7, however, the fix is probably going to be the same:

2.6.32-042stab103.6 #1 SMP Wed Jan 21 13:07:39 MSK 2015 x86_64 x86_64 x86_64 GNU/Linux

From the csftest.pl script I am getting the following:

Testing ipt_state/xt_state...FAILED [FATAL Error: iptables: No chain/target/match by that name.] - Required for csf to function
Testing xt_connlimit...FAILED [Error: iptables: No chain/target/match by that name.] - Required for CONNLIMIT feature
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for MESSENGER feature
Testing iptable_nat/ipt_DNAT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for csf.redirect feature

What can I do to get this corrected?

[rolinger]

ack...what happened to my post...posting again.

I am having same problem as David above.

Centos: 2.6.32-042stab103.6 #1 SMP Wed Jan 21 13:07:39 MSK 2015 x86_64 x86_64 x86_64 GNU/Linux

Errors from csftest.pl:

./csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...FAILED [FATAL Error: iptables: No chain/target/match by that name.] - Required for csf to function
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: No chain/target/match by that name.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for MESSENGER feature
Testing iptable_nat/ipt_DNAT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for csf.redirect feature

RESULT: csf will not function on this server due to FATAL errors from missing modules [1]

When I run: lsmod I get an empty response,

# lsmod
Module Size Used by

However, CSF appears to almost be running, because from the CSF cPanel GUI I get the following:

Firewall Status: Enabled and Running

- and at the same time I don't think its running I am getting lots of

iptables: No chain/target/match by that name.

in the restart of the CSF:

Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:23
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:23
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:67
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:67
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:68
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:68
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:111
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:111
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:113
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:113
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpts:135:139
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpts:135:139
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:445
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:445
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:500
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:500
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:513
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:513
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:520
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:520
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
DENYOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
DENYIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ALLOWOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ALLOWIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
iptables: No chain/target/match by that name.
INVDROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state INVALID
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x3F/0x00
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x3F/0x3F
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x03/0x03
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x06/0x06
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x05/0x05
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x11/0x01
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x18/0x08
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x30/0x20
iptables: No chain/target/match by that name.
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT tcp opt -- in !lo out * 178.255.81.12 -> 0.0.0.0/0 tcp dpt:80
ACCEPT tcp opt -- in !lo out * 178.255.81.12 -> 0.0.0.0/0 tcp dpt:443
ACCEPT tcp opt -- in !lo out * 178.255.81.13 -> 0.0.0.0/0 tcp dpt:80
ACCEPT tcp opt -- in !lo out * 178.255.81.13 -> 0.0.0.0/0 tcp dpt:443
ACCEPT tcp opt -- in !lo out * 91.199.212.132 -> 0.0.0.0/0 tcp dpt:80
ACCEPT tcp opt -- in !lo out * 91.199.212.132 -> 0.0.0.0/0 tcp dpt:443
ACCEPT tcp opt -- in !lo out * 199.66.201.132 -> 0.0.0.0/0 tcp dpt:80
ACCEPT tcp opt -- in !lo out * 199.66.201.132 -> 0.0.0.0/0 tcp dpt:443
iptables: No chain/target/match by that name.
ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
iptables: No chain/target/match by that name.
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:20
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:21
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:22
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:25
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:53
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:80
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:110
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:143
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:443
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:465
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:587
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:993
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:995
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2077
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2078
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2079
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2080
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2082
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2083
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2086
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2087
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2095
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2096
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:20
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:21
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:22
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:25
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:37
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:43
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:53
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:80
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:110
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:113
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:443
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:587
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:873
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:993
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:995
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2086
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2087
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2089
iptables: No chain/target/match by that name.
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2703
iptables: No chain/target/match by that name.
ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:20
iptables: No chain/target/match by that name.
ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:21
iptables: No chain/target/match by that name.
ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:53
iptables: No chain/target/match by that name.
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:20
iptables: No chain/target/match by that name.
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:21
iptables: No chain/target/match by that name.
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:53
iptables: No chain/target/match by that name.
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:113
iptables: No chain/target/match by that name.
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:123
iptables: No chain/target/match by that name.
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:873
iptables: No chain/target/match by that name.
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:6277
iptables: No chain/target/match by that name.
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:24441
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmp type 8
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmp type 0 limit: avg 1/sec burst 5
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmp type 11
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmp type 3
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmp type 11
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmp type 3
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 udp spt:53
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 tcp spt:53
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:53
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:53
ACCEPT udp opt -- in !lo out * 208.109.96.1 -> 0.0.0.0/0 udp spt:53
ACCEPT tcp opt -- in !lo out * 208.109.96.1 -> 0.0.0.0/0 tcp spt:53
ACCEPT udp opt -- in !lo out * 208.109.96.1 -> 0.0.0.0/0 udp dpt:53
ACCEPT tcp opt -- in !lo out * 208.109.96.1 -> 0.0.0.0/0 tcp dpt:53
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 208.109.96.1 udp spt:53
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.109.96.1 tcp spt:53
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 208.109.96.1 udp dpt:53
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.109.96.1 tcp dpt:53
ACCEPT udp opt -- in !lo out * 208.109.96.2 -> 0.0.0.0/0 udp spt:53
ACCEPT tcp opt -- in !lo out * 208.109.96.2 -> 0.0.0.0/0 tcp spt:53
ACCEPT udp opt -- in !lo out * 208.109.96.2 -> 0.0.0.0/0 udp dpt:53
ACCEPT tcp opt -- in !lo out * 208.109.96.2 -> 0.0.0.0/0 tcp dpt:53
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 208.109.96.2 udp spt:53
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.109.96.2 tcp spt:53
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 208.109.96.2 udp dpt:53
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.109.96.2 tcp dpt:53
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0

[TrevorH]

You're running an openvz container and not a CentOS system. You have no control over what kernel modules are loaded and you must speak to your hoster to get them to load the modules for you. It's not something you (or us) can fix.