LXC Container CSF

Flegma

New Member
Jan 18, 2014
Hello,
On a Proxmox 3 node I could load CSF by editing /etc/vz/vz.conf and loading the correct modules for iptables, but is there a way to do it with LXC containers on Proxmox 4?
When I install CSF I get the same errors that the modules are not loaded, so I tried loading them via /etc/modules, but it appears that they are not loaded correctly.

Thanks for a suggestion.
 
Was about to ask the same question myself. I have not upgraded to Proxmox 4 because of uncertainty around this issue. Would be nice to know if anybody can help us with this?
 
CSF and UFW work out of the box in LXC, no special settings needed
When I try to test the CSF installation with
perl /usr/local/csf/bin/csftest.pl
it says that it probably won't work on my server.

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...FAILED [FATAL Error: FATAL: Could not load /lib/modules/4.2.3-2-pve/modules.dep: No such file or directory] - Required for csf to function
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Protocol wrong type for socket.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...FAILED [Error: FATAL: Could not load /lib/modules/4.2.3-2-pve/modules.dep: No such file or directory] - Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf will not function on this server due to FATAL errors from missing modules [1]
 
Try again after loading the requested modules on the host:
Code:
# modprobe xt_multiport
# modprobe xt_connlimit
# modprobe xt_owner
 
Again,
perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...FAILED [FATAL Error: FATAL: Could not load /lib/modules/4.2.3-2-pve/modules.dep: No such file or directory] - Required for csf to function
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Protocol wrong type for socket.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...FAILED [Error: FATAL: Could not load /lib/modules/4.2.3-2-pve/modules.dep: No such file or directory] - Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf will not function on this server due to FATAL errors from missing modules [1]


Also, lsmod on the host says:

lsmod
Module Size Used by
xt_nat 16384 0
xt_REDIRECT 16384 0
nf_nat_redirect 16384 1 xt_REDIRECT
xt_recent 20480 0
xt_limit 16384 0
nf_log_ipv4 16384 2
nf_log_common 16384 1 nf_log_ipv4
xt_LOG 16384 2
xt_owner 16384 1
xt_connlimit 16384 0
iptable_nat 16384 0
nf_nat_ipv4 16384 1 iptable_nat
nf_nat 24576 3 nf_nat_redirect,nf_nat_ipv4,xt_nat
xt_state 16384 50
veth 16384 0
ip6t_REJECT 16384 1
nf_reject_ipv6 16384 1 ip6t_REJECT
nf_conntrack_ipv6 20480 33
nf_defrag_ipv6 36864 1 nf_conntrack_ipv6
ip6table_filter 16384 2
ip6_tables 28672 1 ip6table_filter
xt_mac 16384 6
ipt_REJECT 16384 4
nf_reject_ipv4 16384 1 ipt_REJECT
xt_physdev 16384 16
nf_conntrack_ipv4 20480 36
nf_defrag_ipv4 16384 1 nf_conntrack_ipv4
xt_comment 16384 50
xt_tcpudp 16384 235
xt_set 16384 8
xt_addrtype 16384 7
xt_multiport 16384 9
xt_conntrack 16384 18
xt_mark 16384 28
ip_set_hash_net 36864 2
ip_set 45056 2 ip_set_hash_net,xt_set
iptable_filter 16384 3
ip_tables 28672 2 iptable_filter,iptable_nat
x_tables 36864 23 xt_physdev,ip6table_filter,xt_mark,xt_comment,xt_recent,ip_tables,xt_tcpudp,xt_limit,xt_owner,xt_state,xt_connlimit,xt_conntrack,xt_LOG,xt_mac,xt_nat,xt_set,xt_multiport,iptable_filter,ipt_REJECT,xt_REDIRECT,ip6_tables,xt_addrtype,ip6t_REJECT
nfsd 319488 2
auth_rpcgss 61440 1 nfsd
nfs_acl 16384 1 nfsd
nfs 258048 0
lockd 94208 2 nfs,nfsd
grace 16384 2 nfsd,lockd
fscache 65536 1 nfs
sunrpc 331776 6 nfs,nfsd,auth_rpcgss,lockd,nfs_acl
ib_iser 53248 0
rdma_cm 45056 1 ib_iser
iw_cm 45056 1 rdma_cm
ib_cm 45056 1 rdma_cm
ib_sa 32768 2 rdma_cm,ib_cm
ib_mad 49152 2 ib_cm,ib_sa
ib_core 102400 6 rdma_cm,ib_cm,ib_sa,iw_cm,ib_mad,ib_iser
ib_addr 20480 2 rdma_cm,ib_core
iscsi_tcp 20480 0
libiscsi_tcp 24576 1 iscsi_tcp
libiscsi 57344 3 libiscsi_tcp,iscsi_tcp,ib_iser
scsi_transport_iscsi 98304 4 iscsi_tcp,ib_iser,libiscsi
nfnetlink_log 20480 1
nfnetlink 16384 3 nfnetlink_log,ip_set
intel_rapl 20480 0
iosf_mbi 16384 1 intel_rapl
x86_pkg_temp_thermal 16384 0
intel_powerclamp 16384 0
coretemp 16384 0
kvm_intel 167936 0
kvm 512000 1 kvm_intel
crct10dif_pclmul 16384 0
crc32_pclmul 16384 0
snd_pcm 102400 0
ghash_clmulni_intel 16384 0
aesni_intel 167936 0
snd_timer 32768 1 snd_pcm
aes_x86_64 20480 1 aesni_intel
lrw 16384 1 aesni_intel
i915 1138688 1
snd 86016 2 snd_timer,snd_pcm
gf128mul 16384 1 lrw
mei_me 36864 0
iTCO_wdt 16384 1
mxm_wmi 16384 0
iTCO_vendor_support 16384 1 iTCO_wdt
glue_helper 16384 1 aesni_intel
i2c_i801 24576 0
ppdev 20480 0
drm_kms_helper 126976 1 i915
ablk_helper 16384 1 aesni_intel
drm 356352 3 i915,drm_kms_helper
8250_fintek 16384 0
ie31200_edac 16384 0
i2c_algo_bit 16384 1 i915
input_leds 16384 0
serio_raw 16384 0
cryptd 20480 3 ghash_clmulni_intel,aesni_intel,ablk_helper
soundcore 16384 1 snd
pcspkr 16384 0
mei 102400 1 mei_me
lpc_ich 24576 0
shpchp 36864 0
parport_pc 32768 0
mac_hid 16384 0
parport 49152 2 ppdev,parport_pc
edac_core 53248 1 ie31200_edac
wmi 20480 1 mxm_wmi
video 36864 1 i915
tpm_infineon 20480 0
vhost_net 20480 0
vhost 36864 1 vhost_net
macvtap 20480 1 vhost_net
macvlan 24576 1 macvtap
nf_conntrack_ftp 20480 0
nf_conntrack 106496 8 nf_nat,xt_state,xt_connlimit,nf_nat_ipv4,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_ipv6
autofs4 40960 2
raid1 36864 2
ahci 36864 4
libahci 32768 1 ahci
r8169 81920 0
mii 16384 1 r8169
 
Do you get an error when you try this command manually in the container as root?
Code:
# iptables -I OUTPUT -p tcp -m multiport --dports 9998,9999 -j LOG
As far as I can see that's what it does for the ipt_multiport test. This works here for me inside containers, and it still looks like there are just some missing modules...
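The FATAL line quoted in this thread is iptables trying to autoload a match it cannot find by running modprobe, and inside an LXC container that can never succeed: `uname -r` reports the host kernel, but the container rootfs has no /lib/modules tree for it. The only place the modules can be loaded is the host, which is what the modprobe advice above does by hand. The script below is an added example, not code from the thread or from Proxmox or CSF: it takes an lsmod listing captured on the host, reports which of the modules csftest.pl probes are missing, and prints the matching modprobe lines. The module list is assembled from the test names in the csftest.pl output above, and the lsmod sample at the bottom is constructed (it deliberately lacks the three modules the thread had to modprobe). It only checks the host side; it says nothing about the CentOS 6 iptables behaviour the thread ends on.

```shell
#!/bin/sh
# Added example (not from the thread): find which netfilter modules that
# csftest.pl probes are absent from an lsmod listing taken on the Proxmox host.
# Module names are the xt_*/ipt_* names seen in the thread's own lsmod output.

# Modules behind the csftest.pl lines (ipt_multiport -> xt_multiport, etc.).
CSF_MODULES="ip_tables iptable_filter xt_LOG xt_multiport ipt_REJECT \
xt_state xt_limit xt_recent xt_connlimit xt_owner iptable_nat xt_REDIRECT"

# missing_modules LSMOD_FILE
# Prints, one per line, each required module that does not appear in column 1
# of the lsmod-format file; returns 0 if all are loaded, 1 otherwise.
missing_modules() {
    lsmod_file=$1
    rc=0
    for mod in $CSF_MODULES; do
        # Skip the "Module Size Used by" header, match the name column exactly.
        if ! awk -v m="$mod" 'NR > 1 && $1 == m { found = 1 }
                              END { exit (found ? 0 : 1) }' "$lsmod_file"; then
            echo "$mod"
            rc=1
        fi
    done
    return $rc
}

# modprobe_commands LSMOD_FILE
# Turns the missing list into the modprobe lines to run as root on the host
# before the container starts, in the same form as the advice in the thread.
modprobe_commands() {
    missing_modules "$1" | sed 's/^/modprobe /'
}

# Constructed lsmod sample: xt_multiport, xt_connlimit and xt_owner are
# intentionally absent, mirroring the host state the thread started from.
SAMPLE_LSMOD=$(mktemp)
cat > "$SAMPLE_LSMOD" <<'EOF'
Module                  Size  Used by
xt_nat                 16384  0
xt_REDIRECT            16384  0
xt_recent              20480  0
xt_limit               16384  0
xt_LOG                 16384  2
iptable_nat            16384  0
xt_state               16384  50
ipt_REJECT             16384  4
iptable_filter         16384  3
ip_tables              28672  2 iptable_filter,iptable_nat
EOF

# On a real host: lsmod > /tmp/lsmod.txt && modprobe_commands /tmp/lsmod.txt
modprobe_commands "$SAMPLE_LSMOD"
```

Run it on the host (not in the container, where lsmod may be unavailable or misleading) and apply the printed modprobe lines; to make them survive a reboot, add the same module names to /etc/modules on the host, as the thread's later post tries.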
 
[root@bucko-dev csf]# iptables -I OUTPUT -p tcp -m multiport --dports 9998,9999 -j ACCEPT
FATAL: Could not load /lib/modules/4.2.3-2-pve/modules.dep: No such file or directory

Yes, there's an error.
 
Have you upgraded the kernel, deleted the old and not rebooted? This file should be in pve-kernel-4.2.3-2-pve.
 
Yes, I have rebooted several times.

The kernel is:
root@hibrid:~# uname -a
Linux hibrid 4.2.3-2-pve #1 SMP Sun Nov 15 16:08:19 CET 2015 x86_64 GNU/Linux
 
Try reinstalling the package, it looks like you're missing some files for some reason...
 
Could that also be the reason why my containers are only working every second reboot?
Example: I have container ID 100 running in a subnet, and when I start it I can't access the internet from inside, nor can I ping it from the outside.
But as soon as I reboot the container from the Proxmox GUI console, I can access the internet and I can ping it.
If I reboot the container once again, I can't ping it or ping outside of it. After another reboot it's fine again. So basically every second reboot my CentOS container ends up in an "offline" state for some reason. This is not an issue with Ubuntu containers; they are always available and working like they should.

So I can try doing
apt-get update && apt-get dist-upgrade

for the update and then remove the old Debian kernel with
apt-get remove linux-image-amd64 linux-image-3.16.0-4-amd64 linux-base

Right?
 
You can upgrade or just directly install the missing package. Removing the Debian and other older kernels is optional.
As for the network issue: it seems unlikely that it is related, but I can't rule it out. Possibly some saved state inside CentOS messes up every other start?
 
You can upgrade or just directly install the missing package. Removing the Debian and other older kernels is optional.
As for the network issue: it seems unlikely that it is related, but I can't rule it out. Possibly some saved state inside CentOS messes up every other start?
How can I install the missing package, can you provide me with the info (a link or something)? Thanks.

Other issue: I don't know, I have downloaded the template from within the Proxmox GUI. If that template is installed on some IP that's not in a subnet, it works on every reboot, but if it's in a subnet, it's working only every second time.
I can't exactly pinpoint the issue, but I would say that it's a template issue, since Ubuntu is working fine.


*EDIT*
I have run
apt-get update && apt-get dist-upgrade
and after that
apt-get remove linux-image-amd64 linux-image-3.16.0-4-amd64 linux-base
apt-get autoremove
and now, on kernel 4.2.6-1-pve, this problem with the container being "offline" every second time is gone. I tried rebooting the server a few times and I can ping it every time, and ping the internet from the inside, so I guess it's fine now.
I'll test CSF in a few minutes and let you know.
 
No, I have tried once again on this kernel:

modprobe xt_multiport
modprobe xt_connlimit
modprobe xt_owner

but the problem in the container stays the same. It appears that those modules are loaded when I check with lsmod, but somehow the container doesn't see them?

Code:
root@hibrid:~# lsmod
Module                  Size  Used by
xt_nat                 16384  0
xt_REDIRECT            16384  0
nf_nat_redirect        16384  1 xt_REDIRECT
xt_owner               16384  1
xt_connlimit           16384  0
xt_recent              20480  0
nf_log_ipv4            16384  2
nf_log_common          16384  1 nf_log_ipv4
xt_LOG                 16384  2
xt_limit               16384  0
iptable_nat            16384  0
nf_nat_ipv4            16384  1 iptable_nat
nf_nat                 24576  3 nf_nat_redirect,nf_nat_ipv4,xt_nat
xt_state               16384  50
veth                   16384  0
ip6t_REJECT            16384  1
nf_reject_ipv6         16384  1 ip6t_REJECT
nf_conntrack_ipv6      20480  33
nf_defrag_ipv6         36864  1 nf_conntrack_ipv6
ip6table_filter        16384  2
ip6_tables             28672  1 ip6table_filter
xt_mac                 16384  6
ipt_REJECT             16384  4
nf_reject_ipv4         16384  1 ipt_REJECT
xt_physdev             16384  16
nf_conntrack_ipv4      20480  36
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
xt_comment             16384  50
xt_tcpudp              16384  235
xt_set                 16384  8
xt_addrtype            16384  7
xt_multiport           16384  9
xt_conntrack           16384  18
xt_mark                16384  28
ip_set_hash_net        36864  2
ip_set                 45056  2 ip_set_hash_net,xt_set
iptable_filter         16384  3
ip_tables              28672  2 iptable_filter,iptable_nat
x_tables               36864  23 xt_physdev,ip6table_filter,xt_mark,xt_comment,xt_recent,ip_tables,xt_tcpudp,xt_limit,xt_owner,xt_state,xt_connlimit,xt_conntrack,xt_LOG,xt_mac,xt_nat,xt_set,xt_multiport,iptable_filter,ipt_REJECT,xt_REDIRECT,ip6_tables,xt_addrtype,ip6t_REJECT
nfsd                  319488  2
auth_rpcgss            61440  1 nfsd
nfs_acl                16384  1 nfsd
nfs                   258048  0
lockd                  94208  2 nfs,nfsd
grace                  16384  2 nfsd,lockd
fscache                65536  1 nfs
sunrpc                331776  6 nfs,nfsd,auth_rpcgss,lockd,nfs_acl
ib_iser                53248  0
rdma_cm                45056  1 ib_iser
iw_cm                  45056  1 rdma_cm
ib_cm                  45056  1 rdma_cm
ib_sa                  32768  2 rdma_cm,ib_cm
ib_mad                 49152  2 ib_cm,ib_sa
ib_core               102400  6 rdma_cm,ib_cm,ib_sa,iw_cm,ib_mad,ib_iser
ib_addr                20480  2 rdma_cm,ib_core
iscsi_tcp              20480  0
libiscsi_tcp           24576  1 iscsi_tcp
libiscsi               57344  3 libiscsi_tcp,iscsi_tcp,ib_iser
scsi_transport_iscsi    98304  4 iscsi_tcp,ib_iser,libiscsi
nfnetlink_log          20480  1
nfnetlink              16384  3 nfnetlink_log,ip_set
i915                 1138688  1
intel_rapl             20480  0
iosf_mbi               16384  1 intel_rapl
x86_pkg_temp_thermal    16384  0
intel_powerclamp       16384  0
coretemp               16384  0
drm_kms_helper        126976  1 i915
kvm_intel             167936  0
kvm                   516096  1 kvm_intel
drm                   356352  3 i915,drm_kms_helper
mei_me                 36864  0
crct10dif_pclmul       16384  0
crc32_pclmul           16384  0
mei                   102400  1 mei_me
aesni_intel           167936  0
ppdev                  20480  0
i2c_algo_bit           16384  1 i915
aes_x86_64             20480  1 aesni_intel
lrw                    16384  1 aesni_intel
mxm_wmi                16384  0
gf128mul               16384  1 lrw
glue_helper            16384  1 aesni_intel
ablk_helper            16384  1 aesni_intel
i2c_i801               24576  0
ie31200_edac           16384  0
snd_pcm               102400  0
edac_core              53248  1 ie31200_edac
shpchp                 36864  0
snd_timer              32768  1 snd_pcm
lpc_ich                24576  0
cryptd                 20480  2 aesni_intel,ablk_helper
snd                    86016  2 snd_timer,snd_pcm
input_leds             16384  0
soundcore              16384  1 snd
tpm_infineon           20480  0
serio_raw              16384  0
parport_pc             32768  0
parport                49152  2 ppdev,parport_pc
mac_hid                16384  0
8250_fintek            16384  0
pcspkr                 16384  0
video                  36864  1 i915
wmi                    20480  1 mxm_wmi
vhost_net              20480  0
vhost                  36864  1 vhost_net
macvtap                20480  1 vhost_net
macvlan                24576  1 macvtap
nf_conntrack_ftp       20480  0
nf_conntrack          106496  8 nf_nat,xt_state,xt_connlimit,nf_nat_ipv4,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_ipv6
autofs4                40960  2
raid1                  36864  2
ahci                   36864  4
libahci                32768  1 ahci
r8169                  81920  0
mii                    16384  1 r8169

I will try to enable those modules in /etc/modules so that they are loaded on boot. Maybe it will help.
 
*update*
It's giving the error:

[root@bucko-dev ~]# iptables -I OUTPUT -p tcp -m multiport --dports 9998,9999 -j ACCEPT
FATAL: Could not load /lib/modules/4.2.6-1-pve/modules.dep: No such file or directory

But when I check, that file is there on the host machine. Could it be that some permissions are wrong or something?
 
I just tested with centos (iptables v1.4.7) and get the same error. Works in an arch container (iptables v1.4.21). Perhaps you need a newer iptables?
 
When I run yum update iptables in a container it says that it is already on the newest version.

I tried with the CentOS 7 template, and it appears to be working.

[root@test csf]# perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

So the problem is in the older iptables version, apparently. Can I install it from source on CentOS 6, or should I upgrade all of the containers to CentOS 7?
 
Apparently it's not just the iptables version. I have installed iptables v1.4.21 from source on CentOS 6 and am still getting the error.
 