csf + lfd firewall configuration in vps (virtuozzo /openvz)


In general csf is giving good compatibility with cpanel servers . But in a vps (openvz or Virtuzzo) the csf configuration is something different.

Sometimes you may get an error as follow after the csf installation in vps

Error: iptables command [/sbin/iptables -v -A LOGDROPIN -p tcp -m limit –limit 30/m –limit-burst 5 -j LOG –log-prefix ‘Firewall: *TCP_IN Blocked* ‘] failed, at line 196

So how to resolve this issue. Let us do it as follows,

There are two steps to configure the csf in vps

  • Main vps server ( The host server ,in which the vps nodes are running) configuration
  • Vps node configuration.

Main vps serverconfiguration

Before starting the csf installation in a node login to the main server (host server) and check whether the following modules are inserted in to the kernel


You can check it as follows

# lsmod |grep -i <module-name>

If not please insert these modules into the kernel.

#modprob <module-name>
eg: modprob ipt_conntrack

Now add these modules to iptable configuration as follows.

# vi /etc/sysconfig/iptables-config
Add the following in this file
IPTABLES_MODULES=”ipt_conntrack ipt_LOG ipt_owner ipt_state ip_conntrack_ftp”

Now edit the vps configuration file from /etc/sysconfig/vz-scripts/ Let 101 is the VEID, add the above inserted modules in to the IPTABLE section in this configuration file.

# vi /etc/sysconfig/vz-scripts/101.conf
IPTABLES=”iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ipt_state
iptable_nat ip_nat_ftp ipt_owner ip_conntrack_ftp”

Here we completed the main vps server configuration . So now reboot the child node (not main server) as follows

# vzctl restart <veid>

eg: vzctl restart 101

ii) Vps node configuration.

Now ssh /enter your child vps node

Now download and install the csf . You can download the csf fromhere

Before restarting the csf let us do some configurations as follows , Edit the file /etc/csf/csf.conf .Then set the following variables

ETH_DEVICE = “venet0″ #from ifconfig you can see the n/w device
VERBOSE = “0″ # will disable the verbose output during start

Now start the csf and lfd .

/etc/init.d/csf start

/etc/init.d/lfd start

Note: If it is cpanel server go to whm and configure the firewall settings