Posted On: 22 May 2008 08:20 PM
Hi,

iptables appears to be broken on my vps:

# /etc/init.d/iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Applying iptables firewall rules: iptables-restore v1.3.5:
iptables-restore: unable to initializetable 'raw'

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[FAILED]

My ruleset does not reference 'raw' anywhere, but it is mentioned in
/etc/init.d/iptables so I guess something's broken.

Thanks,

Mark









Hello,

This has been fixed. Please check now and let us know.

Regards,
Sadanand









[  all they did was reset the iptables ruleset file back to default 
(accept/accept/accept) ... sigh    ]








Hi,

This is still broken;

# /etc/init.d/iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Applying iptables firewall rules: iptables-restore: line 7 failed 
[FAILED]


These are valid rules from another CentOS box.


Mark









Hello,

This has been fixed. The logs are:
web1 / # /etc/init.d/iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Applying iptables firewall rules: [ OK ]

Please check now and let us know.








Hi,

That's not fixing the problem, that's doing what you did last time and
blanking the ruleset!

I have copied my rules back into /etc/sysconfig/iptables, please advise
why they are failing to load despite being entirely correct for a
CentOS/Linux system.

web1 mark # cp iptables.conf /etc/sysconfig/iptables
web1 mark # /etc/init.d/iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Applying iptables firewall rules: iptables-restore: line 7 failed
[FAILED]


Mark








Hello,

We suggest that you enter your rules by issuing iptables commands 
directly, then use iptables-save to store the result. iptables-restore 
is not guaranteed to work with files not generated by iptables-save. 
Please note this and let us know.






My rules are not generated by iptables-save, they are hand-written.








Hello,

You cannot just copy and save the rule; this won't work with Iptables. You 
will need to execute the rules in the server with the iptable commands. 
Then only will the rule work properly, otherwise it won't work.

Thank you










Hi,

No offence intended, but that is utter bullshit. I know how iptables
works as I work for an ISP and use Linux every day, and I have about 30
other CentOS servers and this ruleset works perfectly on all of them.

Iptables rule syntax does not vary between distributions of Linux. Even
if there was a syntax error in the ruleset, it would be obvious from the
error message what the problem was, but in this case it's failing on a
COMMIT statement so something is clearly wrong.

Mark






Hi,

Further to my previous comments:

web2 ~ # iptables -t nat -A POSTROUTING -p tcp -m tcp -o tun0 -j MASQUERADE
iptables: Unknown error 4294967295


This is clearly broken, please let me know when it's fixed.

Thanks,

Mark









Hello,

None taken :), why don't you try to execute the command and check if that 
helps out with your issue. If you cannot get your IPtable rules running, 
let me know the exact command you are trying to use or execute.

Thank you













I just sent you that....

web2 ~ # iptables -t nat -A POSTROUTING -p tcp -m tcp -o tun0 -j MASQUERADE
iptables: Unknown error 4294967295



Mark










Hi,

I've just noticed that the ip tunnel device/module is missing from my
system:

web2 mark # find /dev -name tun
web2 mark #

Please add this module as I need it to configure VPNs. modprobe is
currently without a modules.dep so I am unable to do this from within
the vps.

Thanks,

Mark











Hello Mark

Can you try to execute with the snat command and see if it helps in solving 
your issue, as I think this will help you out?

Thank you 











Hi,

Erm.. what are you talking about? Why am I unable to modify the nat
table with iptables?

Mark













Hello,

You will have to wait for a while while we would be investigating in 
this further. Once we do get a resolution out for you, we will update 
you back. Till then please stand by.

Thank you










Hi,

I think this is because the host node doesn't have the relevant iptables
modules installed.

Please can you confirm that the following iptables modules are available
to my vps:

tun
xt_state
ipt_REJECT
ipt_owner
xt_tcpudp
iptable_mangle
iptable_nat
nf_conntrack_ipv4
ipt_MASQUERADE
nf_nat
nf_conntrack
xt_state
iptable_filter
ip_tables
iptable_mangle
x_tables
xt_state

Thanks,

Mark













Hello,

Please do check now, we have fixed this issue for you. Please do confirm 
back

Thank you










Hi,

Please reboot my vps, as the iptables config is now broken to the point
where it's dropping all inbound traffic.

Whatever you did has not fixed the issue, it has made it worse as the
ruleset now causes this :/

Mark










Hi,

Whatever changes you made, it didn't work as trying to apply the ruleset
has just locked me out of the server.

Please reboot it and/or clear the iptables rules so I can get back into it.

Thanks


Mark














Hello,

I have flushed the Iptable rules for you. Please confirm if you can 
log in to the server.

Thank you 












Hi,

No I can't. Did you set the chains to default to ACCEPT?

Mark










This is urgent, what is going on? Have you cleared the chains and set 
them back to accept or not?








Hi,

They ran the iptables --flush command on the system.








No shit sherlock, you've already told me that. I asked if they have set
the chains back to ACCEPT, otherwise flushing will just deny all traffic..

I'm starting to think buying this vps was a bad choice, your support
team doesn't really seem to know what it's doing..

Mark







Hello,

These are your current iptable rules:

web1 / # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination

Chain icmp_packets (0 references)
target prot opt source destination


So you will be able to log in. If you cannot, please provide us with your 
local IP address so that we could check if you are blocked elsewhere.

Thank you











Are you kidding me?

>> That clearly blocks all traffic. <<

Honestly, if you don't even know how iptables works I am amazed you ever 
managed to install openvz.

Set the chains to ACCEPT like I've already told you about 5 times..

Mark










Type this at the root prompt:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT









Hello,

I am amending the necessary changes for you. Please standby

Thank you 









Hello,

The command which you have provided has already been executed earlier 
but still you were unable to log in.

I have again flushed the IPtables and again made changes in the Iptable 
rules, please check.

Thank you









Hi,

Your support is a joke, and so is your company.

You clearly have no idea what you're doing, think it's okay to bullshit
customers hoping they won't know any better and can barely form coherent
sentences so I want nothing more to do with you.

How you can expect anyone to ever trust parts of their business
infrastructure in your hands is beyond me, when you are clueless as to
how basic Linux commands and services work. I am amazed that you ever
managed to install openvz and can only assume that you must have
outsourced this to a consultancy.

I have erased all my data from the vps, and expect my money refunded in
full back to my paypal account for the piss-poor service you have
provided and the severe disruption caused to my business.

If the money I paid you is not refunded back to my paypal account within
7 days of this email this matter will be going to the county court,
together with a transcript and mail headers of the email conversation.
That will be enough to get my money back via the courts, as it will be
obvious even to non-technical minds that you are clueless and don't even
have a basic understanding of the services you're trying to provide.

A little tip for the future - don't put people with a loose
interpretation of English on your 1st-line support team. It just makes
you look like idiots and gives the impression of a 12-year-old trying to
run an internet company.

Mark








Hello Mark,

First of all I need to make myself clear to you, we are here to support 
our clients according to their needs and what they need. The issue that 
you had been facing is with the Iptable rules, we did try to help you out 
in each and every way. On the contrary even though there were some modules 
which were not present in the server Main host node, we did get it 
installed out for you.

We see to it that our client hosted out with us are served properly on 
first come basis.... Even though after getting your issue resolved you 
seem to be facing problems with your own Iptable rules which you have 
been trying to amend, and you have been blocked by your own server.

Implementing a rule is fine, but you have to make sure that whatever rule 
you amend works properly and does not cause a problem to you. Even 
though as requested by you which if you see in the trouble ticket that 
you had clearly stated that you need to either reboot the server and get 
your iptables cleared.

As we were logged into your server, we thought that rebooting a server 
is not the solution, instead we did flush the iptables for you as you 
did want it...
Still you did mention that you were unable to access the server, and you 
felt like the incoming packets were dropped.

We did make the necessary changes for you so that you could log in to the 
server, even though you seem to face problems, as you were complaining 
stating that you still cannot log in..

We have tried our level best to be supportive with you and provide you 
with the best of assistance we can even when everything is working fine 
in the server now.
This company and our support means a lot to us, we have given first 
preference to our clients to see that they don't face any problems, even 
though how harsh the client may be we try our very best to cope up with 
them and see to it that their issues is resolved in timely manner.

It seems you are not satisfied with our support or you have double 
thoughts on what we can offer you. Of course it's your decision in the end, 
we cannot force you for that, if you are planning to cancel it's your 
choice.....

Below are some cancellation details, please go through them also.

If you still wish to terminate your service please make sure that you 
reply to this ticket with your IP and root password. You should tell us 
when you would like your services terminated: immediately, or at the 
end of your billing cycle. Note that no other forms of cancellation can 
be accepted.

Please remember that you have agreed to our Terms of Service. Our terms 
state that all cancellations must be received at least 10 days prior to 
your next package billing renewal date. If your cancellation request is 
submitted less than 10 days before this date, the monthly fees/invoice 
will be considered due and must be paid before we can accept 
cancellation.

Thank you.









Hi,

> First of all I need to make myself clear to you, we are here to
> support our clients according to their needs and what they need,

Shame you're so crap at this then really isn't it?

> The issue that you had been facing is with the Iptable rules, we did
> try to help you out in each and every way.

Except the way that's technically correct?

> On the contrary even though there were some modules which were not
> present in the server Main host node, we did get it installed out for
> you.

Indeed, after several pidgin-English emails telling me to type each rule
out manually into the shell. You fucking idiots.

> We see to it that our client hosted out with us are served properly on
> first come basis.... Even though after getting your issue resolved you
> seem to be facing problems with your own Iptable rules which you have
> been trying to amend, and you have been blocked by your own server.

You told me the issue was resolved, I applied my perfectly valid ruleset
and it switched the chains to DROP and then failed to add any of the
other rules. You are clearly idiots with no idea how Linux or iptables
works.

> Implementing a rule is fine, but you have to make sure that whatever
> rule you amend works properly and does not cause a problem to you.
> Even though as requested by you which if you see in the trouble ticket
> that you had clearly stated that you need to either reboot the server
> and get your iptables cleared.

God knows what you mean by that paragraph. Let me take a wild guess...
you're based in India?

> As we were logged into your server, we thought that rebooting a server
> is not the solution, instead we did flush the iptables for you as you
> did want it...

Lol I don't even know how to respond to such stupid sentences. Are you
actually really 12 years old?

> Still you did mention that you were unable to access the server, and
> you felt like the incoming packets were dropped.

I felt like I was unable to access the server? wtf is wrong with you?

> We did make the necessary changes for you so that you could log in to
> the server, even though you seem to face problems, as you were
> complaining stating that you still cannot log in..

Whatever, you did fuck all until after I told you several times to reset
the chains back to ACCEPT. You're so unbelievably inept that you can't
even fix a basic problem when you're told exactly how to do it.

> We have tried our level best to be supportive with you and provide you
> with the best of assistance we can even when everything is working
> fine in the server now.

Your level best? If this is your best then I definitely don't want
anything to do with you. Your support is pathetic and it's very obvious
you don't know what you're doing.

> This company and our support means a lot to us

I'd strongly recommend finding something else in your life then, perhaps
take up golf?

> we have given first preference to our clients to see that they don't
> face any problems

What the hell does that mean? First preference to your clients? The
phrase "First preference" implies one person or company or entity
receiving preference over another, how the hell can every single
customer be your "first preference" ? I think you really must be 12
years old..

> even though how harsh the client may be we try our very best to cope
> up with them and see to it that their issues is resolved in timely
> manner.

If you fancy having some distant chance of achieving this miracle, try
hiring some technical staff.

> It seems you are not satisfied with our support or you have double
> thoughts on what we can offer you. Of course it's your decision in the
> end, we cannot force you for that, if you are planning to cancel it's
> your choice.....

You're damn right I want to cancel, and like I said I expect the paypal
refund to be completed within 7 days of my last email or I will be
taking this matter to the county court.

I sincerely hope you get no further business and your entire company
fails, as I would never wish this terrible service on any other vps
customer trying to earn a living with technology.

Goodbye.

Mark












Hello,

I will be escalating this trouble ticket to the billing department who 
will assist you further with the cancellation procedure.

Thank you











This has been refunded and your account removed
--
Rus Foster
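
The lockout in this thread is the state shown in the `iptables -L` output above: built-in chains at policy DROP with no rules in them. As an added example that is not part of the original correspondence, the shell function below checks a ruleset file in iptables-save format for that state before it is loaded; the function name and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a ruleset file in
# iptables-save format. It names the INPUT/OUTPUT chains of the filter table
# whose policy is DROP and which contain no rule with an ACCEPT target, the
# state shown in the `iptables -L` output quoted in the ticket.

lockout_chains() {
    # $1: path to the ruleset file; prints e.g. "INPUT OUTPUT" or an empty line
    awk '
        /^\*/ { table = substr($1, 2); next }      # "*filter" opens a table
        table != "filter" { next }
        /^:/ {                                      # ":INPUT DROP [0:0]"
            if ($2 == "DROP") dropped[substr($1, 2)] = 1
            next
        }
        $1 == "-A" {                                # "-A INPUT ... -j ACCEPT"
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) == "ACCEPT") accepts[$2] = 1
        }
        END {
            out = ""
            n = split("INPUT OUTPUT", chains, " ")
            for (k = 1; k <= n; k++) {
                c = chains[k]
                if ((c in dropped) && !(c in accepts))
                    out = out (out == "" ? "" : " ") c
            }
            print out
        }
    ' "$1"
}

# Constructed sample: every policy DROP and no rules, as in the ticket.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmp_packets - [0:0]
COMMIT
EOF
echo "chains that would block all traffic: $(lockout_chains "$sample")"
rm -f "$sample"
```

A non-empty result means loading the file as-is leaves the named chains dropping everything. An empty result does not prove the ruleset keeps a remote session alive, only that it is not the bare DROP state.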