
Bird BGP Not working when CSF Enabled

Posted: 08 Dec 2022, 19:29
by EntrepreneurAJ
Hi all,
I am rebuilding my infrastructure, and for the services facing the public I am opting to use CSF instead of vanilla iptables.

I am having a bit of an issue: when CSF is active, Bird2 fails to work properly. I was wondering whether anyone else has had this issue before and solved it.

The error I get is:
bird[972]: ospf1: Socket error on enp6s0: Operation not permitted
The setup is a Vultr VPS with a public and a private interface.
I am announcing my own IPv4 and IPv6 ranges from another VPS on the private LAN.
enp1s0 is the public net, enp6s0 is the private net.

Contents of /usr/local/csf/bin/csfpost.sh:
#!/bin/bash
/usr/sbin/iptables -I INPUT 8 -i enp6s0 -p ospf -j ACCEPT
/usr/sbin/ip6tables -I INPUT 6 -i enp6s0 -p ospf -j ACCEPT
BOGON filtering is disabled on enp6s0 as it runs on the 10.8.96.0/20 range.

iptables -n -L -v --line-numbers shows that the rule is getting added in a different place than anticipated (rule 11, below the catch-all LOGDROPIN at rule 10), so maybe that's the cause.
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 3845 1283K LOCALINPUT all -- !lo * 0.0.0.0/0 0.0.0.0/0
2 115 9898 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 1442 1109K INVALID tcp -- !lo * 0.0.0.0/0 0.0.0.0/0
4 2 68 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
5 0 0 LOGDROPIN icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 8
6 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0
7 1492 1114K ACCEPT all -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
8 2 100 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80
9 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:443
10 981 70684 LOGDROPIN all -- !lo * 0.0.0.0/0 0.0.0.0/0
11 0 0 ACCEPT 89 -- enp6s0 * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2865 452K LOCALOUTPUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 27 2154 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 udp dpt:53
4 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 tcp spt:53
5 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 udp spt:53
6 115 9898 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
7 1029 177K INVALID tcp -- * !lo 0.0.0.0/0 0.0.0.0/0
8 2 68 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0
9 963 172K ACCEPT all -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
10 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53
11 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80
12 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:443
13 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:53
14 55 4180 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:123
15 395 24840 LOGDROPOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0

Chain ALLOWIN (1 references)
num pkts bytes target prot opt in out source destination
1 1222 89674 ACCEPT tcp -- !lo * 185.6.153.43 0.0.0.0/0 tcp dpt:22
2 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set chain_ALLOW src

Chain ALLOWOUT (1 references)
num pkts bytes target prot opt in out source destination
1 54 6495 ACCEPT tcp -- * !lo 0.0.0.0/0 10.8.96.8 tcp dpt:389
2 1364 241K ACCEPT tcp -- * !lo 0.0.0.0/0 10.8.96.4 tcp dpt:5432
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set chain_ALLOW dst

Chain BDEALL (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_BDEALL src

Chain BFB (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_BFB src

Chain BOGON (1 references)
num pkts bytes target prot opt in out source destination
1 2376 1176K RETURN all -- enp6s0 * 0.0.0.0/0 0.0.0.0/0
2 58 4176 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_BOGON src

Chain CIARMY (1 references)
num pkts bytes target prot opt in out source destination
1 38 1700 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_CIARMY src

Chain DENYIN (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set chain_DENY src

Chain DENYOUT (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOGDROPOUT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set chain_DENY dst

Chain DSHIELD (1 references)
num pkts bytes target prot opt in out source destination
1 34 1364 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_DSHIELD src

Chain GREENSNOW (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_GREENSNOW src

Chain HONEYPOT (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_HONEYPOT src

Chain INVALID (2 references)
num pkts bytes target prot opt in out source destination
1 2 104 INVDROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
2 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
3 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
4 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
5 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
6 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
7 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
8 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
9 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
10 19 2453 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 ctstate NEW

Chain INVDROP (10 references)
num pkts bytes target prot opt in out source destination
1 21 2557 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain LOCALINPUT (1 references)
num pkts bytes target prot opt in out source destination
1 3845 1283K ALLOWIN all -- !lo * 0.0.0.0/0 0.0.0.0/0
2 2623 1193K DENYIN all -- !lo * 0.0.0.0/0 0.0.0.0/0
3 2623 1193K BFB all -- !lo * 0.0.0.0/0 0.0.0.0/0
4 2623 1193K DSHIELD all -- !lo * 0.0.0.0/0 0.0.0.0/0
5 2589 1192K BDEALL all -- !lo * 0.0.0.0/0 0.0.0.0/0
6 2589 1192K HONEYPOT all -- !lo * 0.0.0.0/0 0.0.0.0/0
7 2589 1192K CIARMY all -- !lo * 0.0.0.0/0 0.0.0.0/0
8 2551 1190K BOGON all -- !lo * 0.0.0.0/0 0.0.0.0/0
9 2493 1186K STOPFORUMSPAMV6 all -- !lo * 0.0.0.0/0 0.0.0.0/0
10 2493 1186K GREENSNOW all -- !lo * 0.0.0.0/0 0.0.0.0/0
11 2493 1186K SPAMDROP all -- !lo * 0.0.0.0/0 0.0.0.0/0
12 2493 1186K SPAMDROPV6 all -- !lo * 0.0.0.0/0 0.0.0.0/0
13 2493 1186K MAXMIND all -- !lo * 0.0.0.0/0 0.0.0.0/0
14 2493 1186K STOPFORUMSPAM all -- !lo * 0.0.0.0/0 0.0.0.0/0
15 2493 1186K SPAMEDROP all -- !lo * 0.0.0.0/0 0.0.0.0/0
16 2493 1186K TOR all -- !lo * 0.0.0.0/0 0.0.0.0/0

Chain LOCALOUTPUT (1 references)
num pkts bytes target prot opt in out source destination
1 2865 452K ALLOWOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
2 1447 205K DENYOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0

Chain LOGDROPIN (2 references)
num pkts bytes target prot opt in out source destination
1 2 80 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
2 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:23
3 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
4 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
5 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
6 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
7 1 44 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
8 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111
9 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
10 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:113
11 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
12 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
13 3 156 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
14 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
15 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:500
16 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
17 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:513
18 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:513
19 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:520
20 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
21 8 380 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
22 1 392 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
23 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
24 975 70404 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain LOGDROPOUT (2 references)
num pkts bytes target prot opt in out source destination
1 57 3456 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
2 0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
3 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
4 395 24840 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain MAXMIND (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_MAXMIND src

Chain SPAMDROP (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_SPAMDROP src

Chain SPAMDROPV6 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_SPAMDROPV6 src

Chain SPAMEDROP (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_SPAMEDROP src

Chain STOPFORUMSPAM (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_STOPFORUMSPAM src

Chain STOPFORUMSPAMV6 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_STOPFORUMSPAMV6 src

Chain TOR (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_TOR src
Any hints would be appreciated; I need to be able to anycast the service on this machine.
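Editor's added example, not the poster's csfpost.sh and not CSF or bird project code. Two things stand out in the listing above. First, the ACCEPT for protocol 89 sits at INPUT rule 11, after the catch-all LOGDROPIN at rule 10, so inbound OSPF never reaches it; inserting at position 1 instead of a guessed 8 or 6 makes the placement independent of how many rules CSF has built by the time csfpost.sh runs. Second, "Socket error ... Operation not permitted" is EPERM returned to bird's sendmsg() on its raw OSPF socket, which is what netfilter returns when a locally generated packet is dropped or rejected in OUTPUT; CSF's OUTPUT chain (policy DROP, LOGDROPOUT last) has no OSPF exception at all, and the posted script only touches INPUT. The script below adds both directions idempotently and includes a checker that parses `iptables -n -L <chain> -v --line-numbers` output to confirm the exception lands ahead of the catch-all. The interface name enp6s0, the iptables paths and the abridged listings embedded for the offline check are assumptions taken from the post; the IPT/IP6T/OSPF_IF variables are this example's own.

```shell
#!/bin/sh
# Added example (not the poster's csfpost.sh): open OSPF, IP protocol 89, in
# BOTH directions on the private interface and verify where the rule landed.
# Assumptions: interface enp6s0, CSF's chain layout as in the listing above,
# iptables under /usr/sbin; IPT/IP6T/OSPF_IF can be overridden for a dry run.

IPT="${IPT:-/usr/sbin/iptables}"
IP6T="${IP6T:-/usr/sbin/ip6tables}"
OSPF_IF="${OSPF_IF:-enp6s0}"

# Insert a rule at the head of a chain unless an identical one already exists,
# so repeated "csf -r" runs do not stack duplicates. Position 1 is used rather
# than a guessed 8 or 6: the number of rules CSF has built by the time
# csfpost.sh runs is not something this script should depend on.
add_rule_once() {
  local bin chain
  bin="$1"; chain="$2"; shift 2
  "$bin" -C "$chain" "$@" 2>/dev/null || "$bin" -I "$chain" 1 "$@"
}

# bird's "Socket error ... Operation not permitted" is EPERM from sendmsg() on
# its raw OSPF socket, i.e. netfilter dropping the packet in OUTPUT. CSF's
# OUTPUT chain (policy DROP, LOGDROPOUT last) needs the same exception as
# INPUT. Scoping with -i/-o keeps OSPF closed on the public enp1s0.
ensure_ospf_rules() {
  local iface bin
  iface="${1:-$OSPF_IF}"
  for bin in "$IPT" "$IP6T"; do
    add_rule_once "$bin" INPUT  -i "$iface" -p ospf -j ACCEPT
    add_rule_once "$bin" OUTPUT -o "$iface" -p ospf -j ACCEPT
  done
}

# Read "iptables -n -L <chain> -v --line-numbers" on stdin and succeed only if
# an ACCEPT for OSPF on interface $1 comes before the first catch-all
# LOGDROPIN/LOGDROPOUT (the "all"-protocol one; CSF's LOGDROPIN for icmp echo
# at rule 5 is not a catch-all). iptables-nft prints the protocol as "ospf",
# iptables-legacy with -n as "89"; both are accepted.
ospf_rule_before_catchall() {
  awk -v iface="$1" '
    $1 ~ /^[0-9]+$/ {
      # columns: num pkts bytes target prot opt in out source destination
      if ($4 == "ACCEPT" && ($5 == "89" || $5 == "ospf") &&
          ($7 == iface || $8 == iface)) { found = 1; exit }
      if ($4 ~ /^LOGDROP(IN|OUT)$/ && $5 == "all") exit
    }
    END { if (found) exit 0; exit 1 }'
}

# Constructed listings (abridged from the post) for an offline check: the
# posted state, where the OSPF rule sits below LOGDROPIN, and the fixed one.
INPUT_AS_POSTED='Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 3845 1283K LOCALINPUT all -- !lo * 0.0.0.0/0 0.0.0.0/0
5 0 0 LOGDROPIN icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 8
10 981 70684 LOGDROPIN all -- !lo * 0.0.0.0/0 0.0.0.0/0
11 0 0 ACCEPT 89 -- enp6s0 * 0.0.0.0/0 0.0.0.0/0'
INPUT_FIXED='Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT ospf -- enp6s0 * 0.0.0.0/0 0.0.0.0/0
2 3845 1283K LOCALINPUT all -- !lo * 0.0.0.0/0 0.0.0.0/0
11 981 70684 LOGDROPIN all -- !lo * 0.0.0.0/0 0.0.0.0/0'

# check_listing "<listing text>" <iface>: exit 0 if the OSPF exception is
# effective in that listing, 1 if the catch-all would eat the packets first.
check_listing() { printf '%s\n' "$1" | ospf_rule_before_catchall "$2"; }

# Stand-alone: "sh ospf-csfpost.sh --apply" installs the rules (needs root)
# and then checks both chains on the live ruleset.
if [ "${1:-}" = "--apply" ]; then
  ensure_ospf_rules "$OSPF_IF"
  for chain in INPUT OUTPUT; do
    "$IPT" -n -L "$chain" -v --line-numbers | ospf_rule_before_catchall "$OSPF_IF" \
      || echo "$chain: OSPF ACCEPT for $OSPF_IF is below CSF's catch-all" >&2
  done
fi
```

To use it as csfpost.sh, keep only the variables and the first two functions and call `ensure_ospf_rules` at the end; run the checker after `csf -r` to make sure a CSF update has not reordered things. One caveat a reviewer would raise: with this in place anything on the 10.8.96.0/20 segment can form an OSPF adjacency with the box, so the bird OSPF interface block should carry `authentication cryptographic` with a shared password rather than relying on the firewall alone, and the `-i`/`-o` scoping is what keeps protocol 89 closed on enp1s0.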