I love Webmin - it makes admin'ing my VPS so easy. But I have had trouble using the Linux Firewall page. I wonder if Webmin is not compatible with iptables-persistent. There are several problems:
After installing (with apt install iptables-persistent) the Linux Firewall page shows that the iptables files are saved in /etc/iptables.up.rules and /etc/ip6tables.up.rules. This is not correct - they're saved in /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
The Activate at boot control doesn't work. a) If I click Yes, then click Activate at boot, then reboot the system, the "No" button is checked again. b) The iptables rules are not reloaded - I get a default set of rules.
The list of rules displayed does not match the active set (from /etc/iptables/rules.v4 and /etc/iptables/rules.v6). It may be the leftover rules from /etc/iptables.up.rules and /etc/ip6tables.up.rules
The help text (top of the page, second button from the left) speaks of "ipi(6)tables" - I suspect this should be "ip(6)tables"...
How can I make the Webmin page reflect the actual state of my iptables? Many thanks.
PS I also want to say something nice: Since I have chosen not to use firewalld, I removed it with sudo apt purge firewalld. Webmin DOES give a good diagnostic message if I click FirewallD (It says, "The FirewallD module cannot be used : The FirewallD control command firewall-cmd was not found on your system")
Comments
Submitted by JamieCameron on Thu, 03/18/2021 - 22:06 Comment #1
This could be an issue with Webmin's detecting of your Linux version.
What output do you get if you run the following?
grep os_ /etc/webmin/config
Submitted by richb-hanover on Fri, 03/19/2021 - 09:17 Pro Licensee Comment #2
Thanks!
Submitted by richb-hanover on Fri, 03/19/2021 - 09:19 Pro Licensee Comment #3
NB: lsb_release shows I'm on 20.04.2...:
Submitted by richb-hanover on Fri, 03/19/2021 - 09:29 Pro Licensee Comment #4
Yet another update:
Submitted by JamieCameron on Sat, 03/20/2021 - 16:41 Comment #5
Did the latest Ubuntu release change the location of those config files? Virtualmin currently only looks in /etc/iptables.up.rules rather than /etc/iptables/rules.v4
Submitted by richb-hanover on Sun, 03/21/2021 - 07:07 Pro Licensee Comment #6
I frankly have no idea. (There doesn't seem to be a lot of documentation here...)
I do know that, after I installed iptables-persistent, my rules are being saved in /etc/iptables/rules.v4... (That's the set of rules that are being installed after a reboot...)
Submitted by richb-hanover on Sun, 03/21/2021 - 11:17 Pro Licensee Comment #7
Update: I know more now... iptables-persistent seems to have a configuration file in /etc/default/netfilter-persistent with "plugins" in /usr/share/netfilter-persistent/plugins.d/ The "plugin" file 15-ip4tables (below) does refer to the /etc/iptables/rules.v4 file... How could Webmin figure this out? Many thanks.
/etc/default/netfilter-persistent
and plugins are saved in /usr/share/netfilter-persistent/plugins.d/:
/usr/share/netfilter-persistent/plugins.d/
/usr/share/netfilter-persistent/plugins.d/15-ip4tables
The plugin file 15-ip4tables looks like this. 25-ip6tables looks similar, although I didn't check it carefully:
Submitted by JamieCameron on Fri, 03/26/2021 - 15:23 Comment #8
Thanks, that's useful .. I didn't have the iptables-persistent command installed on my test system. I'll give that a shot.
Submitted by richb-hanover on Fri, 03/26/2021 - 16:25 Pro Licensee Comment #9
NB: I am using iptables (and iptables-save, and iptables-restore) 1.8.4. Thanks!
Submitted by JamieCameron on Fri, 03/26/2021 - 18:23 Comment #10
Ok, the next release of Webmin will support this configuration properly.
Submitted by KitchM on Wed, 03/31/2021 - 11:00 Comment #11
I just wanted to mention that I also have this problem on Debian 10. From what I can tell, it is now netfilter-persistence. To get started one can run "sudo service netfilter-persistent save". Still Webmin does not see these settings.
I hope this helps.
Submitted by KitchM on Wed, 03/31/2021 - 11:23 Comment #12
Does this help you, Jamie? The command appears to be:
sudo service netfilter-persistent save
which returns:
[….] Saving netfilter rules...run-parts: executing /user/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
done.
Submitted by KitchM on Wed, 03/31/2021 - 11:48 Comment #13
sudo systemctl status netfilter-persistent
shows that the system loads:
/user/share/netfilter-persistent/plugins.d/15-ip4tables
/usr/share/netfilter-persistent/plugins.d/25-ip6tables
as it stated before.
Submitted by KitchM on Wed, 03/31/2021 - 12:59 Comment #14
So right now I have Webmin able to Activate at boot - Yes. However, applying any rules makes no difference to the tables. Therefore doing anything with them through Webmin is non-functional.
Thanks for your efforts.
Submitted by KitchM on Wed, 03/31/2021 - 13:51 Comment #15
Next boot up I noticed error:
Iptables failed to load, or words to that effect. Used systemctl status webmin.iptables.service to check it out.
Unit webmin.iptables.service could not be found
Unit service.service could not be found
So I just turned off Activate at boot and we're back to the way it was.
Thanks.
Submitted by JamieCameron on Sat, 04/03/2021 - 21:07 Comment #16
These issues should all be fixed in Webmin 1.974
Submitted by KitchM on Sun, 04/04/2021 - 09:56 Comment #17
Thank you, Jamie. It is very much appreciated.
Submitted by richb-hanover on Sun, 04/04/2021 - 10:28 Pro Licensee Comment #18
Thanks!
How soon will this be available from the Webmin GUI dashboard? (I clicked "Refresh Available Packages" and it's not listed.) Thanks again...
We should release next Webmin 1.974 within next week.
If you feel comfortable, you could try applying relevant patch and see if it works for you.
Submitted by richb-hanover on Mon, 04/05/2021 - 13:56 Pro Licensee Comment #20
Cool! I'll wait for the official update
Submitted by KitchM on Mon, 04/12/2021 - 14:39 Comment #21
I would go for the patch but have no idea how to get or apply it. When will the new version be available?
Submitted by KitchM on Fri, 04/16/2021 - 10:05 Comment #22
Can you please update the release date? Thank you.
Submitted by JamieCameron on Fri, 04/16/2021 - 23:41 Comment #23
We don't have a planned release date yet, sorry.
Submitted by KitchM on Sun, 04/18/2021 - 09:17 Comment #24
"We should release next Webmin 1.974 within next week."
That's why I wondered.
Do you need help testing? I have a Debian 10 server and am willing and able. Like I said before, I don't know how to apply the patch. Are there simple steps?
Submitted by KitchM on Wed, 04/21/2021 - 10:42 Comment #25
Please supply method of applying patch.
Please check comment #19 above.
The patch can be applied by replacing local copy of a file with modified version.
Submitted by KitchM on Mon, 04/26/2021 - 10:45 Comment #27
I was able to use the file manager in Webmin to copy-in the patch. It said "merge" so I assumed it was doing whatever it needed to do.
When I went to use the iptables editing, I found I could not combine multiple IP addresses in one rule.
I also noted that it appended /32 to all rule addresses it imported.
When I went to apply my IPv4 rules, I got the error: Failed to apply configuration : Failed to restart ip6tables.service: Unit ip6tables.service not found.
I have no idea why ipv6 came into the picture.
Submitted by KitchM on Mon, 04/26/2021 - 10:55 Comment #28
https://askubuntu.com/questions/1043508/how-can-i-start-the-ip-tables-se...
Submitted by KitchM on Mon, 04/26/2021 - 11:00 Comment #29
Is there a problem because Debian now uses nftables?
Submitted by KitchM on Mon, 04/26/2021 - 11:10 Comment #30
I also see this at the top of the page where IPv4 is selected: "Rules file /etc/iptables/rules.v4 WARNING! Your current IPtables configuration is invalid : iptables-restore v1.8.2 (legacy): unknown option "--state" Error occurred at line: 22 "
Submitted by KitchM on Mon, 04/26/2021 - 12:12 Comment #31
Earlier I wrote: "I also noted that it appended /32 to all rule addresses it imported." That was incorrect. That info was imported that way from the iptables.
Submitted by KitchM on Mon, 04/26/2021 - 14:16 Comment #32
I was able to manually edit the file at /etc/iptables/rules.v4. After verifying with sudo iptables-restore -t /etc/iptables/rules.v4, I was able to reboot and all was good.
When opening Webmin and going to Networking>Linux Firewall, all looked good. At least it can read the file now.
I guess the problem with Webmin and iptables on Debian is not yet fixed.
Jamie, what do you think of using the iptables-translate command to support nftables without extra hassle inside the standard Linux Firewall module?
Submitted by JamieCameron on Tue, 04/27/2021 - 17:56 Comment #34
What value would that give us over just using iptables directly though?
Debian recommends using nftables over iptables.
Submitted by KitchM on Fri, 04/30/2021 - 09:15 Comment #36
IMHO, iptables-translate is just a way to convert iptables to nftables. Perhaps it has no bearing since Debian can still evidently use iptables. My Debian 10 is working with it. (I suppose that at some point iptables will be ignored in favor of nftables, but that may be near-future.)
My issue appears to be that, while Webmin can now accurately read and display the settings, I have to manually use nano to make the settings in /etc/iptables/rules.v4.
Is it just that Webmin does not know how to interact with rules.v4 and rules.v6?
We just released Webmin 1.974 and it will fix this issue.
Submitted by richb-hanover on Sat, 05/01/2021 - 06:27 Pro Licensee Comment #38
I'm (sort of) a newbie to Webmin/Virtualmin... How do I get Webmin to update automatically through the dashboard (and Virtualmin, for that matter)? My /etc/apt/sources.list contains this... Thanks!
more /etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu focal main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu focal-security main restricted universe multiverse
deb http://archive.canonical.com/ubuntu focal partner
deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable
# deb-src [arch=amd64] https://download.docker.com/linux/ubuntu focal stable
Submitted by richb-hanover on Sat, 05/01/2021 - 06:49 Pro Licensee Comment #39
PS I also found this page that talks about installing via apt.
https://www.webmin.com/deb.html
Thanks!
Submitted by KitchM on Sun, 05/02/2021 - 11:55 Comment #40
Yes, it is odd that it does not upgrade with the rest of the updates waiting in the queue. However, you can select Webmin>Webmin Configuration>Upgrade Webmin to get the job done.
As to whether it will work on Ubuntu, I would suggest that the upgrade would be beneficial to all Debian-based offshoots. A little trial and error will tell you if you can now do what you wanted.
We can ignore the copyright date, as some programmers may forget to upgrade it.
I'm going to try mine now and see if things are working better.
Good luck, Buddy.
Submitted by richb-hanover on Sun, 05/02/2021 - 12:26 Pro Licensee Comment #41
Odd. I have two Webmin installations, both were on 1.973. One offered the Webmin>Webmin Configuration>Upgrade Webmin choice (a tile, with an upward arrow). Clicking it did in fact upgrade to Webmin 1.974 as desired.
The other Webmin instance (also 1.973) does not offer that Upgrade Webmin icon. Thoughts? Thanks.
Submitted by KitchM on Sun, 05/02/2021 - 12:29 Comment #42
Fascinating. I'm wondering which operating systems you are using.
Submitted by richb-hanover on Sun, 05/02/2021 - 13:26 Pro Licensee Comment #43
The system that did offer the Webmin Upgrade is Ubuntu 18.04.5.
The system that did not offer that choice is Ubuntu 20.04.2
Submitted by KitchM on Sun, 05/02/2021 - 13:54 Comment #44
Well, I have Debian 10 and it did not offer the upgrade in the rest of the upgrades, but did offer it from Upgrade Webmin.
What we know for sure is that consistency is gained when all comparisons are of the same OS version. No one knows what the distro creators might do with the environment. They may even tweak the kernel.
You will find this in many places in the computer environment. We are always dealing with little niggling problems which refuse to be easily tracked down. One programmer's habits do not coincide with another's.
Please do not post to existing threads with a completely different topic.
https://github.com/virtualmin/virtualmin-gpl/issues/285
If you installed Virtualmin using the install.sh script, the Virtualmin repos must be set in the following file:
Submitted by KitchM on Tue, 05/04/2021 - 17:25 Comment #46
I just did some configuration consolidation in the rules and found it configured correctly as displayed.
However, when I selected to activate at boot = Yes, and Apply Configuration, I got an error message that states "Failed to apply configuration : Failed to restart ip6tables.service: Unit ip6tables.service not found." That is weird because IPv6 is not involved.
Please keep in mind that the top of the screen shows: Change IP protocol version: with IPv4 highlighted, and Rules file /etc/iptables/rules.v4
Your thoughts?
Something is trying to restart ip6tables.service which was manually incorrectly removed? Check for ip4tables.service or run a test search throughout all configs to get more details:
Submitted by richb-hanover on Wed, 05/05/2021 - 07:53 Pro Licensee Comment #48
Having upgraded to 1.974, I have some questions about the operation of the iptables firewall. I will start a new topic since this one's getting pretty long. Thanks!
Submitted by KitchM on Wed, 05/05/2021 - 11:37 Comment #49
The command results were that there was no such file or directory.
Are you taking into consideration the information in #3 of the original post?
Submitted by KitchM on Wed, 05/05/2021 - 11:59 Comment #50
A further problem with Webmin is that it sees the information in /etc/iptables/rules.v4, but translates it incorrectly.
Here is an example. The rule in the rules file shows:
*Accept all from NTP pool
-A INPUT -p udp -m udp -s 71.252.219.43,162.159.200.12 ,38.229.71.1,66.228.58.20 --deport 123 -j ACCEPT
Webmin shows: https://ibb.co/7gtrZtd
You will also find that when creating a rule with multiple IP addresses, the standard is to separate with a comma and no spaces, but Webmin wants a space and no commas.
PS: The interface looks great! Thanks.
Submitted by KitchM on Thu, 05/06/2021 - 09:11 Comment #51
Does anyone know when this issue will finally be resolved? Thanks.
Submitted by KitchM on Fri, 05/07/2021 - 13:42 Comment #52
@Jamie, @Ilia, is there anything I can do to help with this? Testing perhaps?
Submitted by JamieCameron on Sat, 05/08/2021 - 19:34 Comment #53
Regarding comment #50 - I tested, and multiple comma-separated IPs work fine in Webmin and are shown in the UI.
Is deport the correct flag though? Shouldn't it be dport?
Submitted by KitchM on Sun, 05/09/2021 - 16:03 Comment #54
Yes, it should be dport. Sorry about the typo.
I know that I tried a number of different times. It did not take commas, but took spaces or carriage returns.
So I tried again. I set this:
71.252.219.43,38.229.71.1
and got this when I tried to save:
Failed to save rule : Missing or invalid source address or network
Then I tried this:
71.252.219.43 38.229.71.1
and then it saved. No comma and only a space.
Finally I tried this format:
71.252.219.43
CR
38.229.71.1
and it also saved just fine.
I also noticed that I could not find any way to set "-m state" and things like that. I believe this has to do with the extensions not being available from the iptables extra modules.
Submitted by JamieCameron on Sun, 05/09/2021 - 18:31 Comment #55
So it's expected that in the UI, addresses are space or newline separated. In the next release we'll allow commas as well though.
Submitted by KitchM on Mon, 05/10/2021 - 11:53 Comment #56
Thanks, Jamie. That's going to be solving a big confusion.
Now, I am not sure we need to worry about nftables, but perhaps that is coming down the road.
In any case, I believe you do need to make sure the stateful feature set of conntrack, which as you know is the command for using the conntrack-tools or "connection tracking tools" tied into the iptables-extensions, is available for use.
When I imported my manually created rules, it saw my comments but not my rules sections for state or ctstate settings.
I hope that these will be included too so that we can use all the features of iptables.
Submitted by JamieCameron on Tue, 05/11/2021 - 00:11 Comment #57
There was a bug related to creation of conntrack rules that should be fixed in the 1.974 release, which should be available to Virtualmin users shortly.
Submitted by KitchM on Tue, 05/11/2021 - 10:33 Comment #58
Since 1.974 has just been released, did you mean 1.975?
Submitted by JamieCameron on Tue, 05/11/2021 - 23:53 Comment #59
No, I meant 1.974. Is the problem that Webmin is using the --state flag when it should be --cstate? If so, does this happen even for newly created rules?
Submitted by KitchM on Wed, 05/12/2021 - 12:42 Comment #60
That's a good question, but one you would be better able to answer.
Also, if something is missing in 1.974, how will 1.974 be upgraded? You do remember that it has already been released?
I did run across some information that may help and will post it soon.
Submitted by KitchM on Thu, 05/13/2021 - 14:39 Comment #61
I admit to being confused. Not because I can't understand, but because of the extremely poor documentation and syntax used in articles on the subject.
My current understanding is that we are forced to consider the use of iptables extensions to get things done as we wish. No doubt you understand that.
However, it appears that there is some confusion about the extensions as to their relationship to the connection tracking module, aka conntrack. The iptables-extensions man page shows conntrack as a subset. It also shows state as a subset, but then specifies that it is a subset of conntrack. Go figure.
Therefore, we need to know what each option does.
--state state can specify the second "state" as INVALID, ESTABLISHED, NEW, RELATED or UNTRACKED.
The --cstate does not exist in the man page, but --ctstate statelist does. In this case "statelist" uses INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED, SNAT or DNAT.
So, what I can determine is that one can use either/or and so Webmin must recognize them and categorize them appropriately.
Outside the man pages from netfilter.org, there is a nice discussion and explanation https://unix.stackexchange.com/questions/108169/what-is-the-difference-b...
With all that said, I strongly suggest that Webmin>Linux Firewall lists the iptables in this format. First, display the full pathname to the tables file. Second, show the name of the table. Then show from left to right, the rule details, including the details of the extensions.
Submitted by KitchM on Thu, 05/13/2021 - 15:04 Comment #62
@Ilia, It may be that I am incorrect in understanding the display. I do know that the Action column is way too wide, and I cannot resize it.
Maybe you put everything into the Condition column. That's fine if everything is there.
I do know that the Move and Add columns can be eliminated in favor of a move or add option at the bottom which would apply to the row selected.
In my case, the display shows: If protocol is UDP and source is 71.252.219.43/32 and destination port is 123 Accept all from NTP pool
The funny thing is that the Action is Do Nothing, which is not what the file says.
Do you get the same problem using Gray Theme?
How can I reproduce an issue? Can you provide a screenshot?
Submitted by KitchM on Fri, 05/14/2021 - 16:25 Comment #64
Here's the screenshot. I used the framed grey theme as you mentioned, instead of the default one. It looked basically the same either way. Hope it is what you wanted. https://ibb.co/MC8TSDd
There really is no way to change the width of the columns to make them more useful.
Thanks for looking at it.
Submitted by JamieCameron on Sat, 05/15/2021 - 16:49 Comment #65
Regarding the --state and --ctstate flags - Webmin tries to select the right one based on your kernel version.
What does the uname -r command output on your system?
Submitted by KitchM on Sun, 05/16/2021 - 10:06 Comment #66
Really? That is very neat. Does it use a table or a range of settings? What about distro version differences?
Another thing I can't figure out is when something is using iptables or nftables. Or if it is using iptables-persistent or the nftables-persistent. Isn't one built in to the kernel by default, i.e. nftables-persistent in Debian 10?
Mine is: 4.19.0-16-amd64
Submitted by JamieCameron on Sun, 05/16/2021 - 16:14 Comment #67
Ok, with that kernel version, Webmin should be only using the --ctstate flag and not --state
Submitted by KitchM on Sun, 05/16/2021 - 17:17 Comment #68
So if I use -state am I doing wrong for your program?
Submitted by KitchM on Mon, 05/17/2021 - 11:48 Comment #69
I have learned that nftables keeps its tables in /etc/nftables.conf, whereas iptables are found in /etc/iptables/, if iptables-persistent is used. That must make it necessary for you to search two places.
In any case, I understand your programming problems with regard to that. I do not know about you, but logic would therefore say to check for /etc/iptables/ first. If it exists, then Webmin falls back to iptables mode. Else, go with nftables and assume nftables-persistent exists.
If iptables-persistent exists, it alone would not be a good test because it might not have been used to create /etc/iptables/ yet.
If iptables, then conntrack is optional and only used if the rules.v4 and rules.v6 showed references to it or the rest of the extensions.
If nftables, then conntrack is in the kernel by default. However, Debian 10 has nftables and conntrack on by default, and still offers iptables-legacy, or so I understand.
With that said, both -state and -ctstate are active as legitimate options at all times.
Submitted by KitchM on Mon, 05/17/2021 - 11:58 Comment #70
As to the display, I suggest a change to show the basic important things for which the user will be looking: First, place the default policy at the top of the chain. Second, make the action column fit only the widest word option. Third, expand Condition column to include space released from above change. Fourth, include all conditions, not just some. For instance, you are not displaying RELATED or ESTABLISHED rules.
Submitted by r4p70r on Fri, 05/21/2021 - 09:06 Comment #71
I am using Debian 9 with Webmin 1.974 and iptables v1.6.0
The firewall module still does not work properly. I can neither apply changes nor set the configuration to be applied at boot time.
When I try to apply the changes I get the following error message in Webmin: "Failed to apply configuration : Failed to restart iptables.service: Unit iptables.service not found."
When I try to set Activate at boot to Yes I get: "Bootup action iptables does not exist"
When I change the option "Always start firewall from init script on Debian" to Yes in the global options then the rules file changes to /etc/iptables/rules.v4 and I get: "Failed to apply configuration : Failed to restart ip6tables.service: Unit ip6tables.service not found." and "Bootup action ip6tables does not exist"
For ipv6 the rules file remains at /etc/ip6tables.up.rules
Submitted by maddkorben on Sat, 05/22/2021 - 05:21 Comment #72
Same problem here like r4p70r has when applying rules: "Failed to restart iptables.service: Unit iptables.service not found."
cat /etc/debian_version
10.9
dpkg -l | grep webmin
ii webmin 1.974
Tried to install netfilter-persistent but didn't help.
Jamie has already fixed this issue for the next Webmin release.
Submitted by KitchM on Mon, 05/24/2021 - 09:48 Comment #74
Ilia, that was the issue I asked about earlier and got no explanation. If the current one is 1.974, why would there be another with the same version number?
What would be another with the same version number?
Submitted by KitchM on Mon, 05/24/2021 - 14:10 Comment #76
Comment #10 goes from 1.973 to 1.974. Comment #57 seems to indicate a new update. Comment #58 points out that we already had 1.974. Comment #73 says there is another fix. 1.975?
Comment #73 refers to the following -
Submitted by KitchM on Mon, 05/24/2021 - 15:32 Comment #78
But you said "next". Do you mean 1.945?
The next Webmin version is planned to be 1.975.
Submitted by KitchM on Mon, 05/24/2021 - 15:35 Comment #80
So the problems still existing with the iptables will be included in that version?
I am sorry, but which problem are you talking about exactly? I expect that Jamie addressed all known issues. I haven't tested.
What Webmin version are you on at the moment? Did you try applying the linked patch/patches and see if that addresses your issue exactly?
Submitted by KitchM on Mon, 05/24/2021 - 15:57 Comment #82
I am on 1.974.
From #27: When I went to use the iptables editing, I found I could not combine multiple IP addresses in one rule.
When I went to apply my IPv4 rules, I got the error: Failed to apply configuration : Failed to restart ip6tables.service: Unit ip6tables.service not found.
From #32-36: I am confused about iptables versus nftables.
From #46: Evidently there is a problem with a cross issue between v4 and v6. These should be separate at all times.
From #50, 54: Incorrect layout.
From #55: Next release mentioned. Assume 1.975.
From #70: Can you do anything about the layout?
Submitted by KitchM on Tue, 05/25/2021 - 17:22 Comment #83
@Ilia, I should first have asked you if you are working on the Webmin interface? Particularly how it displays the netfilter rules. (As that was regarding my references to #50 and #70 above.)
I am also working on the UI, yes. I remember in the past I made some patches to display a large number of IPs nicely for the Firewall module. I am not sure, perhaps that is the problem? If you switch to Gray Theme do you get different output?
Could you just attach the list of rules which I could easily load and try it out?
Speaking about splitting on the comma, I saw a few days ago that Jamie made a commit in this regard, but I am not sure if that is related. The same about the --state option.
If you are an advanced user could you just grab from Webmin Git repo firewall directory and try it out locally? I assume that most issues you're talking about were addressed by Jamie already.
Submitted by KitchM on Tue, 05/25/2021 - 19:31 Comment #85
Well, as a preface to the whole issue, I understand that the format of nftables rules is different from iptables rules, so that will require an automated choice of display formats.
With that said, the fact is that I cannot see the details of each iptables rule on a line by line basis as Webmin currently displays it. (I do not want to go into nftables, as I do not understand that format yet.)
Here is a list of some rules to try:
These are from a current iptables, and in Webmin they look like this screenshot: https://ibb.co/qdKkSdC https://ibb.co/YT6fw5b
Please note that the layout is not matching the items and does not have the correct settings for each rule.
I would also say to get rid of Webmin>Networking>Linux IPv6 Firewall. It is already under Linux Firewall by just selecting a button at the top for IPv6. No need to confuse things.
Yes, I too am not sure if the next release will fix the comma, space, line return option
Yes, I am an advanced user, but unfamiliar with your processes. I can do anything if someone simply tells me the specific steps to take, and I will be able to recognize results and offer feedback.
Thank you.
Submitted by KitchM on Tue, 05/25/2021 - 19:43 Comment #86
That should have been: -A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -i lo -m comment --comment "Accept all loopback interface" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Accept all having a matching outgoing connection" -j ACCEPT
-A INPUT -s 71.252.219.43,162.159.200.123,38.229.71.1,66.228.58.20 -p udp -m udp --dport 123 -m comment --comment "Accept all from NTP pool"
-A INPUT -s 199.180.220.89, 199.180.220.91,208.89.104.3,45.33.71.83, 45.33.70.196,157.230.238.197,45.55.33.77,199.180.223.109 -p udp -m udp --dport 5060:5080 -m comment --comment "Accept from SIP provider" -j ACCEPT
This is so much simpler and cleaner.
Submitted by JamieCameron on Wed, 05/26/2021 - 21:40 Comment #87
Regarding comment #85 - if the active rules and what you see in webmin are totally different, are you sure webmin is looking at the correct config file?
Submitted by KitchM on Thu, 05/27/2021 - 09:53 Comment #88
The user would have no control over that. Webmin does what it does.
Submitted by JamieCameron on Fri, 05/28/2021 - 13:15 Comment #89
Ok, let's look at some specific rules from your screenshot .. for example :
I don't see a -j accept in there, so it's unclear why this would cause iptables to accept matching traffic?
Submitted by KitchM on Fri, 05/28/2021 - 14:36 Comment #90
Bloody hell, Jamie. You are correct. How the heck did that happen? Now I have to go over everything again. Something did not get copied correctly or formatted correctly initially.
I'll try again and see what happens.
By the way, that must be why the Webmin display shows "Do nothing".
Submitted by JamieCameron on Sun, 05/30/2021 - 01:00 Comment #91
Yeah, if there's no -j action, Webmin assumes that the rule doesn't block or accept the packet.
Submitted by KitchM on Sun, 05/30/2021 - 11:14 Comment #92
Yeah, what it says on those is "Do nothing".
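To make the parsing and display questions raised in comments #50, #54, #85 and #89 to #92 concrete, here is an added example (not Webmin's own code, and not from anyone in this thread) that reads iptables-save style rules, splits comma-separated -s/-d address lists, picks up --dport, --state/--ctstate and -m comment, and renders each rule in a Webmin-like Action / Condition / Comment layout. A rule with no -j target is rendered as "Do nothing", as Jamie describes in #91, and is also reported by a separate check so the mistake from #89/#90 is caught before the file is loaded. The sample rules, the column wording and the helper names are all constructed for this example; only the iptables option names themselves are real.

```python
"""Parse iptables-save style rules and render them Webmin-style
(Action / Condition / Comment), flagging rules that have no -j target.
Added example, not Webmin code; helper names and sample data are constructed."""
from dataclasses import dataclass, field
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample in iptables-save format. The NTP rule deliberately has
# no "-j ACCEPT", mirroring the mistake discussed in comments #89-#91.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "Accept all loopback interface" -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Accept all having a matching outgoing connection" -j ACCEPT
-A INPUT -s 71.252.219.43,162.159.200.123,38.229.71.1,66.228.58.20 -p udp -m udp --dport 123 -m comment --comment "Accept all from NTP pool"
-A INPUT -s 192.168.1.0/24 -j ACCEPT
COMMIT
"""

ACTION_NAMES = {"ACCEPT": "Accept", "DROP": "Drop", "REJECT": "Reject"}


@dataclass
class Rule:
    chain: str
    sources: List[str] = field(default_factory=list)
    dests: List[str] = field(default_factory=list)
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[str] = None
    dport: Optional[str] = None
    states: List[str] = field(default_factory=list)
    comment: Optional[str] = None
    target: Optional[str] = None   # None means no -j was given


def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ...' line. Every option handled here takes exactly
    one argument; comma-separated address lists (as iptables accepts for -s/-d)
    are split into a Python list. Unknown options raise rather than being
    silently dropped, since a dropped match would widen the rule."""
    tokens = shlex.split(line)   # shlex keeps the quoted --comment text together
    rule = Rule(chain="")
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if arg is None:
            raise ValueError(f"option {opt!r} is missing its argument in: {line}")
        if opt == "-A":
            rule.chain = arg
        elif opt in ("-s", "--source"):
            rule.sources = [a.strip() for a in arg.split(",") if a.strip()]
        elif opt in ("-d", "--destination"):
            rule.dests = [a.strip() for a in arg.split(",") if a.strip()]
        elif opt == "-i":
            rule.in_iface = arg
        elif opt == "-o":
            rule.out_iface = arg
        elif opt == "-p":
            rule.proto = arg.lower()
        elif opt == "--sport":
            rule.sport = arg
        elif opt == "--dport":
            rule.dport = arg
        elif opt in ("--state", "--ctstate"):
            rule.states = arg.split(",")
        elif opt == "--comment":
            rule.comment = arg
        elif opt == "-j":
            rule.target = arg
        elif opt == "-m":
            pass   # match module name (udp, conntrack, comment, ...); its options follow
        else:
            raise ValueError(f"unsupported option {opt!r} in: {line}")
        i += 2
    return rule


def parse_rules(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return (chain policies, rules) from iptables-save output."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "*")) or line == "COMMIT":
            continue
        if line.startswith(":"):            # ":INPUT DROP [0:0]" -> policy line
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A"):
            rules.append(parse_rule(line))
    return policies, rules


def render_condition(rule: Rule) -> str:
    """Plain-English condition column; 'Always' when the rule has no matches."""
    parts = []
    if rule.in_iface:
        parts.append(f"incoming interface is {rule.in_iface}")
    if rule.out_iface:
        parts.append(f"outgoing interface is {rule.out_iface}")
    if rule.proto:
        parts.append(f"protocol is {rule.proto.upper()}")
    if rule.sources:
        parts.append("source is " + " or ".join(rule.sources))
    if rule.dests:
        parts.append("destination is " + " or ".join(rule.dests))
    if rule.sport:
        parts.append(f"source port is {rule.sport}")
    if rule.dport:
        parts.append(f"destination port is {rule.dport}")
    if rule.states:
        parts.append("connection state is " + " or ".join(rule.states))
    return " and ".join(parts) if parts else "Always"


def render_action(rule: Rule) -> str:
    return "Do nothing" if rule.target is None else ACTION_NAMES.get(rule.target, rule.target)


def rules_without_target(rules: List[Rule]) -> List[Rule]:
    """Rules that match traffic but never decide anything (no -j)."""
    return [r for r in rules if r.target is None]


def render_table(policies: Dict[str, str], rules: List[Rule]) -> str:
    lines = [f"Chain {c} (policy {p})" for c, p in policies.items()]
    lines.append("Action      | Condition | Comment")
    for r in rules:
        lines.append(f"{render_action(r):<11} | {render_condition(r)} | {r.comment or ''}")
    return "\n".join(lines)


if __name__ == "__main__":
    pol, rls = parse_rules(SAMPLE_RULES)
    print(render_table(pol, rls))
    for r in rules_without_target(rls):
        print(f"WARNING: rule has no -j target: {r.comment!r}")
```

Run it and the NTP rule shows up as "Do nothing" with its full condition spelled out, while the loopback and conntrack rules render as "Accept". The parser is deliberately strict: an option it does not understand (for example a negated match) raises instead of being ignored, because a silently dropped match makes a rule look narrower or wider in the display than it is in the kernel, which is exactly the kind of mismatch this thread is about.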
Submitted by papampi on Thu, 06/03/2021 - 02:26 Comment #93
I still have this problem on ubuntu 20.04 and 16.04 with latest webmin 1.974 When I click apply configuration firewall it gives: Failed to apply configuration : Failed to restart iptables.service: Unit iptables.service not found.
Hello Debian 10.9 Webmin 1.974
I just upgraded the server and I cannot apply iptables 4 rules I get "Failed to apply configuration : Failed to restart iptables.service: Unit iptables.service not found. "
Same to have it run at boot, I get "Bootup action iptables does not exist"
Iptables rules are active because they are launched via the network/interface file at start. post-up iptables-restore < xxxxx
I see that in #73 issue is fixed on next update, is this on 1.975 ? or was supposed to be fixed in 1.974?
If 1.975, how can we get it, as right now the highest proposed is 1.974?
Thank you
Submitted by KitchM on Thu, 06/03/2021 - 14:32 Comment #95
From what I can determine, we are awaiting the release of 1.975. At that point, we will see how things shake out before we test it again for ourselves. I am sure Jamie is working on that release now.
Please note that while I share the error you guys found, mine is a little different as mentioned before:
Failed to apply configuration : Failed to restart ip6tables.service: Unit ip6tables.service not found.
As you know, and as I've pointed out before, Debian 10 uses nftables by default, but accommodates iptables. However, we must remember that they are two separate systems which are trying to use some crossover in the available services.
While nftables is automatically persistent by original programming, iptables is not. It therefore appears to need iptables-persistent installed. During or after the installation, one must perform a save function to create the /etc/iptables/ directory and save the settings there in files rules.v4 and rules.v6.
Webmin creates a file /etc/iptables.up.rules. (I do not know when it does this.) nftables has its info in /etc/nftables.conf. Which is used by Webmin, and how does it know which to choose? I am unclear about that.
At least, that's how I understand it now.
Submitted by KitchM on Fri, 06/04/2021 - 13:33 Comment #96
Here is an interesting and specific issue related to this subject. In my /etc/iptables/rules.v4, my third line states:
A -INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Accept all having a matching outgoing connection" -j ACCEPT
In Webmin, that same lines reads:
Action Condition Comment
Accept Always Accept all having a matching outgoing connection.
Not only is that not very descriptive, but is wrong in a basic sense.
Ilia, IMHO this is part of the problem having to do with layout.
Submitted by JamieCameron on Sat, 06/05/2021 - 18:08 Comment #97
OK, I see the bug that causes that - it will be fixed in the next release.
Submitted by KitchM on Sun, 06/06/2021 - 14:36 Comment #98
Thank you, Jamie. I look forward to the next release.
Submitted by KitchM on Sun, 06/06/2021 - 14:39 Comment #99
By the way, does Condition = Always actually mean "All Ways", as in all ports, protocols, addresses, etc.?
Submitted by JamieCameron on Tue, 06/08/2021 - 23:44 Comment #100
Yes, it means that the rule will match all packets.
Submitted by KitchM on Wed, 06/09/2021 - 12:04 Comment #101
Thanks for that, Jamie.
As you probably have thought about, it is nice if the GUI does some interpretation to put things into simple English usage. IMHO, regardless of what iptables or nftables does, it is preferable to say what is actually meant.
Maybe this is something that Ilia can address, but I would like to see something like "All Ways", or "All Ports", or "All Protocols", or "All IP's", just to be more specific as to what a given rule is allowing. Otherwise, I am not sure what information "Condition" is providing.
This might be handled by something as simple as a few If/Then statements in the programming?
Does that make sense?
Thanks.
Submitted by JamieCameron on Fri, 06/11/2021 - 00:09 Comment #102
Maybe if the condition said "All traffic" or something like that?
Submitted by KitchM on Fri, 06/11/2021 - 11:15 Comment #103
Great idea. I totally agree with you. (That's why good ideas come from many minds.)
So if it was only partial, it might display something like: "All traffic on UDP" "All traffic on ports 5060-5060" "All traffic from 192.167.1.25" or similar ideas.
Is this too much programming?
Submitted by KitchM on Sun, 06/20/2021 - 14:25 Comment #104
Okay, I was surprised to learn that a new Webmin was available. Woo hoo! Thank you, Jamie.
I look forward to trying it out this week.
What really surprised me was that the version jumped a few, from 1.974 to 1.979. Wow! Why the big jump?
Submitted by KitchM on Fri, 06/25/2021 - 18:42 Comment #105
@Jamie, I loaded the latest version and tried to set up a ruleset. They worked flawlessly.
After creating the rules, I selected to Apply Configuration. I then selected Activate at boot.
Next I rebooted the server. However, when I ran sudo iptables -L, there were no items present. But it said that there were some under legacy. So I ran sudo iptables-legacy -L and got a strange listing that did not match my entries.
For one thing, it listed the IP addresses as domain names. Translation seems like a mistake. IP addresses don't need translation. I think this is a problem related to iptables-legacy in Raspbian.
Another thing is that it should have displayed from iptables and not iptables-legacy. Since Webmin created /etc/iptables.up.rules, it should have displayed the file with the command sudo iptables -L.
When iptables is created to persist, iptables-persistent creates /etc/iptables/rules.v4 and /etc/iptables/rules.v6. Shouldn't Webmin have used that method since nftables does not exist?
BTW, restarting Webmin does show that the rules are still correct after the server reboot. I remain confused as to what to expect from the server commandline.
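The situation described in #95 and #105 (rules saved to a file but not the ones the kernel is running after a reboot) can be checked from the command line. The script below is an added example, not Webmin's or iptables-persistent's own code; the two rulesets are constructed samples in iptables-save format, and the paths and commands named in the comments are the standard ones rather than anything taken from a particular install.

```shell
#!/bin/sh
# Added example, not Webmin's own code: show drift between a saved iptables
# ruleset and what the kernel is running. Both sides are iptables-save
# format, which prints addresses numerically (plain `iptables -L` does a
# reverse lookup; use `iptables -L -n`). Live: active side from `iptables-save`
# (or `iptables-legacy-save`), saved side from /etc/iptables/rules.v4.
LC_ALL=C; export LC_ALL
# Keep only comparable text: drop "#" lines, table headers and COMMIT, strip
# [pkts:bytes] counters from rule and chain-policy lines, sort uniquely.
normalize_rules() {
  grep -v -e '^#' -e '^\*' -e '^COMMIT' "$1" \
    | sed -e 's/^\[[0-9]*:[0-9]*\] *//' -e 's/ *\[[0-9]*:[0-9]*\]$//' \
    | sort -u
}
# Print saved rules/policies that are not active; status 0 if none missing.
missing_rules() {
  saved=$(mktemp) && active=$(mktemp) || return 2
  normalize_rules "$1" >"$saved"
  normalize_rules "$2" >"$active"
  gone=$(comm -23 "$saved" "$active")
  rm -f "$saved" "$active"
  [ -z "$gone" ] && return 0
  printf '%s\n' "$gone"
  return 1
}
# Constructed sample of what iptables-persistent wrote to rules.v4 ...
SAVED_RULES=$(mktemp)
cat >"$SAVED_RULES" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Accept all having a matching outgoing connection" -j ACCEPT
-A INPUT -s 192.0.2.25/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
# ... and what the kernel runs after a reboot where nothing restored it
# (distribution defaults: ACCEPT policies, most rules gone).
ACTIVE_RULES=$(mktemp)
cat >"$ACTIVE_RULES" <<'EOF'
*filter
:INPUT ACCEPT [120:8400]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [98:7700]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
missing_rules "$SAVED_RULES" "$ACTIVE_RULES" \
  || echo "rules above were saved but are NOT active: boot-time restore did not run"
```

Because chain policies are compared too, a saved DROP policy that came back as the default ACCEPT after reboot is reported alongside the missing rules.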
Submitted by JamieCameron on Sat, 06/26/2021 - 00:15 Comment #106
Listing the rules with IPs is expected, because hostnames get resolved to IPs when the rules are loaded into the kernel.
Submitted by KitchM on Sun, 06/27/2021 - 10:04 Comment #107
But, Jamie, wasn't that my point? Why are the IP addresses being converted to hostnames and then saved in the file? They then have to be converted back to IP addresses to be useful. I definitely entered them as IP addresses. Was it Webmin that did the unnecessary conversion?
Submitted by JamieCameron on Sun, 06/27/2021 - 12:47 Comment #108
Oh I see - that conversion must be done by the iptables command, via a reverse lookup. Since in the kernel the rules are only stored as IPs, we don't know if they were originally entered as an IP or a hostname.
Submitted by KitchM on Mon, 06/28/2021 - 15:53 Comment #109
Jamie, I always look up hostnames and enter them as their appropriate IP addresses. I found that the iptables -L command does a reverse lookup, as you surmised. One must use the -n option with it so as to suppress that function. Also, I failed to actually view the /etc/iptables.up.rules file which showed the IP addresses as they should be. My mistake. Webmin does correctly view and display it. Many thanks for a job well done.
@Ilia, the latest version of Webmin has lost the comments column. Was that intentional?
Not at all. I assume that you have mistakenly disabled comments in Linux Firewall ⇾ Configuration: Configurable global options with Display comment in rules list option set to No.
Submitted by KitchM on Tue, 06/29/2021 - 10:15 Comment #111
It was unchecked. Thanks for that. However, I did not do it, as I had no reason to do so that I can imagine. Strange.
By the way, is there a way to improve the column layout? The Action column is way too wide and needs shrinking. The other two need to be expanded to the left. Even the Move column can be shrunk slightly to the right.
I'd also like to remind you to get rid of the separate menu item for Linux IPv6 Firewall since it is redundant. All one has to do is select the button at the top of the Linux Firewall page to see the same thing.
What do you think?
Thank you.
Submitted by JamieCameron on Fri, 07/02/2021 - 22:39 Comment #112
Good suggestion, I'll remove that redundant version switcher.