Webmin Linux Firewall gives incorrect information when using iptables-persistent

I love Webmin - it makes admin'ing my VPS so easy. But I have had trouble using the Linux Firewall page. I wonder if Webmin is not compatible with iptables-persistent. There are several problems:

  1. After installing (with apt install iptables-persistent) the Linux Firewall page shows that the iptables files are saved in /etc/iptables.up.rules and /etc/ip6tables.up.rules. This is not correct - they're saved in /etc/iptables/rules.v4 and /etc/iptables/rules.v6.

  2. The Activate at boot control doesn't work. a) If I click Yes, then click Activate at boot, then reboot the system, the "No" button is checked again. b) The iptables rules are not reloaded - I get a default set of rules.

  3. The list of rules displayed does not match the active set (from /etc/iptables/rules.v4 and /etc/iptables/rules.v6). It may be the leftover rules from /etc/iptables.up.rules and /etc/ip6tables.up.rules

  4. The help text (top of the page, second button from the left) speaks of "ipi(6)tables" - I suspect this should be "ip(6)tables"...

How can I make the Webmin page reflect the actual state of my iptables? Many thanks.

PS I also want to say something nice: Since I have chosen not to use firewalld, I removed it with sudo apt purge firewalld. Webmin DOES give a good diagnostic message if I click FirewallD (It says, "The FirewallD module cannot be used : The FirewallD control command firewall-cmd was not found on your system")

Status: 
Needs review
Virtualmin version: 
6.14
Webmin version: 
1.962

Comments

This could be an issue with Webmin's detection of your Linux version.

What output do you get if you run grep os_ /etc/webmin/config ?

$ grep os_ /etc/webmin/config
os_type=debian-linux
os_version=11.0
real_os_type=Ubuntu Linux
real_os_version=20.04.1

Thanks!

NB: lsb_release shows I'm on 20.04.2...:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:    20.04
Codename:   focal

Yet another update:

  • Webmin called for a bunch of package upgrades, including Webmin (to 1.973) and Virtualmin (to 6.15)
  • I allowed those to proceed. In so doing...
  • Webmin noticed that I'm actually on 20.04.2, and so I clicked the "Update version" or whatever it's called
  • Now the dashboard shows 20.04.2
  • Linux Firewall still shows the rules in the incorrect location /etc/iptables.up.rules
$ grep os_ /etc/webmin/config
os_version=11.0
real_os_type=Ubuntu Linux
os_type=debian-linux
real_os_version=20.04.2

Did the latest Ubuntu release change the location of those config files? Virtualmin currently only looks in /etc/iptables.up.rules rather than /etc/iptables/rules.v4

I frankly have no idea. (There doesn't seem to be a lot of documentation here...)

I do know that, after I installed iptables-persistent, my rules are being saved in /etc/iptables/rules.v4... (That's the set of rules that are being installed after a reboot...)

Update: I know more now... iptables-persistent seems to have a configuration file in /etc/default/netfilter-persistent with "plugins" in /usr/share/netfilter-persistent/plugins.d/. The "plugin" file 15-ip4tables (below) does refer to the /etc/iptables/rules.v4 file... How could Webmin figure this out? Many thanks.

/etc/default/netfilter-persistent

# Configuration for netfilter-persistent
# Plugins may extend this file or have their own

FLUSH_ON_STOP=0

# Set to yes to skip saving rules/sets when netfilter-persistent is called with
# the save parameter
# IPTABLES_SKIP_SAVE=yes
# IP6TABLES_SKIP_SAVE=yes
# IPSET_SKIP_SAVE=yes

and plugins are saved in /usr/share/netfilter-persistent/plugins.d/:

/usr/share/netfilter-persistent/plugins.d/

ls -al /usr/share/netfilter-persistent/plugins.d/
total 16
drwxr-xr-x 2 root root 4096 Mar 17 07:39 ./
drwxr-xr-x 3 root root 4096 Mar 17 07:39 ../
-rwxr-xr-x 1 root root 2024 Sep 13  2019 15-ip4tables*
-rwxr-xr-x 1 root root 1983 Sep 13  2019 25-ip6tables*

/usr/share/netfilter-persistent/plugins.d/15-ip4tables

The plugin file 15-ip4tables looks like this. 25-ip6tables looks similar, although I didn't check it carefully:

#!/bin/sh

# This file is part of netfilter-persistent
# (was iptables-persistent)
# Copyright (C) 2009, Simon Richter 
# Copyright (C) 2010, 2014 Jonathan Wiltshire 
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation, either version 3
# of the License, or (at your option) any later version.

set -e

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Source configuration
if [ -f "/etc/default/netfilter-persistent" ]; then
    . /etc/default/netfilter-persistent
fi

load_rules()
{
    #load IPv4 rules
    if [ ! -f /etc/iptables/rules.v4 ]; then
        echo "Warning: skipping IPv4 (no rules to load)"
    else
        iptables-restore < /etc/iptables/rules.v4
    fi
}

save_rules()
{
    if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
        touch /etc/iptables/rules.v4
        chmod 0640 /etc/iptables/rules.v4
        iptables-save > /etc/iptables/rules.v4
    fi
}

flush_rules()
{
    TABLES=$(iptables-save | sed -E -n 's/^\*//p')
    for table in $TABLES
    do
        CHAINS=$(iptables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p')
        for chain in $CHAINS
        do
            # policy can't be set on user-defined chains
            iptables -t $table -P $chain ACCEPT || true
        done
        iptables -t $table -F
        iptables -t $table -Z
        iptables -t $table -X
    done
}

case "$1" in
start|restart|reload|force-reload)
    load_rules
    ;;
save)
    save_rules
    ;;
stop)
    # Why? because if stop is used, the firewall gets flushed for a variable
    # amount of time during package upgrades, leaving the machine vulnerable
    # It's also not always desirable to flush during purge
    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
    ;;
flush)
    flush_rules
    ;;
*)
    echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
    exit 1
    ;;
esac
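The question above (how a tool could work out where the rules are persisted, and which front end iptables is using) as an added example. This is not Webmin's or netfilter-persistent's code: it is a POSIX shell script that reads the restore path out of the netfilter-persistent plugin when the package is installed and otherwise falls back to the two conventional locations. The ROOT argument is an assumption added so the functions can be exercised against a scratch directory tree; with no argument they inspect the real system. The version-string argument to iptables_backend is likewise assumed, so the classification of "(legacy)" versus "(nf_tables)" can be tried without running iptables.

```shell
#!/bin/sh
# Added example, not Webmin or netfilter-persistent code: work out where the
# IPv4 iptables rules are persisted on a Debian/Ubuntu system and which
# iptables front end is in use.

# find_v4_rules_file [ROOT]
#   ROOT is an assumed parameter (default: empty, i.e. the real filesystem)
#   so the logic can be run against a scratch directory tree.
#   Prints the rules path (relative to ROOT) and returns 0, or prints nothing
#   and returns 1 when no persisted rules file exists.
#
# Preference order:
#   1. the path that the netfilter-persistent plugin actually restores from
#   2. /etc/iptables/rules.v4   (iptables-persistent default)
#   3. /etc/iptables.up.rules   (older Debian convention Webmin 1.973 assumed)
find_v4_rules_file() {
    root="${1:-}"
    plugin="$root/usr/share/netfilter-persistent/plugins.d/15-ip4tables"
    if [ -r "$plugin" ]; then
        # The plugin's load_rules() contains:  iptables-restore < /etc/iptables/rules.v4
        f=$(sed -n 's/^[[:space:]]*iptables-restore[[:space:]]*<[[:space:]]*\([^[:space:]]*\).*/\1/p' "$plugin" | head -n 1)
        if [ -n "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    fi
    for f in /etc/iptables/rules.v4 /etc/iptables.up.rules; do
        if [ -f "$root$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# boot_mechanism [ROOT]
#   Reports which boot-time loader is present: "netfilter-persistent" when the
#   package's plugin directory exists, "none" otherwise. It deliberately does
#   not query systemd, so it runs unprivileged and against a scratch tree.
boot_mechanism() {
    root="${1:-}"
    if [ -d "$root/usr/share/netfilter-persistent/plugins.d" ]; then
        echo netfilter-persistent
    else
        echo none
    fi
}

# iptables_backend [VERSION_STRING]
#   Classifies the output of "iptables --version" as "legacy" (the xtables
#   kernel interface), "nf_tables" (the iptables-nft front end over nftables)
#   or "unknown" (older builds print no suffix). Without an argument the real
#   command is run.
iptables_backend() {
    v="${1:-$(iptables --version 2>/dev/null)}"
    case "$v" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# save_running_rules
#   On a real host this writes the running ruleset to the locations above
#   (needs root). Only runs when the tool is installed.
save_running_rules() {
    if command -v netfilter-persistent >/dev/null 2>&1; then
        netfilter-persistent save
    else
        echo "netfilter-persistent is not installed" >&2
        return 1
    fi
}

# Usage: sh probe.sh --probe [ROOT]
case "${1:-}" in
    --probe)
        boot_mechanism "${2:-}"
        iptables_backend
        find_v4_rules_file "${2:-}" || echo "no persisted IPv4 rules file found" >&2
        ;;
esac
```

Reading the restore path out of the plugin, rather than hard-coding /etc/iptables/rules.v4, is the point: the plugin is what actually runs at boot, so whatever it restores from is by definition the active persisted ruleset.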

Thanks, that's useful .. I didn't have the iptables-persistent command installed on my test system. I'll give that a shot.

NB: I am using iptables (and iptables-save, and iptables-restore) 1.8.4. Thanks!

$ iptables --version
iptables v1.8.4 (legacy)

Ok, the next release of Webmin will support this configuration properly.

I just wanted to mention that I also have this problem on Debian 10. From what I can tell, it is now netfilter-persistent. To get started one can run "sudo service netfilter-persistent save". Still Webmin does not see these settings.

I hope this helps.

Does this help you, Jamie? The command appears to be:

sudo service netfilter-persistent save

which returns:

[….] Saving netfilter rules...run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save

run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save

done.

sudo systemctl status netfilter-persistent

shows that the system loads:

/usr/share/netfilter-persistent/plugins.d/15-ip4tables

/usr/share/netfilter-persistent/plugins.d/25-ip6tables

as it stated before.

So right now I have Webmin able to Activate at boot - Yes. However, applying any rules makes no difference to the tables. Therefore doing anything with them thru Webmin is non-functional.

Thanks for your efforts.

Next boot up I noticed error:

Iptables failed to load, or words to that effect. Used systemctl status webmin.iptables.service to check it out.

Unit webmin.iptables.service could not be found

Unit service.service could not be found

So I just turned off Activate at boot and we're back to the way it was.

Thanks.

These issues should all be fixed in Webmin 1.974

Thank you, Jamie. It is very much appreciated.

These issues should all be fixed in Webmin 1.974

Thanks!

How soon will this be available from the Webmin GUI dashboard? (I clicked "Refresh Available Packages" and it's not listed.) Thanks again...

Submitted by Ilia on Mon, 04/05/2021 - 13:53

We should release next Webmin 1.974 within next week.

If you feel comfortable, you could try applying relevant patch and see if it works for you.

Cool! I'll wait for the official update

I would go for the patch but have no idea how to get or apply it. When will the new version be available?

Can you please update the release date? Thank you.

We don't have a planned release date yet, sorry.

"We should release next Webmin 1.974 within next week."

That's why I wondered.

Do you need help testing? I have a Debian 10 server and am willing and able. Like I said before, I don't know how to apply the patch. Are there simple steps?

Please supply method of applying patch.

Submitted by Ilia on Wed, 04/21/2021 - 18:11

Please supply method of applying patch.

Please check comment #19 above.

The patch can be applied by replacing local copy of a file with modified version.

I was able to use the file manager in Webmin to copy-in the patch. It said "merge" so I assumed it was doing whatever it needed to do.

When I went to use the iptables editing, I found I could not combine multiple IP addresses in one rule.

I also noted that it appended /32 to all rule addresses it imported.

When I went to apply my IPv4 rules, I got the error: Failed to apply configuration : Failed to restart ip6tables.service: Unit ip6tables.service not found.

I have no idea why ipv6 came into the picture.

Is there a problem because Debian now uses nftables?

I also see this at the top of the page where IPv4 is selected: "Rules file /etc/iptables/rules.v4 WARNING! Your current IPtables configuration is invalid : iptables-restore v1.8.2 (legacy): unknown option "--state" Error occurred at line: 22 "

Earlier I wrote: "I also noted that it appended /32 to all rule addresses it imported." That was incorrect. That info was imported that way from the iptables.

I was able to manually edit the file at /etc/iptables/rules.v4. After verifying with sudo iptables-restore -t /etc/iptables/rules.v4, I was able to reboot and all was good.

When opening Webmin and going to Networking>Linux Firewall, all looked good. At least it can read the file now.

I guess the problem with Webmin and iptables on Debian is not yet fixed.

Submitted by Ilia on Tue, 04/27/2021 - 04:25


Is there a problem because Debian now uses nftables?

Jamie, what do you think of using iptables-translate command to support nftables without extra hassle inside standard Linux Firewall module?

What value would that give us over just using iptables directly though?

IMHO, iptables-translate is just a way to convert iptables to nftables. Perhaps it has no bearing since Debian can still evidently use iptables. My Debian 10 is working with it. (I suppose that at some point iptables will be ignored in favor of nftables, but that may be near-future.)

My issue appears to be that, while Webmin can now accurately read and display the settings, I have to manually use nano to make the settings in /etc/iptables/rules.v4.

Is it just that Webmin does not know how to interact with rules.v4 and rules.v6?

Submitted by Ilia on Fri, 04/30/2021 - 17:57

Is it just that Webmin does not know how to interact with rules.v4 and rules.v6?

We just released Webmin 1.974 and it will fix this issue.

I'm (sort of) a newbie to Webmin/Virtualmin... How do I get Webmin to update automatically through the dashboard (and Virtualmin, for that matter)? My /etc/apt/sources.list contains this... Thanks!

more /etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu focal main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu focal-security main restricted universe multiverse
deb http://archive.canonical.com/ubuntu focal partner

deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable
# deb-src [arch=amd64] https://download.docker.com/linux/ubuntu focal stable

PS I also found this page that talks about installing via apt.

https://www.webmin.com/deb.html

  1. It talks about Debian. Is this correct for Ubuntu?
  2. Is it up to date? (For example, the copyright date at the bottom of the page is "© 2006-2016".)

Thanks!

Yes, it is odd that it does not upgrade with the rest of the updates waiting in the queue. However, you can select Webmin>Webmin Configuration>Upgrade Webmin to get the job done.

As to if it will work on ubuntu, I would suggest that the upgrade would be beneficial to all Debian-based offshoots. A little trial and error will tell you if you can now do what you wanted.

We can ignore the copyright date, as some programmers may forget to upgrade it.

I'm going to try mine now and see if things are working better.

Good luck, Buddy.

However, you can select Webmin>Webmin Configuration>Upgrade Webmin to get the job done.

Odd. I have two Webmin installations, both were on 1.973. One offered the Webmin>Webmin Configuration>Upgrade Webmin choice (a tile, with an upward arrow). Clicking it did in fact upgrade to Webmin 1.974 as desired.

The other Webmin instance (also 1.973) does not offer that Upgrade Webmin icon. Thoughts? Thanks.

Fascinating. I'm wondering which operating systems you are using.

The system that did offer the Webmin Upgrade is Ubuntu 18.04.5.

The system that did not offer that choice is Ubuntu 20.04.2

Well, I have Debian 10 and it did not offer the upgrade in the rest of the upgrades, but did offer it from Upgrade Webmin.

What we know for sure is that consistency is gained when all comparisons are of the same OS version. No one knows what the distro creators might do with the environment. They may even tweak the kernel.

You will find this in many places in the computer environment. We are always dealing with little niggling problems which refuse to be easily tracked down. One programmer's habits do not coincide with another's.

Submitted by Ilia on Mon, 05/03/2021 - 14:20

Please do not post to existing threads, with completely different topic.

The other Webmin instance (also 1.973) does not offer that Upgrade Webmin icon. Thoughts? Thanks.

https://github.com/virtualmin/virtualmin-gpl/issues/285

My /etc/apt/sources.list contains this... Thanks!

If you installed Virtualmin using the install.sh script, Virtualmin repos must be set in the following file:

/etc/apt/sources.list.d/virtualmin.list

I just did some configuration consolidation in the rules and found it configured correctly as displayed.

However, when I selected to activate at boot = Yes, and Apply Configuration, I got an error message that states "Failed to apply configuration : Failed to restart ip6tables.service: Unit ip6tables.service not found." That is weird because IPv6 is not involved.

Please keep in mind that the top of the screen shows: Change IP protocol version: with IPv4 highlighted, and Rules file /etc/iptables/rules.v4

Your thoughts?

Submitted by Ilia on Wed, 05/05/2021 - 04:39

Your thoughts? - Failed to restart ip6tables.service: Unit ip6tables.service not found." That is weird because IPv6 is not involved.

Something is trying to restart ip6tables.service, which was manually (and incorrectly) removed? Check for ip4tables.service or run a test search throughout all configs to get more details:

grep -Ril ip6tables /etc

Having upgraded to 1.974, I have some questions about the operation of the iptables firewall. I will start a new topic since this one's getting pretty long. Thanks!

The command results were that there was no such file or directory.

Are you taking into consideration the information in #3 of the original post?

Further problems with Webmin is that it sees the information in /etc/iptables/rules.v4, but translates it incorrectly.

Here is an example. The rule in the rules file shows:

*Accept all from NTP pool

-A INPUT -p udp -m udp -s 71.252.219.43,162.159.200.12 ,38.229.71.1,66.228.58.20 --deport 123 -j ACCEPT

Webmin shows: https://ibb.co/7gtrZtd

You will also find that when creating a rule with multiple IP addresses, the standard is to separate with a comma and no spaces, but Webmin wants a space and no commas.

PS: The interface looks great! Thanks.

Does anyone know when this issue will finally be resolved? Thanks.

@Jamie, @Ilia, is there anything I can do to help with this? Testing perhaps?

Regarding comment #50 - I tested, and multiple comma-separated IPs work fine in Webmin and are shown in the UI.

Is deport the correct flag though? Shouldn't it be dport ?

Yes, it should be dport. Sorry about the typo.

I know that I tried a number of different times. It did not take commas, but took spaces or carriage returns.

So I tried again. I set this:

71.252.219.43,38.229.71.1

and got this when I tried to save:

Failed to save rule : Missing or invalid source address or network

Then I tried this:

71.252.219.43 38.229.71.1

and then it saved. No comma and only a space.

Finally I tried this format:

71.252.219.43

CR

38.229.71.1

and it also saved just fine.

I also noticed that I could not find any way to set "-m state" and things like that. I believe this has to do with the extensions not being available from the iptables extra modules.

So it's expected that in the UI, addresses are space or newline separated. In the next release we'll allow commas as well though.

Thanks, Jamie. That's going to be solving a big confusion.

Now, I am not sure we need to worry about nftables, but perhaps that is coming down the road.

In any case, I believe you do need to make sure the stateful features set of conntrack, which as you know is the command for using the conntrack-tools or “connection tracking tools" tied into the iptables-extensions, is available for use.

When I imported my manually created rules, it saw my comments but not my rules sections for state or ctstate settings.

I hope that these will be included too so that we can use all the features of iptables.

There was a bug related to creation of conntrack rules that should be fixed in the 1.974 release, which should be available to Virtualmin users shortly.

Since 1.974 has just been released, did you mean 1.975?

No, I meant 1.974. Is the problem that Webmin is using the --state flag when it should be --cstate? If so, does this happen even for newly created rules?

That's a good question, but one you would be better able to answer.

Also, if something is missing in 1.974, how will 1.974 be upgraded? You do remember that it has already been released?

I did run across some information that may help and will post it soon.

I admit to being confused. Not because I can't understand, but because of the extremely poor documentation and syntax used in articles on the subject.

My current understanding is that we are forced to consider the use of iptables extensions to get things done as we wish. No doubt you understand that.

However, it appears that there is some confusion about the extensions as to their relationship to the connection tracking module, aka conntrack. The iptables-extensions man page shows conntrack as a subset. It also shows state as a subset, but then specifies that it is a subset of conntrack. Go figure.

Therefore, we need to know what each option does.

--state state can specify the second "state" as INVALID, ESTABLISHED, NEW, RELATED or UNTRACKED.

The --cstate does not exist in the man page, but --ctstate statelist does. In this case "statelist" uses INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED, SNAT or DNAT.

So, what I can determine is that one can use either/or and so Webmin must recognize them and categorize them appropriately.

Outside the man pages from netfilter.org, there is a nice discussion and explanation https://unix.stackexchange.com/questions/108169/what-is-the-difference-b...

With all that said, I strongly suggest that Webmin>Linux Firewall lists the iptables in this format. First, display the full pathname to the tables file. Second, show the name of the table. Then show from left to right, the rule details, including the details of the extensions.

@Ilia, It may be that I am incorrect in understanding the display. I do know that the Action column is way too wide, and I cannot resize it.

Maybe you put everything into the Condition column. That's fine if everything is there.

I do know that the Move and Add columns can be eliminated in favor of a move or add option at the bottom which would apply to the row selected.

In my case, the display shows: If protocol is UDP and source is 71.252.219.43/32 and destination port is 123 Accept all from NTP pool

The funny thing is that the Action is Do Nothing, which is not what the file says.

Submitted by Ilia on Fri, 05/14/2021 - 13:39

Do you get the same problem using Gray Theme?

How can I reproduce an issue? Can you provide a screenshot?

Here's the screenshot. I used the framed grey theme as you mentioned, instead of the default one. It looked basically the same either way. Hope it is what you wanted. https://ibb.co/MC8TSDd

There really is no way to change the width of the columns to make them more useful.

Thanks for looking at it.

Regarding the --state and --ctstate flags - Webmin tries to select the right one based on your kernel version.

What does the uname -r command output on your system?

Really? That is very neat. Does it use a table or a range of settings? What about distro version differences?

Another thing I can't figure out is when something is using iptables or nftables. Or if it is using iptables-persistent or nftables-persistent. Isn't one built in to the kernel by default, i.e. nftables-persistent in Debian 10?

Mine is: 4.19.0-16-amd64

Ok, with that kernel version, Webmin should be only using the --ctstate flag and not --state

So if I use --state, am I doing it wrong for your program?

I have learned that nftables keeps its tables in /etc/nftables.conf, whereas iptables are found in /etc/iptables/, if iptables-persistent is used. That must make it necessary for you to search two places.

In any case, I understand your programming problems with regard to that. I do not know about you, but logic would therefore say to check for /etc/iptables/ first. If it exists, then Webmin falls back to iptables mode. Else, go with nftables and assume nftables-persistent exists.

If iptables-persistent exists, it alone would not be a good test because it might not have been used to create /etc/iptables/ yet.

If iptables, then conntrack is optional and only used if the rules.v4 and rules.v6 showed references to it or the rest of the extensions.

If nftables, then conntrack is in the kernel by default. However, Debian 10 has nftables and conntrack on by default, and still offers iptables-legacy, or so I understand.

With that said, both --state and --ctstate are active as legitimate options at all times.

As to the display, I suggest a change to show the basic important things for which the user will be looking: First, place the default policy at the top of the chain. Second, make the action column fit only the widest word option. Third, expand Condition column to include space released from above change. Fourth, include all conditions, not just some. For instance, you are not displaying RELATED or ESTABLISHED rules.

I am using Debian 9 with Webmin 1.974. and iptables v1.6.0

The firewall module still does not work properly. I can neither apply changes nor set the configuration to be applied at boot time.

When I try to apply the changes I get the following error message in Webmin: "Failed to apply configuration : Failed to restart iptables.service: Unit iptables.service not found."

When I try to set Activate at boot to Yes I get: "Bootup action iptables does not exist"

When I change the option "Always start firewall from init script on Debian" to Yes in the global options, then the rules file changes to /etc/iptables/rules.v4 and I get: "Failed to apply configuration : Failed to restart ip6tables.service: Unit ip6tables.service not found." and "Bootup action ip6tables does not exist"

For ipv6 the rules file remains at /etc/ip6tables.up.rules

Same problem here like r4p70r has when applying rules: "Failed to restart iptables.service: Unit iptables.service not found."

cat /etc/debian_version

10.9

dpkg -l | grep webmin

ii webmin 1.974

Tried to install netfilter-persistent but didn't help.

Ilia, that was the issue I asked about earlier and got no explanation. If the current one is 1.974, why would there be another with the same version number?

Submitted by Ilia on Mon, 05/24/2021 - 14:01

Ilia, that was the issue I asked about earlier and got no explanation. If the current one is 1.974, why would there be another with the same version number?

What would be another with the same version number?

Comment #10 goes from 1.973 to 1.974. Comment #57 seems to indicate a new update. Comment #58 points out that we already had 1.974. Comment #73 says there is another fix. 1.975?

Submitted by Ilia on Mon, 05/24/2021 - 14:44

Comment #73 refers to the following -

Same problem here like r4p70r has when applying rules: "Failed to restart iptables.service: Unit iptables.service not found."

But you said "next". Do you mean 1.945?

Submitted by Ilia on Mon, 05/24/2021 - 15:34

The next Webmin version is planned to be 1.975.

So the problems still existing with the iptables will be included in that version?

Submitted by Ilia on Mon, 05/24/2021 - 15:38

So the problems still existing with the iptables will be included in that version?

I am sorry, but which problem are you talking about exactly? I expect that Jamie addressed all known issues. I haven't tested.

What Webmin version are you on at the moment? Did you try applying the linked patch/patches and see if that addresses your issue exactly?

I am on 1.974.

From #27: When I went to use the iptables editing, I found I could not combine multiple IP addresses in one rule.

When I went to apply my IPv4 rules, I got the error: Failed to apply configuration : Failed to restart ip6tables.service: Unit ip6tables.service not found.

From #32-36: I am confused about iptables versus nftables.

From #46: Evidently there is a problem with a cross issue between v4 and v6. These should be separate at all times.

From #50, 54: Incorrect layout.

From #55: Next release mentioned. Assume 1.975.

From #70: Can you do anything about the layout?

@Ilia, I should first have asked you if you are working on the Webmin interface? Particularly how it displays the netfilter rules. (As that was regarding my references to #50 and #70 above.)

Submitted by Ilia on Tue, 05/25/2021 - 18:13

I am also working on the UI, yes. I remember in the past I made some patches to display a large number of IPs nicely for the Firewall module. I am not sure, perhaps that is the problem? If you switch to Gray Theme do you get different output?

Could you just attach the list of rules which I could easily load and try it out?

Speaking about splitting on the comma, I saw a few days ago that Jamie made a commit in this regard, but I am not sure if that is related. The same about the --state option.

If you are an advanced user could you just grab from Webmin Git repo firewall directory and try it out locally? I assume that most issues you're talking about were addressed by Jamie already.

Well, as a preface to the whole issue, I understand that the format of nftables rules is different from iptables rules, so that will require an automated choice of display formats.

With that said, the fact is that I cannot see the details of each iptables rule on a line by line basis as Webmin currently displays it. (I do not want to go into nftables, as I do not understand that format yet.)

Here is a list of some rules to try:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [22:1581]
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -m comment --comment "Accept all loopback interface" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Accept all having a matching outgoing connection" -j ACCEPT
-A INPUT -s 71.252.219.43/32 -p udp -m udp --dport 123 -m comment --comment "Accept all from NTP pool"
-A INPUT -s 162.159.200.123/32 -p udp -m udp --dport 123 -m comment --comment "Accept all from NTP pool"
-A INPUT -s 38.229.71.1/32 -p udp -m udp --dport 123 -m comment --comment "Accept all from NTP pool"
-A INPUT -s 66.228.58.20/32 -p udp -m udp --dport 123 -m comment --comment "Accept all from NTP pool"
-A INPUT -s 199.180.220.89/32 -p udp -m udp --dport 5060:5080 -m comment --comment "Accept from SIP provider" -j ACCEPT
-A INPUT -s 199.180.220.91/32 -p udp -m udp --dport 5060:5080 -m comment --comment "Accept from SIP provider" -j ACCEPT
-A INPUT -s 208.89.104.3/32 -p udp -m udp --dport 5060:5080 -m comment --comment "Accept from SIP provider" -j ACCEPT
-A INPUT -s 45.33.71.83/32 -p udp -m udp --dport 5060:5080 -m comment --comment "Accept from SIP provider" -j ACCEPT
-A INPUT -s 45.33.70.196/32 -p udp -m udp --dport 5060:5080 -m comment --comment "Accept from SIP provider" -j ACCEPT
-A INPUT -s 157.230.238.197/32 -p udp -m udp --dport 5060:5080 -m comment --comment "Accept from SIP provider" -j ACCEPT
-A INPUT -s 45.55.33.77/32 -p udp -m udp --dport 5060:5080 -m comment --comment "Accept from SIP provider" -j ACCEPT
-A INPUT -s 199.180.223.109/32 -p udp -m udp --dport 5060:5080 -m comment --comment "Accept from SIP provider" -j ACCEPT
COMMIT

These are from a current iptables, and in Webmin they look like this screenshot: https://ibb.co/qdKkSdC https://ibb.co/YT6fw5b

Please note that the layout is not matching the items and does not have the correct settings for each rule.

I would also say to get rid of Webmin>Networking>Linux IPv6 Firewall. It is already under Linux Firewall by just selecting a button at the top for IPv6. No need to confuse things.

Yes, I too am not sure if the next release will fix the comma, space, line return option

Yes, I am an advanced user, but unfamiliar with your processes. I can do anything if someone simply tells me the specific steps to take, and I will be able to recognize results and offer feedback.

Thank you.

That should have been: -A INPUT -s 192.168.1.0/24 -j ACCEPT

-A INPUT -i lo -m comment --comment "Accept all loopback interface" -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Accept all having a matching outgoing connection" -j ACCEPT

-A INPUT -s 71.252.219.43,162.159.200.123,38.229.71.1,66.228.58.20 -p udp -m udp --dport 123 -m comment --comment "Accept all from NTP pool"

-A INPUT -s 199.180.220.89, 199.180.220.91,208.89.104.3,45.33.71.83, 45.33.70.196,157.230.238.197,45.55.33.77,199.180.223.109 -p udp -m udp --dport 5060:5080 -m comment --comment "Accept from SIP provider" -j ACCEPT

This is so much simpler and cleaner.

Regarding comment #85 - if the active rules and what you see in webmin are totally different, are you sure webmin is looking at the correct config file?

The user would have no control over that. Webmin does what it does.

Ok, let's look at some specific rules from your screenshot .. for example :

-A INPUT -s 71.252.219.43/32 -p udp -m udp --dport 123 -m comment --comment "Accept all from NTP pool"

I don't see a -j accept in there, so it's unclear why this would cause iptables to accept matching traffic?

Bloody hell, Jamie. You are correct. How the heck did that happen? Now I have to go over everything again. Something did not get copied correctly or formatted correctly initially.

I'll try again and see what happens.

By the way, that must be why the Webmin display shows "Do nothing".

Yeah, if there's no -j action, Webmin assumes that the rule doesn't block or accept the packet.
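Putting Jamie's point (a rule with no -j target matches but does nothing) together with the --state versus --ctstate question and the iptables-restore -t check from earlier in the thread, as an added example that is not Webmin code: a shell script that audits an iptables-save style file such as the one posted above before it is handed to iptables-restore. The audit rules are my own heuristics; the "no-target" and "legacy-state" labels and the --check option are assumptions introduced for this example, and the final kernel-side check needs root and a real iptables, so it is skipped elsewhere.

```shell
#!/bin/sh
# Added example, not Webmin code: static checks on an iptables-save style
# rules file (e.g. /etc/iptables/rules.v4) before it is loaded.

# chain_policies FILE
#   Prints "<chain> <policy>" for each chain header such as ":INPUT DROP [0:0]",
#   i.e. the default policy that applies when no rule in the chain matches.
chain_policies() {
    awk '/^:/ { sub(/^:/, "", $1); print $1, $2 }' "$1"
}

# audit_rules_file FILE
#   One line per finding, "<line>: <kind>: <rule>":
#     no-target     the -A rule has neither -j nor -g, so it matches but does
#                   nothing (this is what Webmin shows as "Do nothing")
#     legacy-state  the rule uses "-m state --state"; "-m conntrack --ctstate"
#                   is the current match and accepts the same state names
#   Returns 0 when there are no findings, 1 otherwise.
audit_rules_file() {
    awk '
        /^-A / {
            has_target = 0
            for (i = 1; i <= NF; i++)
                if ($i == "-j" || $i == "-g") has_target = 1
            if (!has_target) { printf "%d: no-target: %s\n", NR, $0; bad++ }
            if ($0 ~ /-m state --state/) { printf "%d: legacy-state: %s\n", NR, $0; bad++ }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# fix_state_match FILE
#   Writes FILE to stdout with the legacy state match rewritten to conntrack.
#   The state names (NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED) are
#   unchanged, which is why a plain substitution is enough.
fix_state_match() {
    sed 's/-m state --state /-m conntrack --ctstate /g' "$1"
}

# kernel_check FILE
#   Final check, as done earlier in the thread: ask iptables-restore to parse
#   and test the file without committing it. Needs root and a real iptables;
#   skipped (with a note) otherwise.
kernel_check() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore -t "$1"
    else
        echo "kernel_check skipped: needs root and iptables-restore" >&2
        return 0
    fi
}

# Usage: sh audit.sh --check /etc/iptables/rules.v4
case "${1:-}" in
    --check)
        chain_policies "$2"
        audit_rules_file "$2" || echo "fix the findings above before loading" >&2
        kernel_check "$2"
        ;;
esac
```

Run against the rules posted above, the four NTP lines come back as no-target and the RELATED,ESTABLISHED line as legacy-state; after fix_state_match only the four no-target findings remain, and adding -j ACCEPT to those is the actual fix.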

Yeah, what it says on those is "Do nothing".

I still have this problem on Ubuntu 20.04 and 16.04 with the latest Webmin 1.974. When I click Apply Configuration in the firewall module it gives: Failed to apply configuration : Failed to restart iptables.service: Unit iptables.service not found.

Submitted by PatriceJ on Thu, 06/03/2021 - 13:17

Hello Debian 10.9 Webmin 1.974

I just upgraded the server and I cannot apply iptables 4 rules I get "Failed to apply configuration : Failed to restart iptables.service: Unit iptables.service not found. "

Same to have it run at boot, I get "Bootup action iptables does not exist"

Iptables rules are active because they are launched via the network/interface file at start. post-up iptables-restore < xxxxx

I see that in #73 issue is fixed on next update, is this on 1.975 ? or was supposed to be fixed in 1.974?

If 1.975, how can we get it, as right now the highest version proposed is 1.974?

Thank you

From what I can determine, we are awaiting the release of 1.975. At that point, we will see how things shake out before we test it again for ourselves. I am sure Jamie is working on that release now.

Please note that while I share the error you guys found, mine is a little different as mentioned before:

Failed to apply configuration : Failed to restart ip6tables.service: Unit ip6tables.service not found.

As you know, and as I've pointed out before, Debian 10 uses nftables by default, but accommodates iptables. However, we must remember that they are two separate systems which are trying to use some crossover in the available services.

While nftables is automatically persistent by original programming, iptables is not. It therefore appears to need iptables-persistent installed. During or after the installation, one must perform a save function to create the /etc/iptables/ directory and save the settings there in files rules.v4 and rules.v6.

Webmin creates a file /etc/iptables.up.rules. (I do not know when it does this.) nftables has its info in /etc/nftables.conf. Which is used by Webmin, and how does it know which to choose? I am unclear about that.

At least, that's how I understand it now.

Here is an interesting and specific issue related to this subject. In my /etc/iptables/rules.v4, my third line states:

-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Accept all having a matching outgoing connection" -j ACCEPT

In Webmin, that same line reads:

Action   Condition   Comment
Accept   Always      Accept all having a matching outgoing connection.

Not only is that not very descriptive, but is wrong in a basic sense.

Ilia, IMHO part of this problem has to do with layout.

OK, I see the bug that causes that - it will be fixed in the next release.

Thank you, Jamie. I look forward to the next release.

By the way, does Condition = Always actually mean "All Ways", as in all ports, protocols, addresses, etc.?

Yes, it means that the rule will match all packets.

Thanks for that, Jamie.

As you probably have thought about, it is nice if the GUI does some interpretation to put things into simple English usage. IMHO, regardless of what iptables or nftables does, it is preferable to say what is actually meant.

Maybe this is something that Ilia can address, but I would like to see something like "All Ways", or "All Ports", or "All Protocols", or "All IP's", just to be more specific as to what a given rule is allowing. Otherwise, I am not sure what information "Condition" is providing.

This might be handled by something as simple as a few If/Then statements in the programming?

Does that make sense?

Thanks.

Maybe if the condition said "All traffic" or something like that?

Great idea. I totally agree with you. (That's why good ideas come from many minds.)

So if it was only partial, it might display something like: "All traffic on UDP" "All traffic on ports 5060-5060" "All traffic from 192.167.1.25" or similar ideas.

Is this too much programming?

Okay, I was surprised to learn that a new Webmin was available. Woo hoo! Thank you, Jamie.

I look forward to trying it out this week.

What really surprised me was that the version jumped a few, from 1.974 to 1.979. Wow! Why the big jump?

@Jamie, I loaded the latest version and tried to set up a ruleset. They worked flawlessly.

After creating the rules, I selected to Apply Configuration. I then selected Activate at boot.

Next I rebooted the server. However, when I ran sudo iptables -L, there were no items present. But it said that there were some under legacy. So I ran sudo iptables-legacy -L and got a strange listing that did not match my entries.

For one thing, it listed the IP addresses as domain names. Translation seems like a mistake. IP addresses don't need translation. I think this is a problem related to iptables-legacy in Raspbian.

Another thing is that it should have displayed from iptables and not iptables-legacy. Since Webmin created /etc/iptables.up.rules, it should have displayed the file with the command sudo iptables -L.

When iptables is set up to persist, iptables-persistent creates /etc/iptables/rules.v4 and /etc/iptables/rules.v6. Shouldn't Webmin have used that method since nftables does not exist?

BTW, restarting Webmin does show that the rules are still correct after the server reboot. I remain confused as to what to expect from the server commandline.

Listing the rules with IPs is expected, because hostnames get resolved to IPs when the rules are loaded into the kernel.

But, Jamie, wasn't that my point? Why are the IP addresses being converted to hostnames and then saved in the file? They then have to be converted back to IP addresses to be useful. I definitely entered them as IP addresses. Was it Webmin that did the unnecessary conversion?

Oh I see - that conversion must be done by the iptables command, via a reverse lookup.

Since in the kernel the rules are only stored as IPs, we don't know if they were originally entered as an IP or a hostname.

Jamie, I always look up hostnames and enter them as their appropriate IP addresses. I found that the iptables -L command does a reverse lookup, as you surmised. One must use the -n option with it so as to suppress that function. Also, I failed to actually view the /etc/iptables.up.rules file which showed the IP addresses as they should be. My mistake. Webmin does correctly view and display it. Many thanks for a job well done.

@Ilia, the latest version of Webmin has lost the comments column. Was that intentional?

Submitted by Ilia on Tue, 06/29/2021 - 07:35

@Ilia, the latest version of Webmin has lost the comments column. Was that intentional?

Not at all. I assume that you have mistakenly disabled comments in Linux Firewall ⇾ Configuration: Configurable global options with Display comment in rules list option set to No.

It was unchecked. Thanks for that. However, I did not do it, as I had no reason to do so that I can imagine. Strange.

By the way, is there a way to improve the column layout? The Action column is way too wide and needs shrinking. The other two need to be expanded to the left. Even the Move column can be shrunk slightly to the right.

I'd also like to remind you to get rid of the separate menu item for Linux IPv6 Firewall since it is redundant. All one has to do is select the button at the top of the Linux Firewall page to see the same thing.

What do you think?

Thank you.

Good suggestion, I'll remove that redundant version switcher.