Webmin Linux Firewall gives incorrect information when using iptables-persistent

I love Webmin - it makes admin'ing my VPS so easy. But I have had trouble using the Linux Firewall page. I wonder if Webmin is not compatible with iptables-persistent. There are several problems:

  1. After installing (with apt install iptables-persistent) the Linux Firewall page shows that the iptables files are saved in /etc/iptables.up.rules and /etc/ip6tables.up.rules. This is not correct - they're saved in /etc/iptables/rules.v4 and /etc/iptables/rules.v6.

  2. The Activate at boot control doesn't work. a) If I click Yes, then click Activate at boot, then reboot the system, the "No" button is checked again. b) The iptables rules are not reloaded - I get a default set of rules.

  3. The list of rules displayed does not match the active set (from /etc/iptables/rules.v4 and /etc/iptables/rules.v6). It may be the leftover rules from /etc/iptables.up.rules and /etc/ip6tables.up.rules.

  4. The help text (top of the page, second button from the left) speaks of "ipi(6)tables" - I suspect this should be "ip(6)tables"...

How can I make the Webmin page reflect the actual state of my iptables? Many thanks.

PS I also want to say something nice: Since I have chosen not to use firewalld, I removed it with sudo apt purge firewalld. Webmin DOES give a good diagnostic message if I click FirewallD (It says, "The FirewallD module cannot be used : The FirewallD control command firewall-cmd was not found on your system").

Status: Needs review
Virtualmin version: 6.14
Webmin version: 1.962

Comments

This could be an issue with Webmin's detecting of your Linux version.

What output do you get if you run grep os_ /etc/webmin/config ?

$ grep os_ /etc/webmin/config
os_type=debian-linux
os_version=11.0
real_os_type=Ubuntu Linux
real_os_version=20.04.1

Thanks!

NB: lsb_release shows I'm on 20.04.2...:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:    20.04
Codename:   focal

Yet another update:

  • Webmin called for a bunch of package upgrades, including Webmin (to 1.973) and Virtualmin (to 6.15)
  • I allowed those to proceed. In so doing...
  • Webmin noticed that I'm actually on 20.04.2, and so I clicked the "Update version" or whatever it's called
  • Now the dashboard shows 20.04.2
  • Linux Firewall still shows the rules in the incorrect location /etc/iptables.up.rules

$ grep os_ /etc/webmin/config
os_version=11.0
real_os_type=Ubuntu Linux
os_type=debian-linux
real_os_version=20.04.2

Did the latest Ubuntu release change the location of those config files? Virtualmin currently only looks in /etc/iptables.up.rules rather than /etc/iptables/rules.v4

I frankly have no idea. (There doesn't seem to be a lot of documentation here...)

I do know that, after I installed iptables-persistent, my rules are being saved in /etc/iptables/rules.v4... (That's the set of rules that are being installed after a reboot...)

Update: I know more now... iptables-persistent seems to have a configuration file in /etc/default/netfilter-persistent with "plugins" in /usr/share/netfilter-persistent/plugins.d/ The "plugin" file 15-ip4tables (below) does refer to the /etc/iptables/rules.v4 file... How could Webmin figure this out? Many thanks.

/etc/default/netfilter-persistent

# Configuration for netfilter-persistent
# Plugins may extend this file or have their own

FLUSH_ON_STOP=0

# Set to yes to skip saving rules/sets when netfilter-persistent is called with
# the save parameter
# IPTABLES_SKIP_SAVE=yes
# IP6TABLES_SKIP_SAVE=yes
# IPSET_SKIP_SAVE=yes

and plugins are saved in /usr/share/netfilter-persistent/plugins.d/:

/usr/share/netfilter-persistent/plugins.d/

ls -al /usr/share/netfilter-persistent/plugins.d/
total 16
drwxr-xr-x 2 root root 4096 Mar 17 07:39 ./
drwxr-xr-x 3 root root 4096 Mar 17 07:39 ../
-rwxr-xr-x 1 root root 2024 Sep 13  2019 15-ip4tables*
-rwxr-xr-x 1 root root 1983 Sep 13  2019 25-ip6tables*

/usr/share/netfilter-persistent/plugins.d/15-ip4tables

The plugin file 15-ip4tables looks like this. 25-ip6tables looks similar, although I didn't check it carefully:

#!/bin/sh

# This file is part of netfilter-persistent
# (was iptables-persistent)
# Copyright (C) 2009, Simon Richter 
# Copyright (C) 2010, 2014 Jonathan Wiltshire 
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation, either version 3
# of the License, or (at your option) any later version.

set -e

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Source configuration
if [ -f "/etc/default/netfilter-persistent" ]; then
    . /etc/default/netfilter-persistent
fi

load_rules()
{
    #load IPv4 rules
    if [ ! -f /etc/iptables/rules.v4 ]; then
        echo "Warning: skipping IPv4 (no rules to load)"
    else
        iptables-restore < /etc/iptables/rules.v4
    fi
}

save_rules()
{
    if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
        touch /etc/iptables/rules.v4
        chmod 0640 /etc/iptables/rules.v4
        iptables-save > /etc/iptables/rules.v4
    fi
}

flush_rules()
{
    TABLES=$(iptables-save | sed -E -n 's/^\*//p')
    for table in $TABLES
    do
        CHAINS=$(iptables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p')
        for chain in $CHAINS
        do
            # policy can't be set on user-defined chains
            iptables -t $table -P $chain ACCEPT || true
        done
        iptables -t $table -F
        iptables -t $table -Z
        iptables -t $table -X
    done
}

case "$1" in
start|restart|reload|force-reload)
    load_rules
    ;;
save)
    save_rules
    ;;
stop)
    # Why? because if stop is used, the firewall gets flushed for a variable
    # amount of time during package upgrades, leaving the machine vulnerable
    # It's also not always desirable to flush during purge
    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
    ;;
flush)
    flush_rules
    ;;
*)
    echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
    exit 1
    ;;
esac
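One way a tool could locate the rules file the netfilter-persistent plugin really loads (the question "How could Webmin figure this out?") and then check that file against the live ruleset (the mismatch described in problem 3), as an added example that is not Webmin's or netfilter-persistent's own code: it reads the iptables-restore line from 15-ip4tables above, falls back to the legacy /etc/iptables.up.rules, and compares saved and running rules with counters and timestamps stripped. ROOT is an assumed prefix so the check can be run against a copied tree.

```sh
#!/bin/sh
# Added example, not part of Webmin or netfilter-persistent.
# ROOT is an assumed prefix (empty for the real system) so the detection
# can be exercised against a copied directory tree.
ROOT="${ROOT:-}"

# Print the rules file named on the iptables-restore line of the IPv4
# plugin; fall back to the legacy path Webmin currently assumes.
detect_rules_file() {
    plugin="$ROOT/usr/share/netfilter-persistent/plugins.d/15-ip4tables"
    if [ -f "$plugin" ]; then
        f=$(sed -n 's/.*iptables-restore *< *\([^ ]*\).*/\1/p' "$plugin" | head -n 1)
        [ -n "$f" ] && { echo "$ROOT$f"; return 0; }
    fi
    echo "$ROOT/etc/iptables.up.rules"
}

# Reduce iptables-save output to comparable lines: drop the "# Generated"
# and "# Completed" comment lines and the per-chain [packets:bytes] counters,
# which differ on every save without changing the policy.
normalize_rules() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# Compare a saved rules file with a file holding live iptables-save output.
# Returns 0 if they match, 1 if they differ, 2 if the saved file is missing.
rules_in_sync() {
    saved="$1"; live="$2"
    [ -f "$saved" ] || return 2
    a=$(normalize_rules "$saved")
    b=$(normalize_rules "$live")
    [ "$a" = "$b" ]
}

# Run the check against the real system: ./check.sh --live (as root).
check_live() {
    tmp=$(mktemp)
    iptables-save > "$tmp"
    file=$(detect_rules_file)
    rc=0; rules_in_sync "$file" "$tmp" || rc=$?
    rm -f "$tmp"
    case "$rc" in
        0) echo "$file matches the live ruleset" ;;
        1) echo "$file DIFFERS from the live ruleset" ;;
        *) echo "$file not found; the live ruleset is not persisted there" ;;
    esac
    return "$rc"
}

if [ "${1:-}" = "--live" ] && [ "$(id -u)" = 0 ]; then
    check_live
fi
```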

Thanks, that's useful... I didn't have the iptables-persistent command installed on my test system. I'll give that a shot.

NB: I am using iptables (and iptables-save, and iptables-restore) 1.8.4. Thanks!

$ iptables --version
iptables v1.8.4 (legacy)

Ok, the next release of Webmin will support this configuration properly.

I just wanted to mention that I also have this problem on Debian 10. From what I can tell, it is now netfilter-persistence. To get started one can run "sudo service netfilter-persistent save". Still Webmin does not see these settings.

I hope this helps.

Does this help you, Jamie? The command appears to be:

sudo service netfilter-persistent save

which returns:

[….] Saving netfilter rules...run-parts: executing /user/share/netfilter-persistent/plugins.d/15-ip4tables save

run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save

done.

sudo systemctl status netfilter-persistent

shows that the system loads:

/user/share/netfilter-persistent/plugins.d/15-ip4tables

/usr/share/netfilter-persistent/plugins.d/25-ip6tables

as it stated before.

So right now I have Webmin able to Activate at boot - Yes. However, applying any rules makes no difference to the tables. Therefore doing anything with them thru Webmin is non-functional.

Thanks for your efforts.

Next boot up I noticed error:

Iptables failed to load, or words to that effect. Used systemctl status webmin.iptables.service to check it out.

Unit webmin.iptables.service could not be found

Unit service.service could not be found

So I just turned off Activate at boot and we're back to the way it was.

Thanks.

These issues should all be fixed in Webmin 1.974

Thank you, Jamie. It is very much appreciated.

These issues should all be fixed in Webmin 1.974

Thanks!

How soon will this be available from the Webmin GUI dashboard? (I clicked "Refresh Available Packages" and it's not listed.) Thanks again...

Submitted by Ilia on Mon, 04/05/2021 - 13:53

We should release the next Webmin, 1.974, within the next week.

If you feel comfortable, you could try applying the relevant patch and see if it works for you.

Cool! I'll wait for the official update