| SYSTEM INFORMATION | |
|---|---|
| OS type and version | Ubuntu 22.04 |
| Virtualmin version | 7.9.0 |
Hello all,
I have problems accessing ::1 ports and I guess it’s related to my iptables-issue.
spamd wasn’t able to connect to [::1]:783, which has been solved by running it solely on 127.0.0.1 but there are other issues, like dccproc operations not permitted from/to ::1 and finally not being able to even ping to IPv6 localhost.
Obviously there are iptables-legacy policies active:

```
sudo iptables -S
# Warning: iptables-legacy tables present, use iptables-legacy to see them
....
```

```
sudo iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
```

```
sudo iptables -V
iptables v1.8.7 (nf_tables)
```

Same result with ip6tables.
I wonder where they come from. I read that Ubuntu 22.04 comes with nftables as standard, but the package is not even installed? Is that due to the Virtualmin installation and its dependencies?
Firewalld is coming up correctly and the iptables rules are set without issues. But when I restart firewalld it throws errors:

```
ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.7 (nf_tables):
line 5: CHAIN_USER_DEL failed (Device or resource busy): chain FORWARD_direct
line 5: CHAIN_USER_DEL failed (Device or resource busy): chain INPUT_direct
line 5: CHAIN_USER_DEL failed (Device or resource busy): chain OUTPUT_direct
ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.7 (nf_tables):
line 5: CHAIN_USER_DEL failed (Device or resource busy): chain FORWARD_direct
line 5: CHAIN_USER_DEL failed (Device or resource busy): chain INPUT_direct
line 5: CHAIN_USER_DEL failed (Device or resource busy): chain OUTPUT_direct
ERROR: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.7 (nf_tables):
line 5: CHAIN_USER_DEL failed (Device or resource busy): chain OUTPUT_direct
line 5: CHAIN_USER_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 5: CHAIN_USER_DEL failed (Device or resource busy): chain PREROUTING_direct
ERROR: COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.7 (nf_tables):
line 5: CHAIN_USER_DEL failed (Device or resource busy): chain OUTPUT_direct
line 5: CHAIN_USER_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 5: CHAIN_USER_DEL failed (Device or resource busy): chain PREROUTING_direct
```

So everything is hinting at these policies. How do I solve that?
The network settings seem to be fine, as far as I can tell:

```
ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 34318 bytes 28874753 (28.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34318 bytes 28874753 (28.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
venet0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP> mtu 1500
inet 127.0.0.1 netmask 255.255.255.255 broadcast 0.0.0.0 destination 127.0.0.1
inet6 1234:456:7890:1234:5678:9012:3456:7890 prefixlen 128 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 0 (UNSPEC)
RX packets 31583 bytes 9964873 (9.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 45565 bytes 25059155 (25.0 MB)
TX errors 0 dropped 4 overruns 0 carrier 0 collisions 0
venet0:0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP> mtu 1500
inet 12.34.56.78 netmask 255.255.255.255 broadcast 12.34.56.78 destination 12.34.56.78
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 0 (UNSPEC)
```
I already checked update-alternatives for iptables and got rid of the reference to iptables-legacy:

```
sudo update-alternatives --display iptables
iptables - automatischer Modus
beste Version des Links ist /usr/sbin/iptables-nft
Link verweist zur Zeit auf /usr/sbin/iptables-nft
Link iptables ist /usr/sbin/iptables
Slave iptables-restore ist /usr/sbin/iptables-restore
Slave iptables-save ist /usr/sbin/iptables-save
/usr/sbin/iptables-nft - Priorität 20
Slave iptables-restore: /usr/sbin/iptables-nft-restore
Slave iptables-save: /usr/sbin/iptables-nft-save
```
There are files iptables.up.rules and ip6tables.up.rules in /etc which are obviously generated by webmin. I renamed them but iptables.up.rules is back when rebooting.
I tend to save the rules, flush and restore them, as the non-legacy rules seem to also include the basic policies.
Something like:

```
sudo iptables-save > iptables-save.txt
sudo ip6tables-save > ip6tables-save.txt
sudo iptables-legacy-save > iptables-legacy-save.txt
sudo ip6tables-legacy-save > ip6tables-legacy-save.txt
sudo iptables -F
iptables-restore < iptables-save.txt
ip6tables-restore < ip6tables-save.txt
```
But I’m actually afraid to do that…
The questions are:
- Is this a valid approach or will this wreck my setup and force a restore?
- Where is this coming from? I don’t remember messing with the rules at all
- Does anybody know how to approach that?
I really want to get rid of the warning and the issues I have with localhost ipv6.
Help would really be appreciated!
Thanks in advance and best regards!
Christian
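The save-then-clear procedure sketched in the post is safest when you first confirm that the legacy tables are actually empty (no rules, all built-in policies ACCEPT), because that is the case where clearing them silences the "iptables-legacy tables present" warning without changing what is filtered. The following script is an added example, not from the original post or from Virtualmin: it backs up every ruleset the post mentions and audits `iptables-legacy-save` output before suggesting a flush; the function names and the two sample dumps are constructed here.

```shell
#!/bin/sh
# Added example (not from the post): audit legacy tables before clearing them.

# dump_has_rules DUMP: exit 0 if the iptables-save style text holds at least
# one rule line, i.e. anything that is not a comment, *table, :chain policy,
# COMMIT or a blank line.
dump_has_rules() {
  printf '%s\n' "$1" | grep -Eqv '^(#|\*|:|COMMIT[[:space:]]*$|[[:space:]]*$)'
}

# dump_policies_all_accept DUMP: exit 0 if every ':CHAIN POLICY [p:b]' line
# carries ACCEPT (user-defined chains show '-' and are tolerated).
dump_policies_all_accept() {
  printf '%s\n' "$1" | grep '^:' |
    awk '$2 != "ACCEPT" && $2 != "-" { bad = 1 } END { if (bad) exit 1; exit 0 }'
}

# legacy_dump_safe_to_clear DUMP: exit 0 when flushing would filter nothing
# differently (no rules, every built-in chain already ACCEPT).
legacy_dump_safe_to_clear() {
  ! dump_has_rules "$1" && dump_policies_all_accept "$1"
}

# backup_rulesets DIR: save nft-backed and legacy rulesets before any change.
backup_rulesets() {
  mkdir -p "$1"
  for tool in iptables ip6tables iptables-legacy ip6tables-legacy; do
    command -v "$tool-save" >/dev/null 2>&1 || continue
    "$tool-save" > "$1/$tool-save.txt"
  done
}

# Constructed sample dumps: the first mirrors what the post shows for
# iptables-legacy -S, the second is a table that must not be cleared blindly.
SAMPLE_EMPTY='# Generated by iptables-legacy-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
SAMPLE_RULED='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

# Only touch the live host when root and the legacy tooling is present.
if [ "$(id -u)" -eq 0 ] && command -v iptables-legacy-save >/dev/null 2>&1; then
  backup_rulesets "/root/fw-backup-$(date +%Y%m%d-%H%M%S)"
  for tool in iptables-legacy ip6tables-legacy; do
    dump="$("$tool-save" 2>/dev/null)"
    if legacy_dump_safe_to_clear "$dump"; then
      echo "$tool: empty and all ACCEPT; clearing with '$tool -F; $tool -X' is safe"
    else
      echo "$tool: has rules or non-ACCEPT policies; review the backup before clearing"
    fi
  done
fi
```

Run it as root once to get a backup directory and a verdict per legacy tool; anything other than "safe" means the legacy tables are doing real filtering and should be migrated rather than flushed.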