Can't connect to ::1 & iptables-legacy policies active

SYSTEM INFORMATION
OS type and version Ubuntu 22.04
Virtualmin version 7.9.0

Hello all,

I have problems accessing ::1 ports and I guess it’s related to my iptables issue.

spamd wasn’t able to connect to [::1]:783, which has been solved by running it solely on 127.0.0.1 but there are other issues, like dccproc operations not permitted from/to ::1 and finally not being able to even ping to IPv6 localhost.

Obviously there are iptables-legacy policies active:

sudo iptables -S
# Warning: iptables-legacy tables present, use iptables-legacy to see them
....

sudo iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

sudo iptables -V
iptables v1.8.7 (nf_tables)

Same result with ip6tables.

I wonder where they come from. I read that Ubuntu 22.04 comes with nftables as standard, but the package is not even installed? Is that due to the Virtualmin installation and dependencies?

Firewalld is coming up correctly and the iptables are set without issues. But when I restart firewalld it throws errors:

 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.7 (nf_tables):
 line 5: CHAIN_USER_DEL failed (Device or resource busy): chain FORWARD_direct
 line 5: CHAIN_USER_DEL failed (Device or resource busy): chain INPUT_direct
 line 5: CHAIN_USER_DEL failed (Device or resource busy): chain OUTPUT_direct
 ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.7 (nf_tables):
 line 5: CHAIN_USER_DEL failed (Device or resource busy): chain FORWARD_direct
 line 5: CHAIN_USER_DEL failed (Device or resource busy): chain INPUT_direct
 line 5: CHAIN_USER_DEL failed (Device or resource busy): chain OUTPUT_direct
 ERROR: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.7 (nf_tables):
 line 5: CHAIN_USER_DEL failed (Device or resource busy): chain OUTPUT_direct
 line 5: CHAIN_USER_DEL failed (Device or resource busy): chain POSTROUTING_direct
 line 5: CHAIN_USER_DEL failed (Device or resource busy): chain PREROUTING_direct
 ERROR: COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.7 (nf_tables):
 line 5: CHAIN_USER_DEL failed (Device or resource busy): chain OUTPUT_direct
 line 5: CHAIN_USER_DEL failed (Device or resource busy): chain POSTROUTING_direct
 line 5: CHAIN_USER_DEL failed (Device or resource busy): chain PREROUTING_direct

So, all is hinting to these policies. How to solve that?

The network settings seem to be fine, as far as I can tell:

ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 34318  bytes 28874753 (28.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 34318  bytes 28874753 (28.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

venet0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP>  mtu 1500
        inet 127.0.0.1  netmask 255.255.255.255  broadcast 0.0.0.0  destination 127.0.0.1
        inet6 1234:456:7890:1234:5678:9012:3456:7890  prefixlen 128  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)
        RX packets 31583  bytes 9964873 (9.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 45565  bytes 25059155 (25.0 MB)
        TX errors 0  dropped 4 overruns 0  carrier 0  collisions 0

venet0:0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP>  mtu 1500
        inet 12.34.56.78  netmask 255.255.255.255  broadcast 12.34.56.78  destination 12.34.56.78
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)

I already checked update-alternatives for iptables and got rid of the reference to iptables-legacy:

sudo update-alternatives --display iptables
iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore
  slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-nft - priority 20
  slave iptables-restore: /usr/sbin/iptables-nft-restore
  slave iptables-save: /usr/sbin/iptables-nft-save

There are files iptables.up.rules and ip6tables.up.rules in /etc which are obviously generated by webmin. I renamed them but iptables.up.rules is back when rebooting.

I tend to save the rules, flush and restore them, as the non-legacy rules seem to also include the basic policies.

Something like:

# save the nft-backed rulesets and the legacy ones
sudo iptables-save > iptables-save.txt
sudo ip6tables-save > ip6tables-save.txt
sudo iptables-legacy-save > iptables-legacy-save.txt
sudo ip6tables-legacy-save > ip6tables-legacy-save.txt

# flush the active tables (both address families)
sudo iptables -F
sudo ip6tables -F

# put the saved rules back (restore needs root as well)
sudo iptables-restore < iptables-save.txt
sudo ip6tables-restore < ip6tables-save.txt

But I’m actually afraid to do that…

The questions are:

  1. Is this a valid approach or will this wreck my setup and force a restore?
  2. Where is this coming from? I don’t remember messing with the rules at all
  3. Does anybody know how to approach that?

I really want to get rid of the warning and the issues I have with localhost ipv6.

Help would really be appreciated! :wink:

Thanks in advance and best regards!
Christian
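
The save/flush/restore plan from the post, reworked as an added example (this is not code from the original post, nor anything shipped by Virtualmin, Webmin or firewalld). Two points are worth spelling out before running anything like it: `iptables -F` without `-legacy` acts on the nft-backed tables that firewalld manages, so flushing and restoring those leaves the legacy tables untouched; and the legacy tables shown in the post contain only default ACCEPT policies and no rules, so flushing them cannot change what the firewall actually does. The script below saves all four rulesets, refuses to flush a legacy table that holds anything other than empty chains with ACCEPT policies, and only then tries to unload the legacy table modules, which is what makes the "iptables-legacy tables present" warning disappear. `BACKUP_DIR`, the function names and the `--apply` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post and not part of
# Virtualmin/Webmin or firewalld.  Back up all four rulesets first, then flush
# the legacy tables only when they contain nothing but default ACCEPT policies,
# so the effective firewall policy cannot change.  BACKUP_DIR and the function
# names are assumptions made for this illustration.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/root/fw-backup-$(date +%Y%m%d-%H%M%S)}"

# legacy_is_empty FILE
# Succeed only if FILE (output of iptables-legacy-save or of iptables-legacy -S)
# declares no rules and every built-in chain policy is ACCEPT.  Comments,
# "*table" headers, COMMIT and blank lines are ignored.  A missing or
# unreadable file is NOT treated as empty (a failed backup must not look safe).
legacy_is_empty() {
    [ -r "$1" ] || return 2
    # ":INPUT ACCEPT [0:0]" (save format) or "-P INPUT ACCEPT" (-S format) are
    # the only lines allowed to remain; [[] and []] are literal brackets in ERE.
    ! grep -vE '^(#|[*]|COMMIT$|[[:space:]]*$)' "$1" \
        | grep -vE '^(:|-P )[A-Za-z0-9_-]+ ACCEPT( [[][0-9]+:[0-9]+[]])?$' \
        | grep -q .
}

# snapshot_rules
# Save the nft-backed and the legacy rulesets for both address families into
# BACKUP_DIR, one file per tool, so any of them can be put back with
# "<tool>-restore < FILE".
snapshot_rules() {
    mkdir -p "$BACKUP_DIR"
    for tool in iptables ip6tables iptables-legacy ip6tables-legacy; do
        "$tool-save" > "$BACKUP_DIR/$tool.rules"
    done
}

# flush_legacy TOOL
# Flush and delete the chains of every table TOOL (iptables-legacy or
# ip6tables-legacy) currently reports, not just "filter".
flush_legacy() {
    tool="$1"
    for table in $("$tool-save" | sed -n 's/^\*//p'); do
        "$tool" -t "$table" -F
        "$tool" -t "$table" -X
    done
}

# Only act when explicitly asked; running without --apply defines the functions
# and does nothing else.
case "${1:-}" in
    --apply)
        snapshot_rules
        for tool in iptables-legacy ip6tables-legacy; do
            if legacy_is_empty "$BACKUP_DIR/$tool.rules"; then
                flush_legacy "$tool"
            else
                echo "$tool holds rules or non-ACCEPT policies, see $BACKUP_DIR/$tool.rules; not flushing" >&2
                exit 1
            fi
        done
        # The warning printed by iptables-nft goes away only once the legacy
        # table modules are unloaded (add iptable_nat etc. if such tables
        # existed).  This fails inside an OpenVZ/Virtuozzo container, where the
        # modules belong to the host kernel.
        modprobe -r iptable_filter ip6table_filter 2>/dev/null \
            || echo "legacy table modules still loaded (container, or still in use)" >&2
        ;;
esac
```

Run it as root with `--apply`; without the switch it only defines the functions, so it can be sourced to check a saved file by hand with `legacy_is_empty FILE`. If anything has to go back, `iptables-legacy-restore < "$BACKUP_DIR/iptables-legacy.rules"` restores the snapshot. One caveat specific to this box: `venet0` in the ifconfig output is an OpenVZ/Virtuozzo container interface, and inside such a container kernel modules cannot be unloaded, so the final `modprobe -r` will fail and the legacy tables stay visible (and harmless, as long as they stay empty) until the host side changes.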
