**Rules file /etc/iptables.up.rules**
**External managed rules detected. Activate "[Directly edit firewall rules]" or your firewall rules may break.**
**Warning!** It appears that FirewallD is being used to generate your system's firewall. Maybe you should use the [FirewallD module] instead.
**WARNING! Your current IPtables configuration is invalid : iptables-restore v1.8.2 (nf_tables): Set f2b-proftpd doesn't exist. Error occurred at line: 45**
OK, so clicking on FirewallD:
FirewallD
### Failed to list zones : Error: INVALID_ZONE
So, as per FirewallD - Invalid Zones - #8 by vminbeginner I activated buster backports, uninstalled iptables, and reinstalled iptables, and still had a problem. So I installed firewalld hoping I could get things to work but that didn’t help either.
So I `apt purge iptables` and `apt purge firewalld` and `apt install firewalld`, but that ended up with error messages like:
```
ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (nf_tables):
line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT
```
but at least then I found this:
Which said to edit /etc/firewalld/firewalld.conf and change IndividualCalls=no to IndividualCalls=yes
When I did that, at least firewalld seemed to be running without any status errors.
Hopefully I’ve not ended up with a damaged system.
UPDATE: Yep. Damaged. I had to reload from backup.
It would appear Debian 10 has a firewall problem that Virtualmin hasn’t been able to correct.
Is there some “howto” for getting Debian 10 and a firewall to work and play well together under Virtualmin?
Hello jabowery, the Ubertus team faced the same challenge. To resolve this, we use both nftables and firewalld from the Backport for Debian 10 Buster.
Below are detailed steps & info, if those are of interest.
Steps
1. Backup everything. This is optional, but recommended in the unlikely event that the following does not work.
2. Remove iptables.
3. Reboot server.
4. Install nftables from the Debian Buster Backport repository, so that you get a more recent version.
5. Install firewalld from the Debian Buster Backport repository, so that you get a more recent version.
6. Adapt your Fail2Ban configurations appropriately for nftables. For example, but not limited to, using the Webmin Fail2Ban page, adapt its “Default action to apply” for nftables, for example nftables-multiport instead of iptables-multiport.
7. Reboot server.
8. If fail2ban is not a fresh installation, it might need a few of its cycles to adapt itself.
9. If the above fails, try the same steps but fully remove fail2ban, then reinstall a fresh new fail2ban.
10. Done. You have successfully resolved the challenge with fail2ban & iptables. Enjoy.
Attribution to the Ubertus SysAdmin team & DevOps team for those steps
Starting in August 2020, nftables is included into the Linux Kernel, which results in a potentially significant increase in both performance & security.
Fail2Ban on Debian 10 has very good support for nftables, with lots of built-in configurations.
Notes
- For those not familiar with nftables: it is the new framework by the Netfilter Project, which allows you to perform packet filtering (firewalling), NAT, mangling and packet classification.
- firewalld is a front end management tool for nftables. Think of nftables as the engine and firewalld as your dashboard.
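As an added example (not from the thread or the Ubertus team), the steps above as a POSIX shell script for Debian 10. It assumes buster-backports is already enabled in sources.list, that fail2ban's nftables actions use their default table name f2b-table, and that `set_key` and the other function names are my own:

```shell
#!/bin/sh
# Added example, not from the thread or the Ubertus team: scripts the steps
# above on Debian 10. Assumes buster-backports is already in sources.list
# and that fail2ban's nftables actions use the default table name f2b-table.
set -eu

# set_key FILE KEY VALUE [SECTION]: set "KEY = VALUE" in an ini-style file.
# Existing key: rewritten in place. Missing key: inserted right after
# "[SECTION]" when given, else appended. Safe to run repeatedly.
set_key() {
    file=$1; key=$2; value=$3; section=${4:-}
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    elif [ -n "$section" ]; then
        grep -q "^\[${section}\]" "$file" || printf '[%s]\n' "$section" >> "$file"
        sed -i "/^\[${section}\]/a ${key} = ${value}" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Steps 2-5: drop iptables, pull nftables + firewalld from buster-backports.
migrate_packages() {
    apt-get remove -y iptables
    apt-get install -y -t buster-backports nftables firewalld
    systemctl enable --now nftables firewalld
}

# Step 6: switch fail2ban's default ban actions to the nftables variants and
# apply the IndividualCalls=yes workaround quoted earlier in the thread.
configure_backends() {
    touch /etc/fail2ban/jail.local
    set_key /etc/fail2ban/jail.local banaction nftables-multiport DEFAULT
    set_key /etc/fail2ban/jail.local banaction_allports nftables-allports DEFAULT
    set_key /etc/firewalld/firewalld.conf FirewallBackend nftables
    set_key /etc/firewalld/firewalld.conf IndividualCalls yes
    systemctl restart firewalld fail2ban
}

# Checks matching the failures quoted above: zones must list without
# INVALID_ZONE, and fail2ban's table must exist in the live nftables ruleset.
verify() {
    firewall-cmd --state
    firewall-cmd --get-zones
    fail2ban-client status
    nft list ruleset | grep -q 'table inet f2b-table'
}
```

Run `migrate_packages`, reboot, then `configure_backends` and `verify` as root; `set_key` can be tested on a scratch file first.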
Sorry if this is not perfect for you. I just recommend CSF every chance I get (over any other iptables firewall and fail2ban). It’s well worth the learning curve.