Debian 10 Firewalld vs iptables thrashing about

System Operating system Debian Linux 10
Webmin version 1.973 Usermin version
Virtualmin version 6.16 Pro Authentic theme version
Time on system Friday, August 27, 2021 5:48 PM Kernel and CPU

Linux IPTables Firewall
IPv4 Firewall


**Rules file /etc/iptables.up.rules**
**External managed rules detected. Activate "[Directly edit firewall rules"] or your firewall rules may break.**

**Warning!** It appears that FirewallD is being used to generate your system's firewall. Maybe you should use the [FirewallD module] instead.

**WARNING! Your current IPtables configuration is invalid : iptables-restore v1.8.2 (nf_tables): Set f2b-proftpd doesn't exist. Error occurred at line: 45**

OK, so clicking on FirewallD:


FirewallD

### Failed to list zones : Error: INVALID_ZONE

So, as per FirewallD - Invalid Zones - #8 by vminbeginner I activated buster backports, uninstalled iptables, and reinstalled iptables, and still had a problem. So I installed firewalld hoping I could get things to work but that didn’t help either.

So I apt purge iptables and apt purge firewalld and apt install firewalld but that ended up with error messages like:

ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (nf_tables):
                                                  line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
                                                  line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT

but at least then I found this:

Which said to edit /etc/firewalld/firewalld.conf and change IndividualCalls=no to IndividualCalls=yes

When I did that, at least firewalld seemed to be running without any status errors.

Hopefully I’ve not ended up with a damaged system.

UPDATE: Yep. Damaged. I had to reload from backup.

It would appear Debian 10 has a firewall problem that Virtualmin hasn’t been able to correct.

Is there some “howto” for getting Debian 10 and a firewall to work and play well together under Virtualmin?

1 Like

Hello jabowery :slight_smile: The Ubertus team faced the same challenge. To resolve this, we use both nftables and firewalld from the Backport for Debian 10 Buster.


Below are detailed steps & info. If those are of interest.

Steps

  1. Backup everything. This is optional, but recommended in the unlikely event that the following does not work.
  2. Remove iptables
  3. Reboot server
  4. Install nftables from the Debian Buster Backport repository. So that you get a more recent version.
  5. Install firewalld from the Debian Buster Backport repository. So that you get a more recent version.
  6. Adapt your Fail2Ban configurations appropriately for nftables. For example, but not limited to, using the Webmin Fail2Ban page, adapt its “Default action to apply” for nftables. For example nftables-multiport. Instead of iptables-multiport.
  7. Reboot server
  8. If fail2ban is not a fresh installation. It might need a few of its cycles to adapt itself.
  9. If the above fails. Try the same steps but fully remove fail2ban, then reinstall a fresh new fail2ban.
  10. Done. You have successfully resolved the challenge with fail2ban & iptables. Enjoy :slight_smile:

Attribution to the Ubertus SysAdmin team & DevOps team for those steps

Why nftables instead of iptables?

  • Starting with Debian 10, iptables is officially deprecated with nftables. With Debian 11 the deprecated goes even further. iptables is now the default on Debian 11. Source at Debian 11 To Further Deprecate IPTables In Favor Of Nftables Plus Promoting Firewalld - Phoronix

  • Starting in August 2020, nftables is included into the Linux Kernel. Which result in potential significant increase in both performance & security.

  • Fail2Ban on Debian 10 has very good support for nftables. With lots of built-in configurations.

Notes

For those not familiar with nftables. It is the new framework by the Netfilter Project. Which allows you to perform packet filtering (firewalling), NAT, mangling and packet classification.

firewalld is a front end management tool for nftables. Think of nftables as the engine. And firewalld as your dashboard.

Firewalld “owns” the firewall on the system, and all management should be done using the firewalld commands or the Webmin firewalld module. Attribution to Joe at https://forum.virtualmin.com/t/firewall-iptables-and-firewalld-conflict/58278/5

Related wiki about nftables at nftables - Debian Wiki

For those not familiar with Backport. It means you get more recent version of packages for Debian.

nftables replaces the old popular iptables, ip6tables, arptables and ebtables.

1 Like

Do yourself a favor and implement CSF + LFD.

Sorry if this is not perfect for you. I just recommend CSF every chance I get (over any other iptables firewall and fail2ban). It’s well worth the learning curve.

https://virtualarchitects.com/wiki/doku.php?id=networking:firewall:csf

G

1 Like

None of the above works for me. I just deleted the rule that references fail2ban sshd.

Does anyone know of upgrading to Debian 11 breaks virtualmin?

It seems Debian 11 is the only place one can get a working firewall out-of-the-box.