Firewall issue after reboot

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 22.04.3
Webmin version: 2.105
Usermin version: 2.005
Virtualmin version: 7.8.2
Theme version: 21.09.5
Package updates: All installed packages are up to date

I upgraded Ubuntu to 22.04 a few days ago.
Now I have an issue after reboot. The firewall seems to block everything;
I only get things up and working again if I log in to the server via the “connected console” and execute the following command:

iptables -P INPUT ACCEPT

It seems that a rule is breaking the whole IPTABLES service.
What is the best way to figure out which rule is the cause of the issue?

iptables -S returns this:

-P FORWARD DROP
-P OUTPUT ACCEPT
-N f2b-nginx-badbots
-N f2b-postfix-sasl
-N f2b-proftp_noSuchUser
-A INPUT -p tcp -j f2b-nginx-badbots
-A INPUT -p tcp -m multiport --dports 0:65535 -j f2b-proftp_noSuchUser
-A f2b-nginx-badbots -s 98.71.20.249/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nginx-badbots -s 95.214.25.83/32 -j REJECT --reject-with icmp-port-unreachable
...(hundreds of that nginx-badbots rules)
-A f2b-nginx-badbots -j RETURN
-A f2b-postfix-sasl -j RETURN
-A f2b-proftp_noSuchUser -s 94.140.48.197/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-proftp_noSuchUser -s 94.131.241.75/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-proftp_noSuchUser -j RETURN

I also found the following in the logs:

ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.7 (nf_tables): invalid port/service `1-65535' specified
     Try `iptables-restore -h' or 'iptables-restore --help' for more information.

And here is what I did, and what nearly drove me crazy.
So a partial solution is found, but some questions stay open…

I restored the file /etc/webmin/firewall/iptables.save… but any time I rebooted, or even just restarted the firewall, it was gone… the file was empty again.

So I’ve opened the settings of “Linux IPTables Firewall” module and set IPv4 to NO.

Then after a reboot the firewall rules are still in the file and shown in the “Linux IPTables Firewall” module.
(If I change that back to “yes” the rules disappear after reboot again!)

But …

…I found that firewallD was not running. So I pressed the button to start it… and Webmin was unavailable again.
I had to open the server console again and allow the SSH and Webmin ports to be accessible… even though I have them added in firewallD:

Any idea why activating firewallD makes the whole server unavailable… as it worked like a charm before the distribution upgrade?

… additional note… I gave it a try… here are the results:

  1. If I reboot the server while firewallD is up and running, the server comes up, but all requests are blocked by the firewall.
  2. If I disable firewallD and reboot, the server comes up and is available (Webmin, web pages… everything).
  3. From the moment I start firewallD, the whole server is unavailable.

So the fail is with firewallD, but I don’t see why.
I
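The log line above (“invalid port/service `1-65535' specified”) is a syntax failure of a single rule that makes iptables-restore reject the whole ruleset, which is why the entire firewall ends up in its default policy after reboot. The following is an added example, not code from this thread or from Webmin/Virtualmin: a small linter that walks an iptables-save style dump and flags port specifications that iptables-restore will refuse (a `-` range separator instead of `:`, ports above 65535, a low:high range in the wrong order, comma lists without `-m multiport`, more than 15 multiport entries). The sample dump is constructed: it mixes the thread's loadable `0:65535` rule with deliberately broken ones.

```python
"""Lint an iptables-save dump for port specifications that iptables-restore
rejects. Added example (not code from the thread); the SAMPLE_DUMP below is
constructed and mixes rules from the thread with deliberately broken ones."""
import re
from typing import List, Tuple

PORT_OPTIONS = {"--dport", "--dports", "--sport", "--sports",
                "--destination-port", "--source-port",
                "--destination-ports", "--source-ports"}
MULTIPORT_MAX = 15  # multiport accepts at most 15 ports; a range counts as two
SERVICE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")  # e.g. ssh, dns-over-tls


def check_port_spec(spec: str) -> List[str]:
    """Validate one port argument: a port, a low:high range, or a comma list."""
    problems = []
    for item in spec.split(","):
        if SERVICE_NAME.fullmatch(item):
            continue  # named service; iptables resolves it via /etc/services
        if "-" in item:
            # Exactly the thread's failure: "invalid port/service `1-65535'".
            problems.append(f"'{item}' uses '-' for a range; iptables expects low:high")
            continue
        parts = item.split(":")
        if (len(parts) > 2
                or not all(p.isdigit() or p == "" for p in parts)
                or not any(p.isdigit() for p in parts)):
            problems.append(f"'{item}' is not a numeric port or low:high range")
            continue
        nums = [int(p) for p in parts if p != ""]
        if any(n > 65535 for n in nums):
            problems.append(f"'{item}' exceeds 65535")
        elif len(nums) == 2 and nums[0] > nums[1]:
            problems.append(f"'{item}' has low > high")
    return problems


def lint_rule(rule: str) -> List[str]:
    """Return the problems in one rule line (empty list means it looks loadable)."""
    tokens = rule.split()
    issues: List[str] = []
    multiport = "multiport" in tokens
    for i, tok in enumerate(tokens):
        if tok not in PORT_OPTIONS:
            continue
        if i + 1 >= len(tokens):
            issues.append(f"{tok} has no argument")
            continue
        spec = tokens[i + 1]
        issues += [f"{tok} {spec}: {p}" for p in check_port_spec(spec)]
        items = spec.split(",")
        if len(items) > 1 and not multiport:
            issues.append(f"{tok} {spec}: comma lists require '-m multiport'")
        if multiport and sum(2 if ":" in it else 1 for it in items) > MULTIPORT_MAX:
            issues.append(f"{tok} {spec}: multiport allows at most {MULTIPORT_MAX} ports")
    return issues


def lint_dump(dump: str) -> List[Tuple[int, str, List[str]]]:
    """Lint every rule line of a dump; returns (line_no, rule, issues) per bad rule."""
    findings = []
    for no, raw in enumerate(dump.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#*:" or line == "COMMIT":
            continue  # comments, table headers, chain policies, COMMIT
        issues = lint_rule(line)
        if issues:
            findings.append((no, line, issues))
    return findings


# Constructed dump: the thread's loadable rule plus three deliberately bad ones.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
-N f2b-proftp_noSuchUser
-A INPUT -p tcp -m multiport --dports 0:65535 -j f2b-proftp_noSuchUser
-A INPUT -p tcp -m multiport --dports 1-65535 -j f2b-proftp_noSuchUser
-A INPUT -p tcp --dport 70000 -j ACCEPT
-A INPUT -p tcp --dport 22,10000 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for no, rule, issues in lint_dump(SAMPLE_DUMP):
        print(f"line {no}: {rule}")
        for issue in issues:
            print(f"    {issue}")
```

On a real host you would feed it `sudo iptables-save` output, or the contents of the saved file the firewall module restores at boot, and then confirm a fix without touching the live ruleset using `iptables-restore --test < file`, which only parses and builds the ruleset without committing it.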

You talked about iptables, then firewalld. They’re 2 different firewalls and shouldn’t work together.

@stefan1959
Ok, I thought firewalld would only be a frontend to iptables… so I learned something.

But by default firewalld was activated after webmin/virtualmin installation. I wonder why it doesn’t work anymore after upgrade.

Any Idea how to debug it step by step?

Firewalld is a frontend for iptables… but look at the log files for firewalld for the startup errors. A quick summary is obtained by ‘sudo service firewalld status’; fix whatever error it shows.


Really, I didn’t know that.

I wonder about all that behavior after the upgrade, as I have always used firewallD (from the installation of this Webmin server on), and it worked quite well.

@jimr1 do you have any idea why the server blocks every request if I start firewalld?

What do the rules look like when you view them?


any useful output with

systemctl status firewalld

systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-12-12 09:45:49 CET; 2min 31s ago
       Docs: man:firewalld(1)
   Main PID: 2385071 (firewalld)
      Tasks: 2 (limit: 4443)
     Memory: 24.1M
        CPU: 725ms
     CGroup: /system.slice/firewalld.service
             └─2385071 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

and sudo firewall-cmd --list-all

public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client dns dns-over-tls ftp http https imap imaps mysql smtp smtps
  ports: 587/tcp 53/tcp 20/tcp 2222/tcp 20000/tcp 53/udp 22/tcp 10000/tcp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
sudo firewall-cmd --get-default-zone
public

This looks as if it should still work fine… so do you run fail2ban? If so, try stopping fail2ban and starting firewalld, and see if you still have the problem; that rules out fail2ban adding your IP to firewalld’s data set.

I got it. Solution was:

sudo ufw disable

I don’t see why or how that could happen (any explanation is very welcome).
But after I disabled ufw, “firewallD” works again like before the distribution upgrade of Ubuntu 20.04 LTS to 22.04 LTS.
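What the fix above suggests is two firewall managers that both want to own the base policy: ufw (which the release upgrade left enabled) and firewalld, each loading its own chains and default policies on top of the other. The following is an added example, not code from this thread or from either project: a checker that reads the text of `iptables -S` (or `iptables-save`) and `nft list ruleset` and reports which managers have chains or tables loaded, and flags the case where more than one policy-owning manager (ufw, firewalld) is present. fail2ban is reported too, but only as an add-on, since its `f2b-` chains hang off whatever base ruleset exists. Both dumps are constructed to resemble the situation in the thread; the chain-name patterns are the ones those tools create by default and are an assumption of this example.

```python
"""Report which firewall managers have rules loaded, from `iptables -S` and
`nft list ruleset` text. Added example, not from the thread; both sample
dumps are constructed."""
import re
from typing import Dict, List, Set

# Chain/table names each manager creates (assumed default naming).
IPTABLES_CHAIN_OWNERS = {
    "ufw": re.compile(r"^ufw-"),
    "fail2ban": re.compile(r"^f2b-"),
    # firewalld's iptables backend: INPUT_direct, INPUT_ZONES, IN_public, FWDI_public ...
    "firewalld": re.compile(r"^(INPUT|FORWARD|OUTPUT)_(direct|ZONES|ZONES_SOURCE)$|^(IN|FWDI|FWDO)_"),
}
# firewalld's nftables backend keeps everything in one table.
NFT_TABLE_OWNERS = {"firewalld": re.compile(r"^table inet firewalld\b", re.M)}
# Managers that set the base INPUT policy; two of them at once is a conflict.
POLICY_MANAGERS = {"ufw", "firewalld"}


def managers_from_iptables(dump: str) -> Dict[str, List[str]]:
    """Map manager name -> chains it created, from `iptables -S`/`iptables-save` text."""
    found: Dict[str, List[str]] = {}
    for line in dump.splitlines():
        m = re.match(r"^(?:-N\s+|:)(\S+)", line.strip())  # '-N chain' or ':chain POLICY'
        if not m:
            continue
        chain = m.group(1)
        for owner, pattern in IPTABLES_CHAIN_OWNERS.items():
            if pattern.search(chain):
                found.setdefault(owner, []).append(chain)
    return found


def managers_from_nft(ruleset: str) -> Set[str]:
    """Managers recognisable from `nft list ruleset` table names."""
    return {owner for owner, pat in NFT_TABLE_OWNERS.items() if pat.search(ruleset)}


def input_policy(dump: str) -> str:
    """The INPUT chain's default policy as printed by `iptables -S`, or 'unknown'."""
    m = re.search(r"^-P INPUT (\S+)", dump, re.M)
    return m.group(1) if m else "unknown"


def diagnose(iptables_dump: str, nft_ruleset: str) -> Dict[str, object]:
    """Combine both views and flag more than one policy-owning manager."""
    chains = managers_from_iptables(iptables_dump)
    active = set(chains) | managers_from_nft(nft_ruleset)
    policy_owners = sorted(active & POLICY_MANAGERS)
    return {
        "managers": sorted(active),
        "chains": chains,
        "input_policy": input_policy(iptables_dump),
        "policy_owners": policy_owners,
        "conflict": len(policy_owners) > 1,
    }


# Constructed: ufw chains and fail2ban chains in the legacy view, firewalld in nft.
SAMPLE_IPTABLES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N f2b-nginx-badbots
-N ufw-before-input
-N ufw-user-input
-A INPUT -p tcp -j f2b-nginx-badbots
-A INPUT -j ufw-before-input
"""
SAMPLE_NFT = """\
table inet firewalld {
        chain filter_INPUT {
                type filter hook input priority filter + 10; policy accept;
        }
}
"""

if __name__ == "__main__":
    report = diagnose(SAMPLE_IPTABLES, SAMPLE_NFT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live host you would run it over `sudo iptables -S` and `sudo nft list ruleset`; pairing that with `systemctl is-enabled ufw firewalld` shows whether both will come back at boot, which is the state `sudo ufw disable` cleared up in this thread.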

Never had that on a distribution upgrade before. However, I tend to remove ufw as I don’t use it, so I may never have hit this one. Good to see you’re working again.


Thanks for your patience and helping hands. It was part of my solution.
