How to correct IPtables

I was looking into securing my server and opened the webmin – Networking – Linux Firewall menu and found that warning:

WARNING! Your current IPtables configuration is invalid : iptables-restore v1.8.2 (nf_tables): Set f2b-dovecot doesn’t exist. Error occurred at line: 45

How can I correct this ?

Have you done anything to set an inordinate timeout value in Fail2ban? If so, see:

1 Like

Hi there, which distro are you using? Debian 10?

1 Like

Yes I’m using Debian 10

Hi there,

try the following steps:

Add

deb http://deb.debian.org/debian buster-backports main

to

/etc/apt/sources.list

then run a

apt-get update

after it, run the command

apt-get -t buster-backports install "iptables"

it will install IPTABLES 1.8.3 from the Backport-Repo of Debian. Maybe you need to answer the question with a “y”. After it, you need/should restart your server after the installation of IPTABLES 1.8.3. That I think should fix your error :slight_smile:

Cheers

Fabi

Thank you @fabi but I tried that without success. I’m seeing Virtualmin support now.
Thank you.

The support is saying I should remove this line from my firewall config.

-A INPUT_direct \
-p tcp \
-m multiport -m set \
-j REJECT \
--reject-with icmp-port-unreachable \
--dports 110,995,143,993,587,465,4190 \
--match-set f2b-dovecot src

But I would like to fully understand what it does.
I went to the iptables man page and the iptables-extensions manual for --reject-with icmp-port-unreachable.
It reads:

   REJECT (IPv4-specific)
       This is used to send back an error packet in response to the matched
       packet: otherwise it is equivalent to DROP so it is a terminating TARGET,
       ending rule traversal. This target is only valid in the INPUT, FORWARD
       and OUTPUT chains, and user-defined chains which are only called from
       those chains. The following option controls the nature of the error
       packet returned:

       --reject-with type
              The type given ... icmp-port-unreachable, ..., which return the
              appropriate ICMP error message (icmp-port-unreachable is the
              default).

I understand that -m is for match, so I guess -m multiport -m set is to set the jump -j REJECT for all the destination ports 110, 995, 143, 993, 587, 465, 4190 and source IPs that are in the f2b-dovecot set.

If I remove that, what are the risks?
Understanding the risk will help me check if I have another rule in the config to mitigate it.
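For context on the rule quoted above: it rejects TCP traffic to the listed mail ports (POP3/IMAP/submission/SMTPS/ManageSieve) whenever the source address is a member of the ipset f2b-dovecot, which is the ban list Fail2ban maintains for its dovecot jail. The restore error in the first post happens because iptables-restore runs before that set exists, so the whole ruleset is refused. The script below is an added example, not from this thread or from Virtualmin/Fail2ban: it scans an iptables-save ruleset for every set referenced via --match-set and reports the ones not present in the output of `ipset list -n`, so an operator can create the missing sets (or see which rules would be lost) before restoring. The sample ruleset and the list of existing sets are constructed inline; the only rule taken from the thread is the f2b-dovecot one.

```shell
#!/bin/sh
# Added example: detect ipsets that an iptables-save ruleset references with
# --match-set but which do not exist yet on the host. Such a rule makes
# iptables-restore fail ("Set ... doesn't exist"), which is the error in
# the thread.

# Constructed sample ruleset in iptables-save format. The f2b-dovecot rule
# mirrors the one quoted in the thread; the f2b-sshd rule is made up.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:INPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A INPUT_direct -p tcp -m multiport --dports 110,995,143,993,587,465,4190 -m set --match-set f2b-dovecot src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_direct -p tcp -m multiport --dports 22 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed stand-in for the output of `ipset list -n`: only f2b-sshd
# exists, so f2b-dovecot is the set that would break the restore.
EXISTING_SETS='f2b-sshd'

# referenced_sets RULES
#   Print every ipset name used by a --match-set option, once, sorted.
referenced_sets() {
    printf '%s\n' "$1" | grep -o -- '--match-set [^ ]*' | awk '{print $2}' | sort -u
}

# missing_sets RULES EXISTING
#   Print the names referenced in RULES that do not appear as a whole line
#   in EXISTING (one set name per line, as `ipset list -n` prints them).
missing_sets() {
    refs=$(referenced_sets "$1")
    [ -z "$refs" ] && return 0
    printf '%s\n' "$refs" | while read -r name; do
        printf '%s\n' "$2" | grep -qx -- "$name" || printf '%s\n' "$name"
    done
}

# Stand-alone run against the constructed data; prints "f2b-dovecot".
missing_sets "$SAMPLE_RULES" "$EXISTING_SETS"

# On a real host the same functions take live data, for example:
#   missing_sets "$(cat /etc/iptables/rules.v4)" "$(ipset list -n)"
# Creating each missing set empty before the restore lets the ruleset load
# with the ban rule intact instead of deleting the rule; Fail2ban's ipset
# action uses hash:ip sets, so (assumption: adjust to your jail's action)
#   ipset create f2b-dovecot hash:ip
# would be the matching shape for the set in the thread.
```

Keeping the rule and creating the set is the safer direction: if the rule is simply deleted, addresses that Fail2ban adds to f2b-dovecot are still recorded in the set but nothing in the INPUT path rejects their connections to the mail ports any more, so the dovecot jail no longer blocks anything.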
