How to correct IPtables

I was looking into securing my server and opened the webmin – Networking – Linux Firewall menu and found that warning:

WARNING! Your current IPtables configuration is invalid : iptables-restore v1.8.2 (nf_tables): Set f2b-dovecot doesn’t exist. Error occurred at line: 45

How can I correct this ?

Have you done anything to set an inordinate timeout value in Fail2ban? If so, see:

1 Like

Hi there, which distro are you using? Debian 10?

1 Like

Yes I’m using Debian 10

Hi there,

try the following steps:


deb buster-backports main



then run a

apt-get update

after it, run the command

apt-get -t buster-backports install "iptables"

it will install IPTABLES 1.8.3 from the Backport-Repo of Debian. Maybe you need to answer the question with a “y”. After it, you need/should restart your server after the installation of IPTABLES 1.8.3. That I think should fix your error :slight_smile:



Thank you @fabi but I It tried that without success. I’m seeing virtualmin support now.
Thank you.

The support is saying I should remove this line from my firewall config.

-A INPUT_direct \
-p tcp \
-m multiport -m set \
--reject-with icmp-port-unreachable `
--dports 110,995,143,993,587,465,4190 \
--match-set f2b-dovecot src 

But I would like to fully understand what it does.
I wen to the iptables man an iptables-extensions manual for the --reject-with-icmp-port-unreachable
it reads

   REJECT (IPv4-specific)
       This is used to send back an error packet in response  to  the  matched
       packet:  otherwise it is equivalent to DROP so it is a terminating TAR‐
       GET, ending rule traversal.  This target is only valid  in  the  INPUT,
       FORWARD  and  OUTPUT  chains,  and  user-defined  chains which are only
       called from those chains.  The following option controls the nature  of
       the error packet returned:

       --reject-with type
              The  type  given ...  icmp-port-unreachable,    ...,  
              which  return  the  appropriate  
               ICMP  error  message
              (icmp-port-unreachable  is  the  default).  

I understand that -m is for match so I gess -m multiport -m set is to set the jump -j REJECT for all the destination ports 110, 995, 143, 993, 587, 465, 4190 and source IPs that are in the f2b-dovecot set.

If I remove that what are the risk ?
understanding the risk will help me check if I have another rule in the config to mitigate it.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.