Ubuntu 22.04 Server
After a system boot, all of the iptables are empty. I can load webmin and apply the rules manually OK. The reported file for the rules is valid and contains the proper contents. So I thought something else was flushing all the tables. Removed the app “ufw” to no avail. Have not found anything that would be able to flush the tables. So I reviewed the syslog after a boot sequence. I did not see anything else trying to load any rules. But I did find the following messages.
Sep 12 16:39:52 tmgemail systemd: webmin-iptables.service: Main process exited, code=exited, status=4/NOPERMISSION
Sep 12 16:39:52 tmgemail systemd: webmin-iptables.service: Failed with result 'exit-code'.
Sep 12 16:39:52 tmgemail systemd: Failed to start Load iptables save file.
So I reviewed the systemd config files. The load operation simply calls iptables-legacy-restore with redirected input from the saved file. The command executes just fine when I attempt at the command prompt.
So what permissions do I need to enable for webmin service to load iptables from systemd when the system boots up?
Thank you for your consideration,
Not much help, but I'm wondering why you rebooted? I've had a couple of security updates of the kernel lately and had to reboot.
The same here, security updates.
Follow-up: I discovered I can
root@tmgemail:~# systemctl start webmin-iptables
root@tmgemail:~# systemctl status webmin-iptables
● webmin-iptables.service - Load iptables save file
Loaded: loaded (/lib/systemd/system/webmin-iptables.service; enabled; vendor preset: enabled)
Active: active (exited) since Thu 2023-09-14 10:58:47 EDT; 37s ago
Process: 45507 ExecStart=/bin/sh -c /sbin/iptables-legacy-restore </etc/webmin/firewall/iptables.save (code=exited, status=0/SUCCESS)
Main PID: 45507 (code=exited, status=0/SUCCESS)
Sep 14 10:58:47 tmgemail systemd: Starting Load iptables save file...
Sep 14 10:58:47 tmgemail systemd: Finished Load iptables save file.
No permission problems here executing manually. Just during the boot cycle it appears.
You shouldn't use iptables directly. Webmin has support for the FirewallD module, which will handle it all correctly for you.
What is this webmin-iptables.service anyway? What is the output of the following command on your system:
Thank you for your response. Webmin provides support for many distros and various software applications. FirewallD is from RedHat. This server is Ubuntu based and does not include FirewallD by default.
The file you requested is below.
root@tmgemail:~# cat /lib/systemd/system/webmin-iptables.service
Description=Load iptables save file
ExecStart=/bin/sh -c '/sbin/iptables-legacy-restore </etc/webmin/firewall/iptables.save'
ExecStop=/sbin/iptables -t filter -F ; /sbin/iptables -t nat -F ; /sbin/iptables -t mangle -F ; /sbin/iptables -t filter -P INPUT ACCEPT ; /sbin/iptables -t filter -P OUTPUT ACCEPT ; /sbin/iptables -t filter -P FORWARD ACCEPT ; /sbin/iptables -t nat -P PREROUTING ACCEPT ; /sbin/iptables -t nat -P POSTROUTING ACCEPT ; /sbin/iptables -t nat -P OUTPUT ACCEPT ; /sbin/iptables -t mangle -P PREROUTING ACCEPT ; /sbin/iptables -t mangle -P OUTPUT ACCEPT
Yes, it does not. However, it takes no effort to install it using the apt-get install firewalld command. We do it for all Virtualmin users, and it does the job in a much simpler and more reliable way.
Also, if you want a super fancy and powerful firewall, which can replace both FirewallD and Fail2Ban, consider using ConfigServer Security & Firewall, as Webmin with Authentic Theme has very good support for it.
I assume this is something that was created manually.
No, I did not create the service myself. It was created by Webmin.
How old is the system? Was it upgraded from previous versions? Did you install via Virtualmin or webmin?
Ubuntu 22.04 LTS fresh install in fall of 2022. I installed Webmin. Never heard of Virtualmin until this website two days ago. This server was a replacement for another server that I have operated for many years. The system would load the tables correctly until about two months ago. So we just loaded them manually. But since it has not been fixed, I am now investigating the problem.
OK. Strange that the first thing that appeared in a search was that link saying this problem was fixed in 2021.
The bug report link you provided was in regard to a locking issue. My error messages did not reference any locking issues. However, when I checked the service files they did not include the -w option at all. So I added "-w 10" in both the ip and ip6 service files. My thought is maybe it is the same problem but not reporting the error the same way. So I included the change and will see if it helps or not.
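Two notes for anyone landing on this thread with the same symptom, followed by an added example script that is not part of the thread and not Webmin's own code. First, the status=4/NOPERMISSION label is systemd's generic name for exit status 4; iptables and iptables-restore use 4 for a resource problem, which is exactly what they return when they cannot take the xtables lock (the "Another app is currently holding the xtables lock" case), so a missing -w can surface as NOPERMISSION with no mention of locking. The restore command's own stderr goes to the journal, so `journalctl -b -u webmin-iptables.service` shows more than syslog did here. Second, the posted unit loads rules with iptables-legacy-restore but flushes them in ExecStop with /sbin/iptables, which on Ubuntu 22.04 is the nft backend by default, so those two lines do not act on the same ruleset. The script below puts the -w 10 change (the fix the poster tried) into a systemd drop-in rather than editing the packaged unit, orders the unit before network-pre.target the way netfilter-persistent does, and adds a post-boot check that the save file's rules are really live. The drop-in directory, the use of iptables-legacy-save for the live dump, and the sample rules in selftest() are my assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not Webmin's own code. Two things the thread calls for:
#  1. a systemd drop-in that adds -w 10 to the restore command and orders the
#     unit before the network comes up, without editing the packaged unit;
#  2. a post-boot check that the saved ruleset is actually live.
# Assumptions not taken from the thread: the drop-in path, the use of
# iptables-legacy-save for the live dump, and the constructed sample rules
# in selftest(). The save-file path is the one the poster's unit uses.

SAVE_FILE=/etc/webmin/firewall/iptables.save                  # from the thread
OVERRIDE_DIR=/etc/systemd/system/webmin-iptables.service.d    # assumption

# Write the drop-in into directory $1. A drop-in survives package upgrades,
# unlike edits to /lib/systemd/system/webmin-iptables.service.
write_override() {
    mkdir -p "$1"
    cat > "$1/override.conf" <<'EOF'
[Unit]
# Load the ruleset before interfaces come up; iptables-restore needs no network.
DefaultDependencies=no
After=local-fs.target systemd-modules-load.service
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target

[Service]
# An empty ExecStart= clears the packaged command line before replacing it.
ExecStart=
# -w 10: wait up to 10 s for the xtables lock instead of exiting with status 4.
ExecStart=/bin/sh -c '/sbin/iptables-legacy-restore -w 10 </etc/webmin/firewall/iptables.save'
EOF
}

# Number of rule lines (-A ...) in an iptables-save style file; 0 if unreadable.
rule_count() {
    n=$(grep -c '^-A ' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Succeed when the live dump ($2) carries at least as many rules as the save
# file ($1). A flushed table shows up as zero -A lines, which this catches;
# it is a count heuristic, not a rule-by-rule diff.
rules_loaded() {
    expected=$(rule_count "$1")
    live=$(rule_count "$2")
    [ "$expected" -gt 0 ] && [ "$live" -ge "$expected" ]
}

# Offline self-test on constructed data: a two-rule save file versus the
# empty-after-boot ruleset the poster described. Returns 0 when both the
# positive and the negative case behave as expected.
selftest() {
    d=$(mktemp -d) || return 1
    cat > "$d/save" <<'EOF'
# Generated by iptables-save (constructed sample, not from the thread)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
    cat > "$d/empty" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
    rc=1
    if rules_loaded "$d/save" "$d/save" && ! rules_loaded "$d/save" "$d/empty"; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

case "${1:-}" in
    apply)   # run as root: install the drop-in and restart the unit
        write_override "$OVERRIDE_DIR"
        systemctl daemon-reload
        systemctl restart webmin-iptables.service
        systemctl --no-pager status webmin-iptables.service
        ;;
    check)   # run as root after a boot: compare saved vs live legacy ruleset
        live=$(mktemp)
        /sbin/iptables-legacy-save > "$live"
        if rules_loaded "$SAVE_FILE" "$live"; then
            echo "rules loaded"
        else
            echo "rules MISSING: run 'journalctl -b -u webmin-iptables.service'"
        fi
        rm -f "$live"
        ;;
    selftest)
        selftest && echo "selftest passed"
        ;;
esac
```

Run `sh fix-webmin-iptables.sh selftest` anywhere to exercise the check on the constructed data, `apply` as root to install the drop-in, and `check` as root after the next reboot. The drop-in only replaces ExecStart; if you also want ExecStop to flush the same backend it loads, override it with the iptables-legacy binaries in the same file. Changing the webmin-ip6tables unit, which the poster edited as well, follows the same pattern with ip6tables-legacy-restore.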