Iptables not loading after boot

jfinnall · September 13, 2023, 6:50pm

SYSTEM INFORMATION
Ubuntu 22.04 Server	REQUIRED
2.102	REQUIRED

After a system boot, all of the iptables are empty. I can load webmin and apply the rules manually OK. The reported file for the rules is valid and contains the proper contents. So I thought something else was flushing all the tables. Removed the app “ufw” to no avail. Have not found anything that would be able to flush the tables. So I reviewed the syslog after a boot sequence. I did not see anything else trying to load any rules. But I did find the following messages.

Sep 12 16:39:52 tmgemail systemd[1]: webmin-iptables.service: Main process exited, code=exited, status=4/NOPERMISSION

Sep 12 16:39:52 tmgemail systemd[1]: webmin-iptables.service: Failed with result ‘exit-code’.

Sep 12 16:39:52 tmgemail systemd[1]: Failed to start Load iptables save file.

So I reviewed the systemd config files. The load operation simply calls iptables-legacy-restore with redirected input from the saved file. The command executes just fine when I attempt at the command prompt.

So what permissions do I need to enable for webmin service to load iptables from systemd when the system boots up?

Thank you for your consideration,
James

ID10T · September 13, 2023, 7:08pm

Not much help but I’m wondering why you rebooted? I’ve had a couple security updates of the kernel lately and had to reboot.

jfinnall · September 13, 2023, 8:03pm

The same here, security updates.
James

jfinnall · September 14, 2023, 3:35pm

Follow up: I discovered I can

root@tmgemail:~# systemctl start webmin-iptables
root@tmgemail:~# systemctl status webmin-iptables
● webmin-iptables.service - Load iptables save file
Loaded: loaded (/lib/systemd/system/webmin-iptables.service; enabled; vendor preset: enabled)
Active: active (exited) since Thu 2023-09-14 10:58:47 EDT; 37s ago
Process: 45507 ExecStart=/bin/sh -c /sbin/iptables-legacy-restore </etc/webmin/firewall/iptables.save (code=exited, status=0/SUCCESS)
Main PID: 45507 (code=exited, status=0/SUCCESS)
CPU: 9ms

Sep 14 10:58:47 tmgemail systemd[1]: Starting Load iptables save file…
Sep 14 10:58:47 tmgemail systemd[1]: Finished Load iptables save file.

No permission problems here executing manually. Just during the boot cycle it appears.
James

Ilia · September 14, 2023, 4:05pm

You shouldn’t use iptables directly. Webmin has support for FirewallD module which will handle it all correctly for you.

What is this webmin-iptables.service anyway? What is the output of the following command on your system:

cat /lib/systemd/system/webmin-iptables.service

jfinnall · September 14, 2023, 4:45pm

Thank you for your response. Webmin provides support for many distros and various software applications. FirewallD is from RedHat. This server is Ubuntu based and does not include FriewallD by default.

The file you requested is below.

root@tmgemail:~# cat /lib/systemd/system/webmin-iptables.service
[Unit]
Description=Load iptables save file

[Service]
ExecStart=/bin/sh -c ‘/sbin/iptables-legacy-restore </etc/webmin/firewall/iptables.save’
ExecStop=/sbin/iptables -t filter -F ; /sbin/iptables -t nat -F ; /sbin/iptables -t mangle -F ; /sbin/iptables -t filter -P INPUT ACCEPT ; /sbin/iptables -t filter -P OUTPUT ACCEPT ; /sbin/iptables -t filter -P FORWARD ACCEPT ; /sbin/iptables -t nat -P PREROUTING ACCEPT ; /sbin/iptables -t nat -P POSTROUTING ACCEPT ; /sbin/iptables -t nat -P OUTPUT ACCEPT ; /sbin/iptables -t mangle -P PREROUTING ACCEPT ; /sbin/iptables -t mangle -P OUTPUT ACCEPT
Type=oneshot
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Thanks,
James

Ilia · September 14, 2023, 5:10pm

Yes, it does not. However it takes no effort to install it using apt-get install firewalld command. We do it for all Virtualmin users, and it does the job in much simpler and more reliable way.

Also, if you want a super fancy and powerful firewall, which can replace both FirewallD and Fail2Ban, consider using ConfigServer Security & Firewall, as Webmin with Authentic Theme has very good support for it.

I assume this is something was created manually.

jfinnall · September 14, 2023, 5:13pm

No, I did not create the service myself. It was created by Webmin.

ID10T · September 14, 2023, 5:37pm

How old is the system? Was it upgraded from previous versions? Did you install via Virtualmin or webmin?
https://sourceforge.net/p/webadmin/bugs/5475/

jfinnall · September 14, 2023, 5:51pm

Ubuntu 22.04 LTS fresh install in fall of 2022. I installed webmin. Never heard of virtualmin until this website two days ago. This server was a replacement for another server that I have operated for many years. The system would load the tables correctly until about two months ago. So we just loaded them manually. But since it has not been fixed so I am now investigating the problem.

ID10T · September 14, 2023, 5:53pm

OK. Strange that the first thing that appeared in a search was that link saying this problem was fixed in 2021.

jfinnall · September 14, 2023, 6:41pm

The bug report link you provided was in regard to a locking issue. My error messages did not reference any locking issues. However, when I checked the service files they did not include the -w option at all. So I added “-w 10” in both the ip and ip6 service files. My thought is maybe it is the same problem but not reporting the error the same way. So include the change and see if it helps or not.

system · November 13, 2023, 6:42pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.