In the Webmin Linux Firewall module I was manually adding rules, and when I tried to add a State Established rule I would get an error when trying to apply the configuration. I figured that I had done something and added rules that conflicted in some way, so I reset the firewall, which cleared out the iptables file and took me to the initial setup page.
Here I selected:
"Block all except ports used for virtual hosting, on interface"
and selected venet0 as the interface.
Clicked Setup Firewall.
The page with all the pre-configured rules appeared.
I clicked Apply Configuration and got an error again!
This is the iptables file that was generated:
# Generated by iptables-save v1.2.11 on Tue Jan 15 05:39:43 2008
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jan 15 05:39:43 2008
# Generated by iptables-save v1.2.11 on Tue Jan 15 05:39:43 2008
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i venet0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Allow connections to webserver
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow SSL connections to webserver
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow connections to mail server
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# Allow connections to FTP server
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
# Allow connections to POP3 server
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# Allow connections to IMAP server
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# Allow connections to Webmin
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
# Allow connections to Usermin
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
COMMIT
# Completed on Tue Jan 15 05:39:43 2008
# Generated by iptables-save v1.2.11 on Tue Jan 15 05:39:43 2008
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Jan 15 05:39:43 2008
I tried again by starting over with everything open and adding State Established as the only rule, and that gets an error too.
So what is wrong?
Could this be a kernel issue?
This is on:
webmin 1.390
CentOS 4.6
kernel 2.6.9-023stab044.4-enterprise
iptables 1.2.11
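Webmin only reports that iptables-restore failed, which makes it hard to tell which rule the kernel refused. The script below is an added example (not part of the original post and not Webmin's own code): it pulls the -A lines out of an iptables-save dump and feeds them to iptables one at a time into a scratch chain, so the first rule that fails, and the kernel's exact error text, stand out. The sample dump embedded in it is a constructed, trimmed copy of the file above; the chain name bisect_test is an arbitrary choice. The try_rule function needs root and a working iptables binary on the box itself; the parsing functions run anywhere.

```shell
#!/bin/sh
# Bisect an iptables-save dump: apply each -A rule individually into a
# scratch chain and report which ones the running kernel rejects.

# Constructed sample dump, trimmed from a Webmin-generated ruleset (not real output).
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT ! -i venet0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
COMMIT'

# rules_in_table DUMP TABLE: print the -A rule lines belonging to one table
# (filter, nat, mangle), in file order. Comment lines and chain policies are skipped.
rules_in_table() {
    printf '%s\n' "$1" | awk -v want="*$2" '
        /^\*/ { intable = ($0 == want); next }
        intable && /^-A / { print }
    '
}

# state_rules DUMP: count the filter-table rules that need the conntrack state
# match (the "-m state" extension, which requires kernel-side ip_conntrack/ipt_state).
state_rules() {
    rules_in_table "$1" filter | grep -c -- '-m state '
}

# try_rule RULE: insert one rule into a throwaway chain and print OK or FAIL with
# the error iptables gives. The chain name is rewritten so the live INPUT/FORWARD/
# OUTPUT chains are never touched. Needs root and iptables on the target host.
try_rule() {
    chain=bisect_test
    iptables -N "$chain" 2>/dev/null
    rule=$(printf '%s' "$1" | sed "s/^-A [^ ]* /-A $chain /")
    if err=$(eval "iptables $rule" 2>&1); then
        echo "OK   $1"
    else
        echo "FAIL $1"
        echo "     $err"
    fi
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
}

# Usage on the firewall host, as root:  sh bisect.sh /etc/sysconfig/iptables
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    rules_in_table "$(cat "$1")" filter | while IFS= read -r r; do
        try_rule "$r"
    done
fi
```

If only the two "-m state" rules come back FAIL while the tcp, udp and icmp rules succeed, the userspace iptables is fine and the kernel simply lacks the connection-tracking match. On an OpenVZ container kernel (the -stab kernels, with venet0 as the public interface) the set of netfilter modules a container may use is configured from the hardware node with vzctl's --iptables option, which is worth checking with the hosting provider before suspecting Webmin.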