Please help troubleshoot IPtables issue

I am having problems with iptables, so I have two questions:

A) What exactly (in command line speak) does the “Revert Configuration” button do?

B) Where does this screen read the rules displayed from?

If you would like to really find out what is going on, please read up here to catch up.

Thank you.

Howdy,

A) What exactly (in command line speak) does the “Revert Configuration” button do?

The firewall configuration you see on the “Linux Firewall” page isn’t actually active until you hit “Apply Configuration”.

So, hitting the “Revert” button undoes all the changes that have been added to that screen, and the existing rules from the rules file are displayed in their place.

B) Where does this screen read the rules displayed from?

Underneath where it says “Linux Firewall”, it says “Rules File”. That rules file, in your case, is /etc/sysconfig/iptables.

-Eric

Howdy,

I’m unfortunately not familiar with Atomic Secure Linux, so I’m not sure how exactly it handles things such as firewalling.

However, firewall rules would need to be stored somewhere, or else they wouldn’t persist across a reboot.

Iptables comes with a script named “iptables-save” which saves the iptables rules, and iptables-restore which restores them. Most distros use those to generate the rules files, and read from that file while booting up.

You can change the rule file Webmin uses by going into Webmin -> Networking -> Linux Firewall -> Module Config -> System Configuration, and setting the “IPtables save file to edit” option.

-Eric

In ASL (it is NOT a distro, but a suite of security enhancements, including a kernel) the rules are stored in the kernel.

If I check “Directly edit firewall rules instead of save file” where will it read the active rules from?

Hmm, the kernel doesn’t store things – the kernel is something that resides in RAM.

If something is going to persist across a reboot, it has to be stored in a file somewhere.

I would assume that “Directly edit firewall rules instead of save file” would read the rules directly using the iptables commands. So if you don’t know where the rules are being stored, you could always try that option.

-Eric

According to the creator of ASL, it does read the rules from the kernel. See the 4th post in
https://www.atomicorp.com/forum/viewtopic.php?f=3&t=6153&p=35375

Thanks Eric.

Atomic Secure Linux doesn't use a rule file. Please read more about it here.

Maybe you can help me figure out what has happened. Webmin was reporting almost all the loaded (inserted and active, via ASL) firewall rules, but some more recent ones were not shown. I didn't change a thing on the webmin screen (as I don't manage the firewall via webmin), and I thought that by hitting “Revert Configuration” it would load up what were the active rules and thus be in sync with what ASL displays as active rules.

But that was not the case. The button actually flushed the entire firewall configuration even though in the worst case, AFAIU, it should have not changed a thing: wasn't it supposed to apply from /etc/sysconfig/iptables, since that was what it was showing in the first place (and was not modified)?

Side question: since ASL is where firewall is managed in my system, is it possible to modify where webmin reads the rules from? Maybe it should, as suggested by the creator of ASL, “be looking at the actual firewall state and not at a file”.

Thanks again.

I think what he means is that ASL doesn’t handle loading the iptables rules itself.

Somehow, the kernel has to be told what rules to use. And the kernel can’t remember things across a reboot.

Distros handle that by having a rules file.

I’m sure there is a rules file somewhere on your server.

-Eric

they said “There is no single file containing all the rules, but for custom rules (IE done through ASL Web) it uses /etc/asl/firewall/running.fw. You will not see the dynamic rules in that, for the same reason that we did not use /etc/sysconfig/iptables (permanency). The dynamic and complex (MTA, etc) rules are populated from separate databases, they load from the asl-firewall script.”

also, they said “The ideal way to view all the running (loaded) rules is with iptables-save, and if you want that in a file just redirect the output into one.”

Does webmin read from iptables-save when “Directly edit firewall rules instead of save file” is checked?
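Following the advice above to dump the live rules with iptables-save, here is an added example (not code from the thread, from Webmin or from ASL) that compares such a dump with a save file like /etc/sysconfig/iptables, so a stale save file is noticed before something like “Revert Configuration” reloads it over the live rules. It assumes the two inputs are plain iptables-save style files; the sample dumps at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: compare the kernel's running
# ruleset (as dumped by iptables-save) with a save file such as
# /etc/sysconfig/iptables, so a stale file is noticed before something
# like "Revert Configuration" reloads it over the live rules.

# Drop comment lines (timestamps change every run) and per-chain
# packet/byte counters, then sort, so only real rule differences remain.
normalize_rules() {
  grep -v '^#' "$1" | sed 's/ \[[0-9]*:[0-9]*\]$//' | LC_ALL=C sort
}

# Print rules only in the running set ("+ ") or only in the save file
# ("- "). Exit status 0 when the two are in sync, 1 when they differ.
ruleset_drift() {
  tmp_r=$(mktemp); tmp_s=$(mktemp)
  normalize_rules "$1" > "$tmp_r"
  normalize_rules "$2" > "$tmp_s"
  comm -23 "$tmp_r" "$tmp_s" | sed 's/^/+ /'
  comm -13 "$tmp_r" "$tmp_s" | sed 's/^/- /'
  if cmp -s "$tmp_r" "$tmp_s"; then rc=0; else rc=1; fi
  rm -f "$tmp_r" "$tmp_s"
  return $rc
}

# Constructed sample dumps (not real output from any system): the running
# ruleset carries one dynamically added DROP that the save file lacks.
RUNNING_DUMP=$(mktemp); SAVED_DUMP=$(mktemp)
cat > "$RUNNING_DUMP" <<'EOF'
# Generated by iptables-save on Mon Jan  1 00:00:00 2024
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [300:24000]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j DROP
COMMIT
EOF
cat > "$SAVED_DUMP" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
ruleset_drift "$RUNNING_DUMP" "$SAVED_DUMP" || echo "save file is out of sync"
```

On a real host, run `iptables-save > /tmp/running.fw` as root and then `ruleset_drift /tmp/running.fw /etc/sysconfig/iptables`; a non-zero exit means the file Webmin would reload does not match what the kernel is enforcing.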

“There is no single file containing all the rules, but for custom rules (IE done through ASL Web) it uses /etc/asl/firewall/running.fw. You will not see the dynamic rules in that, for the same reason that we did not use /etc/sysconfig/iptables (permanency). The dynamic and complex (MTA, etc) rules are populated from separate databases, they load from the asl-firewall script.”

Okay, that makes more sense!

Does webmin read from iptables-save when “Directly edit firewall rules instead of save file” is checked?

I unfortunately don’t know the answer to that… I would think that it would either query iptables directly, or call iptables-save to obtain that information. I don’t know which.

It probably wouldn’t matter though, as each would accomplish the same goal (which is to directly edit the firewall rules that are in use).

Does that setting work for you?

-Eric

Unfortunately I am not yet sure. It is hard to get Atomic Secure Linux (Atomicorp) people to be TRULY helpful. It seems they get a kick out of making you work hard to solve your problems.

It does read the active config, but I am going to leave it reading /etc/sysconfig/iptables since I don't manage the firewall via webmin.

As usual, the forums are so helpful here. Thank you again Eric!