Webmin firewall rules, what file to edit and how to add permanent whitelist rules


To keep my server secure I make use of Webmin > Networking > Linux Firewall (IP tables). Also, I make use of Fail2Ban which automatically adds temporary bans to the firewall.

My current webmin IP tables systemen configuration settings are:

IP tables save file to edit: ‘Use operating system or webmin default’
Directly edit firewall rules inestad of save file? ‘Yes’

However, as soon as I restart my server, my custom rules are deleted and a default setup is reloaded. For example, I add a rule (in Webmin) to always allo IP x.x.x.x over TCP protocol. Works great, but when I restart server, it`s gone.

The actual rules file shown in Webmin is: /etc/iptables.up.rules , however, previously I used another file which was the default webmin setting. But that files seemed to be overruled, even without server restarts. I gues whenever fail2ban changes the rules.

So basically, my question is: how can I add permanent rules to the firewall, preferably from webmin?


Once you click “Apply configuration” all the rules should stay permanently even after server restart and f2b doesnt have anything to do with that. If you restart the server f2b will build again all the rules and banned IP’s if there is any.
One of the reason your iptables get reset after each server restart it could be that your host set up your server in this way, but this only apply to VPS.

Thanks for the quick reply! Currently I do not have an Apply Configuration button, only ‘Save configuration’ . This is since I enabled live editing of iptables rules instead of using a differten file.

I get your point and Ill contact the host if they know more about it, Im on a VPS indeed.

What still makes no sense to me:

  • Previously I would add my rules via Webmin, and click ‘Apply configuration’
  • The rule was applied and the whitelist rule did work

A couple days later (without the server being restarted) the customer complaint again about begin blocked. I checked firewall and his IP was still in the overview in webmin. Then I clicked apply configuration again and he was able to access again. This makes no sense to me at all, but maybe I`m missing something…?

So, I figured out what happens. Actually, my custom added rules are being added, even after restart. But what happens is that the fail2ban rules are added on TOP of the list. So, this very first firewall rule after restart always is: “jump to chain fail2ban-protocol”

Is there a way to add rules above the fail2ban rules, or should I add exceptions in the fail2ban configuration to not BAN certain IP adresses?

From experience I use terminal editor to do the dirty job related to iptables.

Do not forget to save your iptables rules when you shutdown and restore them at boot (if-pre-up.d, if-post-down.d directory). I have a special folder where I keep rules files with date and time.

As a tip I am using xtables-addons being able to have geoip and psd modules, plus CHAOS target. I am using ipset to keep my tons of banned IP list, and for speed.

@marceld202: The whole point of f2b is to ban IP before it hit anything else on the server and if you change that then all meaning of f2b is gone. Maybe you should check the rules inside f2b and see if you can adjust them e.g. put more failed attempts before banning IP’s.

If you want to whitelist some IP’s in f2b then edit jail.conf (or jail.local) and in "ignoreip = " line add IP what you want to whitelist.

Thanks everyone!

@Diabolico, thanks for pointing out that f2b is not meant to be overruled by firewall rules. I now added the exceptions to the jail.local file and this works, even after restart of server.


How did you configure your firewall? I’m newbie, but want to protect my domyhomework4me website. Maybe you can share by some tips of guides?