
#5175 Linux Firewall: cannot add connection state related,existing to filter

Milestone: 1.890
Status: closed-fixed
Labels: None
Priority: 7
Updated: 2018-11-17
Created: 2018-08-07
Private: No

I'm using Ubuntu Linux 16.04.5. In the Linux Firewall module, in Packet Filtering, I'm getting the following error on multiple installations of the latest Ubuntu 16 when I attempt to add a filter rule allowing anything with connection state established/related:

WARNING! Your current IPtables configuration is invalid : iptables-restore v1.6.0: conntrack: At least one option is required Error occurred at line: 6

It converts the rule I attempted to Accept->Always without any filter parameters.

Our limited-technical staff normally adds firewall rules using the Webmin Firewall interface, so this is troublesome for us.

2 Attachments

Discussion

  • Christian Nill - 2018-08-09

    I found exactly the same issue in Webmin. Adding these firewall rules manually from the shell works great, and after a reload the rule is shown correctly in Webmin, but if I try to edit the rule it shows the EXISTING,RELATED (as an example) as ignored and nothing is selected.

    Greetings

  • Jamie Cameron - 2018-08-11

    I don't think EXISTING is a valid iptables state according to https://linux.die.net/man/8/iptables

    • Christian Nill - 2018-08-11

      I'm sorry, my mistake. I mean ESTABLISHED, not EXISTING.

      Greetings

  • Jamie Cameron - 2018-08-11

    Are you on Webmin 1.890 or 1.891 there? They should support the conntrack IPtables module properly.

    • Christian Nill - 2018-08-12

      I'm on Webmin 1.890

  • Jamie Cameron - 2018-08-12

    What does the uname -r command output on your system? That will show the kernel version Webmin is looking at.

  • David G. North, CCP

    I also am seeing this issue in 1.890.
    'uname -r' reports 4.9.0-3-amd64
    For me, adding the rules from the shell would render correctly when using "-m state --state ESTABLISHED" but not if using "-m conntrack --ctstate ESTABLISHED"

    There is a "@known_args" array at around line 24 of firewall4-lib.pl and firewall6-lib.pl which is missing the newly supported '--ctstate' option. I added that option into those array initializers and this problem is resolved locally for me.

  • Kaboom - 2018-09-10

    I also have this issue on 1.890
    uname -r shows 4.4.0-134-generic

  • James J. Forsyth

    I have this on 1.890 as well.
    My 'uname -r' reports "4.9.0-8-amd64".

    The fix suggested by David of adding the '--ctstate' option to the "@known_args" array in the firewall4-lib.pl and firewall6-lib.pl files also worked for me. I added it to the files in both the firewall and firewall6 directories.
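The failure David and James describe (a front end whose known-option table lacks `--ctstate`, so the option is silently dropped and only a bare `-m conntrack` reaches iptables-restore) is reproduced below in a small model. This is an added example, not Webmin's Perl code; the option tables, the two-tokens-per-option assumption and the sample rule are constructed for illustration.

```python
import shlex

# Constructed option table, modelled on a front end that only keeps options it
# knows about. Every option here is assumed to take exactly one value.
KNOWN_ARGS_BEFORE = {"-A", "-p", "-s", "-d", "-i", "-o", "-j", "-m",
                     "--state", "--dport", "--sport"}
# The same table with the conntrack match's option added (the fix from the thread).
KNOWN_ARGS_AFTER = KNOWN_ARGS_BEFORE | {"--ctstate"}

def parse_rule(rule, known_args):
    """Split an iptables rule into (option, value) pairs.

    Options absent from known_args are dropped together with their value,
    which is how a rule loses its state filter without any error being raised.
    Returns (kept_pairs, dropped_options)."""
    tokens = shlex.split(rule)
    kept, dropped = [], []
    for i in range(0, len(tokens), 2):
        opt = tokens[i]
        val = tokens[i + 1] if i + 1 < len(tokens) else None
        if opt in known_args:
            kept.append((opt, val))
        else:
            dropped.append(opt)
    return kept, dropped

def render_rule(pairs):
    """Re-emit the kept pairs as an iptables-save style rule line."""
    return " ".join(f"{o} {v}" for o, v in pairs)

def conntrack_error(pairs):
    """Mimic the iptables-restore check quoted in the ticket: a conntrack match
    that carries no option is rejected. Returns the message or None."""
    if ("-m", "conntrack") in pairs and "--ctstate" not in [o for o, _ in pairs]:
        return "conntrack: At least one option is required"
    return None

def round_trip(rule, known_args):
    """Parse, re-render and validate a rule; returns (rendered, dropped, error)."""
    kept, dropped = parse_rule(rule, known_args)
    return render_rule(kept), dropped, conntrack_error(kept)

if __name__ == "__main__":
    rule = "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    print(round_trip(rule, KNOWN_ARGS_BEFORE))  # option dropped, error raised
    print(round_trip(rule, KNOWN_ARGS_AFTER))   # rule survives intact
```

The older `-m state --state ESTABLISHED` form survives both tables, which matches David's observation that only the conntrack spelling was mangled.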

  • Jamie Cameron - 2018-09-12
    • status: open --> closed-fixed
    • assigned_to: Jamie Cameron

  • Jamie Cameron - 2018-09-12

    Yeah, the incorrect use of ctstate in Webmin is the cause. This will be fixed in the next major release.

  • Claudio Nicora - 2018-11-17

    Just updated to 1.900 but this bug is still there.
    Ubuntu server 18.04.1-x64

    # uname -r
    4.15.0-42-generic

    PS: posted a more detailed message here: https://github.com/webmin/webmin/issues/948


    Last edit: Claudio Nicora 2018-11-17
