From: Joaquim H. <jo...@we...> - 2019-06-26 10:17:32
Just installed Webmin "fresh" 1.910 on an Ubuntu 18.04.LTS system.

I used an iptables.up.rules file from another fairly similar system with iptables-restore, but it didn't look quite right in Webmin.

So then I used Webmin to "Reset firewall" and told it to use the "Block all except ports used for virtual hosting, on interface" defaults.

Everything looked fine except for two "ACCEPT" rules that were at the beginning of the list. Their comments indicate that these were the rules to accept established/related. The only problem is that there were *no* parameters/conditions set for the rule(s), so they basically ended up being "blank ACCEPT" rules.

I've never seen this in Webmin before, but I can repeat it at will by choosing to "reset firewall".

-joho

From: Joaquim H. <jo...@we...> - 2019-09-24 05:53:34
Looking at this some more, the following two rules:

-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT

Will make Webmin display two "Accept always" entries.

Clicking on them, to edit, displays the same, i.e. "Accept" (with no conditions).

This is with Webmin 1.930 now.

-joho

On 2019-06-26 12:01, Joaquim Homrighausen wrote:
>
> Just installed Webmin "fresh" 1.910 on an Ubuntu 18.04.LTS system.
>
> I used an iptables.up.rules file from another fairly similar system
> with iptables-restore, but it didn't look quite right in Webmin.
>
> So then I used Webmin to "Reset firewall" and told it to use the
> "Block all except ports used for virtual hosting, on interface" defaults.
>
> Everything looked fine except for two "ACCEPT" rules that were at the
> beginning of the list. Their comments indicate that these were the
> rules to accept established/related. The only problem is that there
> were *no* parameters/conditions set for the rule(s), so they basically
> ended up being "blank ACCEPT" rules.
>
> I've never seen this in Webmin before, but I can repeat it at will by
> choosing to "reset firewall".
>
> -joho

From: Andrey R. <anr...@ya...> - 2019-09-24 17:35:13
Greetings, Joaquim Homrighausen!

> Looking at this some more, the following two rules:
>
> -A INPUT -m state --state ESTABLISHED -j ACCEPT
> -A INPUT -m state --state RELATED -j ACCEPT
>
> Will make Webmin display two "Accept always" entries.
>
> Clicking on them, to edit, displays the same, i.e. "Accept" (with no conditions).
>
> This is with Webmin 1.930 now.

Please replace "state" with "conntrack"/"ctstate" as appropriate.

--
With best regards,
Andrey Repin
Tuesday, September 24, 2019 20:24:07

Sorry for my terrible english...

From: Dave O. <da...@sy...> - 2019-09-26 15:40:42
Quick fix, edit /etc/sysconfig/iptables and make those lines look like this:

# Allow incoming data that is part of a connection we established
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m conntrack --ctstate RELATED -j ACCEPT

Now webmin displays them correctly

Dave

From: Joaquim Homrighausen [mailto:jo...@we...]
Sent: Monday, September 23, 2019 10:53 PM
To: web...@li...
Subject: Re: [webmin-l] Strange "iptables reset" behavior in 1.910

Looking at this some more, the following two rules:

-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT

Will make Webmin display two "Accept always" entries.

Clicking on them, to edit, displays the same, i.e. "Accept" (with no conditions).

This is with Webmin 1.930 now.

-joho

On 2019-06-26 12:01, Joaquim Homrighausen wrote:

Just installed Webmin "fresh" 1.910 on an Ubuntu 18.04.LTS system.

I used an iptables.up.rules file from another fairly similar system with iptables-restore, but it didn't look quite right in Webmin.

So then I used Webmin to "Reset firewall" and told it to use the "Block all except ports used for virtual hosting, on interface" defaults.

Everything looked fine except for two "ACCEPT" rules that were at the beginning of the list. Their comments indicate that these were the rules to accept established/related. The only problem is that there were *no* parameters/conditions set for the rule(s), so they basically ended up being "blank ACCEPT" rules.

I've never seen this in Webmin before, but I can repeat it at will by choosing to "reset firewall".

-joho
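
The substitution suggested in the replies above, applied to a whole rules file, as an added example (not code from the thread or from Webmin). It assumes iptables-save format; the function names and the sample ruleset are made up for illustration, and text inside quoted --comment strings is left untouched.

```python
import re

# Quoted strings (e.g. --comment "...") are split out so they are never rewritten.
_QUOTED = re.compile(r'("(?:[^"\\]|\\.)*")')
# "-m state [!] --state LIST": the legacy match and its state list.
_STATE = re.compile(r"-m\s+state\s+(!\s+)?--state\s+(\S+)")


def convert_rule(line):
    """Rewrite one iptables-save rule line to the conntrack match."""
    if not line.lstrip().startswith(("-A ", "-I ")):
        return line  # comments, *table, :CHAIN policy lines and COMMIT pass through
    parts = _QUOTED.split(line)
    for i in range(0, len(parts), 2):  # even indexes are the unquoted segments
        parts[i] = _STATE.sub(
            lambda m: "-m conntrack %s--ctstate %s" % (m.group(1) or "", m.group(2)),
            parts[i],
        )
    return "".join(parts)


def convert_ruleset(text):
    """Return (converted_text, changes); changes lists (line_no, old, new)."""
    out, changes = [], []
    for no, old in enumerate(text.splitlines(), start=1):
        new = convert_rule(old)
        if new != old:
            changes.append((no, old, new))
        out.append(new)
    return "\n".join(out) + "\n", changes


# Constructed sample; the ESTABLISHED and RELATED rules are the ones quoted in the thread.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -m state --state INVALID -m comment --comment "old: -m state --state INVALID" -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    converted, changes = convert_ruleset(SAMPLE)
    for no, old, new in changes:
        print("line %d:\n  - %s\n  + %s" % (no, old, new))
```

Write the converted text to a copy of the rules file and check it with iptables-restore --test before loading it.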