IP Table Configuration Error in Webmin

#1 Sun, 03/22/2009 - 04:38
rduval

I tried to add iptables using the Webmin interface on a CentOS 5.2 machine running on an OpenVZ server and got the following error: [code:1]Failed to apply configuration :

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 61 failed
Warning: wierd character in interface `venet0:0' (No aliases, :, ! or *).
[FAILED] [/code:1]

I selected the interface from the Webmin dropdown box so it's not like I typed it wrong.

Any ideas?

Sun, 03/22/2009 - 04:40
rduval

I also tried it using venet0 and basically got the same thing:
[code:1]Failed to apply configuration :

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 61 failed
[FAILED]

[/code:1]

Sun, 03/22/2009 - 08:23 (Reply to #2)
andreychek

Hrm, I'm not sure if this is a problem with what Virtualmin is trying to setup, or if it's a problem with the underlying iptables scripts in CentOS.

Unless Joe or someone else has a thought, I might suggest filing a bug report (using the Bugs and Issues link below), and maybe Jamie can offer some advice on how to resolve it.
-Eric

Mon, 03/23/2009 - 03:41 (Reply to #3)
rduval

<div class='quote'>I guess the bug would be that Webmin is offering interfaces that are merely virtual interfaces, which iptables doesn't deal with.</div>

Points taken. But apparently, iptables does work with virtual interfaces according to the OpenVZ wiki at http://wiki.openvz.org/Setting_up_an_iptables_firewall and with Virtual Machines becoming so popular and OpenVZ in particular it might be something to be addressed in Webmin.

I love Webmin because I'm not always comfortable working at a command line level for certain things. For those of us who aren't sure which packages to remove without breaking things and then having to rebuild, iptables is an easy way to block access to anything that we're not using even though it may be running on the machine.

One other point, according to what I've read there's no reason why iptables wouldn't accept venet0 or venet0:0 so it seems that it is a Webmin thing and not an iptables issue. Maybe I'm wrong but it seems like that to me.

Again, thanks for the info and for the amazing software.

Mon, 03/23/2009 - 03:55 (Reply to #4)
andreychek

Yeah, if the iptables script works from the command line, it should work within Webmin.

We certainly appreciate wanting to stick to the web interface -- that's the reason for having goodies like Webmin and Virtualmin.

If you have a chance, although Jamie closed out your task, it might be helpful to still attach the iptables script he was asking for -- we can look at line 61 of the saved iptables info and verify the problem.

The script in question is located here:

/etc/iptables-save

Could you either post that to the Bug Report, or just attach it to this forum post?

Thanks,
-Eric

Mon, 03/23/2009 - 10:38 (Reply to #5)
rduval

Here's the file, but it's a binary (I think) and it was in /sbin/; there's nothing in /etc/.

Mon, 03/23/2009 - 10:41 (Reply to #6)
andreychek

If it's located in /sbin/ it's not the right one :-)

There is a text file somewhere containing the rules; I'm not overly familiar with it, as I use another tool called shorewall to handle that, so I might be using the wrong filenames.

Poking around on Google, I see this particular file mentioned for storing iptables rules:

/etc/sysconfig/iptables

Does that exist on your system?
-Eric

Mon, 03/23/2009 - 10:41 (Reply to #7)
rduval

oops, I zipped it so hopefully it will take it now... [file name=iptables_save.zip size=27600]http://www.virtualmin.com/components/com_fireboard/uploaded/files/iptabl...

Sun, 03/22/2009 - 10:02
rduval

I filed a bug report as you suggested but hoping there is a workaround. Right now the whole machine is wide open.

Sun, 03/22/2009 - 10:16 (Reply to #9)
andreychek

Like yourself, I run firewall software on my machine.

However, that isn't to prevent people from getting to a service I have running -- it's to make sure nothing ever starts up on the machine that I don't expect.

When I setup a new Virtualmin server, the first thing I do is remove every service I don't need.

At that point, the machine isn't running any software that a firewall is protecting -- as the firewall is configured to allow connections to everything on the box.

What the firewall gets me at that point is protection from a new service being launched that I'm not aware of. For example, some rootkits launch an ssh server on a high port. Or perhaps a user will launch a daemon, thinking it's a good idea -- but things like that can often end badly :-)

The firewall protects from unexpected things like that.

In my opinion, a firewall is a great portion of the "security in layers" concept, but the absence of one isn't necessarily the biggest of security concerns.

My first concern would be to remove any service that doesn't need to be running. And my second concern would be to make sure every piece of software running on the box is up to date (and that includes web applications).

Again, I like firewalls, but they're only one piece of the puzzle!

Just some thoughts :-)
-Eric

Sun, 03/22/2009 - 11:35 (Reply to #10)
Joe

<div class='quote'>Right now the whole machine is wide open.</div>

You're assuming firewalls are magic. Your machine will always be wide open for the services you provide to the world (web, mail, etc.), and if you aren't providing a service, there should be nothing on the port at all...so a firewall is of very limited utility in a world-facing server. Eric has pointed out the occasions where it <i>is</i> useful...but it's primarily a benefit for reducing the value of your server as a target rather than preventing attacks.

The workaround is to choose a real interface rather than an alias (this is an iptables thing...you can't use eth0:1, for example...you must use eth0), or identify using some other mechanism like destination IP or destination port. I guess the bug would be that Webmin is offering interfaces that are merely virtual interfaces, which iptables doesn't deal with.

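As an added example (not code from this thread, from Webmin or from Virtualmin), here is a small POSIX shell script that does the check Eric asks for and applies the workaround Joe describes. It scans a file in iptables-save format (such as /etc/sysconfig/iptables on CentOS) for -i/-o arguments that name an interface alias, reports the line number so it can be matched against the "line 61 failed" message, and rewrites each alias to its parent interface. The ruleset it writes is a constructed sample, not the poster's attachment; the function names and the temporary-file handling are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from Webmin/Virtualmin.
# Checks an iptables-save format file for interface aliases (eth0:1,
# venet0:0), which iptables refuses in -i/-o, and rewrites them to the
# parent interface so the file loads with iptables-restore.

# Print "LINE:IFACE" for every -i/-o argument that contains ':'.
# The line number is the one iptables-restore reports on failure.
find_alias_ifaces() {
    awk '{
        for (i = 1; i < NF; i++)
            if (($i == "-i" || $i == "-o") && index($(i + 1), ":") > 0)
                printf "%d:%s\n", NR, $(i + 1)
    }' "$1"
}

# Rewrite each alias to its parent interface (venet0:0 -> venet0) and
# print the result; every other token is left as it is.
strip_alias_ifaces() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "-i" || $i == "-o")
                sub(/:.*/, "", $(i + 1))
        print
    }' "$1"
}

# Constructed sample ruleset (not the poster's attachment): a default-deny
# INPUT policy that admits only the services this host provides, plus one
# rule naming the alias venet0:0 the way Webmin generated it.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i venet0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i venet0:0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i venet0 -p tcp --dport 10000 -j ACCEPT
COMMIT
EOF
}

# Demonstration on the sample; on a real host pass /etc/sysconfig/iptables
# to the two functions instead of the temporary file.
demo() {
    rules=$(mktemp) || return 1
    write_sample_rules "$rules"
    echo "Alias interfaces found (line:interface):"
    find_alias_ifaces "$rules"
    echo "Corrected ruleset:"
    strip_alias_ifaces "$rules"
    rm -f "$rules"
}

demo
```

An alias such as venet0:0 is only an additional address on venet0, so after the rewrite a rule that was meant for that address alone needs a -d <address> match to stay as specific as before; the script deliberately does not guess that address. Feed the corrected output to iptables-restore and check its exit status before copying it over the saved ruleset.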