In the Webmin Linux firewall module I was manually adding rules, and when I tried to add a State Established rule I would get an error when trying to apply the configuration. I figured that I had done something and added rules that conflicted in some way, so I reset the firewall, which cleared out the iptables file and took me to the initial setup page.
Here I selected:
"Block all except ports used for virtual hosting, on interface" and selected venet0 as the interface.
Clicked Setup Firewall.
The page with all the pre-configured rules appeared. I clicked Apply Configuration and got an error again!!!!!
This is the iptables file that was generated:
# Generated by iptables-save v1.2.11 on Tue Jan 15 05:39:43 2008
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jan 15 05:39:43 2008
# Generated by iptables-save v1.2.11 on Tue Jan 15 05:39:43 2008
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i venet0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Allow connections to webserver
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow SSL connections to webserver
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow connections to mail server
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# Allow connections to FTP server
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
# Allow connections to POP3 server
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# Allow connections to IMAP server
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# Allow connections to Webmin
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
# Allow connections to Usermin
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
COMMIT
# Completed on Tue Jan 15 05:39:43 2008
# Generated by iptables-save v1.2.11 on Tue Jan 15 05:39:43 2008
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Jan 15 05:39:43 2008

I tried again by starting over with all open and just adding State Established as the only rule, and that gets an error.
So what is wrong? Could this be a kernel issue?
This is: Webmin 1.390, CentOS 4.6, kernel 2.6.9-023stab044.4-enterprise, iptables 1.2.11.
After a little research I believe this issue is because I am on a Virtuozzo VPS, which apparently has an issue with how the iptables module for the kernel interacts with the VPS VE space.
Is anybody else using Webmin on a Virtuozzo VPS running CentOS 4.6?
If so, how did you get around this issue?
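As an added illustration (not part of the post above, and not Webmin's or Virtuozzo's own code), the script below parses iptables-save output and lists every rule that loads a connection-tracking match (`-m state` or `-m conntrack`). Those are the rules that fail to apply when the container kernel does not expose the corresponding netfilter modules to the VE, which is the symptom described above; everything else in the ruleset (port and ICMP-type matches) does not need conntrack. The sample ruleset is a constructed subset of the one in the post; the probe-command helper assumes the standard `iptables` CLI and a hypothetical scratch chain name.

```python
import shlex

# Match extensions that require connection tracking in the kernel.  On a
# Virtuozzo/OpenVZ container these only work if the host has enabled the
# matching modules for this VE; everything else below works without them.
CONNTRACK_MATCHES = {"state", "conntrack"}

# Constructed sample: a subset of the ruleset from the post, in iptables-save format.
SAMPLE_RULES = """\
# Generated by iptables-save v1.2.11 on Tue Jan 15 05:39:43 2008
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i venet0 -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return a list of (table, chain, tokens) for every -A rule in iptables-save output.

    Comment lines, '*table' headers, ':CHAIN policy [pkts:bytes]' lines and
    COMMIT are consumed for context only; they are not rules.
    """
    table = None
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]          # e.g. "*filter" -> "filter"
            continue
        if line.startswith(":") or line == "COMMIT":
            continue
        tokens = shlex.split(line)
        if len(tokens) > 1 and tokens[0] == "-A":
            rules.append((table, tokens[1], tokens))
    return rules


def rule_matches(tokens):
    """Return the set of match extensions a rule loads explicitly via '-m NAME'."""
    return {tokens[i + 1] for i, tok in enumerate(tokens[:-1]) if tok == "-m"}


def find_conntrack_rules(text):
    """Return (table, chain, rule_text) for every rule that needs connection tracking."""
    flagged = []
    for table, chain, tokens in parse_iptables_save(text):
        if rule_matches(tokens) & CONNTRACK_MATCHES:
            flagged.append((table, chain, " ".join(tokens)))
    return flagged


def probe_commands(match_name, chain="probe_conntrack"):
    """Build the shell commands an admin can run to check whether MATCH_NAME can be
    inserted at all on this kernel.  The scratch chain name is a hypothetical choice;
    the rule is added to an otherwise empty user chain so it never affects traffic,
    and the chain is flushed and deleted afterwards.
    """
    return [
        f"iptables -N {chain}",
        f"iptables -A {chain} -m {match_name} --{match_name} ESTABLISHED -j RETURN",
        f"iptables -F {chain}",
        f"iptables -X {chain}",
    ]


if __name__ == "__main__":
    for table, chain, rule in find_conntrack_rules(SAMPLE_RULES):
        print(f"[{table}] {chain}: {rule}")
    print("\n".join(probe_commands("state")))
```

Running it against a saved ruleset (`iptables-save > rules.txt`, then feed the file contents to `find_conntrack_rules`) tells you exactly which rules to remove or rewrite if the probe fails; the two flagged rules in the sample are the ESTABLISHED and RELATED lines, which is consistent with the post's observation that a State Established rule alone is enough to trigger the error.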