  1. #1  Just Joined!  (Join Date: Mar 2013; Posts: 3)

    Linux Firewall in WebMin


    Thanks in advance,

    I am somewhat new to Linux, but I can get around on it.

    I enabled the Linux firewall from within Webmin, on Ubuntu 12.04 server. Since then remote WAN access has ceased. Thus no web access to the Apache2 server on port 80, nor even Webmin on port 10000, from the WAN side of my router. I can still access it from the LAN. The Linux firewall is set to the defaults to allow access on all ports. I can ping these ports from the LAN and directly from the router but not from the WAN. Netstat shows the ports are listening. Tcpdump shows activity on those ports when trying to access from the WAN. I tried to completely disable the Linux firewall and set it not to run at reboot, but it seems to still be running. Any ideas?

    Regards

  2. #2  Steven_G, Linux User  (Join Date: Jun 2012; Location: Western US; Posts: 350)
    OK, first: you don't enable the Ubuntu firewall through Webmin. What you're actually enabling is the Webmin module that can interact with your firewall. Through that module you can set your firewall to "start at boot" and "save the rules" to a file in /etc; neither one of which is necessary (AFAIK).

    The Ubuntu firewall is "uncomplicated firewall" (ufw) and there are lots and lots of ways to admin it through both the command line and the GUI.

    Code:
    sudo ufw disable
    will disable it for testing.

    Code:
    sudo apt-get install gufw
    will install one of the simplest GUI frontends for ufw.

    Code:
    sudo ufw enable
    will turn it back on.

    Code:
    sudo ufw status verbose
    will tell you a lot about its current status.

    Code:
    man ufw
    will pull up a small novella, and there's tons of docs on the net.

    I'm no guru. I'm just moving away from using the GUI to admin my firewall and starting to use "intelligent" scripts to auto-write proactive and reactive IPTables rules for my firewall.

    I'm using a combo of portsentry, psad, fwsnort, hostdeny and ipkungfu.

    I have Webmin set up to read and display my firewall rules, but not to be able to effect any changes to them.

    The only problem I've had getting into Webmin was when I set fwsnort up too restrictively. So I opened a pinhole from my local IP address on my LAN adapter to the proper port with the following rule I found on the web:

    Code:
    -A INPUT -d <LOCAL ADDRESS> -s <LOCAL ADDRESS> -i <LAN INTERFACE> -p tcp --dport 10000 -j ACCEPT

    (Drop the angle brackets and substitute your own address and interface name in the actual rule; -i takes the interface name as its argument.)

    And preface the new rule with
    Code:
    sudo iptables
    in the terminal.

    Hopefully that will point you in the right direction.
    Last edited by Steven_G; 03-14-2013 at 12:43 PM.

  3. #3  Just Joined!  (Join Date: Mar 2013; Posts: 3)

    Still no WAN access

    Thanks for your reply,

    By default ufw is disabled in Ubuntu. When I accessed the Linux Firewall module from Webmin and saved the default settings, I essentially enabled or started the ufw firewall service in Ubuntu. Or did I? Webmin still says the Linux firewall is started and enabled at boot, but the ufw status from the command line says it's inactive.

    I don't necessarily have to use Webmin. But I am using this machine primarily for learning purposes. It was just the first and easiest way to manage it remotely. I have since installed xrdp so I can access the command line remotely. Is there a better way to get remote WAN access? I'm not always home when I get free time.

    Anyway,
    I have disabled the firewall manually using "sudo ufw disable" from the command line. With "sudo ufw status verbose" the status was "inactive".
    I re-enabled ufw and checked the status: "defaults: deny (incoming), allow (outgoing)". I changed the incoming to allow. Still nothing.
    After many weeks of searching forums, I have been down this same road many times before. Still no WAN access. I'm beginning to think something the Webmin module did may have corrupted something.

    Thanks again for your input, got any other ideas?





  4. #4  Steven_G, Linux User  (Join Date: Jun 2012; Location: Western US; Posts: 350)
    Quote Originally Posted by FroglevelMC View Post
    Thanks for your reply,

    By default ufw is disabled in Ubuntu. When I accessed the Linux Firewall module from Webmin and saved the default settings, I essentially enabled or started the ufw firewall service in Ubuntu. Or did I? Webmin still says the Linux firewall is started and enabled at boot, but the ufw status from the command line says it's inactive.
    I don't *think* you did (not a guru). I *think* that all you're doing is allowing the webmin module to interact with the firewall.

    I would not suggest that you set your firewall to allow all incoming traffic nor allow webmin to admin it.

    This is what I would suggest:

    Purge Webmin.

    I downloaded my Webmin client as a .deb package from a third-party site and used GDebi to install it. This is the easy way to do it, as it checks for dependencies and registers the package so it can be managed with the included package management tools like synaptic, aptitude and apt-get.

    Depending on what version of UB you're running a lot of this stuff has been stripped out of the default installation. If you don't already have them I would highly recommend getting gdebi, aptitude and synaptic from the repos. They'll make life easier while you learn. I'd also get ubuntu tweak (not in the repos). Do not use the ub tweak install scripts, they suck. But, it has one of the best system janitors I've seen. Bleachbit is another good cleaning tool. Pull the man pages on aptitude, synaptic and apt-get; you'll find lots of good info on package management.

    Between all of those tools make sure all traces of webmin are removed from your system.

    Along the way you may have borked IPTables, so let's flush it:
    Code:
    sudo iptables -F
    This will clean out any rules in your IPTables and let you start over.

    Then run:

    Code:
    sudo dpkg --configure -a
    This will cause dpkg (another package management tool) to kind of "reset" all the packages on your system. This *should* tell the firewall to stop looking to wm to be administered.

    You should now be back to OOB / "deconfigured".

    To enable the UB FW:
    Code:
    sudo ufw enable
    Even then it still will not run at boot because it's not needed. ufw is just a cli / script interface that makes it easier to manage the netfilter firewall / IPTables that is built in to the kernel. That is your *actual* firewall and it comes up at boot with the kernel.

    Install gufw and some of the other FW tools I mentioned before. They are very helpful when you are learning IPTables.

    You can reinstall webmin. By default it will only read your current IPTables rules and not try to manage them. I would leave it that way.

    You should now be ready for some googles on how to tell your firewall (start with ufw, it's the easiest to learn) to allow WAN access.

    If that does not get you going then either the problem is something other than your fw or one of the gurus will have to step in and help you because we've pretty much hit the end of my current skill level.
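
Post #2's ufw commands and pinhole rule and post #4's `iptables -F` reset both come down to one thing: whether a WAN client reaches port 80 or 10000 is decided by the ruleset `sudo iptables-save` prints, not by what `ufw status` or the Webmin module reports. The script below is an added example written for this page; it is not code from the thread, from Webmin or from ufw. It parses an iptables-save dump and walks the filter table's INPUT chain for one new inbound TCP connection, following `-j` into user-defined chains with RETURN semantics, which is what ufw's ufw-before-input/ufw-user-input layout needs. It models only the matches that appear in this thread (-i, -s, -d, -p, --dport, --state/--ctstate); a rule using anything else yields UNKNOWN rather than a guess. The two embedded rulesets are constructed for the example, not captured from the poster's machine: a policy-DROP ruleset whose ACCEPT rules are limited to 192.168.1.0/24 (the shape that produces exactly this thread's symptom: LAN works, WAN does not, packets still show up in tcpdump), and a simplified ufw-style layout. The addresses, interface names and chain names are assumptions.

```python
"""Decide what the filter INPUT chain of an `iptables-save` dump does with a new
inbound TCP connection (added example for this thread; not Webmin or ufw code).
Models only -i, -s, -d, -p, --dport, --state/--ctstate and -j into user chains."""
import ipaddress
import sys

# Constructed rulesets (not from the poster's machine); addresses and names are assumptions.
WEBMIN_LAN_ONLY = """*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""
# Simplified ufw layout: INPUT only jumps; the user's rules live in a sub-chain.
UFW_STYLE = """*filter
:INPUT DROP [0:0]
:ufw-before-input - [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-before-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -s 192.168.1.0/24 -p tcp -m tcp --dport 10000 -j ACCEPT
COMMIT
"""
KNOWN = ("-m", "-i", "-s", "-d", "-p", "--dport", "--state", "--ctstate")

def flushed(dump):
    """What `iptables -F` leaves behind: the rules go, the chain policies stay."""
    return "\n".join(l for l in dump.splitlines() if not l.startswith("-A ")) + "\n"

def parse_filter_table(dump):
    """Return (policies, chains) for the *filter table of an iptables-save dump."""
    policies, chains, table = {}, {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter" or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line.startswith(":"):                   # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []    # policy is "-" for user chains
        elif line.startswith("-A "):
            tokens = line.split()
            chains.setdefault(tokens[1], []).append(tokens[2:])
    return policies, chains

def rule_matches(tokens, pkt):
    """True/False when the modelled matches decide; None on an unmodelled option."""
    i = 0
    while i < len(tokens):
        opt, arg = tokens[i], (tokens[i + 1] if i + 1 < len(tokens) else "")
        if opt == "-j":                                  # target reached: all matches passed
            return True
        if opt not in KNOWN:                             # "!", --sport, --tcp-flags, ...
            return None
        if opt == "-i" and arg != pkt["iface"]:
            return False
        if opt in ("-s", "-d") and pkt[opt] is not None and (
                pkt[opt] not in ipaddress.ip_network(arg, strict=False)):
            return False
        if opt == "-p" and arg not in ("tcp", "all"):
            return False
        if opt == "--dport":
            lo, _, hi = arg.partition(":")               # single port or lo:hi range
            if not int(lo) <= pkt["dport"] <= int(hi or lo):
                return False
        if opt in ("--state", "--ctstate") and "NEW" not in arg.split(","):
            return False                                 # a fresh SYN is only ever NEW
        i += 2                                           # -m just loads an extension
    return True

def input_verdict(dump, src, dport, iface="eth0", dst=None):
    """Verdict for a NEW TCP SYN from src to port dport arriving on iface."""
    policies, chains = parse_filter_table(dump)
    pkt = {"-s": ipaddress.ip_address(src), "-d": ipaddress.ip_address(dst) if dst else None,
           "dport": int(dport), "iface": iface}
    def walk(chain):            # iptables refuses to load looping chains, so no depth guard
        for n, tokens in enumerate(chains.get(chain, []), 1):
            matched = rule_matches(tokens, pkt)
            if matched is None:
                return "UNKNOWN (%s rule %d: %s)" % (chain, n, " ".join(tokens))
            if not matched or "-j" not in tokens:
                continue
            target = tokens[tokens.index("-j") + 1]
            if target in ("ACCEPT", "DROP", "REJECT"):
                return "%s (%s rule %d)" % (target, chain, n)
            if target == "RETURN":
                return None                              # back to the caller, or the policy
            if target in chains:                         # user chain: descend; LOG etc. fall through
                verdict = walk(target)
                if verdict is not None:
                    return verdict
        return None
    return walk("INPUT") or "%s (INPUT chain policy)" % policies.get("INPUT", "?")

if __name__ == "__main__" and len(sys.argv) >= 3:  # sudo iptables-save | python3 fw_verdict.py SRC DPORT [IFACE] [DST]
    print(input_verdict(sys.stdin.read(), sys.argv[1], sys.argv[2], *sys.argv[3:5]))
```

Run it against the live ruleset with `sudo iptables-save | python3 fw_verdict.py 203.0.113.7 80 eth0 192.168.1.10`, substituting a real outside address, the WAN-facing interface and the server's own address. A verdict of "DROP (INPUT chain policy)" for an outside source while a LAN source gets ACCEPT means a rule is missing, not that the firewall is broken. `flushed()` shows why post #4's `sudo iptables -F` on its own can make things worse: flushing removes the rules but leaves the DROP policy, so the chain then drops everything, including the session you are typing in. When resetting over the network, run `sudo iptables -P INPUT ACCEPT` before `sudo iptables -F`. And if `ufw status` reports inactive while the dump still contains rules, something other than ufw is loading them; the start-at-boot option of the Webmin module that post #2 mentions restores its saved rules independently of ufw.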

  5. #5  Just Joined!  (Join Date: Mar 2013; Posts: 3)
    Well,

    After all that, it appears DNS is not resolving. Can't ping outside my network! Got to figure out what went wrong.

    Thanks

  6. #6  Steven_G, Linux User  (Join Date: Jun 2012; Location: Western US; Posts: 350)
    Well you still haven't said what version of ubuntu you're using. I'm going to *assume* that it is 12.04 or newer.

    Just an FYI: There are a lot of DNS issues in general with UB 12.04+ because some so-called guru / dev decided to dump bind for DNS resolution and switch over to dnsmasq. Do some googles on it. The short version is dnsmasq is known to be full of security holes and a lot of people (including me) think it was a retarded idea. In the process not only did it create the potential for holes but also caused some DNS resolution issues.

    From what I've read those issues do not include the problem that you are having. But, I figured I'd give you this info because in the process of tracking down and repairing the problem you may want to go ahead and remove dnsmasq from your system and convert back to bind; which not only does not have all of the security holes of dnsmasq but is also much better documented. And you can google your way through the switch with no problem.
