- 03-14-2013 #1
- Join Date
- Mar 2013
Linux Firewall in WebMin
I am somewhat new to Linux, but I can get around on it.
I enabled the Linux firewall from within Webmin, in Ubuntu 12.04 server. Since then remote WAN access has ceased. Thus no web access to Apache2 server on port 80 nor even Webmin on port 10000 from the WAN side of my router. I can still access it from the LAN. The Linux firewall is set to the defaults to allow access on all ports. I can ping these ports from the LAN and directly from the router but not from the WAN. Netstat shows the ports are listening. Tcpdump shows activity on those ports when trying to access from the WAN. I tried to completely disable the Linux firewall and set it not to run at reboot, but it seems to still be running. Any ideas?
- 03-14-2013 #2
OK, first you don't enable the ubuntu firewall through webmin. What you're actually enabling is the webmin module that can interact with your firewall. Through that module you can set your firewall to "start at boot" and "save the rules" to a file in /etc; neither one of which is necessary (ISFAIK).
The ubuntu firewall is "uncomplicated firewall" (ufw) and there are lots and lots of ways to admin it through both the command line and the GUI.
sudo ufw disable
sudo apt-get install gufw
sudo ufw enable
sudo ufw status verbose
I'm no guru. I'm just moving out of using the GUI to admin my firewall and starting to use "intelligent" scripts to autowrite proactive and reactive IPTables rules for my firewall.
I'm using a combo of portsentry, psad, fwsnort, hostdeny and ipkungfu.
I have webmin set up to read and display my firewall rules, but not to be able to effect any changes to them.
The only problem I've had getting in to webmin was when I set fwsnort up as too restrictive. So I opened a pinhole from my local IP address for my LAN adapter to the proper port with the following rule I found on the web:
-A INPUT -d <LOCAL ADDRESS> -s <LOCAL ADDRESS> -i <LAN INTERFACE> -p tcp --dport 10000 -j ACCEPT
(Drop the brackets around the address for the actual rule.)
And preface the new rule with:
Hopefully that will point you in the right direction.
Last edited by Steven_G; 03-14-2013 at 12:43 PM.
- 03-14-2013 #3
- Join Date
- Mar 2013
Still no WAN access
Thanks for your reply,
By default ufw is disabled in Ubuntu. When I accessed the Linux Firewall module from Webmin and saved the default settings, I essentially enabled or started the ufw firewall service in Ubuntu. Or did I? Webmin still says the Linux firewall is started and enabled at boot, but the ufw status from the command line says it's inactive.
I don't necessarily have to use webmin. But I am using this machine primarily for learning purposes. It was just the first and easiest way to manage it remotely. I have since installed xrdp so I can access the command line remotely. Is there a better way for remote WAN access? I'm not always home when I get free time.
I have disabled the firewall manually using "sudo ufw disable" from the command line. With "sudo ufw status verbose" the status was "inactive".
I re-enabled ufw and checked the status: "defaults: deny (incoming), allow (outgoing)". I changed the incoming to allow. Still nothing.
After many weeks of searching forums, I have been down this same road many times before. Still no WAN access. I'm beginning to think something the webmin module did may have corrupted something.
Thanks again for your input, got any other ideas?
- 03-15-2013 #4
I would not suggest that you set your firewall to allow all incoming traffic nor allow webmin to admin it.
This is what I would suggest:
I DL'd my wm client as a .deb package from a third party site and used GDebi to install it. This is the easy way to do it as it checks for dependencies and registers the package so it can be managed with the included package management tools like synaptic, aptitude and apt-get.
Depending on what version of UB you're running a lot of this stuff has been stripped out of the default installation. If you don't already have them I would highly recommend getting gdebi, aptitude and synaptic from the repos. They'll make life easier while you learn. I'd also get ubuntu tweak (not in the repos). Do not use the ub tweak install scripts, they suck. But, it has one of the best system janitors I've seen. Bleachbit is another good cleaning tool. Pull the man pages on aptitude, synaptic and apt-get; you'll find lots of good info on package management.
Between all of those tools make sure all traces of webmin are removed from your system.
Along the way you may have borked IPTables, so let's flush it:
sudo iptables -F
sudo dpkg --configure -a
You should now be back to OOB / "deconfigured".
To enable the UB FW:
sudo ufw enable
Install gufw and some of the other FW tools I mentioned before. They are very helpful when you are learning IPTables.
You can reinstall webmin. By default it will only read your current IPTables rules and not try to manage them. I would leave it that way.
You should now be ready for some googles on how to tell your firewall (start with ufw, it's the easiest to learn) to allow WAN access.
If that does not get you going then either the problem is something other than your fw or one of the gurus will have to step in and help you because we've pretty much hit the end of my current skill level.
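Added example, not part of the post above: `iptables -F` removes rules but leaves each chain's default policy in place, so a chain whose policy is DROP blocks all traffic once it has been flushed. The sketch below summarises `iptables-save` output per chain to make that state visible; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-chain summary of an iptables-save dump.
# Live use (assumed invocation): sudo iptables-save | audit_ruleset

audit_ruleset() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # "*filter" opens a table
        /^:/  {                                    # ":INPUT DROP [0:0]"
            key = table "/" substr($1, 2)
            policy[key] = $2; count[key] = 0; order[++n] = key
            next
        }
        /^-A / { count[table "/" $2]++ }           # one appended rule
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (policy[k] == "-")         state = "user-chain"
                else if (policy[k] == "DROP") state = (count[k] ? "default-deny" : "blocks-all")
                else                          state = (count[k] ? "default-accept" : "accept-all")
                printf "%s policy=%s rules=%d %s\n", k, policy[k], count[k], state
            }
        }
    '
}

# Constructed sample: a default-deny ruleset after its rules were flushed.
# The policies survive the flush, so INPUT and FORWARD now drop everything.
sample_after_flush() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12:840]
COMMIT
EOF
}

sample_after_flush | audit_ruleset
```

A chain reported as `blocks-all` needs either its policy set back to ACCEPT (`iptables -P <chain> ACCEPT`) or explicit allow rules before traffic can pass.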
- 03-19-2013 #5
- Join Date
- Mar 2013
After all that, it appears DNS is not resolving. Can't ping outside my network! Got to figure out what went wrong.
- 03-20-2013 #6
Well you still haven't said what version of ubuntu you're using. I'm going to *assume* that it is 12.04 or newer.
Just an FYI: There are a lot of DNS issues in general with UB 12.04+ because some so-called guru / dev decided to dump bind for DNS resolution and switch over to dnsmasq. Do some googles on it. The short version is dnsmasq is known to be full of security holes and a lot of people (including me) think it was a retarded idea. In the process not only did it create the potential for holes but also caused some DNS resolution issues.
From what I've read those issues do not include the problem that you are having. But, I figured I'd give you this info because in the process of tracking down and repairing the problem you may want to go ahead and remove dnsmasq from your system and convert back to bind; which not only does not have all of the security holes of dnsmasq but is also much better documented. And you can google your way through the switch with no problem.