relation between iptables and webmin's Linux firewall

Hi all,

I'm relatively familiar with iptables, which I'm using since years
and configuring by hand since years.

Now at a new company (a startup) I'm asked to do modification
to some of the firewalls (all systems are Linux systems).

I know how to do it all "by hand", but I don't understand what's
the relation with webmin's "Linux firewall" page.

If I make a modification by hand, say :

$IPT -I OUTPUT -p tcp --dport 22 -m owner --uid-owner 507 -d $RBCK -j
ACCEPT

it of course is taken into account by iptables.

(this is just an example btw, I'm not discussing the merits of such
a rule

But it doesn't appear into webmin and, worse, if someone applies a new
rule into webmin, then modifications done by hand are lost.

So here comes a $0.02 question: is it possible to make the kind of
modification I did up there "by hand" and have it interacting nicely
with webmin's firewall thinggy?

Or are we better to simply decide to not use webmin at all to configure
the firewall?

If we decide not to use webmin for the firewall setup, is it possible
to
*prevent* webmin to modify the firewall by mistake?

Lastly, do people that need more or less complicated firewall rule
usually use webmin to do firewall administration?

Thanks in advance for any infos,

fab

On 23 Jun 2006 12:20:00 -0700, (E-Mail Removed) wrote:
>
> Now at a new company (a startup) I'm asked to do modification
> to some of the firewalls (all systems are Linux systems).
>
> I know how to do it all "by hand", but I don't understand what's
> the relation with webmin's "Linux firewall" page.
>
> If I make a modification by hand, say :
>
> $IPT -I OUTPUT -p tcp --dport 22 -m owner --uid-owner 507 -d $RBCK -j
> ACCEPT
>
> it of course is taken into account by iptables.
>
> (this is just an example btw, I'm not discussing the merits of such
> a rule
>
> But it doesn't appear into webmin and, worse, if someone applies a new
> rule into webmin, then modifications done by hand are lost.
>
> So here comes a $0.02 question: is it possible to make the kind of
> modification I did up there "by hand" and have it interacting nicely
> with webmin's firewall thinggy?

Only if you add your hand change to the config file used via webmin.
On my Madriva Linux 2006.0 that would be /etc/sysconfig/iptables.


> Or are we better to simply decide to not use webmin at all to configure
> the firewall?

What if the hand changes are not saved before the next reboot.

> If we decide not to use webmin for the firewall setup, is it possible
> to
> *prevent* webmin to modify the firewall by mistake?

Remove the selection from webmin. Downside a security/bugfix from the
linux vendor may re-enable it. You have to admit, using webmin from
the house at oh dark thrity in the morning beats having to drive in
for a quick fix/change/stop a DOS attack,....

> Lastly, do people that need more or less complicated firewall rule
> usually use webmin to do firewall administration?

Cannot help there. Running the Shorewall wrapper as a firewall on
Mandriva Linux.

Bit Twister wrote:
....
> > So here comes a $0.02 question: is it possible to make the kind of
> > modification I did up there "by hand" and have it interacting nicely
> > with webmin's firewall thinggy?
>
> Only if you add your hand change to the config file used via webmin.
> On my Madriva Linux 2006.0 that would be /etc/sysconfig/iptables.

excellent!

This is apparently exactly what I was looking for.

Now I've just got some minor questions unresolved.

Do you know if I can just add a single rule to that file and have
iptables
take it into account immediately or do I have to restart the firewall
everytime?

More precisely, to come back to my previous example:

$IPT -I OUTPUT -p tcp --dport 22 -m owner --uid-owner 507 -j ACCEPT

With iptables that single rule gets added immediately and taken into
account right away. With the file webmin's using, I insert my line at
the appropriate place and I restart the firewall?

> > Or are we better to simply decide to not use webmin at all to configure
> > the firewall?
>
> What if the hand changes are not saved before the next reboot.

it was just an example, to see what was going on


> > If we decide not to use webmin for the firewall setup, is it possible
> > to
> > *prevent* webmin to modify the firewall by mistake?
>
> Remove the selection from webmin. Downside a security/bugfix from the
> linux vendor may re-enable it.

I see.. I'll leave it on.


> You have to admit, using webmin from
> the house at oh dark thrity in the morning beats having to drive in
> for a quick fix/change/stop a DOS attack,....

sure, but SSH + handcrafted iptables rules can do it too doesn't it?

(if SSH's port is blocked it won't work, but then it won't work either
by webmin if webmin port is blocked)



Thanks a lot again for your answer, this was exactly what escaped me,

fab

On 23 Jun 2006 13:16:15 -0700, (E-Mail Removed) wrote:
>
> Do you know if I can just add a single rule to that file and have
> iptables
> take it into account immediately or do I have to restart the firewall
> everytime?

We were discussing your change made by hand method.
You would pop a rule into iptables, test it and if ok, update the
save file and double check your work to verify you entered the rule
correctly and in the correct spot.

>
> More precisely, to come back to my previous example:
>
> $IPT -I OUTPUT -p tcp --dport 22 -m owner --uid-owner 507 -j ACCEPT
>
> With iptables that single rule gets added immediately and taken into
> account right away.

Yep, downside, mistype in save file and next reboot, system could be
dead as far as access.

> With the file webmin's using, I insert my line at
> the appropriate place and I restart the firewall?

Yep. one place for change to be made, less chance of mistake.


>>
>> What if the hand changes are not saved before the next reboot.
>
> it was just an example, to see what was going on

No you misunderstand. You pop in a rule via iptables and forget to add
rule to save table file.


>
>> You have to admit, using webmin from
>> the house at oh dark thrity in the morning beats having to drive in
>> for a quick fix/change/stop a DOS attack,....
>
> sure, but SSH + handcrafted iptables rules can do it too doesn't it?

Yes, I was thinking your ssh port may/should have inbound rules to only allow
connections from known ip address and you would be dead in the water
if you got beeped while accross town at a friends house.

Lots of script kiddies trying to break into the ssh port.
You could move ssh port, add port knocking I guess.