19.2. The Linux Firewall Module

This module can be used to set up a firewall on a Linux system with IPtables enabled, or to edit any part of an existing firewall. It stores the firewall configuration in a save file created and read by the iptables-save and iptables-restore commands, not in a shell script containing calls to the iptables command. Red Hat, Debian, and Gentoo Linux all use a save file like this as standard, which Webmin knows about and will work with.

If you have manually created a firewall using a shell script and want to use this module to edit it from now on, it will have to be converted to an IPtables save file so that Webmin can edit it. Fortunately, the module can do this for you automatically—all you have to do is stop your custom script from being run at boot time, and tell the module to create its own firewall setup script instead.

This also applies to firewalls created by tools such as YaST or fBuilder, which write out shell scripts of iptables commands. Unless the tool can also edit an IPtables save file (such as knetfilter), it should not be used alongside Webmin's Linux Firewall module, or they will probably overwrite each other's settings.

When you enter the module from the Networking category, the main page will usually display a list of all chains and rules in the first table that contains any (usually Packet filtering), as shown in Figure 19.2. However, if Webmin detects that the iptables or iptables-save commands are not installed, an error message will be displayed instead—check your distribution CD or website for a package containing them.

Figure 19.2. The Linux Firewall module.


If this is the first time you have used the module and no firewall has been set up on your system yet, the main page will instead display a form to simplify the initial firewall creation. Three options will be displayed—select one and click the Setup Firewall button to set it up. If necessary, Webmin will also display an Enable firewall at boot time? checkbox, which if selected will cause a boot-up script to be created so that the firewall is enabled at boot time as well.

The firewall setup options are:

Allow all traffic
If this is selected, the firewall will be created “empty” and all traffic allowed through.

Do network address translation on external interface
The firewall will be set up for NAT, so that hosts on an internal LAN can access the Internet via a host with a single public IP address. You must select the network interface that is connected to the Internet from the list next to this option, such as ppp0.

Block all incoming connections on external interface
If this is chosen, the firewall will be set up to block all traffic coming into your system on the selected network interface, except for established connections, DNS replies, and harmless ICMP packets. The interface you select should be the one connected to the Internet, such as ppp0.

Block all except SSH and IDENT on external interface
Similar to the previous option, but SSH and IDENT protocol traffic will be allowed as well.

Block all except SSH, IDENT, ping, and high ports on interface
Similar to the previous option, but ICMP pings and connections to ports above 1024 will be allowed as well.
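Because the module stores its configuration in the iptables-save format rather than in a shell script, that file can be parsed and audited independently of Webmin. The following is an added example, not code from the book or from Webmin: a small parser for the save-file format (table, chain policy, and rule lines) and a check that compares the filter INPUT chain against what the "Allow all traffic" and "Block all incoming connections on external interface" options describe. The two embedded save files are constructed for illustration, the external interface name ppp0 is an assumption taken from the text, and the rule set is an approximation of the described behaviour, not the rules Webmin itself writes.

```python
"""Parse an iptables-save file and audit what its filter INPUT chain admits."""
from dataclasses import dataclass, field

# Constructed sample save files (assumption: ppp0 is the external interface).
# They approximate the "Allow all traffic" and "Block all incoming connections
# on external interface" options; they are not the rules Webmin generates.
ALLOW_ALL_SAVE = """\
# Generated by iptables-save (constructed example)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

BLOCK_INCOMING_SAVE = """\
# Generated by iptables-save (constructed example)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ppp0 -p udp --sport 53 -j ACCEPT
-A INPUT -i ppp0 -p icmp -j ACCEPT
-A INPUT -i ppp0 -j DROP
-A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
COMMIT
"""


@dataclass
class Chain:
    name: str
    policy: str                                # ACCEPT/DROP, or "-" for user-defined chains
    rules: list = field(default_factory=list)  # rule bodies without the "-A CHAIN" prefix


def parse_save_file(text):
    """Return {table: {chain: Chain}} from iptables-save formatted text."""
    tables = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # *filter, *nat, *mangle ...
            current = tables.setdefault(line[1:], {})
        elif current is None:
            raise ValueError(f"line {lineno}: directive outside a table block")
        elif line.startswith(":"):                    # :CHAIN POLICY [packets:bytes]
            name, policy = line[1:].split()[:2]
            current[name] = Chain(name, policy)
        elif line.startswith("-A "):                  # -A CHAIN <matches> -j TARGET
            _, chain, *body = line.split()
            if chain not in current:
                raise ValueError(f"line {lineno}: rule for undeclared chain {chain}")
            current[chain].rules.append(" ".join(body))
        elif line == "COMMIT":
            current = None
        else:
            raise ValueError(f"line {lineno}: unrecognised directive {line!r}")
    if current is not None:
        raise ValueError("last table not terminated by COMMIT")
    return tables


def rule_options(rule):
    """Map '-i ppp0 -p udp --sport 53 -j ACCEPT' to {'-i': 'ppp0', '-p': 'udp', ...}.
    Flags that take no argument are stored as True."""
    opts = {}
    tokens = rule.split()
    for i, tok in enumerate(tokens):
        if not tok.startswith("-"):
            continue                                  # argument of the previous option
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        opts[tok] = nxt if nxt is not None and not nxt.startswith("-") else True
    return opts


def audit_external_input(tables, iface):
    """Compare the filter INPUT chain with what the 'block all incoming' option promises."""
    chain = tables["filter"]["INPUT"]
    terminal_drop = False
    reachable_accepts, unreachable = [], 0
    for rule in chain.rules:
        o = rule_options(rule)
        if o.get("-i", iface) != iface:               # bound to some other interface
            continue
        if terminal_drop:
            unreachable += 1                          # never consulted after an unconditional DROP
        elif o.get("-j") == "ACCEPT":
            reachable_accepts.append(o)
        elif o.get("-j") == "DROP" and set(o) <= {"-i", "-j"}:
            terminal_drop = True

    def states(o):                                    # handles both the state and conntrack matches
        return str(o.get("--state") or o.get("--ctstate") or "")

    return {
        "blocks_by_default": terminal_drop or chain.policy == "DROP",
        "allows_established": any("ESTABLISHED" in states(o) for o in reachable_accepts),
        "allows_dns_replies": any(o.get("-p") == "udp" and o.get("--sport") == "53"
                                  for o in reachable_accepts),
        "allows_icmp": any(o.get("-p") == "icmp" for o in reachable_accepts),
        "unreachable_rules": unreachable,
    }


if __name__ == "__main__":
    for label, text in (("allow all", ALLOW_ALL_SAVE), ("block incoming", BLOCK_INCOMING_SAVE)):
        print(label, audit_external_input(parse_save_file(text), "ppp0"))
```

To audit a live system instead of the constructed samples, feed the output of iptables-save to parse_save_file. The unreachable_rules count is the thing to watch after converting an old script: a rule that lands below an unconditional DROP on the same interface, as the SSH rule in the second sample does, is silently dead, which is exactly the kind of mismatch that appears when two scripts are both loading rules at boot.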

If this is the first time the module has been used and Webmin detects that a firewall already exists on your system, its rules will be displayed and you will be prompted to convert it to a save file so that the module can be used to edit it. If you choose to do this by clicking the Save Firewall Rules button, all existing tables, chains, and rules will be safely recorded. An Enable firewall at boot time? checkbox will also be displayed if necessary, which if selected will cause Webmin to create a boot script to activate the saved firewall rules at boot time.

If you choose to convert an existing manually created firewall configuration, be sure to disable any existing script that sets it up at boot time. Otherwise both the old script and the one created by Webmin will be run, possibly causing the rules set up in this module to be cancelled out by the older manual configuration.
