Configuring iptables for Webmin Servers Index Module

Earlier today I implemented stricter iptables rules on this web server – finally completing one essential task I had been ignoring for so long. Minutes later, just when I was beginning to feel good about myself, the Webmin System and Server Status module on a remote server somewhere else was reporting that it could no longer access this server!

Damn.

I had to find out two things, and find them out quickly! I needed to figure out (1) the port (or ports) I needed to open for this service to work again, and (2) the protocol over which this monitoring service was running.

To make a long story short, from Webmin’s System and Server Status module where I started reading, I was led to the Webmin Servers Index module. When I was going through the official documentation on the Servers Index module online, I found what I was looking for in the last paragraph, under the How RPC works heading, where it had this to say:

The only problem with fast mode is that some firewalls may block the TCP connection, which is typically made on a port 1 or 2 above the remote host’s base Webmin port, such as 10001 or 10002. Multiple connections may be made if data is transferred with RPC, so any firewall on your network between the two servers must be configured to allow connections from the master to the remote host on ports in the range 10000 up to 10100.

More information and details about the Webmin Servers Index module can be found here.

So, it was running over TCP and I needed to open ports 10000 through 10100. Because I know only my web servers access this server for monitoring purposes, I decided, obviously, to also limit access by source IP address.

In the end, lines similar to the following were appended to my iptables script to ensure that the Webmin System and Server Status module on my remote server resumed working.

Example iptables Script

Allow Access from Remote Server

For Webmin System and Server Status Module

If my remote server hostname is jenia.example.com and my remote server’s main IP address is 192.0.43.9:

...
# FOR samia.example.com (this server) ONLY; for Webmin Servers Index service.
# Allow access from jenia.example.com, a remote server at 192.0.43.9.
iptables -A INPUT -p tcp --dport 10000:10100 -s 192.0.43.9 -j ACCEPT

samia.example.com and jenia.example.com are obviously example host and server names. They don’t really exist. All the IP addresses on this page are also completely bogus, fictional, and not related to me or my own web servers in any way.

If I want to allow access from all the IP addresses of my remote server, I can use CIDR notation in place of the single IP address. For something like 192.0.43.8/29:

...
iptables -A INPUT -p tcp --dport 10000:10100 -s 192.0.43.8/29 -j ACCEPT

If I want to allow access from a small range of my remote server’s IP addresses, I can also simply use that range in the rule. For something like 192.0.43.10 - 192.0.43.12, for example:

...
iptables -A INPUT -p tcp --dport 10000:10100 -m iprange --src-range 192.0.43.10-192.0.43.12 -j ACCEPT
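As an added example (not from the original post), the following POSIX sh script wraps all three source forms above in one function, checks with iptables -C so re-running the script does not duplicate the rule, and inserts with -I so the allow rule lands ahead of any catch-all DROP at the end of INPUT. The base port 10000 and the fictional addresses are the post's; the DRY_RUN switch and the function names are my own.

```shell
#!/bin/sh
# Added example: build and apply the Webmin RPC allow rule for one source.
# Assumes the remote host's base Webmin port is 10000, so RPC uses 10000-10100
# (the range quoted from the Webmin docs above). DRY_RUN defaults to 1 and only
# prints the commands; set DRY_RUN=0 to run iptables (requires root).

WEBMIN_PORTS="10000:10100"
DRY_RUN=${DRY_RUN:-1}

# Pick the match clause from the shape of the source argument: a dash means a
# first-last range (iprange module), anything else is a single IP or CIDR block.
source_match() {
    case "$1" in
        *-*) printf '%s' "-m iprange --src-range $1" ;;   # 192.0.43.10-192.0.43.12
        *)   printf '%s' "-s $1" ;;                       # 192.0.43.9 or 192.0.43.8/29
    esac
}

# Rule body (chain plus matches and target) for one source.
webmin_rule() {
    printf '%s' "INPUT -p tcp --dport $WEBMIN_PORTS $(source_match "$1") -j ACCEPT"
}

# Insert at the top of INPUT (-I, not -A) so the rule precedes a trailing
# REJECT/DROP, and skip the insert when iptables -C finds it already present.
allow_webmin_from() {
    rule=$(webmin_rule "$1")
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables -C $rule 2>/dev/null || iptables -I $rule"
        return 0
    fi
    # shellcheck disable=SC2086  # word-splitting of $rule is intended
    iptables -C $rule 2>/dev/null || iptables -I $rule
}

# Only the monitoring host (jenia.example.com in the post) may reach the RPC ports.
allow_webmin_from 192.0.43.9
```

The script assumes INPUT ends in a DROP policy or rule; without one, the allow rule changes nothing, and the monitoring host should still be the only source for these ports.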
