Cannot Configure Firewall Debian 10 Server

Linux Center is a Linux container app that can run different isolated Linux systems on an Asustor NAS using a single Linux kernel.
BullseyeSmith
Posts: 5
Joined: Mon Jul 12, 2021 7:01 am

Cannot Configure Firewall Debian 10 Server

Post by BullseyeSmith »

Howdy,

I cannot configure the firewall on Debian 10 Server. I am unable to connect via port forwarding of my router using default configurations. Both ufw and firewalld run into errors. Is there another firewall app that I'm supposed to use? VM Server isn't very useful if I cannot connect to it.

Code: Select all

root@LXCDEBIAN10S:~# uname -a
Linux LXCDEBIAN10S 5.4.x #1 SMP Sun Mar 27 20:42:37 CST 2022 x86_64 GNU/Linux

root@LXCDEBIAN10S:~# iptables --version
iptables/1.8.2 Failed to initialize nft: Protocol not supported

root@LXCDEBIAN10S:~# apt install nftables
Reading package lists... Done
Building dependency tree
Reading state information... Done
nftables is already the newest version (0.9.0-2).
nftables set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

root@LXCDEBIAN10S:~# nftables --version
-bash: nftables: command not found

root@LXCDEBIAN10S:~# nft --version
netlink.c:62: Unable to initialize Netlink socket: Protocol not supported
father.mande
Posts: 1818
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Re: Cannot Configure Firewall Debian 10 Server

Post by father.mande »

Hi,
As far as I know:
The 5.4.x kernel from Asustor is provided only with the nf_nat kernel module ... but complete nft requires up to 26 modules (for full capabilities, even if it's rare to need more than a small number :roll: )
Hereafter the list: (here all except redirect rules ... it's just an example, not to be used as is)

Code: Select all

CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_RBTREE=m
CONFIG_NFT_HASH=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_NFT_REDIR_IPV4 is not set
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m

So you can try to extend the kernel by adding nft in the kernel config file and compiling the modules, then insert them manually. (Use the kernel GPL source provided by Asustor.)

I have no time to do it (for you) and check all dependencies before generating the modules; it's a little complex but really feasible. The best is to select the modules required for your own usage, so as not to generate and load all of them.

For the nftables command line error (not found) I think (if my memory is not bad) it's because the command is nft, not nftables ??? T.B.C.
Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
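
A way to check the point made in the post above from a shell, as an added example that is not part of the original thread: the script lists which nf_tables build options the running kernel lacks. It assumes the kernel exposes its config through /proc/config.gz (only present when built with CONFIG_IKCONFIG_PROC) or /boot/config-<release>; the option subset, the CONFIG_NF_TABLES entry and the sample config are choices made for this example.

```shell
#!/bin/sh
# Added example: report which nf_tables options a kernel config enables.
# Option names come from the list quoted above, plus CONFIG_NF_TABLES
# (the core nf_tables option; added here, not taken from the thread).
NFT_OPTS="CONFIG_NF_TABLES CONFIG_NFT_CT CONFIG_NFT_COUNTER CONFIG_NFT_LOG
CONFIG_NFT_LIMIT CONFIG_NFT_NAT CONFIG_NFT_MASQ CONFIG_NFT_REJECT
CONFIG_NFT_REJECT_INET CONFIG_NFT_COMPAT"

# Constructed sample: a kernel built with NAT support but without nf_tables.
SAMPLE_CFG='CONFIG_NF_CONNTRACK=m
CONFIG_NF_NAT=m
# CONFIG_NF_TABLES is not set'

# nft_opt_state CONFIG_TEXT OPTION -> prints y, m or missing
nft_opt_state() {
    val=$(printf '%s\n' "$1" | sed -n "s/^$2=\([ym]\)\$/\1/p" | head -n 1)
    printf '%s\n' "${val:-missing}"
}

# nft_missing CONFIG_TEXT -> prints every option in NFT_OPTS that is not =y or =m
nft_missing() {
    for opt in $NFT_OPTS; do
        [ "$(nft_opt_state "$1" "$opt")" = missing ] && printf '%s\n' "$opt"
    done
    return 0
}

# read_kernel_config -> prints the running (host) kernel's config if it is exposed
read_kernel_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

if cfg=$(read_kernel_config 2>/dev/null); then
    echo "Options missing from the running kernel:"
else
    cfg=$SAMPLE_CFG
    echo "Kernel config not exposed; options missing from the constructed sample:"
fi
nft_missing "$cfg"
```

Because an LXC container shares the host kernel, the result is the same whether this runs on the NAS or inside the container. An option reported as =m only means the module was built; the module file still has to be present and loaded on the host.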
BullseyeSmith
Posts: 5
Joined: Mon Jul 12, 2021 7:01 am

Re: Cannot Configure Firewall Debian 10 Server

Post by BullseyeSmith »

In my attempts to figure out how to install modules, I discovered it would require lsmod. This led to a bigger problem:

Code: Select all

root@LXCDEBIAN10S:~# lsmod --version
-bash: lsmod: command not found

root@LXCDEBIAN10S:~# apt install lsmod
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package lsmod

root@LXCDEBIAN10S:~# locate lsmod
-bash: locate: command not found

root@LXCDEBIAN10S:~# apt install locate
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  locate
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 270 kB of archives.
After this operation, 431 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian buster/main amd64 locate amd64 4.6.0+git+20190209-2 [270 kB]
Fetched 270 kB in 1s (524 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package locate.
(Reading database ... 16885 files and directories currently installed.)
Preparing to unpack .../locate_4.6.0+git+20190209-2_amd64.deb ...
Unpacking locate (4.6.0+git+20190209-2) ...
Setting up locate (4.6.0+git+20190209-2) ...
root@LXCDEBIAN10S:~#

root@LXCDEBIAN10S:~# locate lsmod
root@LXCDEBIAN10S:~#

So basically lsmod is not installed, nor is it available to install from the default repository. ¯\_(ツ)_/¯

As for nftables, you are correct that nft is the proper command, but the results are not much better:

Code: Select all

root@LXCDEBIAN10S:~# iptables --version
iptables/1.8.2 Failed to initialize nft: Protocol not supported

root@LXCDEBIAN10S:~# nftables --version
-bash: nftables: command not found

root@LXCDEBIAN10S:~# nft --version
netlink.c:62: Unable to initialize Netlink socket: Protocol not supported

I did attempt to upgrade to Debian 11, as well as try to download the latest kernel, but both attempts never changed uname, and ended up with several errors forcing me to reset to factory defaults.

I just want to be able to connect to our minecraft server with a DDNS connection. I can fully install MC and set up an SSH and connect from within my 192.168.x.x network, but trying to get to it from outside the router is turning into a serious headache.
Nazar78
Posts: 2082
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore
Contact:

Re: Cannot Configure Firewall Debian 10 Server

Post by Nazar78 »

  1. lsmod is part of the kmod bundle and should be installed by default. Perhaps your /sbin is not in the path environment? Try /sbin/lsmod.
  2. Even if you attempt to upgrade to Debian 11, it will still use the host kernel because, like others e.g. docker, LXC is still an underlying container. I'm using the LXC with Ubuntu Desktop 22.04 LTS (Jammy Jellyfish) still with the 5.4.x kernel. The only way to use another kernel is to run VirtualBox.
  3. You should actually try to compile the kernel outside the NAS environment, i.e. on VirtualBox or on another x86_64 box, because even if you have a perfect build environment set up on the NAS, any kernel references will still reflect back to 5.4.x, unless you trick the compiler or installer to use 5.4.0, refer to https://forum.asustor.com/viewtopic.php ... ame#p36632
  4. Not sure what you're trying to achieve, install MC server to make it accessible outside your router via DDNS? Why not just forward the port 25565 from your router to the LXC bridged interface, bond0-br? One thing though, give LXC a fixed MAC address, set it in /volume1/.@plugins/AppCentral/linux-center/containers/debian10/net, lxc.network.hwaddr, else your router will have a hard time reserving a DHCP lease or forwarding fixed ports because the MAC will change every time LXC restarts.

Tips: you can easily run a minecraft server using docker. Install docker-ce from Asustor App Center, then SSH and run "docker create -i -t --name=mc --network host -e EULA=TRUE itzg/minecraft-server:latest && docker start mc". Use "-p 25565:25565" instead of "--network host" if you want to use NAT instead of bridge. Then forward the port 25565 from your router to the NAS local IP.
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps

When posting, consider checking the box "Notify me when a reply is posted" to get faster response