Как решить ошибку ufw enable?

Question

[Михаил]

Пытаюсь включить ufw и выходит следующий лог с закрытием ssh соеденений

root:~# sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
iptables-restore: line 4 failed
iptables-restore: line 75 failed

Problem running '/etc/ufw/before.rules'

root:~# /usr/share/ufw/check-requirements
Has python: pass (binary: python3, version: 3.9.2, py3)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: FAIL
error was: iptables: No chain/target/match by that name.
limit: pass
ctstate (NEW): FAIL
error was: iptables: No chain/target/match by that name.
ctstate (RELATED): FAIL
error was: iptables: No chain/target/match by that name.
ctstate (ESTABLISHED): FAIL
error was: iptables: No chain/target/match by that name.
ctstate (INVALID): FAIL
error was: iptables: No chain/target/match by that name.
ctstate (new, recent set): FAIL (no runtime support)
error was: iptables: No chain/target/match by that name.
ctstate (new, recent update): FAIL (no runtime support)
error was: iptables: No chain/target/match by that name.
ctstate (new, limit): FAIL
error was: iptables: No chain/target/match by that name.
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: FAIL
error was: ip6tables: No chain/target/match by that name.
limit: pass
ctstate (NEW): FAIL
error was: ip6tables: No chain/target/match by that name.
ctstate (RELATED): FAIL
error was: ip6tables: No chain/target/match by that name.
ctstate (ESTABLISHED): FAIL
error was: ip6tables: No chain/target/match by that name.
ctstate (INVALID): FAIL
error was: ip6tables: No chain/target/match by that name.
ctstate (new, recent set): FAIL (no runtime support)
error was: ip6tables: No chain/target/match by that name.
ctstate (new, recent update): FAIL (no runtime support)
error was: ip6tables: No chain/target/match by that name.
ctstate (new, limit): FAIL
error was: ip6tables: No chain/target/match by that name.
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
icmpv6 (destination-unreachable): pass
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-problem): pass
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-solicitation): pass
icmpv6 with hl (neighbor-advertisement): pass
icmpv6 with hl (router-solicitation): pass
icmpv6 with hl (router-advertisement): pass
ipv6 rt: pass

FAIL: check your kernel and that you have iptables >= 1.4.0
FAIL: check your kernel and iptables for additional runtime support

Прошёл весь гугл не нашёл решения..

Comments

[Drno]

ну он тебя предупреждает что ssh соединение закроется. ты вообще разрешил его в ufw ?

Answer 1

[hint000]

iptables-restore: line 4 failed
iptables-restore: line 75 failed
Problem running '/etc/ufw/before.rules'

Ругается на какие-то правила, но вы их не показали.
Показывайте из файла /etc/ufw/before.rules по крайней мере строку 4 и строку 75, на которые ругается. А лучше весь этот файл для большей ясностти.
Также командой iptables -V покажите версию iptables.

hashlimit: FAIL

покажите find /lib/modules/ -name '*xt_hashlimit*'

ctstate (NEW): FAIL

покажите find /lib/modules/ -name '*xt_conntrack*'

Comments

[Михаил]

/etc/ufw/before.rules

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

iptables -V
iptables v1.8.7 (legacy)

find /lib/modules/ -name '*xt_hashlimit*'
Ничего

find /lib/modules/ -name '*xt_conntrack*'
Ничего

[hint000]

Михаил, Пока довольно странно, что в системе (если это Debian) не видно нужных модулей ядра.
А если так?:

find /lib/modules/*/kernel/net/netfilter -name *conntrack.*

Если тоже ничего, тогда
find /lib/modules/*/kernel/net/netfilter

[Михаил]

find /lib/modules/*/kernel/net/netfilter -name *conntrack.*

find: '/lib/modules/*/kernel/net/netfilter': No such file or directory

find /lib/modules/*/kernel/net/netfilter

find: '/lib/modules/*/kernel/net/netfilter': No such file or directory

Возможно нужно установить netfilter? Не совсем понимаю как.
И да Debian 11

[hint000]

Попробуйте установить эти пакеты:

sudo apt install conntrack conntrackd libnetfilter-conntrack3