[BUG] netfilter-persistent.service error

Hi,

Just to report a bug and fix.

If you have a custom IPSet (e.g. from a URL) set up with HCP and also applied to one of the rules, and at the same time alter iptables manually for another purpose and save the iptables with the iptables-persistent package:

When you restart the server, iptables may not be able to restore properly, stating an error reading the IPv4/IPv6 file at the line where you’ve set up the custom rule with IPSets.

Problem root cause:

netfilter-persistent.service is loaded BEFORE hestia-iptables.service, which means netfilter-persistent.service doesn’t get the IPSet from Hestia; it then reports an error and stops processing the restore.

Resolution:

As per @sahsanu:

You can add your own rules in the file /usr/local/hestia/data/firewall/custom.sh (the file is a script and must have executable permissions) and Hestia will execute that script when updating the firewall. Just a quick example:

❯ cat /usr/local/hestia/data/firewall/custom.sh
#!/usr/bin/env bash
ipt="/usr/sbin/iptables"
ipt6="/usr/sbin/ip6tables"

"$ipt6" -P INPUT DROP
"$ipt6" -A INPUT -s ::1 -j ACCEPT
"$ipt6" -A OUTPUT -d ::1 -j ACCEPT
"$ipt6" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$ipt6" -A INPUT -p icmpv6 -j ACCEPT

ipset="i5 portspoof sahsanu-LV1 sahsanu-LV2 sahsanu-LV3 permaban"
chain_prefix="LOG_DROP"
action="DROP"
for i in $ipset; do
    "$ipt" -F "$chain_prefix"_"$i"
    "$ipt" -X "$chain_prefix"_"$i"
    "$ipt" -N "$chain_prefix"_"$i"
    "$ipt" -A "$chain_prefix"_"$i" -j LOG --log-level 4 --log-prefix "iptables:drop:$i "
    "$ipt" -A "$chain_prefix"_"$i" -j "$action"
    "$ipt" -I INPUT -m set --match-set "$i" src -j "$chain_prefix"_"$i"
done
[...]

Guys, please follow Sahsanu’s advice, as my previous solution will mess up the firewall rules set up by the Hestia Firewall settings. (Reason: the HestiaCP firewall will be overwritten by the rules saved by netfilter-persistent.)

@sahsanu

I’ve figured out how to use custom.sh to add iptables rules. But is it possible for that script to make use of the ipsets from HestiaCP (/usr/local/hestia/data/firewall/ipset)? I would like to make use of that for GeoIP blocking/allowing as well.

Thanks

Sorry, I don’t know what you mean. Could you please explain it a bit more?

I’ve created some IPsets from HestiaCP which sort out my country IP lists, and the lists are used by some of my rules set in HestiaCP itself. But can I use those lists for my custom iptables rules set in custom.sh as well?

Yes, you can. Those ipsets are created by Hestia but are available system-wide.

May I know how to use it? For example, I have an IPSet named “HongKong”.

How can I put it into this rule?

$IPTABLES -I DOCKER-USER -p tcp XXXXXX --dport 9443 -j ACCEPT
$IPTABLES -I DOCKER-USER -p tcp -m set --match-set HongKong src --dport 9443 -j ACCEPT

Cool, thanks so much. So I don’t need to use the xt_geoip module anymore, cool.

Do I need to add the module “-m tcp” as well? (I saw that in the /etc/iptables.rules file.)

Like this?

$IPTABLES -I DOCKER-USER -p tcp -m tcp --dport 9443 -m set --match-set HongKong src -j ACCEPT

No, -p tcp already loads the tcp module, but it won’t hurt if you add it.

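A custom.sh along the lines of the answers above, as an added example rather than code from this thread or from HestiaCP: it builds the DOCKER-USER rule that matches the HongKong ipset and checks that the set actually exists before inserting it, which is safe here because Hestia runs custom.sh after creating its ipsets (the situation netfilter-persistent got wrong at boot). The DRY_RUN, IPSET and IPTABLES variables and the helper function names are assumptions of this example, not part of Hestia's interface.

```shell
#!/usr/bin/env bash
# Hypothetical custom.sh (added example, not HestiaCP's code). Hestia runs
# this script after creating its ipsets, so rules that reference them are
# safe here, unlike rules restored earlier by netfilter-persistent.
# Assumed: ipset "HongKong" and port 9443 as in the thread.
set -u
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
IPSET="${IPSET:-/usr/sbin/ipset}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print iptables commands instead of running them

# Run an iptables invocation, or just echo it in dry-run mode.
run_ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# Succeed only if the named ipset currently exists in the kernel.
ipset_exists() {
    "$IPSET" list -n 2>/dev/null | grep -qx -- "$1"
}

# The rule from the thread: allow TCP/<port> in DOCKER-USER only from
# sources listed in <set>. Printed on one line so callers can inspect it.
allow_port_from_set() {
    printf '%s\n' "-I DOCKER-USER -p tcp -m set --match-set $1 src --dport $2 -j ACCEPT"
}

# Insert that rule only when its ipset exists, so a missing set gives a
# clear message instead of iptables aborting with an unknown match-set.
apply_set_rule() {
    set_name="$1"; port="$2"
    if ! ipset_exists "$set_name"; then
        echo "custom.sh: ipset '$set_name' not found, skipping port $port rule" >&2
        return 1
    fi
    rule="$(allow_port_from_set "$set_name" "$port")"
    # -C checks for an identical rule first (skipped in dry-run mode, which
    # never queries the kernel) so re-running custom.sh adds no duplicates.
    if [ "$DRY_RUN" != "1" ] && "$IPTABLES" -C ${rule#-I } 2>/dev/null; then
        return 0
    fi
    run_ipt $rule
}

# Only act when executed as custom.sh; sourcing just defines the functions.
case "${0##*/}" in custom.sh) apply_set_rule HongKong 9443 ;; esac
```

Running it with DRY_RUN=1 prints the iptables command it would insert, which is a convenient way to review the generated rules before letting Hestia apply them.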