Hi,
I'm intrigued by the custom.sh that was mentioned for adding custom rules to the firewall after a reboot. I created custom.sh:
root@east:/usr/local/hestia/data/firewall# ls -lh
total 16K
-rw-rw---- 1 root root 0 Dec 16 15:45 banlist.conf
-rw-rw---- 1 root root 228 Dec 16 15:44 chains.conf
-rwxr-xr-x 1 root root 1.6K Dec 16 15:40 custom.sh
drwxr-xr-x 2 root root 4.0K Dec 16 14:57 ipset
-rw-r--r-- 1 root root 0 Dec 16 15:14 ipset.conf
-rw-r--r-- 1 root root 2.7K Dec 16 15:25 rules.conf
With the contents:
#!/bin/bash
# Resolve the iptables binaries once so the rules below work regardless of PATH
ipt4="$(command -v iptables)"
ipt6="$(command -v ip6tables)"
# add maltrail rules: create the set (quietly, in case it already exists) and drop anything in it
/usr/sbin/ipset -q create maltrail hash:net
$ipt4 -I INPUT -m set --match-set maltrail src -j DROP
# Flush all IPv6 rules and delete all chains
# for a clean startup
$ipt6 -F
$ipt6 -X
# Zero out all counters
$ipt6 -Z
# Default policies: deny all incoming
# Unrestricted outgoing
$ipt6 -P INPUT DROP
$ipt6 -P FORWARD DROP
$ipt6 -P OUTPUT ACCEPT
# Must allow loopback interface
$ipt6 -A INPUT -i lo -j ACCEPT
# Reject connection attempts not initiated from the host
# $ipt6 -A INPUT -p tcp --syn -j DROP
# Allow return connections initiated from the host
$ipt6 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept all ICMP v6 packets
$ipt6 -A INPUT -p icmpv6 -j ACCEPT
# Optional rules to allow other LAN hosts access to services.
# These only take effect if the "$ipt6 -A INPUT -p tcp --syn -j DROP" rule above stays disabled.
# Allow DHCPv6 from LAN only
$ipt6 -A INPUT -m state --state NEW -m udp -p udp -s fe80::/10 --dport 546 -j ACCEPT
# Allow connections from SSH clients
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Allow HTTP and HTTPS traffic
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Allow access to SMTP, POP3, and IMAP
$ipt6 -A INPUT -m state --state NEW -p tcp -m multiport --dport 25,110,143 -j ACCEPT
The IPv6 rules are created, but for some reason these are not:
/usr/sbin/ipset -q create maltrail hash:net
$ipt4 -I INPUT -m set --match-set maltrail src -j DROP
And it's also missing some custom rules I have in the firewall (for example, port 8983 for Solr).
Am I missing a step?
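A way to find out which of the expected rules actually survived the reboot is to compare them against what the kernel currently holds. The checker below is an added example, not part of the post and not Hestia's own code: it takes the rules custom.sh is supposed to add, written the way `iptables-save` prints them (protocol first, then the match modules, and `-I` shown as `-A`), and reports every one that is absent from an `iptables-save` dump. The `EXPECTED_V4` list and the `SAMPLE_DUMP` are constructed for the example; the maltrail rule is the one from the post and the 8983 rule stands in for the Solr rule. Run it with `--live` as root to check the real ruleset instead of the sample.

```shell
#!/bin/sh
# Added example (not Hestia's code): report which expected iptables rules are
# missing from an `iptables-save` dump, so a custom.sh that silently did not
# apply can be spotted after a reboot.
# Assumption: expected rules are written in iptables-save's own output form.

# Rules custom.sh is expected to have added (constructed list for this example).
EXPECTED_V4='-A INPUT -m set --match-set maltrail src -j DROP
-A INPUT -p tcp -m tcp --dport 8983 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'

# Constructed sample of `iptables-save` output from a host where only the
# SSH rule is present: the ipset rule and the Solr rule never got applied.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT'

# line_present TEXT LINE: succeed if LINE occurs verbatim as a whole line of TEXT.
# Used both for rules in an iptables-save dump and for set names in `ipset list -n`.
line_present() {
    printf '%s\n' "$1" | grep -Fxq -e "$2"
}

# missing_rules DUMP EXPECTED: print "MISSING: <rule>" for every expected rule
# absent from DUMP; return 1 if any were missing, 0 if all are present.
missing_rules() {
    dump=$1
    expected=$2
    missing=0
    # A here-document rather than a pipe keeps $missing in this shell.
    while IFS= read -r rule; do
        [ -z "$rule" ] && continue
        if ! line_present "$dump" "$rule"; then
            printf 'MISSING: %s\n' "$rule"
            missing=$((missing + 1))
        fi
    done <<EOF
$expected
EOF
    [ "$missing" -eq 0 ]
}

# count_missing DUMP EXPECTED: number of expected rules absent from DUMP.
count_missing() {
    missing_rules "$1" "$2" | grep -c '^MISSING: '
}

if [ "${1:-}" = "--live" ]; then
    # On a real host (as root): inspect the running ruleset and the ipset list.
    missing_rules "$(iptables-save)" "$EXPECTED_V4"
    line_present "$(ipset list -n)" maltrail || echo "MISSING: ipset maltrail"
else
    # Offline demonstration on the constructed sample; the set list is empty
    # here to show what a missing ipset looks like.
    missing_rules "$SAMPLE_DUMP" "$EXPECTED_V4" || echo "some expected rules are missing"
    line_present "" maltrail || echo "MISSING: ipset maltrail"
fi
```

On the sample dump this prints two `MISSING:` lines (the maltrail DROP and the 8983 ACCEPT) plus the missing ipset, which is the same pattern the post describes: the IPv6 part of custom.sh ran, the IPv4 and ipset part did not. Comparing `iptables-save` output right after boot with the output after running custom.sh by hand narrows down whether the script is not being executed at all or is being executed before Hestia rewrites the ruleset.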