Does iptables/firewall work with IPv6?

Wonder · December 4, 2025, 6:54pm

Apologies if this topic has already been covered, I’ve been reading for several days and my head is about to explode…

I’m configuring Hestia to migrate one of my sites, see how it goes, and then migrate the others.

Since this is new to me, I’m reading up on it first, and at this hour, like I said, my head is about to explode

I have Hestia running Debian 12, and I have IPv6 connectivity, but… nothing about IPv6 appears in the firewall settings. Is the firewall that comes with Hestia compatible with IPv6?

As I said, sorry if this topic has already been discussed, but I haven’t found any threads that clarify this for me…

Thanks

sahsanu · December 4, 2025, 10:32pm

Hestia doesn’t support IPv6 yet. Work is being done, but it isn’t available yet.

Wonder · December 4, 2025, 10:54pm

Okay, I understand. So, it’s not yet possible to access Hestia with IPv6?

The important thing is knowing that they’re working on it.

Thanks for the reply

sahsanu · December 4, 2025, 10:55pm

Not yet, at least not in a way supported by Hestia.

Wonder · December 4, 2025, 10:59pm

Okay, thanks for the reply.
Well, knowing they’re working on it, I suppose it’s just a matter of time.

Wonder · December 5, 2025, 8:04am

Excuse me, this might be a bit off-topic in this thread. I came to ask about the possibility of iptables/firewall working with IPv6. You informed me that Hestia doesn’t support IPv6, okay.

I came here because of this thread:

I understand that with this system, users would access the site via IPv6 through Nginx (it’s the same system I use in another panel I’m currently using and plan to abandon). Am I mistaken, or is this correct?

What I don’t see here is how to select one template or the other (default.tpl or ipv6.tpl once it’s copied and edited, of course). It would be a way to test this without affecting the site in any way.

Thanks in advance.

sahsanu · December 5, 2025, 8:13am

It’s correct but only for the web domain.

Edit your web domain, and in Advanced Options you can select the template from the dropdown list under Proxy Template.

Wonder · December 5, 2025, 8:36am

Thanks for the reply.

Okay, I understand that it’s only for web domains, as you indicated.

However, in the other panel I mentioned, instead of putting between those brackets, I put my IPv6 address, so it looks like this:

listen [myipv6]:%proxy_ssl_port% ssl

I gather that for Apache, it’s the same procedure (copying templates and modifying them by adding the IPv6 field).

I had it right in front of me and didn’t see it, thanks, I’ll do some testing

Now I need to see if it can be done for email, although I haven’t gotten to the email field yet.

Thanks again.

sahsanu · December 5, 2025, 8:55am

Yes, you can use a specific IPv6 address, no problem.

You don’t need to modify the Apache templates; the only web server accessed using your public IPs is Nginx.

For the mail domain, there is no way to add a specific template, but you can modify the current one.

For Nginx + Apache2, edit the default.tpl and default.stpl templates located in /usr/local/hestia/data/templates/mail/nginx/ and create the mail domain or rebuild it if already exists.

Keep in mind that you may need to modify these mail templates again after the next Hestia upgrade.

Wonder · December 5, 2025, 10:20am

[quote=“sahsanu, post:9, topic:20702”]

Yes, you can use a specific IPv6 address, no problem.[/quote]
Okay, perfect

[quote=“sahsanu, post:9, topic:20702”]
You don’t need to modify the Apache templates; the only web server accessed using your public IPs is Nginx.[/quote]
Thanks for the clarification. I understand that everything is handled by nginx, and that’s the only place I need to modify.

Okay, but I don’t think I explained myself well. Correct me if I’m wrong, but this is so that webmail and Roundcube can also be accessible/listen via IPv6. If so, I’ll make those changes, and in the next Hestia upgrade, I’ll remember to make the change.

I meant that Exim/SMTP should be able to work with IPv6 (Gmail wants to receive mail via IPv6 as well). I’ve been looking into it and I’ve seen that the file /etc/exim4/exim4.conf.template has this field: disable_ipv6 = true
It would be a matter of changing it to false.

And the file:

/etc/dovecot/dovecot.conf already has: listen = *, ::
Which is necessary for IPv6.

If I’m wrong about anything, please correct me.

And thank you very much in advance!

sahsanu · December 5, 2025, 12:37pm

That’s correct.

Correct, but you should also comment out these directives, which tell Exim to use the IPv4 address for outgoing mail:

interface = ${if exists{OUTGOING_IP}{${readfile{OUTGOING_IP}}}}

Yes.

I can’t remember any other changes that need to be made in Exim or Dovecot for them to use IPv6.

You’re welcome

Wonder · December 5, 2025, 12:48pm

Perfect

Hmm… I wasn’t aware of this parameter… okay, I’ll mention it.

Anyway, I’m already running tests and it’s sending the site via IPv6, but I was unaware of this parameter. I come from the Red Hat/Postfix world, so this is all a bit new to me…

Ok, then, all good

Thank you so much! You can’t imagine how grateful I am for these answers, the forum, etc.
Thanks

PS: I just changed the DNS settings and they’re pointing to the new server with Hestia, working perfectly on the first try (after some initial configuration, readings, etc.).