Firewall more protocols

Hello,

Is it possible to add more protocols, not just UDP, TCP and ICMP? Or an option to block every connection, like “iptables -I INPUT -s IP -j DROP”?

Regards

Hi @radexspox

Currently it isn’t possible; Hestia only supports the TCP, UDP and ICMP network protocols.

You could use v-add-firewall-ban, something like this:

v-add-firewall-ban 203.0.113.1 RECIDIVE

But it will use REJECT instead of DROP and only for protocol TCP.

-A fail2ban-RECIDIVE -s 203.0.113.1/32 -j REJECT --reject-with icmp-port-unreachable

But you can create your own custom firewall rules in the file /usr/local/hestia/data/firewall/custom.sh and Hestia will load them.

For example:
Create the file /usr/local/hestia/data/firewall/my_banned_ips with a list of the IPs you want to DROP (one per line, in CIDR format).

❯ cat /usr/local/hestia/data/firewall/my_banned_ips
203.0.113.1
203.0.113.2/32
233.252.0.0/24

Now create the custom.sh file and add execution perms:

touch /usr/local/hestia/data/firewall/custom.sh
chmod +x /usr/local/hestia/data/firewall/custom.sh

Now add this script:

#!/usr/bin/env bash
# Loaded by Hestia on every v-update-firewall: insert one DROP rule per
# source IP/CIDR listed in my_banned_ips, matching all protocols.
ipt="/usr/sbin/iptables"
ips="/usr/local/hestia/data/firewall/my_banned_ips"
action="DROP"
if [[ ! -f "$ips" ]]; then
    echo "Error: file $ips doesn't exist" >&2
    exit 2
fi
# The '|| [[ -n "$ip" ]]' also processes a last line without a trailing newline.
while IFS= read -r ip || [[ -n "$ip" ]]; do
    # Trim leading/trailing whitespace, then skip blank lines and '#' comments
    ip="${ip#"${ip%%[![:space:]]*}"}"
    ip="${ip%"${ip##*[![:space:]]}"}"
    [[ -z "$ip" || "$ip" == \#* ]] && continue
    "$ipt" -I INPUT -s "$ip" -j "$action"
done <"$ips"

Now every time Hestia updates the firewall rules (v-update-firewall), it will add a DROP rule for all protocols for those source IPs.

❯ iptables -S | grep 'T -s 2'
-A INPUT -s 233.252.0.0/24 -j DROP
-A INPUT -s 203.0.113.2/32 -j DROP
-A INPUT -s 203.0.113.1/32 -j DROP
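As an added example that is not part of the thread and not Hestia's own code: a variant of the custom.sh approach that validates every entry of my_banned_ips as an IPv4 address or CIDR before it reaches iptables, skips blank lines and # comments, and offers a DRY_RUN=1 mode that only prints the rules it would insert. The function names and the DRY_RUN and IPTABLES variables are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or Hestia; function names and the DRY_RUN / IPTABLES variables are made up here.
set -u

# Return 0 if $1 is an IPv4 address or IPv4 CIDR (a.b.c.d or a.b.c.d/n, 0 <= n <= 32).
valid_ipv4_cidr() {
    local entry="$1" addr mask octet
    addr="${entry%%/*}"
    mask="${entry#"$addr"}"
    mask="${mask#/}"
    [[ "$addr" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
    for octet in "${BASH_REMATCH[@]:1:4}"; do
        (( 10#$octet <= 255 )) || return 1
    done
    if [[ "$entry" == */* ]]; then
        [[ "$mask" =~ ^[0-9]{1,2}$ ]] && (( 10#$mask <= 32 )) || return 1
    fi
    return 0
}

# Print the valid entries of ban-list file $1, one per line; blank lines and '#' comments are skipped, malformed lines go to stderr and make the status 1.
load_ban_list() {
    local file="$1" line entry bad=0
    while IFS= read -r line || [[ -n "$line" ]]; do
        entry="${line%%#*}"                         # drop trailing comment
        entry="${entry#"${entry%%[![:space:]]*}"}"  # trim leading whitespace
        entry="${entry%"${entry##*[![:space:]]}"}"  # trim trailing whitespace
        [[ -z "$entry" ]] && continue
        if valid_ipv4_cidr "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'skipping malformed entry: %q\n' "$entry" >&2
            bad=1
        fi
    done <"$file"
    return "$bad"
}

# Insert one all-protocol DROP rule per valid entry; with DRY_RUN=1 the iptables commands are printed instead of executed.
apply_bans() {
    local file="$1" ipt="${IPTABLES:-/usr/sbin/iptables}" ip
    while IFS= read -r ip; do
        if [[ "${DRY_RUN:-0}" == 1 ]]; then
            printf '%s -I INPUT -s %s -j DROP\n' "$ipt" "$ip"
        else
            "$ipt" -I INPUT -s "$ip" -j DROP
        fi
    done < <(load_ban_list "$file")
}
```

To use it as custom.sh, append the line `apply_bans /usr/local/hestia/data/firewall/my_banned_ips` at the end; running it once with DRY_RUN=1 shows the exact rules it would insert without touching the firewall.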