HestiaCP integrated firewall is letting everything go through

So as the tittle says, the integrated HestiCP firewall doesn’t actually block or open the ports I would need or don’t want to be exposed, my machine is essentially running without any firewall at the moment.

I just recently installed Microbin and noticed that I could access it instantly on port 81, port 81 isn’t in the firewall list of HestiaCP, so now I’m kinda worried that I’m running my Ubuntu 24.04 server without any kind of firewall, IP tables are showing up in the list but literally nothing is happening I even tried blocking port 22, and I still can ssh into the server.

I’m using UFW normally, so maybe it’s just because I don’t know how iptables itself works, but it still seems really weird.
Here is the ssh command result for iptables and the second is the Hestia firewall page

image1373×314 31.8 KB

Second image of the panel is here:

image872×262 11.8 KB

Show the output of these commands (don’t share an screenshot, copy/paste the output, select it and click on button </> to format it):

iptables -S -t nat
iptables -S

Are the hidden IPs the ones used by your server, or is one of them the public IP you are using to connect to your server? Because that would explain why you can connect to port 81 from an external network.

Quick question: How exactly did you check that port 81 was open to the public?

Here are the two commands:

root@hestia:/# iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.18.0.0/16 ! -o br-052b1f071db7 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i br-052b1f071db7 -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i br-052b1f071db7 -p tcp -m tcp --dport 81 -j DNAT --to-destination 172.18.0.2:8080
root@hestia:/# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-BRIDGE
-N DOCKER-CT
-N DOCKER-FORWARD
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N fail2ban-FTP
-N fail2ban-HESTIA
-N fail2ban-RECIDIVE
-N fail2ban-SSH
-N fail2ban-WEB
-N hestia
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-WEB
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-HESTIA
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-FTP
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 1:65535 -j fail2ban-RECIDIVE
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 5.175.249.234/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 5.175.249.227/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,12000:12100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
-A DOCKER -d 172.18.0.2/32 ! -i br-052b1f071db7 -o br-052b1f071db7 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER ! -i docker0 -o docker0 -j DROP
-A DOCKER ! -i br-052b1f071db7 -o br-052b1f071db7 -j DROP
-A DOCKER-BRIDGE -o docker0 -j DOCKER
-A DOCKER-BRIDGE -o br-052b1f071db7 -j DOCKER
-A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-CT -o br-052b1f071db7 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-FORWARD -j DOCKER-CT
-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-FORWARD -j DOCKER-BRIDGE
-A DOCKER-FORWARD -i docker0 -j ACCEPT
-A DOCKER-FORWARD -i br-052b1f071db7 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-052b1f071db7 ! -o br-052b1f071db7 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o br-052b1f071db7 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-USER -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-HESTIA -j RETURN
-A fail2ban-RECIDIVE -s 92.255.85.37/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 92.255.85.253/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 92.255.85.107/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 42.96.18.76/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 41.86.56.153/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.237/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.235/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.233/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.232/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.231/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.230/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.229/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.228/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.227/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.226/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.225/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.223/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.222/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.221/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.220/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.219/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.218/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.217/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.216/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.198/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.186/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.112/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 218.92.0.111/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 202.165.14.190/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 193.37.71.206/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 185.93.89.118/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 185.42.12.240/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 178.217.72.50/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 14.225.202.217/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 128.199.188.253/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 103.88.130.60/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 103.29.85.13/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 103.171.91.12/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-WEB -j RETURN
root@hestia:/#

By going to the Pastebin itself, then it struck me that I never opened the port, but I could access it, it does the same if I go with the IP and when I test it on
the port checker

I believe this rule is responsible for allowing connections to port 81:

Hmm! I didn’t spot it before yeah must be it, now that I think about it, their thing is basically a 1 time run installer script that uses docker hub (from what I understood from the GitHub) so it must be it yeah, thanks, but what about port 22 for ssh ? Shouldn’t I lose access to ssh if I block port 22 on Hestia CP ? Or is there yet another rule I missed

Yeah i don’t know much with iptables I’m just starting out in using a control panel like Hestia or any for the matter, and was only doing docker and directly on the machine for the nginx or panels like Pterodactyl using UFW or firewalld, so thanks for your help

If you are already connected, no. If you try to connect using a new session, yes, you should be blocked. Indeed right now port ssh is not open.

❯ check_ports 5.175.249.234
[...]
PORT     STATE SERVICE   REASON
21/tcp   open  ftp       syn-ack ttl 52
80/tcp   open  http      syn-ack ttl 52
81/tcp   open  hosts2-ns syn-ack ttl 51
443/tcp  open  https     syn-ack ttl 52
8083/tcp open  us-srv    syn-ack ttl 52

Thanks for the help, problem solved it was just docker that made its own iptables rule that is overwriting Hestia ones that’s it