How to add iptables rules to server with Hestia

I’d like to add ordinary iptables rules like this one
iptables -A INPUT -i eth0 -m state --state INVALID -j DROP
to a server with Hestia. How can I do that?

I used this article as an example

but it looks like Hestia overrides the saved rules with its own.

My OS is Ubuntu 20 and Hestia 1.4.14 (amd64)

Visit the firewall section in the panel and add your rules there.


Good advice, but can you please explain how to add my rule
iptables -A INPUT -i eth0 -m state --state INVALID -j DROP
to the firewall section?


Thanks in advance!

So, what I found.
Ordinary rules from Hestia are stored here:
/usr/local/hestia/data/firewall/rules.conf

but besides that, theoretically you can store your custom iptables rules inside the
/usr/local/hestia/data/firewall/custom.sh file, because inside the v-update-firewall script these lines exist:

# Checking custom trigger
if [ -x "$HESTIA/data/firewall/custom.sh" ]; then
    bash $HESTIA/data/firewall/custom.sh
fi

but after adding rules and saving them, they do not appear after a reboot or after executing the v-update-firewall command.

Any thoughts how to force it to work?

Are there any ways to put Hestia to some kind of debug mode or run v-update-firewall script in verbose mode?
I’d like to find out why it’s not applying rules from custom.sh.

You can just add an echo to custom.sh.

I added an “echo”, but it looks like it doesn’t work from the v-update-firewall script. But manually it works fine if you launch bash custom.sh.

Besides that, from the v-update-firewall script we can see that it has to save the FW rules to the /etc/iptables.rules file before a server reboot. Right? Then why can’t it save the rule I added manually to iptables?

And systemd module /lib/systemd/system/hestia-iptables.service will restore these rules (/etc/iptables.rules) at startup.

I don’t have much time to investigate why Hestia doesn’t save additional rules and why it doesn’t use the custom.sh script.
So I decided to put all my rules in a separate script and added it to autostart with a delay. And my problem was resolved.

Did you set exception permission to that file?

Even with the bash command it should not be needed, but it looks like it is an old bug.

Exception or execution?
And yes, I added +x flag but it didn’t help.

Execution, yes. I did make a test and it seems to work. Don’t forget to add

#!/bin/bash


Great, I’ll check in the nearest days. Frankly speaking, my problem was resolved, but I’ll try your suggestion.

For your general information:

Any shell script can be put in debug mode by adding the -x option before the name of that script. With Hestia scripts, you do not need to enter sh or bash before the name of the script, because the Hestia service is loaded and takes care of that.

However, you can force any Hestia script to enter debug mode by adding bash -x in the CLI as follows (as an example):

bash -x v-update-firewall

Then you can publish here the last lines of the output in the shell, where it begins processing the data related to the firewall.

Worked like a charm.
Don’t forget to make $HESTIA/data/firewall/custom.sh executable by its owner and run v-update-firewall after that.

I am working on a custom rule for 8083 with multiple IP addresses. I can put only 1 IP or 1 range. However, I would like to have something like 11.11.11.11 and 22.22.22.22. So, I have created a custom.sh file, but it is not showing 11.11.11.11 and 22.22.22.22. It is likely overridden by the setting in the Control Panel. The behaviour is not like VestaCP and myVestaCP. Please suggest whether I have done anything wrong.

The custom firewall trigger should be the same as on myvesta; I don’t think we’ve reworked this one. How did you create the custom.sh? Is it executable? Does it work when you trigger it manually?

Easiest method is using ipset:

https://docs.hestiacp.com/admin_docs/settings/firewall.html#how-do-i-setup-ip-set-black-whitelist

Create a .txt file with at least 10 IPs:

For example:
1.2.3.1/32
1.2.3.2/32
1.2.3.3/32
1.2.3.4/32
1.2.3.5/32
1.2.3.6/32
1.2.3.7/32
1.2.3.8/32
1.2.3.9/32
1.2.3.10/32

And add it, following the instructions above:
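A worked custom.sh, added here as an example (not code from the Hestia project or from any of the posters above), that covers both the INVALID drop rule from the opening post and the multi-IP allow-list for port 8083 asked about above. It relies only on the custom trigger quoted earlier: v-update-firewall runs `bash $HESTIA/data/firewall/custom.sh` when the file is executable, so the `#!/bin/bash` line and the execute bit mentioned above are still required. Because v-update-firewall runs the file again on every firewall update, each rule is checked with `iptables -C` before it is added, so repeated runs do not stack duplicate rules. The set name `hestia_panel_allow`, the allow-list path `/usr/local/hestia/data/firewall/panel_allow.txt` (a file of addresses or CIDRs in the format listed above), the helper names `ensure_rule` and `load_ipset`, and the `IPTABLES`/`IPSET` variables are this example's own assumptions; it drives ipset and iptables directly rather than through the Hestia ipset feature linked above.

```shell
#!/bin/bash
# Example $HESTIA/data/firewall/custom.sh (constructed example, not Hestia code).
# v-update-firewall runs this file with "bash custom.sh" whenever the firewall is
# rebuilt, so it must be safe to run repeatedly: rules are checked with -C before
# being added, and the ipset is created with -exist and flushed, never destroyed.

IPTABLES="${IPTABLES:-/sbin/iptables}"
IPSET="${IPSET:-/sbin/ipset}"
# Assumed names for this example; neither the set nor the file is Hestia's own.
PANEL_SET="${PANEL_SET:-hestia_panel_allow}"
PANEL_ALLOW_FILE="${PANEL_ALLOW_FILE:-/usr/local/hestia/data/firewall/panel_allow.txt}"

# ensure_rule {-A|-I} CHAIN RULE...
# Append (-A) or insert at the top (-I) of CHAIN, but only if "iptables -C" does
# not already find an identical rule. Returns iptables' status when it has to add.
ensure_rule() {
    mode="$1"; chain="$2"; shift 2
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        echo "present: $chain $*"
        return 0
    fi
    echo "$mode $chain $*"
    "$IPTABLES" "$mode" "$chain" "$@"
}

# load_ipset SET FILE
# (Re)build an IPv4 hash:net set from FILE, one address or CIDR per line, ignoring
# blank lines and "#" comments. Flushing instead of destroying keeps the set usable
# by a rule that already references it. Entries with characters outside 0-9 . /
# are skipped (an IPv6 set would need "family inet6" and a looser check).
load_ipset() {
    set_name="$1"; file="$2"
    "$IPSET" create "$set_name" hash:net -exist || return 1
    "$IPSET" flush "$set_name"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                               # drop trailing comment
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"
        [ -z "$entry" ] && continue
        case "$entry" in
            *[!0-9./]*) echo "skipping invalid entry: $line" >&2; continue ;;
        esac
        "$IPSET" add "$set_name" "$entry" -exist && count=$((count + 1))
    done < "$file"
    echo "$set_name: $count entries loaded"
}

apply_rules() {
    # 1. The rule from the question. "-m conntrack --ctstate INVALID" is the
    #    conntrack-module equivalent of "-m state --state INVALID". Appending is
    #    fine for a DROP that no earlier rule is expected to shadow.
    ensure_rule -A INPUT -i eth0 -m conntrack --ctstate INVALID -j DROP

    # 2. Restrict the panel port to an allow-list of several IPs or ranges. One
    #    negated set match replaces an ACCEPT/DROP pair, and -I puts it ahead of
    #    any rule for 8083 Hestia generated from rules.conf (-A would land after).
    if [ -r "$PANEL_ALLOW_FILE" ]; then
        load_ipset "$PANEL_SET" "$PANEL_ALLOW_FILE" || return 1
        ensure_rule -I INPUT -p tcp --dport 8083 -m set ! --match-set "$PANEL_SET" src -j DROP
    else
        echo "no $PANEL_ALLOW_FILE, not restricting port 8083" >&2
    fi
}

# Touch the live firewall only when run as root with both tools present (which is
# how v-update-firewall runs it); otherwise only the functions are defined.
if [ "$(id -u)" -eq 0 ] && [ -x "$IPTABLES" ] && [ -x "$IPSET" ]; then
    apply_rules
fi
```

Put the allow-list in the file, `chmod u+x` the script, then run `v-update-firewall`; `iptables -S INPUT` and `ipset list hestia_panel_allow` show the result, and a second run prints `present:` for each rule instead of adding it again. Note that `-C` only recognises an identical rule spec, so if you edit a rule's text in this file the old version stays in the chain until the chain is flushed and rebuilt.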

If I run v-update-firewall, the custom.sh file executes and everything is OK.
But after a reboot custom.sh is not executed. Should it be?

I need to execute one line after reboot: /sbin/ip6tables-restore < /etc/iptables/rules.v6

Or do I need another way to run the command /sbin/ip6tables-restore < /etc/iptables/rules.v6?