How to add iptables rules to server with Hestia

Trickster · September 28, 2021, 8:40pm

I’d like to add ordinary iptables rules like this one
iptables -A INPUT -i eth0 -m state --state INVALID -j DROP
to server with Hestia. How can do that?

I used this article as an example

but it looks like Hestia overrides saved rules by it’s own.

My OS is Ubuntu 20 and Hestia 1.4.14 (amd64)

jlguerrero · September 28, 2021, 8:59pm

Visit the firewall section in the panel and add your rules there.

Trickster · September 28, 2021, 9:48pm

Good advice but can you please explain how to add my rule
iptables -A INPUT -i eth0 -m state --state INVALID -j DROP
to firewall section?

Thanks in advance!

Trickster · September 29, 2021, 10:00am

So what I found.
Ordinary rules from Hestia are stored here
/usr/local/hestia/data/firewall/rules.conf

but besides that theoretically you can store your custom iptables rules inside
/usr/local/hestia/data/firewall/custom.sh file because inside v-update-firewall script such lines exists

# Checking custom trigger
if [ -x "$HESTIA/data/firewall/custom.sh" ]; then
    bash $HESTIA/data/firewall/custom.sh
fi

but after adding rules and saving them, they will not appear after reboot or after executing v-update-firewall command.

Any thoughts how to force it to work?

Trickster · September 30, 2021, 7:15am

Are there any ways to put Hestia to some kind of debug mode or run v-update-firewall script in verbose mode?
I’d like to find out why it’s not applying rules from custom.sh.

Raphael · September 30, 2021, 7:48am

You can just add an echo to custom.sh.

Trickster · September 30, 2021, 8:59am

I added “echo” but looks like it doesn’t woks from v-update-firewall script. But manually it works fine if you launch bash custom.sh

Besides that from v-update-firewall script we can see that it have to save FW rules to /etc/iptables.rules file before server reboot. Right? Then why it can’t save rule I added manually to iptables?

And systemd module /lib/systemd/system/hestia-iptables.service will restore these rules (/etc/iptables.rules) at startup.

Trickster · September 30, 2021, 9:23am

I don’t have much time to investigate why Hestia doesn’t save additional rules and why it doesn’t use custom.sh script.
So I decided to add all my rules to separate script and added it autostart with delay. And my problem was resolved.

eris · September 30, 2021, 9:43am

github.com

hestiacp/hestiacp/blob/dcceccdceb88a7d18d89bbcb2b648203f5abf99f/bin/v-update-firewall#L149-L152

    
      
          # Checking custom trigger
          if [ -x "$HESTIA/data/firewall/custom.sh" ]; then
              bash $HESTIA/data/firewall/custom.sh
          fi

Did you set exception permission to that file?

Even with bash command it should not be needed but it looks like it is an old bug

Trickster · September 30, 2021, 9:57am

Exception or execution?
And yes, I added +x flag but it didn’t help.

eris · September 30, 2021, 10:09am

Execution yes dit make a test and it seems to work don’t forget to add

#!/bin/bash

Trickster · September 30, 2021, 11:06am

Great, I’ll check in nearest day. Frankly speaking my problem was resolves but I’ll try your suggestion.

Deepak · October 3, 2021, 6:06am

For your general information:

Any shell script could be put in debug mode by adding -x command before the name of that script. Using Hestia scripts, you do not need to enter sh or bash before the name of that script, because Hestia service is loaded and takes care of that.

However, you could force all Hestia scripts to enter in a debug mode to add bash -x in the cli as follows (as an example):

bash -x v-update-firewall

Then you can publish here the last lines of output in shell, where is begins processing of data related to firewall.

NickCoolAI · March 28, 2022, 10:27pm

Worked like a charm.
Don’t forget to make $HESTIA/data/firewall/custom.sh executable by owner and do v-update-firewall after that.

absolutemusik · July 13, 2022, 8:59am

I am working on a custom rule for 8083 addresses with multiple IPs. I can put only 1 IP or 1 range only. However, I would like to have something like 11.11.11.11 and 22.22.22.22. So, I have created a custom.sh file but it is not showing 11.11.11.11 and 22.22.22.22. It is likely overridden by the setting in Control Panel. The habit is not alike VestaCP and myVestaCP. Please suggest whether I have done anything wrong.

Raphael · July 13, 2022, 9:01am

The custom firewall trigger should be the same like on myvesta, I dont think we’ve reworked this one. How did you created the custom.sh? Is it executable? Does it work when you trigger it manualy?

eris · July 13, 2022, 9:17am

Easiest method is using ipset:

https://docs.hestiacp.com/admin_docs/settings/firewall.html#how-do-i-setup-ip-set-black-whitelist

Create a .txt file with at least 10 ips:

For example:
1.2.3.1/32
1.2.3.2/32
1.2.3.3/32
1.2.3.4/32
1.2.3.5/32
1.2.3.6/32
1.2.3.7/32
1.2.3.8/32
1.2.3.9/32
1.2.3.10/32

And add it follow the instructions above:

qwxpr · September 28, 2022, 9:56am

if i run v-update-firewall file custom.sh execute all ok.
but after reboot custom.sh not exec. It should?

ineed exec one line after reboot /sbin/ip6tables-restore < /etc/iptables/rules.v6

or i need another way for run command /sbin/ip6tables-restore < /etc/iptables/rules.v6