Ip bans in banlist service web not active after reboot?

maurice · February 12, 2023, 12:57am

Hello all,

In the hestia webinterface, ip banlist (@ url :8083/list/firewall/banlist/) I have a few ips listed under the service ‘recidive’ that are probably there because fail2ban found them in the past.

I also have added a few ip’s manually under the service ‘web’.

It seems that, after a reboot of the server, the chain ‘recidive’ is still filled with the banned ips (which is good), but the chain ‘web’ is empty (not good). Both checked with ‘iptables -L’.

Only after a manually ‘v-update-firewall’ the chain ‘web’ is as expected, filled with the ips from the banlist.

Is this intended behavior or a bug?

Thank you.

dtkoe · February 14, 2023, 6:55am

it’s also interesting how to save banned ones after a reboot

eris · February 14, 2023, 10:27am

That can’t be right

eris · February 14, 2023, 10:40am

It looks intended in:

github.com

hestiacp/hestiacp/blob/d128e3c770f9f87917a7e20d88a0ed9b59dbc915/bin/v-update-firewall#L183


      
          		echo " -j REJECT --reject-with icmp-port-unreachable" >> $tmp
          	done
          	bash $tmp 2> /dev/null
          	rm -f $tmp
          fi
          
          
# Clean up and saving rules to the master iptables file
          if [ -d "/etc/sysconfig" ]; then
          	/sbin/iptables-save | sed -e 's/[[0-9]\+:[0-9]\+]/[0:0]/g' -e '/^-A fail2ban-[A-Z]\+ -s .\+$/d' > /etc/sysconfig/iptables
          else
          	/sbin/iptables-save | sed -e 's/[[0-9]\+:[0-9]\+]/[0:0]/g' -e '/^-A fail2ban-[A-Z]\+ -s .\+$/d' > /etc/iptables.rules
          	iptablesversion="$(iptables --version | head -1 | awk '{print $2}' | cut -f -2 -d .)"
          	sd_unit="/lib/systemd/system/hestia-iptables.service"
          	if [ ! -e "$sd_unit" ]; then
          		echo "[Unit]" >> $sd_unit
          		echo "Description=Loading Hestia firewall rules" >> $sd_unit
          		echo "DefaultDependencies=no" >> $sd_unit
          		echo "Wants=network-pre.target local-fs.target" >> $sd_unit
          		echo "Before=network-pre.target" >> $sd_unit
          		echo "After=local-fs.target" >> $sd_unit
          		echo "" >> $sd_unit

If you want to permanently block an ip:

system · March 16, 2023, 10:41am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.