Iptables/vesta firewall

Hello. How do I either (a) completely disable the hestiacp firewall and use only iptables, or (a1) import my rules.ip4 into the hestiacp firewall permanently,
or (b) make iptables see the ipset lists in /usr/local/hestia/data/firewall/ipset?

I currently use the custom.sh to wipe out all hestiacp rules and run iptables.

update: ipsets have not updated since October 2023.

update2: appears this will help with using ipsets for iptables. https://grok.com/share/bGVnYWN5_a0022660-c023-43ec-900a-978dcb7e6b68

Hi @arktex54

Hestia doesn’t have a “firewall”, the firewall is iptables. Hestia is only a wrapper to add/remove rules, ipsets, etc. so there is no need to disable it.

I know nothing about Vesta so I don’t know how the rules are saved but if you don’t have dozens of rules, it is easy to add them manually or using a script.

I don’t quite understand. Could you explain?

Oh my god, too many words :wink:

How do I setup an ipset blacklist or whitelist?

Once the ipset is created, you can add a firewall rule and use the ipset as the source IP.

Note: Hestia provides a script (/usr/local/hestia/install/common/firewall/ipset/blacklist.sh) that includes several IP sources for undesired source IPs, which you can use to create a blocklist ipset.


Hello. You mentioned Vesta for the firewall rules, but I am using Hestia (which has long parted from Vesta).

The IP set lists that are on the server are showing last updated as October 2023.

Yeah, I know. Since you asked about import rules and the topic’s title is ‘Vesta firewall,’ I assumed you want to import Vesta rules into Hestia.

Show the output of this command:

v-list-firewall-ipset

Show the output of this command:

LISTNAME     IP_VERSION  AUTOUPDATE  SUSPENDED  SOURCE                                                                                  TIME      DATE
----         ------      -----       ----       --                                                                                      ----      ----
Rushah       v4          yes         no         https://raw.githubusercontent.com/ipverse/rir-ip/master/country/ru/ipv4-aggregated.txt  10:35:00  2023-09-30
CHYNA        v4          yes         no         https://raw.githubusercontent.com/ipverse/rir-ip/master/country/cn/ipv4-aggregated.txt  10:35:11  2023-09-30
Ukraine      v4          yes         no         https://raw.githubusercontent.com/ipverse/rir-ip/master/country/ua/ipv4-aggregated.txt  10:35:24  2023-09-30
India        v4          yes         no         https://raw.githubusercontent.com/ipverse/rir-ip/master/country/in/ipv4-aggregated.txt  10:35:36  2023-09-30
Netherlands  v4          yes         no         https://raw.githubusercontent.com/ipverse/rir-ip/master/country/nl/ipv4-aggregated.txt  10:35:47  2023-09-30
Turkey       v4          yes         no         https://raw.githubusercontent.com/ipverse/rir-ip/master/country/tr/ipv4-aggregated.txt  10:35:57  2023-09-30
US           v4          yes         no         https://raw.githubusercontent.com/ipverse/rir-ip/master/country/us/ipv4-aggregated.txt  10:38:51  2023-09-30
blacklist    v4          yes         no         script:/usr/local/hestia/install/common/firewall/ipset/blacklist.sh                     16:53:09  2023-10-06
root@ny:~/sh#

Looks like the cron job that must update the ipset is not running:

grep 'CRON.*queue daily' /var/log/syslog
crontab -u hestiaweb -l
ls -l /var/spool/cron/crontabs/
cat -A /var/spool/cron/crontabs/hestiaweb

MAILTO=""$
CONTENT_TYPE="text/plain; charset=utf-8"$
*/2 * * * * sudo /usr/local/hestia/bin/v-update-sys-queue restart$
15 02 * * * sudo /usr/local/hestia/bin/v-update-sys-queue disk$
10 00 * * * sudo /usr/local/hestia/bin/v-update-sys-queue traffic$
30 03 * * * sudo /usr/local/hestia/bin/v-update-sys-queue webstats$
*/5 * * * * sudo /usr/local/hestia/bin/v-update-sys-queue backup$
10 05 * * * sudo /usr/local/hestia/bin/v-backup-users$
20 00 * * * sudo /usr/local/hestia/bin/v-update-user-stats$
*/5 * * * * sudo /usr/local/hestia/bin/v-update-sys-rrd$
45 5 * * * sudo /usr/local/hestia/bin/v-update-sys-hestia-all$
42 2 * * * sudo /usr/local/hestia/bin/v-update-letsencrypt-ssl$
01 00 * * * sudo /usr/local/hestia/bin/v-update-sys-queue daily$
*/5 * * * * sudo /usr/local/hestia/bin/v-update-sys-queue letsencrypt$
*/5 * * * * sudo /usr/local/hestia/bin/v-update-sys-queue dns-cluster$

Could you please provide the output of all the commands?


root@ny:~/sh# grep 'CRON.*queue daily' /var/log/syslog
crontab -u hestiaweb -l
ls -l /var/spool/cron/crontabs/
cat -A /var/spool/cron/crontabs/hestiaweb
MAILTO=""
CONTENT_TYPE="text/plain; charset=utf-8"
15 02 * * * sudo /usr/local/hestia/bin/v-update-sys-queue disk
10 00 * * * sudo /usr/local/hestia/bin/v-update-sys-queue traffic
30 03 * * * sudo /usr/local/hestia/bin/v-update-sys-queue webstats
*/5 * * * * sudo /usr/local/hestia/bin/v-update-sys-queue backup
10 05 * * * sudo /usr/local/hestia/bin/v-backup-users
20 00 * * * sudo /usr/local/hestia/bin/v-update-user-stats
*/5 * * * * sudo /usr/local/hestia/bin/v-update-sys-rrd
43 1 * * * sudo /usr/local/hestia/bin/v-update-sys-hestia-all
04 1 * * * sudo /usr/local/hestia/bin/v-update-letsencrypt-ssl
*/5 * * * * sudo /usr/local/hestia/bin/v-update-sys-queue letsencrypt
* * * * * sudo /usr/local/hestia/bin/v-update-sys-queue restart
*/5 * * * * sudo /usr/local/hestia/bin/v-update-sys-queue dns-cluster
total 40K
-rw------- 1 admin admin 70 Feb  4 01:43 admin
-rw------- 1 user2 user2 70 Oct 12  2023 user2
-rw------- 1 user3 user3 117 Dec 11  2023 user3
-rw------- 1 user4 user4 70 Sep 20  2024 user4
-rw------- 1 user5 user5 810 Feb  4 01:43 user5
-rw------- 1 user6 user6 70 Nov 20  2023 user6
-rw------- 1 user7 user7 663 Apr 18 14:23 user7
-rw------- 1 user8 user8 70 Sep 30  2023 user8
-rw------- 1 user9 user9 70 Sep 20  2024 user9
-rw------- 1 user10 user10 70 Sep 30  2023 user10
MAILTO=""$
CONTENT_TYPE="text/plain; charset=utf-8"$
15 02 * * * sudo /usr/local/hestia/bin/v-update-sys-queue disk$
10 00 * * * sudo /usr/local/hestia/bin/v-update-sys-queue traffic$
30 03 * * * sudo /usr/local/hestia/bin/v-update-sys-queue webstats$
*/5 * * * * sudo /usr/local/hestia/bin/v-update-sys-queue backup$
10 05 * * * sudo /usr/local/hestia/bin/v-backup-users$
20 00 * * * sudo /usr/local/hestia/bin/v-update-user-stats$
*/5 * * * * sudo /usr/local/hestia/bin/v-update-sys-rrd$
43 1 * * * sudo /usr/local/hestia/bin/v-update-sys-hestia-all$
04 1 * * * sudo /usr/local/hestia/bin/v-update-letsencrypt-ssl$
*/5 * * * * sudo /usr/local/hestia/bin/v-update-sys-queue letsencrypt$
* * * * * sudo /usr/local/hestia/bin/v-update-sys-queue restart$
*/5 * * * * sudo /usr/local/hestia/bin/v-update-sys-queue dns-cluster$
root@ny:~/sh#

I can’t see the output, so it looks like that cron job is not running.

The first command doesn’t show the cron job for hestiaweb user but the second command does. Did you edit the output?

Is cron working?

grep CRON /var/log/syslog

CDT -0500

2025-04-18T16:21:01.268014-05:00 ny CRON[1387283]: (hestiaweb) CMD (sudo /usr/local/hestia/bin/v-update-sys-queue restart)
2025-04-18T16:22:01.634005-05:00 ny CRON[1388079]: (hestiaweb) CMD (sudo /usr/local/hestia/bin/v-update-sys-queue restart)
2025-04-18T16:23:01.695252-05:00 ny CRON[1388823]: (hestiaweb) CMD (sudo /usr/local/hestia/bin/v-update-sys-queue restart)
2025-04-18T16:24:01.224507-05:00 ny CRON[1389540]: (hestiaweb) CMD (sudo /usr/local/hestia/bin/v-update-sys-queue restart)
2025-04-18T16:25:01.721404-05:00 ny CRON[1390258]: (hestiaweb) CMD (sudo /usr/local/hestia/bin/v-update-sys-rrd)
2025-04-18T16:25:01.728592-05:00 ny CRON[1390261]: (hestiaweb) CMD (sudo /usr/local/hestia/bin/v-update-sys-queue backup)
2025-04-18T16:25:01.729710-05:00 ny CRON[1390262]: (hestiaweb) CMD (sudo /usr/local/hestia/bin/v-update-sys-queue letsencrypt)
2025-04-18T16:25:01.732736-05:00 ny CRON[1390263]: (hestiaweb) CMD (sudo /usr/local/hestia/bin/v-update-sys-queue restart)
2025-04-18T16:25:01.738201-05:00 ny CRON[1390268]: (hestiaweb) CMD (sudo /usr/local/hestia/bin/v-update-sys-queue dns-cluster)
2025-04-18T16:26:01.875142-05:00 ny CRON[1391550]: (hestiaweb) CMD (sudo /usr/local/hestia/bin/v-update-sys-queue restart)
2025-04-18T16:27:01.368496-05:00 ny CRON[1392267]: (hestiaweb) CMD (sudo /usr/local/hestia/bin/v-update-sys-queue restart)
2025-04-18T16:28:01.282914-05:00 ny CRON[1393034]: (hestiaweb) CMD (sudo /usr/local/hestia/bin/v-update-sys-queue restart)

I need you to answer the questions I ask, otherwise I can’t get an idea of what’s going on…

Cron is working. Checking the outputs again, the first output you showed for cat -A /var/spool/cron/crontabs/hestiaweb had this line:

01 00 * * * sudo /usr/local/hestia/bin/v-update-sys-queue daily$

But the second doesn’t, so I’m wondering what’s going on.

This command is the one that updates the ipsets, so you must have it in hestiaweb’s crontab. Edit hestiaweb’s crontab from the command line:

crontab -e -u hestiaweb

And add this line:

10 00 * * * sudo /usr/local/hestia/bin/v-update-sys-queue daily
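An added check (not Hestia’s own code and not from this thread) for the situation diagnosed above: it reports whether a crontab listing contains the daily queue entry and which auto-updating ipsets in v-list-firewall-ipset output are older than a threshold. The sample crontab and listing are constructed from the text pasted in this thread; the ‘fresh’ and ‘manual’ set names and the example.invalid URL are made up.

```python
import re
from datetime import date, timedelta

# Five cron fields, then the daily-queue command exactly as it appears in the thread.
DAILY_ENTRY = re.compile(
    r"^\s*(\S+\s+){5}sudo\s+/usr/local/hestia/bin/v-update-sys-queue\s+daily\s*$")


def has_daily_queue(crontab_text):
    """True if an active (non-comment) line of the crontab runs the daily queue."""
    for line in crontab_text.splitlines():
        line = line.rstrip("$")  # tolerate `cat -A`, which marks line ends with '$'
        if line.lstrip().startswith("#"):
            continue
        if DAILY_ENTRY.match(line):
            return True
    return False


def stale_ipsets(listing, today, max_age_days=2):
    """Names of auto-updating, non-suspended sets in `v-list-firewall-ipset`
    output whose DATE column is older than max_age_days relative to `today`."""
    stale = []
    for line in listing.splitlines()[2:]:  # skip the header row and the dashes row
        cols = line.split()
        if len(cols) < 7:  # shell prompt or blank line
            continue
        name, autoupdate, suspended, updated = cols[0], cols[2], cols[3], cols[-1]
        if autoupdate != "yes" or suspended == "yes":
            continue
        if today - date.fromisoformat(updated) > timedelta(days=max_age_days):
            stale.append(name)
    return stale


# Constructed sample: hestiaweb crontab as in the second paste (daily line absent).
CRONTAB_BROKEN = """MAILTO=""$
CONTENT_TYPE="text/plain; charset=utf-8"$
*/5 * * * * sudo /usr/local/hestia/bin/v-update-sys-queue backup$
* * * * * sudo /usr/local/hestia/bin/v-update-sys-queue restart$
"""
CRONTAB_FIXED = CRONTAB_BROKEN + "10 00 * * * sudo /usr/local/hestia/bin/v-update-sys-queue daily\n"

# Constructed sample of v-list-firewall-ipset output (whitespace-separated columns).
LISTING = """LISTNAME  IP_VERSION  AUTOUPDATE  SUSPENDED  SOURCE  TIME  DATE
----  ------  -----  ----  --  ----  ----
blacklist  v4  yes  no  script:/usr/local/hestia/install/common/firewall/ipset/blacklist.sh  16:53:09  2023-10-06
fresh  v4  yes  no  https://example.invalid/list.txt  00:10:05  2025-04-18
manual  v4  no  no  -  12:00:00  2023-01-01
root@ny:~/sh#
"""
```

Running `has_daily_queue(CRONTAB_BROKEN)` returns False and `stale_ipsets(LISTING, date(2025, 4, 19))` returns ['blacklist'], which is the combination seen on the server in this thread.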

It was missing from both servers. Thank you warmly for the help.


How do I add the following to the blacklist ipset?

Add to /usr/local/hestia/install/common/firewall/ipset/blacklist.sh ??

https://rules.emergingthreats.net/fwrules/emerging-PIX-DSHIELD.rules

Under normal conditions, you would only need to edit the blacklist.sh script and add that URL to the BLACKLISTS array. The problem is that the DSHIELD list is in a format that the script won’t be able to process.

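An added example (not part of the blacklist.sh script or of this thread) of the conversion step such a list would need before an ipset could consume it. It assumes the rules file consists of Cisco PIX/ASA lines of the shape ‘access-list NAME deny ip ADDR MASK any’ or ‘access-list NAME deny ip host ADDR any’; the sample lines, the ET-dshield ACL name and the ‘blacklist’ ipset name are constructed.

```python
import ipaddress
import re

# Assumed line shape (Cisco PIX/ASA ACL syntax; the page does not show the file):
#   access-list NAME deny ip A.B.C.D M.M.M.M any   |   access-list NAME deny ip host A.B.C.D any
ACL_LINE = re.compile(
    r"^\s*access-list\s+\S+\s+deny\s+ip\s+"
    r"(?:host\s+(?P<host>[\d.]+)|(?P<addr>[\d.]+)\s+(?P<mask>[\d.]+))\s+any\s*$")

# Ranges a blocklist must never contain: they would cut off loopback and LAN traffic.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def pix_acl_to_cidrs(text):
    """Convert ACL deny lines to a collapsed, sorted list of CIDR strings. Comments and
    unrecognised lines are skipped, loopback/RFC1918 entries dropped, overlaps merged."""
    nets = []
    for line in text.splitlines():
        m = ACL_LINE.match(line)
        if not m:
            continue
        if m["host"]:
            net = ipaddress.ip_network(m["host"] + "/32")
        else:  # ip_network accepts dotted-netmask notation, e.g. 203.0.113.0/255.255.255.0
            net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
        if any(net.subnet_of(r) for r in NEVER_BLOCK):
            continue
        nets.append(net)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def ipset_restore_lines(setname, cidrs):
    """Lines in `ipset restore` syntax: create the set if absent, then add each network."""
    lines = [f"create {setname} hash:net family inet -exist"]
    lines += [f"add {setname} {c} -exist" for c in cidrs]
    return lines


# Constructed sample in the assumed format, not the real feed.
SAMPLE_RULES = """# constructed sample
access-list ET-dshield deny ip 203.0.113.0 255.255.255.0 any
access-list ET-dshield deny ip 198.51.100.0 255.255.255.128 any
access-list ET-dshield deny ip 198.51.100.128 255.255.255.128 any
access-list ET-dshield deny ip host 192.0.2.7 any
access-list ET-dshield deny ip 10.0.0.0 255.0.0.0 any
access-list ET-dshield deny ip 203.0.113.0 255.255.255.0 any
"""

if __name__ == "__main__":
    print("\n".join(ipset_restore_lines("blacklist", pix_acl_to_cidrs(SAMPLE_RULES))))
```

On the sample the two /25 entries merge into 198.51.100.0/24, the duplicate /24 and the 10.0.0.0/8 line are dropped, and the output can be piped into `ipset restore`.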

For anyone else searching: use v-list-firewall-ipset and it will tell you the source :slight_smile: