Is iptables working correctly after reboot? Vs. v-update-firewall?

OUTPUT OF CMD: iptables -L --line-numbers AFTER REBOOT

# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    fail2ban-HESTIA  tcp  --  anywhere             anywhere             tcp dpt:8083
2    fail2ban-MAIL  tcp  --  anywhere             anywhere             multiport dports smtp,submissions,submission,pop3,pop3s,imap2,imaps
3    fail2ban-SSH  tcp  --  anywhere             anywhere             tcp dpt:63009
4    fail2ban-RECIDIVE  tcp  --  anywhere             anywhere             multiport dports tcpmux:65535
5    fail2ban-FTP  tcp  --  anywhere             anywhere             tcp dpt:ftp
6    fail2ban-WEB  tcp  --  anywhere             anywhere             multiport dports http,https

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain fail2ban-FTP (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere

Chain fail2ban-HESTIA (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere

Chain fail2ban-MAIL (1 references)
num  target     prot opt source               destination
1    REJECT     all  --  94.232.43.50         anywhere             reject-with icmp-port-unreachable
2    REJECT     all  --  airplane.medyamol.com  anywhere             reject-with icmp-port-unreachable
3    REJECT     all  --  noiseless.medyamol.com  anywhere             reject-with icmp-port-unreachable
4    RETURN     all  --  anywhere             anywhere

Chain fail2ban-RECIDIVE (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere

Chain fail2ban-SSH (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere

Chain fail2ban-WEB (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere

OUTPUT AGAIN AFTER: v-update-firewall & iptables -L --line-numbers

# iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    fail2ban-HESTIA  tcp  --  anywhere             anywhere             tcp dpt:8083
2    fail2ban-MAIL  tcp  --  anywhere             anywhere             multiport dports smtp,submissions,submission,pop3,pop3s,imap2,imaps
3    fail2ban-SSH  tcp  --  anywhere             anywhere             tcp dpt:22
4    fail2ban-RECIDIVE  tcp  --  anywhere             anywhere             multiport dports tcpmux:65535
5    fail2ban-FTP  tcp  --  anywhere             anywhere             tcp dpt:ftp
6    fail2ban-WEB  tcp  --  anywhere             anywhere             multiport dports http,https
7    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
8    ACCEPT     all  --  dev.evonet.top       anywhere
9    ACCEPT     all  --  localhost            anywhere
10   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:webmin
11   DROP       tcp  --  anywhere             anywhere             match-set hestia-blacklist-source src
12   ACCEPT     udp  --  anywhere             anywhere             udp dpt:https
13   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:22
14   ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https
15   ACCEPT     tcp  --  anywhere             anywhere             multiport dports ftp,12000:12100
16   ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
17   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
18   ACCEPT     tcp  --  anywhere             anywhere             multiport dports smtp,submissions,submission
19   ACCEPT     tcp  --  anywhere             anywhere             multiport dports pop3,pop3s
20   ACCEPT     tcp  --  anywhere             anywhere             multiport dports imap2,imaps
21   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8083
22   ACCEPT     icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain fail2ban-FTP (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere

Chain fail2ban-HESTIA (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere

Chain fail2ban-MAIL (1 references)
num  target     prot opt source               destination
1    REJECT     all  --  94.232.43.50         anywhere             reject-with icmp-port-unreachable
2    REJECT     all  --  airplane.medyamol.com  anywhere             reject-with icmp-port-unreachable
3    REJECT     all  --  noiseless.medyamol.com  anywhere             reject-with icmp-port-unreachable
4    RETURN     all  --  anywhere             anywhere

Chain fail2ban-RECIDIVE (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere

Chain fail2ban-SSH (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere

Chain fail2ban-WEB (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere

Chain hestia (0 references)
num  target     prot opt source               destination

Based on the output, I assume hestia is not keeping the iptables rules correctly after reboot. But I don’t know enough about this…

Please let me know what you think.

Thanks!

Adding screenshot of hestia gui if helpful

Hello @evonet,

Show the output of:
Note: As I see you don’t want to show your ssh port, the sed is just there to replace your real ssh port with xxxxx.

cat /etc/iptables.rules | sed 's/--dport HereYourSSH-MODport/--dport xxxxx/'
cat /usr/local/hestia/data/firewall/rules.conf | sed "s/PORT='HereYourSSH-MODport'/PORT='xxxxx'/"

Thanks for your reply @sahsanu

It looks like everything is the same before and after v-update-firewall after reboot.

AFTER REBOOT

cat /etc/iptables.rules
# Generated by iptables-save v1.8.7 on Mon Oct 23 01:00:05 2023
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-HESTIA - [0:0]
:fail2ban-MAIL - [0:0]
:fail2ban-RECIDIVE - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-WEB - [0:0]
:hestia - [0:0]
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-HESTIA
-A INPUT -p tcp -m multiport --dports 25,465,587,110,995,143,993 -j fail2ban-MAIL
-A INPUT -p tcp -m tcp --dport x -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 1:65535 -j fail2ban-RECIDIVE
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-WEB
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s x.x.x.x/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m set --match-set hestia-blacklist-source src -j DROP
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport x -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,12000:12100 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A fail2ban-FTP -j RETURN
-A fail2ban-HESTIA -j RETURN
-A fail2ban-MAIL -j RETURN
-A fail2ban-RECIDIVE -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-WEB -j RETURN
COMMIT
# Completed on Mon Oct 23 01:00:05 2023

cat /usr/local/hestia/data/firewall/rules.conf
RULE='1' ACTION='ACCEPT' PROTOCOL='ICMP' PORT='0' IP='0.0.0.0/0' COMMENT='PING' SUSPENDED='no' TIME='17:13:48' DATE='2014-09-16'
RULE='2' ACTION='ACCEPT' PROTOCOL='TCP' PORT='8083' IP='0.0.0.0/0' COMMENT='HESTIA' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'
RULE='3' ACTION='ACCEPT' PROTOCOL='TCP' PORT='143,993' IP='0.0.0.0/0' COMMENT='IMAP' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'
RULE='4' ACTION='ACCEPT' PROTOCOL='TCP' PORT='110,995' IP='0.0.0.0/0' COMMENT='POP3' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'
RULE='5' ACTION='ACCEPT' PROTOCOL='TCP' PORT='25,465,587' IP='0.0.0.0/0' COMMENT='SMTP' SUSPENDED='no' TIME='21:47:04' DATE='2018-11-07'
RULE='6' ACTION='ACCEPT' PROTOCOL='TCP' PORT='53' IP='0.0.0.0/0' COMMENT='DNS' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'
RULE='7' ACTION='ACCEPT' PROTOCOL='UDP' PORT='53' IP='0.0.0.0/0' COMMENT='DNS' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'
RULE='8' ACTION='ACCEPT' PROTOCOL='TCP' PORT='21,12000-12100' IP='0.0.0.0/0' COMMENT='FTP' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'
RULE='9' ACTION='ACCEPT' PROTOCOL='TCP' PORT='80,443' IP='0.0.0.0/0' COMMENT='WEB' SUSPENDED='no' TIME='17:04:27' DATE='2014-09-24'
RULE='10' ACTION='ACCEPT' PROTOCOL='TCP' PORT='x' IP='0.0.0.0/0' COMMENT='SSH-MOD' SUSPENDED='no' TIME='08:49:31' DATE='2023-10-08'
RULE='11' ACTION='ACCEPT' PROTOCOL='UDP' PORT='443' IP='0.0.0.0/0' COMMENT='WEB-UDP' SUSPENDED='no' TIME='08:50:55' DATE='2023-10-08'
RULE='13' ACTION='DROP' PROTOCOL='TCP' PORT='0' IP='ipset:hestia-blacklist-source' COMMENT='' SUSPENDED='no' TIME='00:29:30' DATE='2023-10-21'
RULE='14' ACTION='ACCEPT' PROTOCOL='TCP' PORT='10000' IP='0.0.0.0/0' COMMENT='WEBMIN' SUSPENDED='no' TIME='02:00:33' DATE='2023-10-22'


AFTER: v-update-firewall

cat /etc/iptables.rules
# Generated by iptables-save v1.8.7 on Mon Oct 23 10:47:07 2023
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-HESTIA - [0:0]
:fail2ban-MAIL - [0:0]
:fail2ban-RECIDIVE - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-WEB - [0:0]
:hestia - [0:0]
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-HESTIA
-A INPUT -p tcp -m multiport --dports 25,465,587,110,995,143,993 -j fail2ban-MAIL
-A INPUT -p tcp -m tcp --dport x -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 1:65535 -j fail2ban-RECIDIVE
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-WEB
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s x.x.x.x/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m set --match-set hestia-blacklist-source src -j DROP
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport x -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,12000:12100 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A fail2ban-FTP -j RETURN
-A fail2ban-HESTIA -j RETURN
-A fail2ban-MAIL -j RETURN
-A fail2ban-RECIDIVE -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-WEB -j RETURN
COMMIT
# Completed on Mon Oct 23 10:47:07 2023


cat /usr/local/hestia/data/firewall/rules.conf
RULE='1' ACTION='ACCEPT' PROTOCOL='ICMP' PORT='0' IP='0.0.0.0/0' COMMENT='PING' SUSPENDED='no' TIME='17:13:48' DATE='2014-09-16'
RULE='2' ACTION='ACCEPT' PROTOCOL='TCP' PORT='8083' IP='0.0.0.0/0' COMMENT='HESTIA' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'
RULE='3' ACTION='ACCEPT' PROTOCOL='TCP' PORT='143,993' IP='0.0.0.0/0' COMMENT='IMAP' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'
RULE='4' ACTION='ACCEPT' PROTOCOL='TCP' PORT='110,995' IP='0.0.0.0/0' COMMENT='POP3' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'
RULE='5' ACTION='ACCEPT' PROTOCOL='TCP' PORT='25,465,587' IP='0.0.0.0/0' COMMENT='SMTP' SUSPENDED='no' TIME='21:47:04' DATE='2018-11-07'
RULE='6' ACTION='ACCEPT' PROTOCOL='TCP' PORT='53' IP='0.0.0.0/0' COMMENT='DNS' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'
RULE='7' ACTION='ACCEPT' PROTOCOL='UDP' PORT='53' IP='0.0.0.0/0' COMMENT='DNS' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'
RULE='8' ACTION='ACCEPT' PROTOCOL='TCP' PORT='21,12000-12100' IP='0.0.0.0/0' COMMENT='FTP' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'
RULE='9' ACTION='ACCEPT' PROTOCOL='TCP' PORT='80,443' IP='0.0.0.0/0' COMMENT='WEB' SUSPENDED='no' TIME='17:04:27' DATE='2014-09-24'
RULE='10' ACTION='ACCEPT' PROTOCOL='TCP' PORT='x' IP='0.0.0.0/0' COMMENT='SSH-MOD' SUSPENDED='no' TIME='08:49:31' DATE='2023-10-08'
RULE='11' ACTION='ACCEPT' PROTOCOL='UDP' PORT='443' IP='0.0.0.0/0' COMMENT='WEB-UDP' SUSPENDED='no' TIME='08:50:55' DATE='2023-10-08'
RULE='13' ACTION='DROP' PROTOCOL='TCP' PORT='0' IP='ipset:hestia-blacklist-source' COMMENT='' SUSPENDED='no' TIME='00:29:30' DATE='2023-10-21'
RULE='14' ACTION='ACCEPT' PROTOCOL='TCP' PORT='10000' IP='0.0.0.0/0' COMMENT='WEBMIN' SUSPENDED='no' TIME='02:00:33' DATE='2023-10-22'

These are the rules that are not present in iptables -L --line-numbers after reboot, before v-update-firewall.

Thoughts?

Hi @evonet,

Maybe I’m missing something, but the rules you said are not shown after reboot… I can see them in iptables.rules after reboot. Are you saying that those rules are not loaded after reboot even though they are included in the iptables.rules conf file?

Note: I always use iptables -S to show the rules, it is clearer… to me.

Cheers,
sahsanu

Also, show the output of these commands:

ufw status
systemctl cat hestia-iptables
systemctl status hestia-iptables

Thank you @sahsanu

I ran the command: systemctl status hestia-iptables and discovered that it was failing to start, which explains the missing rules.

The issue was: I added iptables -I INPUT 1 -m set --match-set crowdsec-blacklists src -j DROP to /usr/local/hestia/data/firewall/custom.sh

But I did not know I needed to add it to hestia directly as an ipset, because crowdsec makes it available on the system, confirmed via ipset list crowdsec-blacklists. Crowdsec adds the ipset correctly but hestia removes it.

I know crowdsec is not supported by hestia, but any chance you know the correct way to add that ipset to hestia. I assume crowdsec-blacklists is a file on the system, but I couldn’t find out where it’s located via google search or their docs.

You are welcome.

I know nothing about Crowdsec, so no idea how it adds the ips to ipset, but if you only need an existing ipset with the name crowdsec-blacklists, create a new ipset in Hestia pointing to a file with at least 5 ips and create a DROP rule with that ipset, so the ipset will exist and crowdsec could add the ips to it… I’ve no idea whether Crowdsec will work this way. It would be great if this ipset were somewhere on your file system, but maybe this list is dynamic and is retrieved via Crowdsec’s API only.
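The failure described above (hestia-iptables not starting because a rule references an ipset that does not exist yet at boot) can be caught before the restore runs. This is an added example, not code from the thread or from HestiaCP: it pulls every --match-set name out of an iptables-save file and reports the ones absent from the list of existing sets. The sample rules and set list are constructed for the demo; the ensure_ipsets helper (which creates an empty placeholder set so iptables-restore succeeds, an alternative to the Hestia-managed ipset suggested above) is only defined, not run.

```shell
#!/bin/sh
# Pre-flight check for hestia-iptables: iptables-restore aborts on the
# first "--match-set NAME" whose set is unknown, and the whole ruleset is
# then left unloaded, which is why INPUT showed policy ACCEPT after reboot.

# Print every set name referenced via --match-set in a rules file, deduplicated.
referenced_ipsets() {
    sed -n 's/.*--match-set[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" | sort -u
}

# Args: rules file, file listing existing set names one per line
# (in real use: ipset list -n > /tmp/sets). Prints referenced-but-absent names.
missing_ipsets() {
    rules="$1"; existing="$2"
    referenced_ipsets "$rules" | while IFS= read -r name; do
        grep -qx "$name" "$existing" || printf '%s\n' "$name"
    done
}

# Hypothetical remediation helper (not invoked here): create each missing
# set as an empty hash:net so the restore loads; CrowdSec can fill it later.
ensure_ipsets() {
    missing_ipsets "$1" "$2" | while IFS= read -r name; do
        ipset create -exist "$name" hash:net
    done
}

# Constructed sample: the two set-matching rules from this thread, and an
# existing-set list from which crowdsec-blacklists is absent (the boot-time
# state when CrowdSec has not created its set before hestia-iptables runs).
sample_rules=$(mktemp); sample_sets=$(mktemp)
cat >"$sample_rules" <<'EOF'
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP
-A INPUT -p tcp -m set --match-set hestia-blacklist-source src -j DROP
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
EOF
printf 'hestia-blacklist-source\n' >"$sample_sets"

MISSING=$(missing_ipsets "$sample_rules" "$sample_sets")
rm -f "$sample_rules" "$sample_sets"
printf 'ipsets referenced but not present: %s\n' "$MISSING"
```

On a live box, run it as `ipset list -n >/tmp/sets; missing_ipsets /etc/iptables.rules /tmp/sets` before restarting hestia-iptables.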

Thanks @sahsanu

I like this work around. I will try it.

I agree, and this is the question. I will follow up in another post in this forum, and I will post at the crowdsec forum.

Thank you!
