Thank you @sahsanu
I ran the command: systemctl status hestia-iptables and discovered that it was failing to start, which explains the missing rules.
The issue was: I added iptables -I INPUT 1 -m set --match-set crowdsec-blacklists src -j DROP to /usr/local/hestia/data/firewall/custom.sh
But I did not know I needed to add it to hestia directly as an ipset because crowdsec makes it available on the system confirmed via ipset list crowdsec-blacklists Crowdsec adds the ipset correctly but hestia removes it.
I know crowdsec is not supported by hestia, but any chance you know the correct way to add that ipset to hestia. I assume crowdsec-blacklists is a file on the system, but I couldn’t find out where it’s located via google search or their docs.