When is custom.sh run on a reboot?

I have a custom .sh script, which has all my IPv6 rules in it (that I want to be added back in after a reboot). So I have:

root@2024:/usr/local/hestia/data/firewall# ls -lh
total 20K
-rw-rw---- 1 root root  141 Jan 10 13:50 banlist.conf
-rw-rw---- 1 root root  269 Jan 10 13:50 chains.conf
-rwxr-xr-x 1 root root 1.4K Jan  9 15:09 custom.sh
drwxr-xr-x 2 root root 4.0K Dec 30 06:45 ipset
-rw-r--r-- 1 root root    0 Dec 30 13:51 ipset.conf
-rw-r--r-- 1 root root 2.1K Jan  9 15:03 rules.conf

This is the contents of custom.sh:

#!/bin/bash
# ip6tables single-host firewall script

# Define your command variables
ipt6="/sbin/ip6tables"

# Flush all rules and delete all chains
# for a clean startup
$ipt6 -F
$ipt6 -X

# Zero out all counters
$ipt6 -Z

# Default policies: deny all incoming
# Unrestricted outgoing
$ipt6 -P INPUT DROP
$ipt6 -P FORWARD DROP
$ipt6 -P OUTPUT ACCEPT

# Must allow loopback interface
$ipt6 -A INPUT -i lo -j ACCEPT

# Reject connection attempts not initiated from the host
# $ipt6 -A INPUT -p tcp --syn -j DROP

# Allow return connections initiated from the host
$ipt6 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept all ICMP v6 packets
$ipt6 -A INPUT -p icmpv6 -j ACCEPT

# Optional rules to allow other LAN hosts access to services. Delete $ipt6 -A INPUT -p tcp --syn -j DROP

# Allow DHCPv6 from LAN only
$ipt6 -A INPUT -m state --state NEW -m udp -p udp -s fe80::/10 --dport 546 -j ACCEPT

# Allow connections from SSH clients
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22122 -j ACCEPT

# Allow HTTP and HTTPS traffic
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

# Allow access to SMTP, POP3, and IMAP
$ipt6 -A INPUT -m state --state NEW -p tcp -m multiport --dport 25,110,143 -j ACCEPT

If I manually run it, it works fine:

root@2024:~# ip6tables --list -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@2024:~# bash /usr/local/hestia/data/firewall/custom.sh
root@2024:~# ip6tables --list -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      ::/0                 ::/0
ACCEPT     all      ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
ACCEPT     icmpv6    ::/0                 ::/0
ACCEPT     udp      fe80::/10            ::/0                 state NEW udp dpt:546
ACCEPT     tcp      ::/0                 ::/0                 state NEW tcp dpt:22
ACCEPT     tcp      ::/0                 ::/0                 state NEW tcp dpt:22122
ACCEPT     tcp      ::/0                 ::/0                 state NEW tcp dpt:80
ACCEPT     tcp      ::/0                 ::/0                 state NEW tcp dpt:443
ACCEPT     tcp      ::/0                 ::/0                 state NEW multiport dports 25,110,143

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@2024:~#

Yet when I reboot, it doesn’t. Is there any way I can debug? I’m assuming v-update-firewall does indeed run on a server reboot?

Thanks

Andy

It doesn’t work that way.

v-update-firewall executes /usr/local/hestia/data/firewall/custom.sh so your rules are applied, and after that it executes the command iptables-save to save the rules in the file /etc/iptables.rules. Yes, iptables-save, not ip6tables-save, so your rules for IPv6 are not saved.

Hestia doesn’t support IPv6 yet so you should use the way your OS provides to load those rules on every reboot.

Use iptables-persistent for ip6tables.

Hmmm ok thanks. I’ve left it as a reboot then:

@reboot sleep 30 && bash /usr/local/hestia/data/firewall/custom.sh
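As an added example (not from the thread or from the Hestia project): the ruleset from custom.sh rendered in the ip6tables-save format that iptables-persistent reads from /etc/iptables/rules.v6 at boot, plus a pre-flight check before the file is trusted. It assumes a Debian/Ubuntu host with iptables-persistent installed; the function names, the use of `-m conntrack` in place of `-m state`, and the 0600 file mode are my choices. Compared with the `@reboot sleep 30` cron job in the last post, this path loads the rules before networking is up, so there is no 30-second window after boot in which ip6tables sits at its default ACCEPT policy with no rules, and a silently failing cron job cannot leave the host unfiltered.

```shell
#!/bin/bash
# Added example, not the thread's or Hestia's code: persist the IPv6 ruleset
# the way iptables-persistent expects it (an ip6tables-restore file at
# /etc/iptables/rules.v6 that netfilter-persistent loads at boot).
set -eu

# Emit the custom.sh ruleset in ip6tables-save format. Chain policies live in
# the *filter header, so they apply atomically with the rules on restore.
render_rules_v6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22122 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,110,143 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Write the ruleset to the iptables-persistent location, or to the path in $1
# (used here so the check below can run against a temp file without root).
write_rules_v6() {
    dest="${1:-/etc/iptables/rules.v6}"
    render_rules_v6 > "$dest"
    chmod 0600 "$dest"   # the file is the host's allow-list; keep it root-only
}

# Sanity-check a rules file before a reboot depends on it: exactly the
# structure ip6tables-restore needs, DROP policies where custom.sh set them,
# and SSH still allowed so the reboot cannot lock the admin out.
check_rules_v6() {
    f="$1"
    grep -qx '\*filter' "$f" || return 1
    grep -qx 'COMMIT' "$f" || return 1
    grep -qx ':INPUT DROP \[0:0\]' "$f" || return 1
    grep -qx ':FORWARD DROP \[0:0\]' "$f" || return 1
    grep -q -- '--dport 22 ' "$f" || return 1
    return 0
}

# Number of ACCEPT rules in INPUT; after the reboot, compare with
# `ip6tables -S INPUT | grep -c ACCEPT` to confirm the file was actually loaded.
count_input_accepts() {
    grep -c '^-A INPUT .* -j ACCEPT$' "$1"
}

# Kernel-side syntax check without changing the live ruleset (needs root).
test_restore() {
    command -v ip6tables-restore >/dev/null 2>&1 || { echo "ip6tables-restore not installed" >&2; return 2; }
    ip6tables-restore --test < "$1"
}

# Typical use on the server (as root):
#   write_rules_v6 && check_rules_v6 /etc/iptables/rules.v6 && test_restore /etc/iptables/rules.v6
```

custom.sh can stay where it is: v-update-firewall keeps re-applying it whenever Hestia touches the firewall, and this file only covers the boot path. Equivalently, after running custom.sh by hand, `netfilter-persistent save` writes the live ip6tables ruleset into the same /etc/iptables/rules.v6; rendering the file directly, as above, just keeps the on-disk copy reviewable and independent of whatever happens to be loaded at the time.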