Why Hestia iptables if it doesn't work?

Hestia has iptables. You can try to ban the addresses of the country you need. To do this, it is possible to create a list of IP addresses of the required country.

The main problem is that it doesn't work. Then why was this done? It is not clear.

What can be done in such a situation?

Create the necessary IP address lists for the countries you want to block.

Create a folder for custom scripts

mkdir -p /usr/local/hestia/custom-scripts

Copy all the text below to a file on your PC, such as Notepad:

#!/bin/bash

# HestiaCP GeoIP blocking by country

# List of countries to block (file names <Country>.v4.iplist in /usr/local/hestia/data/firewall/ipset/,
# i.e. the lists created in the panel under Firewall > IPset)
BLOCK_COUNTRIES=(
    "Russia"
    "China"
    "Iran"
    "Algeria"
)

IPSET_NAME="geo_blacklist"

# Create the set on the first run; otherwise empty it so removed ranges do not linger
if ipset list "$IPSET_NAME" >/dev/null 2>&1; then
    ipset flush "$IPSET_NAME"
else
    ipset create "$IPSET_NAME" hash:net
fi

for country in "${BLOCK_COUNTRIES[@]}"; do
    LIST_FILE="/usr/local/hestia/data/firewall/ipset/${country}.v4.iplist"
    if [[ -f "$LIST_FILE" ]]; then
        echo "Adding IP from $country..."
        while read -r ip; do
            # skip empty lines and comments
            [[ -z "$ip" || "$ip" == \#* ]] && continue
            ipset add "$IPSET_NAME" "$ip" 2>/dev/null
        done < "$LIST_FILE"
    else
        echo "⚠️  File $LIST_FILE not found."
    fi
done

# Insert the DROP rule only once; position 10 assumes the INPUT chain already holds at least 9 rules (Hestia's own)
if ! iptables -C INPUT -m set --match-set "$IPSET_NAME" src -j DROP 2>/dev/null; then
    iptables -I INPUT 10 -m set --match-set "$IPSET_NAME" src -j DROP
    echo "Added blocking rule via iptables."
else
    echo "The iptables rule already exists."
fi

netfilter-persistent save
echo "✅ GeoIP blocking has been updated and saved."

Transfer the file to /usr/local/hestia/custom-scripts/geo-block.sh

File permissions: 755

Fixing line breaks

apt update
apt install dos2unix -y

dos2unix /usr/local/hestia/custom-scripts/geo-block.sh

Run the script

/usr/local/hestia/custom-scripts/geo-block.sh

If everything went correctly, you will see something like:

Adding IP from Russia...
Adding IP from China...
Added blocking rule via iptables.
✅ GeoIP blocking updated and saved.

Now the block list will work.

If you need to edit the list of countries, repeat the procedure again.

Why do you think it doesn’t work? What steps did you follow to block that ipset?

1 Like
  1. Domain.com:2083/add/firewall/ipset/
  2. For example: https://raw.githubusercontent.com/ipverse/rir-ip/master/country/ru/ipv4-aggregated.txt
  3. country/ru > is the country name to be blocked
  4. Domain.com:2083/add/firewall/ > add Rule >
I clicked Add IP addresses to IPset for firewall

Filled out the form
Argentina
https://raw.githubusercontent.com/ipverse/rir-ip/master/country/ar/ipv4-aggregated.txt
IPv4
Yes

Clicked Save

I got it in /usr/local/hestia/data/firewall/ipset/Argentina.v4.iplist

And

I got it in /usr/local/hestia/data/firewall/ipset.conf

LISTNAME='Argentina' IP_VERSION='v4' SOURCE='https://www.ipdeny.com/ipblocks/data/countries/ar.zone' AUTOUPDATE='yes' SUSPENDED='no' TIME='14:07:08' DATE='2025-11-13'

That's it, it doesn't work.



That’s only the first part of the equation, now you must add a firewall rule to DROP INPUT connections from that ipset.

1 Like
GPT chat response:
Hestia Control Panel (HestiaCP) does not have a built-in interface for geolocation (country) blocking in the Firewall / iptables section, but this can be easily done manually via ipset + iptables, and everything works fine with Hestia.

I didn’t find in the panel how this rule could be applied to my country blocking list.

Once you add the ipset, in this case Argentina, you need to add the rule.

Server settings > Firewall > Add rule:

And Save

For more info: Firewall | Hestia Control Panel

3 Likes
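A check for the gap the two replies above describe (a list present in ipset.conf but no DROP rule for it), as an added example that is not part of this thread or of Hestia: it parses the ipset.conf line format quoted earlier and the output of iptables -S, both embedded here as constructed samples, and prints every active list that has no rule. The ipset.conf path and the shape of the Hestia-generated rule are assumptions.

```shell
#!/bin/sh
# Constructed sample in the ipset.conf format quoted in the thread (three lists,
# one of them suspended in the panel and therefore not expected to have a rule).
IPSET_CONF_SAMPLE="LISTNAME='Argentina' IP_VERSION='v4' SOURCE='https://www.ipdeny.com/ipblocks/data/countries/ar.zone' AUTOUPDATE='yes' SUSPENDED='no' TIME='14:07:08' DATE='2025-11-13'
LISTNAME='Russia' IP_VERSION='v4' SOURCE='https://www.ipdeny.com/ipblocks/data/countries/ru.zone' AUTOUPDATE='yes' SUSPENDED='no' TIME='14:08:00' DATE='2025-11-13'
LISTNAME='Iran' IP_VERSION='v4' SOURCE='https://www.ipdeny.com/ipblocks/data/countries/ir.zone' AUTOUPDATE='yes' SUSPENDED='yes' TIME='14:09:00' DATE='2025-11-13'"

# Constructed sample of what 'iptables -S' prints: only Russia has a DROP rule.
IPTABLES_SAMPLE="-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m set --match-set Russia src -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT"

# list_ipsets: reads ipset.conf text on stdin and prints the LISTNAME of every
# entry that is not suspended (a suspended list is not meant to be enforced).
list_ipsets() {
  grep "^LISTNAME='" | grep -v "SUSPENDED='yes'" \
    | sed "s/^LISTNAME='\([^']*\)'.*/\1/"
}

# has_drop_rule NAME: reads 'iptables -S' text on stdin and succeeds only if some
# rule (in any chain) matches the set as packet source and jumps to DROP.
has_drop_rule() {
  grep -q -- "--match-set $1 src .*-j DROP"
}

# unguarded_ipsets CONF_TEXT RULES_TEXT: prints every active list that has no
# DROP rule, i.e. lists that were added but never wired into the firewall.
unguarded_ipsets() {
  printf '%s\n' "$1" | list_ipsets | while IFS= read -r name; do
    if ! printf '%s\n' "$2" | has_drop_rule "$name"; then
      printf '%s\n' "$name"
    fi
  done
}

# On a live server (assumed Hestia path, as quoted in the thread), run as root:
#   unguarded_ipsets "$(cat /usr/local/hestia/data/firewall/ipset.conf)" "$(iptables -S)"
unguarded_ipsets "$IPSET_CONF_SAMPLE" "$IPTABLES_SAMPLE"
```

With the samples above the only line printed is Argentina, which is exactly the situation reported earlier in the thread.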

Thanks, I’ll try, I searched in iptables and didn’t find it.

3 Likes

panelURL/list/firewall/ipset/ > can see the existing lists. But no way to view/edit.

You can’t view or edit the content of the lists from Web UI. Once Hestia parses the lists from a local file, url or script, it saves the resulting list file in the dir /usr/local/hestia/data/firewall/ipset/

1 Like