Firewall
WARNING
After every edit or update the firewall, Hestia will clear the current iptables unless the rules are added via Hestia and custom script.
How can I open or block a port or IP?
- Navigate to the server settings by clicking the Server icon in the top right.
- Click the Firewall button.
- Click the Add Rule button.
- Select the desired action.
- Select the desired protocol.
- Enter the port(s) you want this rule to apply to (
0
for all ports). - Set the IP this rule applies to (
0.0.0.0/0
for all IPs) or select an IPSet. - Optionally describe the rule’s function.
- Click the Save button in the top right.
You can also use the v-add-firewall-rule command.
How do I setup an IPSet blacklist or whitelist?
IPSet are large lists of IP addresses or subnets. They can be used for blacklists and whitelists.
- Navigate to the server settings by clicking the Server icon in the top right.
- Click the Firewall button.
- Click the Manage IP lists button.
- Click the Add IP list button.
- Name your IP list.
- Select the data source by entering one of the following:
- URL:
http://ipverse.net/ipblocks/data/countries/nl.zone
- Script (with
chmod 755
):/usr/local/hestia/install/deb/firewall/ipset/blacklist.sh
- File:
file:/location/of/file
- You can also use one of Hestia’s included sources.
- URL:
- Selected the desired IP version (v4 or v6).
- Choose whether to auto-update the list or not.
- Click the Save button in the top right.
How can I customize iptables rules?
DANGER
This is dangerously advanced feature, please make sure you understand what you are doing.
Hestia supports setting custom rules, chains or flags, etc. using script.
Script must be here: /usr/local/hestia/data/firewall/custom.sh
- Create custom.sh:
touch /usr/local/hestia/data/firewall/custom.sh
- Make it executable:
chmod +x /usr/local/hestia/data/firewall/custom.sh
- Edit it with your favorite editor.
- Test and make sure it works.
- To make custom rules persistent, run:
v-update-firewall
IMPLICIT PROTECTION: Before making the rules persistent, if you screw up or lock yourself out of the server, just reboot.
custom.sh example:
#!/bin/bash
IPTABLES="$(command -v iptables)"
$IPTABLES -N YOURCHAIN
$IPTABLES -F YOURCHAIN
$IPTABLES -I YOURCHAIN -s 0.0.0.0/0 -j RETURN
$IPTABLES -I INPUT -p TCP -m multiport --dports 1:65535 -j YOURCHAIN
My IPSet doesn’t work
An IPSet must contain at least 10 IP or IP ranges.
Can I combine multiple sources in one?
If you want to combine multiple IP sources together, you can do so by using the following script:
#!/bin/bash
BEL=(
"https://raw.githubusercontent.com/ipverse/rir-ip/master/country/be/ipv4-aggregated.txt"
"https://raw.githubusercontent.com/ipverse/rir-ip/master/country/nl/ipv4-aggregated.txt"
"https://raw.githubusercontent.com/ipverse/rir-ip/master/country/lu/ipv4-aggregated.txt"
)
IP_BEL_TMP=$(mktemp)
for i in "${BEL[@]}"; do
IP_TMP=$(mktemp)
((HTTP_RC = $(curl -L --connect-timeout 10 --max-time 10 -o "$IP_TMP" -s -w "%{http_code}" "$i")))
if ((HTTP_RC == 200 || HTTP_RC == 302 || HTTP_RC == 0)); then # "0" because file:/// returns 000
command grep -Po '^(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' "$IP_TMP" | sed -r 's/^0*([0-9]+)\.0*([0-9]+)\.0*([0-9]+)\.0*([0-9]+)$/\1.\2.\3.\4/' >> "$IP_BEL_TMP"
elif ((HTTP_RC == 503)); then
echo >&2 -e "\\nUnavailable (${HTTP_RC}): $i"
else
echo >&2 -e "\\nWarning: curl returned HTTP response code $HTTP_RC for URL $i"
fi
rm -f "$IP_TMP"
done
sed -r -e '/^(0\.0\.0\.0|10\.|127\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|22[4-9]\.|23[0-9]\.)/d' "$IP_BEL_TMP" | sort -n | sort -mu
rm -f "$IP_BEL_TMP"