Prevent Firewall from Flushing CLI Rules (Topic is solved)
- Posts: 7
- Joined: Fri Jan 15, 2016 6:55 pm
Prevent Firewall from Flushing CLI Rules
Hello,
Is there a way to prevent VestaCP from flushing the rules applied to iptables that are entered from the command line (CLI) when a new rule is added using the control panel? I have a rule that I want to persist but every time I add a new rule through the panel I have to go back to the command line and reapply the rule. Is there a file that I could add the rule to so that when I add new firewall rules through the CP it will persist? Here are the steps that I take to reproduce the issue:
Step 1 (CLI): iptables -I INPUT -p tcp --dport 25 -m string --string some-string --algo bm -j DROP
Step 2 (CLI): iptables -L INPUT (Rule applied and shows in the output)
Step 3 (CP): Add new rule in the Firewall section of VestaCP
Step 4 (CLI): iptables -L INPUT (the rule iptables -I INPUT -p tcp --dport 25 -m string --string some-string --algo bm -j DROP is now missing)
Thanks in advance for the help.
- Posts: 7
- Joined: Fri Jan 15, 2016 6:55 pm
Re: Prevent Firewall from Flushing CLI Rules
Just wanted to offer an update on this question. After not getting any response from the message board, I dug in a little deeper and found this blog post http://www.lowendguide.com/3/networking ... s-lookups/ that helped me append some advanced firewall rules to the rules applied through the GUI. Basically, the v-update-firewall command is triggered each time one adds any new rules through the GUI. Contained in the v-update-firewall command is a small bit of code that can be called to preserve rules when the command is triggered:
#vi /usr/local/vesta/bin/v-update-firewall
Look for this section of the command:
Code:
    # Checking custom trigger
    if [ -x "$VESTA/data/firewall/custom.sh" ]; then
        bash $VESTA/data/firewall/custom.sh
    fi
Sample custom.sh:
Code:
    #!/bin/bash
    iptables -I INPUT -p tcp --dport 25 -m string --string whatever-you-want --algo bm -j DROP
One thing that took me a minute to figure out was what permissions needed to be set up on the custom.sh file, but basically if you chmod it to 0700 it'll get picked up each time the v-update-firewall command is called.
Appreciate all of the hard work on VestaCP. Really a great product.
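Because v-update-firewall runs custom.sh after every change made in the panel, a hook that blindly does `iptables -I` inserts one more copy of the same rule on each run. The script below is an added example (not the poster's file and not part of VestaCP) of a custom.sh that stays idempotent: it uses `iptables -C` (the check option of the real iptables binary) to test whether an identical rule is already in the chain and only inserts it when it is absent. The IPTABLES and SMTP_BLOCK_STRING variables, the ensure_rule/apply_custom_rules function names, and the string value are assumptions for illustration; the DROP rule itself is the one from the post. As the post notes, the file must be executable (chmod 0700) at /usr/local/vesta/data/firewall/custom.sh for the `[ -x ... ]` trigger to pick it up.

```shell
#!/bin/bash
# Added example: idempotent /usr/local/vesta/data/firewall/custom.sh hook.
# v-update-firewall calls this file after rebuilding the panel's rules, so it
# must re-add the CLI rules every time without stacking duplicates.

# Command to use for iptables; overridable (e.g. with a stub) when testing.
IPTABLES="${IPTABLES:-iptables}"

# Payload marker for the SMTP drop rule from the post (placeholder value).
SMTP_BLOCK_STRING="${SMTP_BLOCK_STRING:-some-string}"

# ensure_rule CHAIN RULESPEC...: insert RULESPEC at the top of CHAIN unless an
# identical rule is already present (iptables -C exits 0 when it finds one).
ensure_rule() {
    local chain="$1"; shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        echo "custom.sh: rule already present in $chain: $*"
        return 0
    fi
    "$IPTABLES" -I "$chain" "$@"
}

# Rules to preserve across v-update-firewall runs, one ensure_rule call each.
apply_custom_rules() {
    ensure_rule INPUT -p tcp --dport 25 -m string \
        --string "$SMTP_BLOCK_STRING" --algo bm -j DROP
}

# Apply only when executed as the custom.sh hook itself; when this file is
# sourced elsewhere (for testing) the functions are merely defined.
case "${0##*/}" in
    custom.sh) apply_custom_rules ;;
esac
```

Running `bash /usr/local/vesta/data/firewall/custom.sh` twice by hand and then checking `iptables -S INPUT` should show the DROP rule exactly once; that is the same behaviour the panel will get on each firewall edit.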