Page 1 of 1

Prevent Firewall from Flushing CLI Rules

Posted: Wed Mar 28, 2018 8:18 pm
by patrick.porteous

Is there a way to prevent VestaCP from flushing the rules applied to iptables that are entered from the command line (CLI) when a new rule is added using the control panel? I have a rule that I want to persist but every time I add a new rule through the panel I have to go back to the command line and reapply the rule. Is there a file that I could add the rule to so that when I add new firewall rules through the CP it will persist? Here are the steps that I take to reproduce the issue:

Step 1 (CLI): iptables -I INPUT -p tcp --dport 25 -m string --string some-string --algo bm -j DROP
Step 2 (CLI): iptables -L INPUT (Rule applied and shows in the output)
Step 3 (CP): Add new rule in the Firewall section of VestaCP
Step 4 (CLI): iptables -L INPUT ( iptables -I INPUT -p tcp --dport 25 -m string --string some-string --algo bm -j DROP --Rule is now missing)

Thanks in advance for the help.

Re: Prevent Firewall from Flushing CLI Rules

Posted: Mon Apr 16, 2018 7:07 pm
by patrick.porteous
Just wanted to offer an update on this question. After not getting any response from the message board, I dug in a little deeper and found this blog post ... s-lookups/ that helped me append some advanced firewall rules to the rules applied through the GUI. Basically, the v-update-firewall command is triggered each time one adds any new rules through the GUI. Contained in the v-update-firewall command is a small bit of code that can be called to preserve rules when the command is triggered:

#vi /usr/local/vesta/bin/v-update-firewall

Look for this section of the command:

Code: Select all

# Checking custom trigger
if [ -x "$VESTA/data/firewall/" ]; then
    bash $VESTA/data/firewall/
Then to add the preserved firewall rule(s), create the file in /usr/local/vesta/data/firewall/


Code: Select all

iptables -I INPUT -p tcp --dport 25 -m string --string whatever-you-want --algo bm -j DROP

One thing that took me a minute to figure out was what permissions needed to be setup on the file but basically if you chmod it to 0700 it'll get picked up each time the v-update-firewall command is called.

Appreciate all of the hard work on VestaCP. Really a great product.