Prevent Firewall from Flushing CLI Rules (topic is solved)
- Posts: 7
- Joined: Fri Jan 15, 2016 6:55 pm
Prevent Firewall from Flushing CLI Rules
Hello,
Is there a way to prevent VestaCP from flushing the rules applied to iptables that are entered from the command line (CLI) when a new rule is added using the control panel? I have a rule that I want to persist but every time I add a new rule through the panel I have to go back to the command line and reapply the rule. Is there a file that I could add the rule to so that when I add new firewall rules through the CP it will persist? Here are the steps that I take to reproduce the issue:
Step 1 (CLI): iptables -I INPUT -p tcp --dport 25 -m string --string some-string --algo bm -j DROP
Step 2 (CLI): iptables -L INPUT (Rule applied and shows in the output)
Step 3 (CP): Add new rule in the Firewall section of VestaCP
Step 4 (CLI): iptables -L INPUT (the rule iptables -I INPUT -p tcp --dport 25 -m string --string some-string --algo bm -j DROP is now missing)
Thanks in advance for the help.
- Posts: 7
- Joined: Fri Jan 15, 2016 6:55 pm
Re: Prevent Firewall from Flushing CLI Rules
Just wanted to offer an update on this question. After not getting any response from the message board, I dug in a little deeper and found this blog post http://www.lowendguide.com/3/networking ... s-lookups/ that helped me append some advanced firewall rules to the rules applied through the GUI. Basically, the v-update-firewall command is triggered each time one adds any new rules through the GUI. Contained in the v-update-firewall command is a small bit of code that can be called to preserve rules when the command is triggered:
#vi /usr/local/vesta/bin/v-update-firewall
Look for this section of the command:
Code:
# Checking custom trigger
if [ -x "$VESTA/data/firewall/custom.sh" ]; then
    bash $VESTA/data/firewall/custom.sh
fi
Then to add the preserved firewall rule(s), create the custom.sh file in /usr/local/vesta/data/firewall/custom.sh
Sample custom.sh:
Code:
#!/bin/bash
iptables -I INPUT -p tcp --dport 25 -m string --string whatever-you-want --algo bm -j DROP
One thing that took me a minute to figure out was what permissions needed to be set up on the custom.sh file, but basically if you chmod it to 0700 it'll get picked up each time the v-update-firewall command is called.
Appreciate all of the hard work on VestaCP. Really a great product.
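As an added example (not from the forum post above and not the Vesta project's own code), here is an idempotent version of custom.sh for the trigger described in that post. It checks each rule with iptables -C before inserting it, so running the script by hand does not stack a second copy of a rule that is already present, and it reports how many rules it actually added. The two rules in it are constructed placeholders (the --string value and the 203.0.113.0/24 source are examples, not real signatures or addresses), and the IPTABLES variable is an assumption added so the script can be dry-run against a stand-in command instead of the live firewall.

```shell
#!/bin/bash
# Added example, not the forum post's or Vesta's own code: an idempotent
# /usr/local/vesta/data/firewall/custom.sh. v-update-firewall runs this file
# (when it is executable) after rebuilding the chains, so anything inserted
# here survives edits made in the panel's Firewall section.
set -u

# Assumption: IPTABLES names the binary to call; point it at a stand-in to dry-run.
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule CHAIN ARGS...: insert the rule at the top of CHAIN unless it is
# already present. Exit status 0 = inserted, 1 = already there, 2 = iptables failed.
ensure_rule() {
    chain="$1"
    shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        return 1
    fi
    "$IPTABLES" -I "$chain" "$@" || return 2
    return 0
}

# apply_custom_rules: walk the rule list below and print how many rules were
# newly inserted (0 on a second run, because every rule already exists).
apply_custom_rules() {
    inserted=0
    while IFS= read -r rule; do
        case "$rule" in ''|'#'*) continue ;; esac
        # $rule is deliberately unquoted so it splits into iptables arguments.
        if ensure_rule INPUT $rule; then
            inserted=$((inserted + 1))
        fi
    done <<'EOF'
# Constructed sample rules: the --string value is a placeholder, not a real
# spam signature, and 203.0.113.0/24 is a documentation range, not a real net.
-p tcp --dport 25 -m string --string some-string --algo bm -j DROP
-p tcp --dport 22 -s 203.0.113.0/24 -j ACCEPT
EOF
    echo "$inserted"
}

# Only apply rules when invoked as custom.sh (which is how v-update-firewall
# calls it), so the functions can be sourced or tested without touching the
# live firewall.
case "${0##*/}" in
    custom.sh) apply_custom_rules >/dev/null ;;
esac
```

Install it with `install -o root -g root -m 0700 custom.sh /usr/local/vesta/data/firewall/custom.sh`; the `-x` test in v-update-firewall is what decides whether it runs, and since it executes as root on every panel change it should stay root-owned and not group- or world-writable. Two caveats for the sample rules: `-I` places them at the top of INPUT, ahead of whatever the panel generated, so they take precedence over any ACCEPT the panel adds for the same port; and `-m string` only sees the payload of each individual packet, so a string split across two TCP segments will not match. Treat the string rule as a nuisance filter, not an authoritative control.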