Skip to main content

Create persistent Host Access Control rules via CLI

Comments

10 comments

  • cPRex Jurassic Moderator

    Hey there!  I've confirmed that they do indeed seem to be temporary and I'm seeing if I can come up with a plan B.  I'll let you know what I find out!

    0
  • cPRex Jurassic Moderator

    I went down quite a rabbit hole on Host Access Control while looking into this, but at least I have an idea now.

    On the machine where the rules get wiped, can you see if there are any issues with the service itself by running this command?

    systemctl status nftables

    I'm wondering if there are issues with the service itself processing rules, and that command should show me more details.

    0
  • Macs R We

    systemctl status nftables

    â nftables.service - Netfilter Tables

         Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; preset: disabled)

         Active: active (exited) since Sat 2026-01-03 13:51:14 MST; 1 day 23h ago

           Docs: man:nft(8)

        Process: 639 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf (code=exited, status=0/SUCCESS)

       Main PID: 639 (code=exited, status=0/SUCCESS)

            CPU: 23ms

     

    Notice: journal has been rotated since unit was started, output may be incomplete.

     

    0
  • cPRex Jurassic Moderator

    Thanks for that.  That confirms it wasn't the one case I was thinking of, and I just wanted to confirm that before recommending anything else.

    If you need to make the rules that were added on the command line permanent, you can run this:

    nft list ruleset > /etc/sysconfig/nftables.conf

    Can you try that for me on your end and let me know if that maintains the rules as you expect?

    0
  • Macs R We

    It solves that problem (thank you!) but introduces another.

    I've verified that safestoring the ruleset as you suggested does cause Host Access Control to persist across reboots. Yay!

    But the command you provide stores a lot more than the Host Access Control rules. For example, I notice that the CPHulk temp ban IP list is also saved to that file... meaning that every time my server reboots, it's going to lose items recently added to the temp ban list and reassert items that expired long ago. Other chains are also present that could present similar issues (I'm not familiar with the implications of many of them).

    This file doesn't exist in the default installation, and presumably cPanel stores its own persistent rules image in some other database. If we create this file (like I just did), do we know that the system will load it first, then overwrite it with whatever cPanel has stored away, or do it in the opposite order, or what? The first would be ideal, the second pessimal.

    Is there a variation of  the command you supplied that would store JUST the Host Access Control chain? Would loading such a file leave the other chains untouched, or wipe them out (empty them)?

    A secondary issue is what happens if I do use the WHM facility to modify the Host Access Control rules (for example, delete one)? That action isn't going to change that file, so that rule will come back after a reboot. (If all the other problem can be solved, I'm willing to limit myself to never using the Host Access Control screen in WHM directly, to avoid this issue.)

    0
  • cPRex Jurassic Moderator

    I just wanted to let you know that I'm still looking into this, but I haven't found much on my end yet.  Once I have more details I'll be sure to post!

    0
  • cPRex Jurassic Moderator

    I'll be honest, I still don't have a good explanation for everything happening here.  I think part of the issue is this:

    https://support.cpanel.net/hc/en-us/articles/31733253610519-cPHulk-chain-is-not-added-to-INPUT-filter-in-nftables-resulting-in-the-cPHulk-Firewall-chain-not-blocking-any-IPs

    where the records *should* be getting added to the nft chains by default, but since that isn't happening the manual workaround I recommended earlier was adding them for you.  That's likely one layer to the puzzle.

    Is there any way you can make a ticket on this one?

    0
  • Macs R We

    Thanks again. Ticket #95901850.

    0
  • cPRex Jurassic Moderator

    Great - I've also let the guy know that I was doing troubleshooting with on this about the ticket, and he's likely going to reach out soon there.

    0
  • Macs R We

    It looks like the solution (at least for me) is to add

    nft list chain inet filter cPanel-HostAccessControl > /etc/sysconfig/nftables.conf

    at the end of the shell script that sets my Host Access Control via nft commands.

    I didn't have an nftables.conf existing on my server; if someone reading this later does, they will have to create the file somewhere else and put an "include" directive in the existing nftables.conf to drag it in at the end.

    0

Please sign in to leave a comment.