Create persistent Host Access Control rules via CLI
I have a dozen or so firewall rules set up in WHM Host Access Control. When I need my hosting provider to debug some problem, they want me to add permissions for more than two dozen other IP addresses or ranges temporarily, so they can get in to do their work.
Back when my server ran on CentOS, it wasn't difficult to manage this easily within the Host Access Control page by keeping their additional rules in place at the end of the list, but moving the "reject everybody else" rules to either before or after them as needed. But it turns out that the Host Access Control page for AlmaLinux 8 is comparatively hobbled -- you can add rules only to the END of an existing list (after the "reject everybody else" rule, which makes them pretty useless), and you can't move them. That made managing these rules from WHM unsupportable.
So instead, I resorted to the "nft commands" technique recommended in
But I kept running into problems where my entire ruleset would just vanish (and then brute-forcers would swarm on like Wallops Island mosquitos until I re-established them). The vanishing was found to be caused by reboots.
My hosting provider worked the problem, then announced to me that the issue was caused by the "nft commands" technique in that article creating rules that existed only in memory, nowhere in a permanent table. I experimented and verified: rules set up through the Host Access Controls page survive reboots, but rules added through the nft commands in the support article were entirely ephemeral.
My server host says firewalld, which used to keep permanent rules in a known file, is deprecated in AlmaLinux 8, in preference to nftables. (He was a bit cursory about the relevance here so I may not have it entirely right,) While the nft commands in the support article create only temporary, memory-based rules that vanish on reboot, the WHM Host Access Control page clearly not only creates the memory-based rules, but stores them somewhere where they will be reloaded after a reboot.
How can I both perform bulk reconfiguration of these firewall rules via CLI script when necessary, but also get them safestored for reactivation after a reboot, like the WHM facility does?
-
Hey there! I've confirmed that they do indeed seem to be temporary and I'm seeing if I can come up with a plan B. I'll let you know what I find out!
0 -
I went down quite a rabbit hole on Host Access Control while looking into this, but at least I have an idea now.
On the machine where the rules get wiped, can you see if there are any issues with the service itself by running this command?
systemctl status nftables
I'm wondering if there are issues with the service itself processing rules, and that command should show me more details.
0 -
systemctl status nftables
â nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; preset: disabled)
Active: active (exited) since Sat 2026-01-03 13:51:14 MST; 1 day 23h ago
Docs: man:nft(8)
Process: 639 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf (code=exited, status=0/SUCCESS)
Main PID: 639 (code=exited, status=0/SUCCESS)
CPU: 23ms
Notice: journal has been rotated since unit was started, output may be incomplete.
0 -
Thanks for that. That confirms it wasn't the one case I was thinking of, and I just wanted to confirm that before recommending anything else.
If you need to make the rules that were added on the command line permanent, you can run this:
nft list ruleset > /etc/sysconfig/nftables.conf
Can you try that for me on your end and let me know if that maintains the rules as you expect?
0 -
It solves that problem (thank you!) but introduces another.
I've verified that safestoring the ruleset as you suggested does cause Host Access Control to persist across reboots. Yay!
But the command you provide stores a lot more than the Host Access Control rules. For example, I notice that the CPHulk temp ban IP list is also saved to that file... meaning that every time my server reboots, it's going to lose items recently added to the temp ban list and reassert items that expired long ago. Other chains are also present that could present similar issues (I'm not familiar with the implications of many of them).
This file doesn't exist in the default installation, and presumably cPanel stores its own persistent rules image in some other database. If we create this file (like I just did), do we know that the system will load it first, then overwrite it with whatever cPanel has stored away, or do it in the opposite order, or what? The first would be ideal, the second pessimal.
Is there a variation of the command you supplied that would store JUST the Host Access Control chain? Would loading such a file leave the other chains untouched, or wipe them out (empty them)?
A secondary issue is what happens if I do use the WHM facility to modify the Host Access Control rules (for example, delete one)? That action isn't going to change that file, so that rule will come back after a reboot. (If all the other problem can be solved, I'm willing to limit myself to never using the Host Access Control screen in WHM directly, to avoid this issue.)
0 -
I just wanted to let you know that I'm still looking into this, but I haven't found much on my end yet. Once I have more details I'll be sure to post!
0 -
I'll be honest, I still don't have a good explanation for everything happening here. I think part of the issue is this:
where the records *should* be getting added to the nft chains by default, but since that isn't happening the manual workaround I recommended earlier was adding them for you. That's likely one layer to the puzzle.
Is there any way you can make a ticket on this one?
0 -
Thanks again. Ticket #95901850.
0 -
Great - I've also let the guy know that I was doing troubleshooting with on this about the ticket, and he's likely going to reach out soon there.
0 -
It looks like the solution (at least for me) is to add
nft list chain inet filter cPanel-HostAccessControl > /etc/sysconfig/nftables.confat the end of the shell script that sets my Host Access Control via nft commands.
I didn't have an nftables.conf existing on my server; if someone reading this later does, they will have to create the file somewhere else and put an "include" directive in the existing nftables.conf to drag it in at the end.
0
Please sign in to leave a comment.
Comments
10 comments