Managing iptables through CSF (Linux Command Line)

Expertise level: Medium

iptables is the standard Linux firewall. It is extremely powerful and customizable, but as a result it can also be very complex to manage. For this reason, iWeb recommends ConfigServer Security & Firewall (CSF) to manage your iptables configuration. CSF is a simplified interface that makes it easy to add or remove IP addresses from your firewall.

This article will discuss managing CSF and iptables from the command line. If you are running WHM/cPanel, please consult the Knowledge Base article specifically for WHM/cPanel. If you wish to manage iptables directly, please consult our iptables Knowledge Base article.

To manage CSF, start by logging into your server using SSH, and switch to the root user.

Enabling or Disabling CSF

You can enable or disable CSF safely without losing your firewall configuration.

To disable CSF:

csf -x

To enable CSF:

csf -e

Managing Ports

CSF can open or close ports for all IP addresses. This is useful when you have moved a service away from its standard port number.

Edit the following file with a text editor:

/etc/csf/csf.conf

Find the following lines, and add the port numbers you wish to open:

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,26"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873"

Closing a port is as simple as removing its number from the list.

To ensure that the change takes effect, be sure to restart CSF using the following command:

csf -r
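The following script is an added example for this article; it is not part of the original text or of the CSF project. It edits a file that uses the TCP_IN = "..." format shown above, adds or removes a port without creating duplicates, and refuses to restart CSF if the SSH port you are connected on is no longer in TCP_IN, which is the most common way to lock yourself out while editing the port lists. It assumes GNU sed (for sed -i) and only calls the csf binary when it exists on the PATH; the sample file it works on is constructed inline so it can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original article or the CSF project): edit the
# TCP_IN / TCP_OUT lists of a csf.conf-style file safely, then restart CSF.
# Assumptions: GNU sed; keys use the  KEY = "a,b,c"  format shown in the article.

# Constructed sample config so the functions can be exercised without CSF installed.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,26"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873"
EOF

# Return 0 if $1 is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the comma-separated value of key $1 (e.g. TCP_IN) in file $2.
get_list() {
    sed -n "s/^$1 *= *\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Return 0 if port $2 is present in key $1 of file $3.
has_port() {
    get_list "$1" "$3" | tr ',' '\n' | grep -qx "$2"
}

# Replace the value of key $1 in file $2 with $3, keeping the comment lines.
set_list() {
    sed -i "s/^$1 *= *\"[^\"]*\"/$1 = \"$3\"/" "$2"
}

# Add port $2 to key $1 in file $3; a no-op if it is already listed.
add_port() {
    valid_port "$2" || { echo "invalid port: $2" >&2; return 1; }
    has_port "$1" "$2" "$3" && return 0
    cur="$(get_list "$1" "$3")"
    set_list "$1" "$3" "${cur:+$cur,}$2"
}

# Remove port $2 from key $1 in file $3.
remove_port() {
    cur="$(get_list "$1" "$3")"
    new="$(printf '%s\n' "$cur" | tr ',' '\n' | grep -vx "$2" | paste -sd, -)"
    set_list "$1" "$3" "$new"
}

# Restart CSF only if SSH port $1 is still allowed in TCP_IN of file $2.
# Without this check a typo in TCP_IN followed by `csf -r` can cut off your own session.
apply_conf() {
    if ! has_port TCP_IN "$1" "$2"; then
        echo "refusing to restart: SSH port $1 is not in TCP_IN" >&2
        return 1
    fi
    if command -v csf >/dev/null 2>&1; then
        csf -r
    else
        echo "csf not installed here; would run: csf -r"
    fi
}

# Demo on the constructed sample: open 2222, close 26, then check before restarting.
add_port TCP_IN 2222 "$SAMPLE_CONF"
remove_port TCP_IN 26 "$SAMPLE_CONF"
echo "TCP_IN is now: $(get_list TCP_IN "$SAMPLE_CONF")"
apply_conf 22 "$SAMPLE_CONF"
```

To use it on a real server, point the functions at /etc/csf/csf.conf instead of the sample file and pass the port your SSH daemon actually listens on to apply_conf. Keep a backup of csf.conf before scripted edits, as sed -i rewrites the file in place.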

It is also possible to block entire countries. Be warned, however, that some IP ranges might be outdated, in which case you may block legitimate visitors. In addition, because of the sheer number of IP addresses involved, creating these rules can greatly slow down server reboots.

If you still wish to add whole countries to your CSF configuration, open the following file:

/etc/csf/csf.conf

Search for the section titled "CC_Allow or CC_Deny", and enter one or more of the following country codes:

AF,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BA,BW,BV,BR,IO,BN,BG,BF,BI,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR,CU,CY,CZ,DK,DJ,DM,DO,TP,EC,EG,SV,GQ,ER,EE,ET,FK,FO,FJ,FI,FR,FX,GF,PF,TF,GA,GM,GE,DE,GH,GI,GR,GL,GD,GP,GU,GT,GN,GW,GY,HT,HM,VA,HN,HK,HU,IS,IN,ID,IR,IQ,IE,IL,IT,JM,JP,JO,KZ,KE,KI,KP,KR,KW,KG,LA,LV,LB,LS,LR,LY,LI,LT,LU,MO,MK,MG,MW,MY,MV,ML,MT,MH,MQ,MR,MU,YT,MX,FM,MD,MC,MN,MS,MA,MZ,MM,NA,NR,NP,NL,AN,NC,NZ,NI,NE,NG,NU,NF,MP,NO,OM,PK,PW,PA,PG,PY,PE,PH,PN,PL,PT,PR,QA,RE,RO,RU,RW,KN,LC,VC,WS,SM,ST,SA,SN,SC,SL,SG,SK,SI,SB,SO,ZA,GS,ES,LK,SH,PM,SD,SR,SJ,SZ,SE,CH,SY,TW,TJ,TZ,TH,TG,TK,TO,TT,TN,TR,TM,TC,TV,UG,UA,AE,GB,US,UM,UY,UZ,VU,VE,VN,VG,VI,WF,EH,YE,ZM,ZW

For more information, please consult the official documentation: http://www.configserver.com/techfaq/index.php

Managing IP Addresses

To allow or whitelist specific IP addresses, use the following command:

csf -a 123.123.123.123

Replace the numbers with the IP address you wish to allow. This IP address will be added to the list of IP addresses allowed to access your server. The list is stored in /etc/csf.conf and can also be edited by hand.

You can also remove an IP address from the allow list by using this command:

csf -ar 123.123.123.123

In the case of an attack, you can also block certain IP addresses. Use the following command:

csf -d 123.123.123.123

This IP address will be added to the list of IP addresses blocked by iptables; the list is stored in /etc/csf.deny.

You can also remove an IP address from the deny list by using the following command:

csf -dr 123.123.123.123

When you have completed your changes, be sure to restart CSF:

csf -r
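The script below is an added example for this section and is not part of the original article or of CSF itself. It wraps csf -d and csf -dr with two checks a practitioner wants before blocking an address during an incident: that the argument is a well-formed IPv4 address, and that it is not the source address of the SSH session you are administering from (read from the SSH_CLIENT variable that sshd sets). It covers plain IPv4 only; CSF also accepts IPv6 addresses and CIDR ranges, which this example does not validate. The csf binary is only invoked when it is on the PATH, so the script can be tried on a machine without CSF.

```shell
#!/bin/sh
# Added example (not from the original article or the CSF project): guarded
# wrappers around `csf -d` / `csf -dr`.
# Assumptions: IPv4 dotted-quad addresses only; $SSH_CLIENT is set by sshd to
# "client_ip client_port server_port" for the current session.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    # Reject non-digit characters, leading/trailing dots and empty octets up front.
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    # Split on dots in a subshell so the caller's IFS is untouched.
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Print the address this SSH session came from, or nothing if not over SSH.
my_ssh_client() {
    printf '%s\n' "${SSH_CLIENT%% *}"
}

# Run a csf command if the binary exists; otherwise report what would run.
run_csf() {
    if command -v csf >/dev/null 2>&1; then
        csf "$@"
    else
        echo "csf not installed here; would run: csf $*"
    fi
}

# Block $1 unless it is malformed or is the address of your own session.
deny_ip() {
    if ! valid_ipv4 "$1"; then
        echo "refusing: '$1' is not a valid IPv4 address" >&2
        return 1
    fi
    if [ "$1" = "$(my_ssh_client)" ]; then
        echo "refusing: $1 is the source address of your current SSH session" >&2
        return 1
    fi
    run_csf -d "$1"
}

# Remove $1 from the deny list.
undeny_ip() {
    valid_ipv4 "$1" || { echo "refusing: '$1' is not a valid IPv4 address" >&2; return 1; }
    run_csf -dr "$1"
}

# Demo with constructed documentation-range addresses (RFC 5737).
deny_ip 198.51.100.9
undeny_ip 198.51.100.9
deny_ip 256.1.1.1 || true
```

On a live server, run the wrappers as root and follow them with csf -r as the article describes. The self-lockout check only sees the session you run the script from, so if you administer through a bastion host, compare against that host's address as well.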
