Managing iptables through CSF (Linux Command Line)

Posted:  May 14th, 2016

 

iptables is the standard Linux firewall. It is extremely powerful and customizable, but can also be incredibly complex to manage as a result. For this reason, iWeb recommends ConfigServer Security & Firewall (CSF) to manage your iptables configuration. CSF is a simplified interface that makes it easy to add or remove IP addresses from your firewall.

 

This article covers managing CSF and iptables from the command line. If you are running WHM/cPanel, consult the Knowledge Base article written specifically for WHM/cPanel instead.

 

To manage CSF, start by logging into your server using SSH, and switch to the root user.

 

Enabling or Disabling CSF

 

You can disable CSF (together with lfd, its login failure daemon) and enable it again later without losing your configuration: the files under /etc/csf are left untouched. Be aware, however, that while CSF is disabled its iptables rules are flushed, so every listening service is reachable from anywhere until you enable it again. Do not leave it disabled for longer than necessary.

 

To disable CSF:

 

    csf -x

 

To enable CSF:

 

    csf -e

 

Managing Ports

 

CSF can open or close ports globally, that is for all source IP addresses. This is useful when a service listens on something other than its standard port, for example when sshd has been moved off port 22, or when you want to stop exposing a service you no longer use.

 

Simply edit the following file, using a file editor:

 

    /etc/csf/csf.conf

 

Find the following lines and add the port numbers you wish to open to the comma-separated list (UDP services have matching UDP_IN and UDP_OUT lists in the same file):

 

    # Allow incoming TCP ports
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,26"
    # Allow outgoing TCP ports
    TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873"

Closing a port is as simple as removing its number from the list. Never remove the port your own SSH session uses (22 unless you have moved sshd) from TCP_IN, or you will lock yourself out. While you are in the file, check the TESTING setting as well: while it is "1", a cron job installed by CSF flushes the firewall rules every few minutes as a safety net, so set it to "0" once you have confirmed that you can still log in.

 

To ensure that the change takes effect, be sure to restart CSF using the following command:

 

    csf -r
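The port-list edits described above, as an added shell example that is not part of the original article and not CSF's own code. It edits the TCP_IN / TCP_OUT lines of a csf.conf-style file without introducing duplicates, refuses to drop the SSH port from TCP_IN, and switches TESTING off. The sample config and its mktemp path are constructed for the demonstration; on a real server you would point the functions at /etc/csf/csf.conf (after taking a backup) and run csf -r afterwards.

```shell
#!/bin/sh
# Added example, not code from the original article or from CSF itself: edit
# the TCP_IN / TCP_OUT port lists of a csf.conf-style file idempotently, refuse
# to drop the SSH port from TCP_IN, and turn off TESTING. The sample config and
# the file path (a mktemp copy) are constructed for the demonstration; on a real
# server you would point these at /etc/csf/csf.conf and then run `csf -r`.

# csf_ports FILE KEY           -> print the comma-separated list for KEY
csf_ports() {
    sed -n "s/^$2 = \"\(.*\)\"\$/\1/p" "$1"
}

# csf_set_ports FILE KEY LIST  -> rewrite the KEY = "..." line in place
csf_set_ports() {
    sed -i "s/^$2 = \".*\"\$/$2 = \"$3\"/" "$1"
}

# csf_open_port FILE KEY PORT  -> append PORT unless it is already listed
csf_open_port() {
    list=$(csf_ports "$1" "$2")
    case ",$list," in
        *",$3,"*) ;;                                   # already open: no-op
        *) csf_set_ports "$1" "$2" "${list:+$list,}$3" ;;
    esac
}

# csf_close_port FILE KEY PORT -> remove PORT; refuses to close the SSH port
# in TCP_IN (SSH_PORT, default 22) because that locks the operator out.
csf_close_port() {
    if [ "$2" = "TCP_IN" ] && [ "$3" = "${SSH_PORT:-22}" ]; then
        echo "refusing to remove SSH port $3 from TCP_IN" >&2
        return 1
    fi
    list=$(csf_ports "$1" "$2")
    new=$(printf '%s\n' "$list" | tr ',' '\n' | grep -vx "$3" | paste -sd, -)
    csf_set_ports "$1" "$2" "$new"
}

# csf_disable_testing FILE     -> TESTING = "1" makes a CSF cron job flush the
# rules every few minutes; set it to "0" once you have confirmed SSH still works.
csf_disable_testing() {
    sed -i 's/^TESTING = "1"$/TESTING = "0"/' "$1"
}

# Constructed sample csf.conf (only the lines this example touches).
demo_csf_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,26"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873"
TESTING = "1"
EOF
    echo "$f"
}

# Walk-through on the constructed copy.
CONF=$(demo_csf_conf)
csf_open_port  "$CONF" TCP_IN 2222            # sshd moved to 2222
csf_open_port  "$CONF" TCP_IN 2222            # second call is a no-op
csf_close_port "$CONF" TCP_IN 21              # stop exposing FTP
csf_close_port "$CONF" TCP_IN 22 || true      # refused: SSH_PORT still defaults to 22
csf_disable_testing "$CONF"
csf_ports "$CONF" TCP_IN                      # 20,22,25,53,80,110,143,443,465,587,993,995,26,2222
rm -f "$CONF"
```

The SSH guard is deliberately conservative: it only knows the port named in SSH_PORT (22 by default), so after moving sshd you must export SSH_PORT=2222 before the function will let you close 22. Whatever you change, the rules only take effect after csf -r.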

 

It is also possible to block entire countries by country code. Be warned, however, that the country-to-address-range data is only as accurate as its last update; stale ranges will block traffic from legitimate visitors. In addition, because a single country can map to a very large number of ranges, loading these rules can make CSF start-up, and therefore a server reboot, markedly slower.

 

If you still wish to add whole countries to your CSF configuration, open the following file:

 

    /etc/csf/csf.conf

 

Search for the CC_DENY and CC_ALLOW settings and enter one or more of the following ISO 3166-1 alpha-2 country codes as a comma-separated list (for example, setting CC_DENY to "CN,RU" drops traffic from the ranges attributed to those two countries). Note that a few codes in this list (such as AN, FX and TP) have since been retired, which illustrates the staleness problem mentioned above:

 

AF,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BA,BW,BV,BR,IO,BN,BG,BF,BI,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR,CU,CY,CZ,DK,DJ,DM,DO,TP,EC,EG,SV,GQ,ER,EE,ET,FK,FO,FJ,FI,FR,FX,GF,PF,TF,GA,GM,GE,DE,GH,GI,GR,GL,GD,GP,GU,GT,GN,GW,GY,HT,HM,VA,HN,HK,HU,IS,IN,ID,IR,IQ,IE,IL,IT,JM,JP,JO,KZ,KE,KI,KP,KR,KW,KG,LA,LV,LB,LS,LR,LY,LI,LT,LU,MO,MK,MG,MW,MY,MV,ML,MT,MH,MQ,MR,MU,YT,MX,FM,MD,MC,MN,MS,MA,MZ,MM,NA,NR,NP,NL,AN,NC,NZ,NI,NE,NG,NU,NF,MP,NO,OM,PK,PW,PA,PG,PY,PE,PH,PN,PL,PT,PR,QA,RE,RO,RU,RW,KN,LC,VC,WS,SM,ST,SA,SN,SC,SL,SG,SK,SI,SB,SO,ZA,GS,ES,LK,SH,PM,SD,SR,SJ,SZ,SE,CH,SY,TW,TJ,TZ,TH,TG,TK,TO,TT,TN,TR,TM,TC,TV,UG,UA,AE,GB,US,UM,UY,UZ,VU,VE,VN,VG,VI,WF,EH,YE,ZM,ZW

 

For more information, please consult the official documentation: http://www.configserver.com/techfaq/index.php

 

Managing IP Addresses

 

To allow or whitelist specific IP addresses, use the following command:

 

    csf -a 123.123.123.123

 

Replace the numbers with the IP address, or CIDR range such as 123.123.123.0/24, that you wish to allow; an optional trailing comment, for instance csf -a 123.123.123.123 "office", is stored with the entry. The address is written to /etc/csf/csf.allow and added to the running iptables rules immediately. The file can also be edited by hand, in which case you must restart CSF afterwards for the change to take effect. Entries in csf.allow are processed before those in csf.deny, so an address that is allowed will not be blocked by a later deny entry.

 

You can also remove an IP address from the allow list by using this command:

 

    csf -ar 123.123.123.123

 

In the case of an attack, you can also block certain IP addresses. Use the following command:

 

    csf -d 123.123.123.123

 

This IP address is written to /etc/csf/csf.deny and blocked in iptables immediately. For a block that should expire on its own, use csf -td with a time-to-live in seconds (for example, csf -td 123.123.123.123 3600 blocks the address for one hour); temporary blocks are kept separately from csf.deny and can be removed early with csf -tr.

 

You can also remove an IP address from the deny list by using the following command:

 

    csf -dr 123.123.123.123

 

The csf -a, -ar, -d and -dr commands apply their changes immediately. If you edited csf.allow or csf.deny by hand instead, restart CSF so that the files are reloaded:

 

    csf -r

To confirm that a rule is actually in place, search the live iptables rules with csf -g followed by the IP address.
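Because csf.allow entries are applied before csf.deny entries, running csf -d against an address that csf.allow already covers produces a block that never fires. The following added shell example, which is not part of the original article and not CSF's own code, checks both lists (including CIDR entries) before a deny is issued. The two sample lists are constructed from RFC 5737 documentation ranges and written to mktemp paths; on a real server you would pass /etc/csf/csf.allow and /etc/csf/csf.deny instead.

```shell
#!/bin/sh
# Added example, not code from the original article or from CSF itself: before
# denying an address, check whether csf.allow already covers it (allow entries
# are processed before deny entries, so the block would be ineffective) and
# whether csf.deny already covers it. The sample list files are constructed
# (RFC 5737 documentation ranges) and written to mktemp paths; on a real server
# pass /etc/csf/csf.allow and /etc/csf/csf.deny.

# ip4_to_int A.B.C.D        -> 32-bit integer, shell arithmetic only
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip4_in_net IP NET[/BITS]  -> true if IP lies inside NET (a bare NET means /32)
ip4_in_net() {
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# csf_list_match FILE IP    -> print the csf.allow/csf.deny entry covering IP,
# return 1 if none. Entries look like "1.2.3.4 # comment" or "1.2.3.0/24".
csf_list_match() {
    file=$1
    ip=$2
    while IFS= read -r line || [ -n "$line" ]; do
        set -- ${line%%#*}                   # drop "# comment", split fields
        [ $# -eq 0 ] && continue             # blank or comment-only line
        entry=$1
        case $entry in
            *\|*) continue ;;                # tcp|in|d=22|s=... port rules: not a plain address
            *:*)  continue ;;                # IPv6: not handled by ip4_in_net
        esac
        if ip4_in_net "$ip" "$entry"; then
            echo "$entry"
            return 0
        fi
    done < "$file"
    return 1
}

# csf_deny_check ALLOW DENY IP -> "allowed:<entry>" (deny would be ineffective),
# "denied:<entry>" (already blocked), or "ok" (safe to run: csf -d IP "reason")
csf_deny_check() {
    if m=$(csf_list_match "$1" "$3"); then echo "allowed:$m"; return 1; fi
    if m=$(csf_list_match "$2" "$3"); then echo "denied:$m";  return 2; fi
    echo ok
}

# Constructed sample lists in the csf.allow / csf.deny format.
demo_csf_lists() {
    d=$(mktemp -d)
    cat > "$d/csf.allow" <<'EOF'
# csf.allow: always-permitted sources
203.0.113.0/24 # office network
198.51.100.7 # monitoring host
tcp|in|d=22|s=192.0.2.9 # ssh from jump host only (advanced syntax)
EOF
    cat > "$d/csf.deny" <<'EOF'
192.0.2.0/24 # scanner range
EOF
    echo "$d"
}

# Walk-through on the constructed lists.
D=$(demo_csf_lists)
csf_deny_check "$D/csf.allow" "$D/csf.deny" 203.0.113.45 || true   # allowed:203.0.113.0/24
csf_deny_check "$D/csf.allow" "$D/csf.deny" 192.0.2.77   || true   # denied:192.0.2.0/24
csf_deny_check "$D/csf.allow" "$D/csf.deny" 198.51.100.200        # ok
rm -rf "$D"
```

Only plain IPv4 and CIDR entries are evaluated; CSF's port-specific entries of the form tcp|in|d=22|s=address and IPv6 entries are skipped, so an "ok" result still deserves a glance at those lines before you run csf -d.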