Posted: May 14th, 2016
iptables is the standard Linux firewall. It is extremely powerful and customizable, but can also be incredibly complex to manage as a result. For this reason, iWeb recommends ConfigServer Security & Firewall (CSF) to manage your iptables configuration. CSF is a simplified interface that makes it easy to add or remove IP addresses from your firewall.
This article will discuss managing CSF and iptables from the command line. If you are running WHM/cPanel, please consult the Knowledge Base article specifically for WHM/cPanel.
To manage CSF, start by logging into your server using SSH, and switch to the root user.
Enabling or Disabling CSF
You can enable or disable CSF safely without losing your firewall configuration.
To disable CSF:
csf -x
To enable CSF:
csf -e
Managing Ports
CSF can open or close ports to any and all IP addresses. This is useful when you have changed your port configuration from the standard port numbers.
Simply edit the following file, using a file editor:
/etc/csf/csf.conf
Find the following lines, and add the port numbers you wish to open:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,26"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873"
Blocking ports is as simple as removing the port numbers from the list.
To ensure that the change takes effect, be sure to restart CSF using the following command:
csf -r
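As an added example that is not part of this article or of CSF itself, the POSIX shell helpers below edit a TCP_IN or TCP_OUT line the way the steps above describe, but idempotently (no duplicate entries) and with port validation. The function names are our own, and the sample configuration is constructed from the two lines shown above.

```shell
# Added example (not from the article or the CSF project): idempotent helpers that
# add or remove a port in a TCP_IN / TCP_OUT line of csf.conf. csf -r is still needed afterwards.

# Write a constructed csf.conf fragment (the two lines from the article) to $1.
csf_sample_conf() {
    cat > "$1" <<'EOF'
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,26"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873"
EOF
}

# csf_port_list FILE KEY: print the value of KEY (e.g. TCP_IN) without the quotes.
csf_port_list() {
    sed -n "s/^$2 = \"\(.*\)\"$/\1/p" "$1"
}
# csf_has_port FILE KEY PORT: succeed only if PORT is already in the list.
csf_has_port() {
    csf_port_list "$1" "$2" | tr ',' '\n' | grep -qx -- "$3"
}
# csf_set_list FILE KEY VALUE: rewrite the KEY line in place (keeps file permissions).
csf_set_list() {
    tmp=$(mktemp) || return 1
    sed "s/^$2 = \".*\"$/$2 = \"$3\"/" "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# csf_add_port FILE KEY PORT: append PORT unless present; reject anything that is not a port.
csf_add_port() {
    case $3 in ''|*[!0-9]*) echo "not a port number: $3" >&2; return 1 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "port out of range: $3" >&2; return 1; }
    csf_has_port "$1" "$2" "$3" && return 0
    cur=$(csf_port_list "$1" "$2")
    csf_set_list "$1" "$2" "${cur:+$cur,}$3"
}
# csf_remove_port FILE KEY PORT: drop PORT from the list (the port closes after csf -r).
csf_remove_port() {
    csf_has_port "$1" "$2" "$3" || return 0
    new=$(csf_port_list "$1" "$2" | tr ',' '\n' | grep -vx -- "$3" | tr '\n' ',' | sed 's/,$//')
    csf_set_list "$1" "$2" "$new"
}

# Demo on a temporary copy: open 2222 twice (second call is a no-op), then close 21.
demo=$(mktemp); csf_sample_conf "$demo"
csf_add_port "$demo" TCP_IN 2222; csf_add_port "$demo" TCP_IN 2222
csf_remove_port "$demo" TCP_IN 21
grep '^TCP_' "$demo"; rm -f "$demo"
```

Point the functions at /etc/csf/csf.conf once the dry run on the sample looks right, then restart CSF with csf -r as above.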
It is also possible to block entire countries. Be warned, however, that some IP ranges might be outdated, in which case you will lose traffic from legitimate visitors. In addition, due to the sheer volume of IP addresses, creating these rules can add an extreme delay to server reboots.
If you still wish to add whole countries to your CSF configuration, open the following file:
/etc/csf/csf.conf
Search for the section titled "CC_Allow or CC_Deny", and enter one of the following country codes:
AF,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BA,BW,BV,BR,IO,BN,BG,BF,BI,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR,CU,CY,CZ,DK,DJ,DM,DO,TP,EC,EG,SV,GQ,ER,EE,ET,FK,FO,FJ,FI,FR,FX,GF,PF,TF,GA,GM,GE,DE,GH,GI,GR,GL,GD,GP,GU,GT,GN,GW,GY,HT,HM,VA,HN,HK,HU,IS,IN,ID,IR,IQ,IE,IL,IT,JM,JP,JO,KZ,KE,KI,KP,KR,KW,KG,LA,LV,LB,LS,LR,LY,LI,LT,LU,MO,MK,MG,MW,MY,MV,ML,MT,MH,MQ,MR,MU,YT,MX,FM,MD,MC,MN,MS,MA,MZ,MM,NA,NR,NP,NL,AN,NC,NZ,NI,NE,NG,NU,NF,MP,NO,OM,PK,PW,PA,PG,PY,PE,PH,PN,PL,PT,PR,QA,RE,RO,RU,RW,KN,LC,VC,WS,SM,ST,SA,SN,SC,SL,SG,SK,SI,SB,SO,ZA,GS,ES,LK,SH,PM,SD,SR,SJ,SZ,SE,CH,SY,TW,TJ,TZ,TH,TG,TK,TO,TT,TN,TR,TM,TC,TV,UG,UA,AE,GB,US,UM,UY,UZ,VU,VE,VN,VG,VI,WF,EH,YE,ZM,ZW
For more information, please consult the official documentation: http://www.configserver.com/techfaq/index.php
Managing IP Addresses
To allow or whitelist specific IP addresses, use the following command:
csf -a 123.123.123.123
Replace the numbers with the IP address you wish to allow. The address is added to the list of IP addresses allowed to access your server; that list is kept in /etc/csf.conf and can be edited by hand.
You can also remove an IP address from the allow list by using this command:
csf -ar 123.123.123.123
In the case of an attack, you can also block certain IP addresses. Use the following command:
csf -d 123.123.123.123
This IP address will be added to the list of IP addresses blocked by iptables, which is kept in /etc/csf.deny.
You can also remove an IP address from the deny list by using the following command:
csf -dr 123.123.123.123
When you have completed your changes, be sure to restart CSF:
csf -r