Expertise level: Medium


iptables is the standard Linux firewall. It is extremely powerful and customizable, but can also be incredibly complex to manage as a result. For this reason, iWeb recommends ConfigServer Security & Firewall (CSF) to manage your iptables configuration. CSF is a simplified interface that makes it easy to add or remove IP addresses from your firewall.


This article will discuss managing CSF and iptables from the command line. If you are running WHM/cPanel, please consult the Knowledge Base article specifically for WHM/cPanel. If you wish to manage iptables directly, please consult our iptables Knowledge Base article.


To manage CSF, start by logging into your server using SSH, and switch to the root user.


Enabling or Disabling CSF


You can enable or disable CSF safely without losing your firewall configuration.


To disable CSF:

CODE
csf -x



To enable CSF:

CODE
csf -e



Managing Ports


CSF can open or close ports to any and all IP addresses. This is useful when you have changed your port configuration from the standard port numbers.


Simply edit the following file, using a file editor:

CODE
/etc/csf/csf.conf



Find the following lines, and add the port numbers you wish to open:

CODE
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,26"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873"



Blocking ports is as simple as removing the port numbers from the list.


To ensure that the change takes effect, be sure to restart CSF using the following command:

CODE
csf -r



It is also possible to block entire countries. Be warned, however, that some IP ranges might be outdated, in which case you will lose traffic from legitimate visitors. In addition, due to the sheer volume of IP addresses, creating these rules can add an extreme delay to server reboots.


If you still wish to add whole countries to your CSF configuration, open the following file:

CODE
/etc/csf/csf.conf



Search for the section titled "CC_Allow or CC_Deny", and enter one of the following country codes:

CODE
AF,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BA
BW,BV,BR,IO,BN,BG,BF,BI,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR
CU,CY,CZ,DK,DJ,DM,DO,TP,EC,EG,SV,GQ,ER,EE,ET,FK,FO,FJ,FI,FR,FX,GF,PF,TF,GA,GM,GE
DE,GH,GI,GR,GL,GD,GP,GU,GT,GN,GW,GY,HT,HM,VA,HN,HK,HU,IS,IN,ID,IR,IQ,IE,IL,IT,JM
JP,JO,KZ,KE,KI,KP,KR,KW,KG,LA,LV,LB,LS,LR,LY,LI,LT,LU,MO,MK,MG,MW,MY,MV,ML,MT,MH
MQ,MR,MU,YT,MX,FM,MD,MC,MN,MS,MA,MZ,MM,NA,NR,NP,NL,AN,NC,NZ,NI,NE,NG,NU,NF,MP,NO
OM,PK,PW,PA,PG,PY,PE,PH,PN,PL,PT,PR,QA,RE,RO,RU,RW,KN,LC,VC,WS,SM,ST,SA,SN,SC,SL
SG,SK,SI,SB,SO,ZA,GS,ES,LK,SH,PM,SD,SR,SJ,SZ,SE,CH,SY,TW,TJ,TZ,TH,TG,TK,TO,TT,TN
TR,TM,TC,TV,UG,UA,AE,GB,US,UM,UY,UZ,VU,VE,VN,VG,VI,WF,EH,YE,ZM,ZW



For more information, please consult the official documentation: http://www.configserver.com/techfaq/index.php
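Editing csf.conf by hand works, but a typo in the quoted list (a missing comma, a duplicated port, an unbalanced quote) silently breaks the firewall configuration. The following shell functions are an added example, not part of the iWeb article or of the CSF distribution: they add or remove one value in a comma-separated, double-quoted csf.conf setting such as TCP_IN or CC_DENY without duplicating entries, and they refuse to touch a file where the setting is missing. The demo at the end works on a constructed copy of the relevant lines so nothing on the live system changes; on a real server you would point the functions at /etc/csf/csf.conf (the path given above) and run csf -r afterwards, as the article says. The setting names TCP_IN and CC_DENY are assumed to be spelled exactly that way in csf.conf.

```shell
#!/bin/sh
# Added example (not from iWeb or ConfigServer): safely edit a
# comma-separated, double-quoted list setting in a csf.conf-style file.
#
# csf_list_get    FILE KEY        -> prints the current list
# csf_list_add    FILE KEY VALUE  -> appends VALUE unless already present
# csf_list_remove FILE KEY VALUE  -> drops VALUE if present
# All return non-zero (and print to stderr) if KEY is not in FILE.

# Print the quoted value of KEY, e.g. TCP_IN = "20,21,22" -> 20,21,22
csf_list_get() {
    file=$1; key=$2
    if ! grep -q "^${key}[[:space:]]*=" "$file"; then
        printf 'error: %s not found in %s\n' "$key" "$file" >&2
        return 1
    fi
    sed -n "s/^${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1
}

# Rewrite the quoted value of KEY in place (via a temp file, so it works
# with any POSIX sed, not only GNU sed -i).
csf_list_set() {
    file=$1; key=$2; newval=$3
    sed "s/^\(${key}[[:space:]]*=[[:space:]]*\)\"[^\"]*\"/\1\"${newval}\"/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

csf_list_add() {
    file=$1; key=$2; value=$3
    current=$(csf_list_get "$file" "$key") || return 1
    # Match the whole token: ",22," inside ",20,21,22," so 2 never matches 22
    case ",$current," in
        *",$value,"*) return 0 ;;     # already present, nothing to do
    esac
    if [ -z "$current" ]; then newval=$value; else newval="$current,$value"; fi
    csf_list_set "$file" "$key" "$newval"
}

csf_list_remove() {
    file=$1; key=$2; value=$3
    current=$(csf_list_get "$file" "$key") || return 1
    # One token per line, drop exact matches, join back with commas
    newval=$(printf '%s\n' "$current" | tr ',' '\n' | grep -vxF -- "$value" | paste -s -d, -)
    csf_list_set "$file" "$key" "$newval"
}

# Demo on a constructed copy of two csf.conf lines (not the live file).
demo_conf=$(mktemp)
printf 'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"\nCC_DENY = ""\n' > "$demo_conf"
csf_list_add    "$demo_conf" TCP_IN 2222   # open a non-standard SSH port
csf_list_remove "$demo_conf" TCP_IN 21     # close FTP control port
csf_list_add    "$demo_conf" CC_DENY AQ    # country block, as in the article
cat "$demo_conf"                           # on a real server: csf -r next
rm -f "$demo_conf"
```

The exact-token check is the part worth keeping even if you rewrite the rest: a naive `grep 22` would report port 22 as present because 2222 or 225 contains it, and you would end up with the real port missing from the list.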


Managing IP Addresses


To allow or whitelist specific IP addresses, use the following command:

CODE
csf -a 123.123.123.123



Replace the numbers with the IP address you wish to allow. This IP address will be added to a list of IP addresses allowed to access your server. The list is contained at /etc/csf.conf and can be edited by hand.


You can also remove an IP address from the allow list by using this command:

CODE
csf -ar 123.123.123.123



In the case of an attack, you can also block certain IP addresses. Use the following command:

CODE
csf -d 123.123.123.123



This IP address will be added to the list of IP addresses blocked by iptables, which is contained at /etc/csf.deny.


You can also remove an IP address by using the following command:

CODE
csf -dr 123.123.123.123



When you have completed your changes, be sure to restart CSF:

CODE
csf -r
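During an incident the `csf -d` command is typed quickly, and the two mistakes that hurt most are blocking an address that is already on the allow list (the allow entry wins, so nothing happens) and blocking the address your own SSH session comes from. The wrapper below is an added example, not part of the iWeb article or of CSF: it validates the address, checks it against the allow list file that `csf -a` maintains (passed as the first argument; the demo uses a constructed temporary file), refuses to block the source of the current session as reported by sshd in `$SSH_CLIENT`, and only then calls `csf -d`. The `CSF_CMD` variable is an assumption of this script, used to dry-run with `echo` instead of the real binary.

```shell
#!/bin/sh
# Added example (not from iWeb or ConfigServer): guarded wrapper around
# "csf -d" for blocking one IPv4 address.
#
# block_ip ALLOW_FILE IP
#   ALLOW_FILE: the allow-list file CSF maintains for "csf -a"
#   IP:         dotted-quad IPv4 address to deny
# Return codes: 0 blocked, 2 malformed address, 3 address is on the
#               allow list, 4 address is our own SSH client.
# CSF_CMD (assumed here, not a CSF setting) overrides the csf binary.

# True if $1 is a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# True if IP appears in ALLOW_FILE, ignoring comments. Both plain lines
# ("1.2.3.4 # note") and advanced rules ("tcp|in|d=22|s=1.2.3.4") count.
ip_in_allow_list() {
    file=$1; ip=$2
    [ -f "$file" ] || return 1
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')   # literal dots in the regex
    sed 's/#.*//' "$file" | grep -qE "(^|[=[:space:]])${esc}([[:space:]]|$)"
}

block_ip() {
    allow_file=$1; ip=$2
    if ! is_ipv4 "$ip"; then
        printf 'refusing: "%s" is not a valid IPv4 address\n' "$ip" >&2
        return 2
    fi
    if ip_in_allow_list "$allow_file" "$ip"; then
        printf 'refusing: %s is on the allow list; remove it first with csf -ar\n' "$ip" >&2
        return 3
    fi
    # sshd sets SSH_CLIENT to "client-ip client-port server-port".
    if [ -n "$SSH_CLIENT" ] && [ "${SSH_CLIENT%% *}" = "$ip" ]; then
        printf 'refusing: %s is the source of this SSH session\n' "$ip" >&2
        return 4
    fi
    "${CSF_CMD:-csf}" -d "$ip"
}

# Demo with a constructed allow list and a dry run (CSF_CMD=echo prints
# the command line instead of calling csf).
demo_allow=$(mktemp)
printf '198.51.100.7 # office VPN\ntcp|in|d=22|s=192.0.2.10 # monitoring host\n' > "$demo_allow"
CSF_CMD=echo
block_ip "$demo_allow" 203.0.113.9                       # prints: -d 203.0.113.9
block_ip "$demo_allow" 198.51.100.7 || echo "exit code $?"  # refused, code 3
block_ip "$demo_allow" 300.1.1.1    || echo "exit code $?"  # refused, code 2
rm -f "$demo_allow"
```

After a real block, restart CSF with `csf -r` as the article says, and keep in mind that the wrapper only handles single IPv4 addresses; CSF itself also accepts CIDR ranges and IPv6, which this check deliberately rejects rather than guesses about.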


Source: http://kb.iweb.com

