Managing iptables through CSF

CSF is the most popular firewall on Linux, and we recommend it for cPanel servers. It's easy to use.

You can enable or disable CSF safely without losing your firewall configuration.

To disable CSF:
csf -x
To enable CSF:
csf -e

Managing Ports

CSF can open or close ports to any and all IP addresses. This is useful when you have changed your port configuration from the standard port numbers.
Simply edit the following file, using a file editor:
/etc/csf/csf.conf
Find the following lines, and add the port numbers you wish to open:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,26"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873"
Blocking ports is as simple as removing the port numbers from the list.
To ensure that the change takes effect, be sure to restart CSF using the following command:
csf -r
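An added example, not from the original post: a shell check that reads the TCP_IN line from a csf.conf-style file and lists every port that is not in an approved baseline, so an unexpectedly opened port is noticed before csf -r applies it. The function names, the baseline list and the sample file are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit csf.conf port lists.

# Print the quoted value of SETTING (e.g. TCP_IN) from a csf.conf-style FILE.
csf_get() {  # usage: csf_get SETTING FILE
    awk -v key="$1" -F'"' '
        $1 ~ ("^[ \t]*" key "[ \t]*=[ \t]*$") { v = $2 }
        END { print v }' "$2"
}

# Print every entry of SETTING that is missing from the comma-separated
# BASELINE, one per line. Ranges such as 30000:35000 are compared as
# literal entries, so the baseline must list them in the same form.
csf_unexpected() {  # usage: csf_unexpected SETTING FILE BASELINE
    csf_get "$1" "$2" | tr -d ' \t' | tr ',' '\n' | while read -r port; do
        [ -z "$port" ] && continue
        case ",$3," in
            *",$port,"*) ;;           # approved port
            *) echo "$port" ;;        # not in the baseline
        esac
    done
}

# Constructed sample input: the TCP_IN / TCP_OUT lines shown above.
write_sample() {  # usage: write_sample FILE
    cat > "$1" <<'EOF'
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,26"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873"
EOF
}

# Assumed baseline for this example: the inbound ports the server should expose.
BASELINE_IN="20,21,22,25,53,80,110,143,443,465,587,993,995"

sample=$(mktemp)
write_sample "$sample"
echo "TCP_IN entries outside the baseline:"
csf_unexpected TCP_IN "$sample" "$BASELINE_IN"
rm -f "$sample"
```

On a real server, pass /etc/csf/csf.conf as the file argument and keep the baseline under version control so that changes to it are reviewed.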
It is also possible to block entire countries. Be warned, however, that some IP ranges might be outdated, in which case you will lose traffic from legitimate visitors. In addition, due to the sheer volume of IP addresses, creating these rules can add an extreme delay to server reboots.
If you still wish to add whole countries to your CSF configuration, open the following file:
/etc/csf/csf.conf
Search for the section titled "CC_ALLOW or CC_DENY", and enter one of the following country codes:
AF,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BA,BW,BV,BR,IO,BN,BG,BF,BI,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR,CU,CY,CZ,DK,DJ,DM,DO,TP,EC,EG,SV,GQ,ER,EE,ET,FK,FO,FJ,FI,FR,FX,GF,PF,TF,GA,GM,GE,DE,GH,GI,GR,GL,GD,GP,GU,GT,GN,GW,GY,HT,HM,VA,HN,HK,HU,IS,IN,ID,IR,IQ,IE,IL,IT,JM,JP,JO,KZ,KE,KI,KP,KR,KW,KG,LA,LV,LB,LS,LR,LY,LI,LT,LU,MO,MK,MG,MW,MY,MV,ML,MT,MH,MQ,MR,MU,YT,MX,FM,MD,MC,MN,MS,MA,MZ,MM,NA,NR,NP,NL,AN,NC,NZ,NI,NE,NG,NU,NF,MP,NO,OM,PK,PW,PA,PG,PY,PE,PH,PN,PL,PT,PR,QA,RE,RO,RU,RW,KN,LC,VC,WS,SM,ST,SA,SN,SC,SL,SG,SK,SI,SB,SO,ZA,GS,ES,LK,SH,PM,SD,SR,SJ,SZ,SE,CH,SY,TW,TJ,TZ,TH,TG,TK,TO,TT,TN,TR,TM,TC,TV,UG,UA,AE,GB,US,UM,UY,UZ,VU,VE,VN,VG,VI,WF,EH,YE,ZM,ZW
For more information, please consult the official documentation: http://www.configserver.com/techfaq/index.php

Managing IP Addresses

To allow or whitelist specific IP addresses, use the following command:
csf -a 123.123.123.123
Replace the numbers with the IP address you wish to allow. This IP address will be added to a list of IP addresses allowed to access your server. The list is contained at /etc/csf.conf and can be edited by hand.
You can also remove an IP address from the allow list by using this command:
csf -ar 123.123.123.123
In the case of an attack, you can also block certain IP addresses. Use the following command:
csf -d 123.123.123.123
This IP address will be added to the list of IP addresses blocked by iptables and is contained at /etc/csf.deny
You can also remove an IP address by using the following command:
csf -dr 123.123.123.123
When you have completed your changes, be sure to restart CSF:
csf -r

Enabling the firewall:
csf -e

Disabling the firewall:
csf -x or csf --disable

Starting the firewall / applying rules:
csf -s or csf --start

Stopping the firewall / flushing rules:
csf --stop or csf -f

To find a blocked IP:
csf -g 1.2.13.14

To remove the IP from the blacklist:
csf -dr 1.2.13.14 and csf -tr 1.2.13.14
