Add custom iptables rule to csf

You can add custom rules that CSF applies either before or after it configures iptables by creating the files /etc/csf/csfpre.sh (run before csf builds its chains) and /etc/csf/csfpost.sh (run after), and placing your iptables commands in one or the other.

When you restart csf, the end of its output shows the post script being run:

LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
Running /etc/csf/csfpost.sh

For example:

When enabling a port, do not enable it in the csf.conf file. Instead, create the file /etc/csf/csfpost.sh and add the iptables rule there, so that it is applied every time csf is restarted.

To enable a port incoming
———————–
iptables -I INPUT -s 0/0 -p tcp --dport 995 -j ACCEPT

Outgoing
————
iptables -I OUTPUT -s 0/0 -p tcp --dport 995 -j ACCEPT

This way csf.conf is left unaltered.
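As an added example (not from the original post), here is a complete /etc/csf/csfpost.sh that applies the two rules above. It wraps the rules in functions so the script stays readable as more ports are added, and it checks with `iptables -C` before inserting, so running the script by hand a second time does not stack duplicate rules. The port number 995, the `ensure_rule` and `rule_args` helper names, and the `IPT` variable are this example's own choices; csf itself only requires that the file exist and be executable.

```shell
#!/bin/sh
# /etc/csf/csfpost.sh (example): csf runs this after it has built its own chains.
set -eu

# Path or name of the iptables binary (overridable for testing).
IPT=${IPT:-iptables}

# Print the iptables arguments for accepting one TCP port in one direction.
#   in  -> INPUT chain, traffic arriving at this port on the server
#   out -> OUTPUT chain, connections the server makes to this port elsewhere
rule_args() {
    dir=$1
    port=$2
    case $dir in
        in)  echo "INPUT -p tcp --dport $port -j ACCEPT" ;;
        out) echo "OUTPUT -p tcp --dport $port -j ACCEPT" ;;
        *)   echo "rule_args: unknown direction '$dir'" >&2; return 1 ;;
    esac
}

# Insert the rule only if it is not already present (-C returns 0 when it is).
ensure_rule() {
    args=$(rule_args "$1" "$2") || return 1
    # $args is intentionally unquoted so it splits into separate arguments.
    if "$IPT" -C $args 2>/dev/null; then
        echo "present: $args"
    else
        "$IPT" -I $args && echo "added: $args"
    fi
}

# Apply the rules only when csf invokes this file by its own name; this lets the
# functions above be sourced elsewhere without touching the firewall.
case $0 in
    */csfpost.sh|csfpost.sh)
        ensure_rule in 995    # incoming POP3S, as in the post
        ensure_rule out 995   # outgoing POP3S, as in the post
        ;;
esac
```

Make the file executable (`chmod +x /etc/csf/csfpost.sh`) and run `csf -r`; the "added:" lines appear right after "Running /etc/csf/csfpost.sh" in the restart output.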

To open a port for a specific IP, use the csf.allow file. Still do not edit csf.conf: global changes that must apply to all servers are made through Puppet, so that every server keeps an identical configuration.

When we run csf -r we can see the script executing, as below.

PS: Please check for errors while restarting CSF.

===========
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
Restarting bandmin acctboth chains for cPanel
acctboth  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
acctboth  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
acctboth  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
acctboth  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
Running /etc/csf/csfpost.sh
===========


One thought on "Add custom iptables rule to csf"

  1. Tokke says:

     Thanks! This is a really awesome trick!
