Will restarting CSF (csf -r) remove already defined custom iptables rules?

Yes, it will. A custom iptables rule added by hand on a CSF-managed server works until the next restart: csf -r deletes the existing chains and rebuilds them from its own configuration, so any rule CSF does not know about is lost. CSF is one of the best free iptables management tools for Linux servers, and it is simple to manage from the command line. You can install it by downloading the installation script; the following link explains how to install CSF on a Linux server.

How to install CSF in Linux server

So, is there a way to keep custom rules across a restart?

How to install/add custom iptables rules in CSF?

Sometimes we have to add custom iptables rules on a CSF server for traffic that CSF's own configuration does not cover. Yes, there is a way. CSF provides pre and post scripts which it executes before and after it sets up its own rules. The two files are csfpre.sh and csfpost.sh in the /etc/csf directory (if they are not there, just create them). Put the iptables commands you want into the appropriate script and CSF re-applies them on every restart.

csfpre.sh: runs external commands before CSF configures iptables
csfpost.sh: runs external commands after CSF configures iptables

Ordering matters. CSF deletes the chains before it runs csfpre.sh, so a rule appended (-A) there ends up ahead of CSF's own rules. A rule appended in csfpost.sh ends up after CSF's rules, including the final jump to LOGDROPIN that CSF puts at the end of INPUT, where an ACCEPT would never be reached. For allow rules, use csfpre.sh, or insert (-I) rather than append if you must use csfpost.sh.

Here is one example: allow a single IP address to reach SSH. The rule is:

iptables -A INPUT -i eth0 -p tcp -s 1.1.1.1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Testing without csfpre.sh and csfpost.sh:

Step 1: SSH to the server.
Step 2: Add the rule and confirm it is in place.

iptables -A INPUT -i eth0 -p tcp -s 1.1.1.1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@vps ~]# iptables -L -n|grep 1.1.1.1
ACCEPT     tcp  --  1.1.1.1              0.0.0.0/0           tcp dpt:22 state NEW,ESTABLISHED 

Step 3: Restart the firewall with csf -r. The rule vanishes:

[root@vps ~]# iptables -L -n|grep 1.1.1.1
[root@vps ~]#

That's gone!

Testing with csfpre.sh and csfpost.sh:

Step 1: Add the same rule to both csfpre.sh and csfpost.sh (one script is enough in practice; it was added to both here to show that both scripts run).
Step 2: Restart CSF with csf -r. The relevant part of the output:

Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Running /etc/csf/csfpre.sh
/etc/csf/csfpre.sh: line 1: tables: command not found
csf: FASTSTART loading DROP no logging (IPv4)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix 
.....
.....
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
Running /etc/csf/csfpost.sh
/etc/csf/csfpost.sh: line 1: tables: command not found
*WARNING* URLGET set to use LWP but perl module is not installed, reverting to HTTP::Tiny

The two "tables: command not found" lines mean that line 1 of each script contains a command named tables (presumably a mangled iptables); the rule itself is on another line and was applied, as the listing below shows. The LWP warning is unrelated to the scripts. It is worth checking a script with sh -n /etc/csf/csfpre.sh before restarting. After the restart the rule is back, once from each script 🙂

[root@vps csf]# iptables -L -n|grep 1.1.1.1
ACCEPT     tcp  --  1.1.1.1              0.0.0.0/0           tcp dpt:22 state NEW,ESTABLISHED 
ACCEPT     tcp  --  1.1.1.1              0.0.0.0/0           tcp dpt:22 state NEW,ESTABLISHED
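Here is a fuller csfpre.sh, added as an example (it is not from the original post and not part of CSF itself). It defines the rule once, checks with iptables -C before adding so that a second run does not produce the duplicate seen in the listing above, and switches from -A to -I when it runs as csfpost.sh so that an ACCEPT lands ahead of CSF's final jump to LOGDROPIN. The interface eth0, the address 1.1.1.1 and the /sbin/iptables path are assumptions; override them with the IFACE, ADMIN_IP and IPTABLES environment variables or edit the defaults. The rule is applied only when the script runs under the name csfpre.sh or csfpost.sh; under any other name it just defines the functions, so you can source it to check a listing without touching the firewall.

```sh
#!/bin/sh
# Added example of /etc/csf/csfpre.sh (also usable as csfpost.sh).
# Not from the original post or from CSF. Re-applies custom iptables rules
# every time csf -r rebuilds the firewall, without creating duplicates.
# Assumptions: interface eth0, admin address 1.1.1.1, iptables at /sbin/iptables.
IPTABLES="${IPTABLES:-/sbin/iptables}"
IFACE="${IFACE:-eth0}"
ADMIN_IP="${ADMIN_IP:-1.1.1.1}"

# Print the rule specification (chain, matches, target) that allows SSH from
# one source address. Defined once so check (-C) and add (-A/-I) stay in sync.
ssh_allow_rule() {   # $1 = interface, $2 = source IP
    printf 'INPUT -i %s -p tcp -s %s --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$1" "$2"
}

# Return 0 if the rule spec appears in the given `iptables -S` output.
# Exact-line match (-x) avoids the loose matching of grepping `-L -n`.
rule_in_listing() {  # $1 = rule spec, $2 = text of `iptables -S`
    printf '%s\n' "$2" | grep -Fxq -- "-A $1"
}

# Add the rule unless it already exists. `iptables -C` exits 0 when an
# identical rule is present, so running the script twice is harmless.
# $1 = -A (append) or -I (insert at top), $2 = rule spec.
# $2 is deliberately unquoted: it must word-split into iptables arguments.
add_rule_once() {
    if "$IPTABLES" -C $2 2>/dev/null; then
        echo "already present: $2"
    else
        "$IPTABLES" "$1" $2
    fi
}

apply_rules() {      # $1 = -A or -I
    add_rule_once "$1" "$(ssh_allow_rule "$IFACE" "$ADMIN_IP")"
}

# CSF deletes the chains before csfpre.sh, so appending there puts the rule
# ahead of CSF's own rules. csfpost.sh runs after CSF has appended its final
# jump to LOGDROPIN on INPUT, so an appended ACCEPT would never be reached:
# insert at the top instead. Under any other name, only define the functions.
case "${0##*/}" in
    csfpre.sh)  apply_rules -A ;;
    csfpost.sh) apply_rules -I ;;
esac
```

After csf -r, verify with iptables -S INPUT rather than iptables -L -n: the -S form prints each rule as a single command line, which is what rule_in_listing matches against.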

That’s it!


Arunlal Ashok

Linux Server Administrator. I’m managing Linux servers since 2012. I started this blog to share and discuss my ideas.

Any questions? Write to arun (@) crybit.com
