How to open a port for a particular IP address using iptables, CSF and APF – A comparison

This is a useful trick for hiding a service from the public while keeping it reachable from a few trusted addresses: block the port for everyone, then open it for the IP addresses that need it.

Plain iptables commands can do this, but writing the rules by hand is error-prone if you are not used to iptables syntax and rule ordering. Firewall front ends such as CSF and APF turn the same change into editing two configuration lines.

Here I am explaining the different options to open a port for an IP address using iptables, CSF and APF.

How to open a port for a particular IP address or a range of IP address using iptables?

With iptables on Linux you can block or open a port for a particular source address. To open a port only for one IP address you need two rules: one that drops the port for everyone, and one that accepts it for the allowed source. Order matters, because iptables stops at the first matching rule, so the ACCEPT must sit above the DROP. The rule below blocks a port globally.

iptables -I INPUT -p tcp --dport PORT-NUMBER -j DROP

Example:

iptables -I INPUT -p tcp --dport 22 -j DROP

Here I am blocking the SSH port globally. Make sure you have console (node) access or another way in: this DROP rule matches every packet to port 22, including those of the SSH session you typed it from, so that session will hang. Pick a different port for testing if in doubt. 🙂 Note also that rules added this way live only in the running kernel; save them (iptables-save, or your distribution's persistence service) if they must survive a reboot.

To open a port for an IP address.

iptables -I INPUT -p tcp -s IP.ADD.RE.SS --dport PORT-NUMBER -j ACCEPT

Example (because -I inserts at the top of the chain, the ACCEPT added second lands above the DROP added first, which iptables -L confirms):

iptables -I INPUT -p tcp -s 1.1.1.1 --dport 22 -j ACCEPT
[root@CryBit ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  1.1.1.1              anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh

IPTables rule to open a port for a range of IP addresses.

It is just as simple to open a port for a range of addresses: give -s a CIDR network instead of a single host. iptables silently normalizes a host address with a mask (1.1.1.1/16) to the network address (1.1.0.0/16), so write the network explicitly to avoid confusion about what is allowed. The command is the same as for a single IP, with the protocol matching the service (TCP for SSH):

iptables -I INPUT -p tcp -s 1.1.0.0/16 --dport 22 -j ACCEPT
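As an added example (not code from the original post), the following POSIX shell script generates the rules above for any port and any list of source IPs or CIDR networks, and checks rule order in the output of `iptables -S INPUT`. It uses a dedicated chain named PORT_ACL_<port> (our own naming convention, not something iptables provides) and the conntrack match, which every current iptables ships with. It prints the commands instead of applying them, so review the output and then pipe it into sh as root.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the iptables rules
# that open one TCP port to a whitelist of sources and drop it for all others,
# and checks rule order in `iptables -S INPUT` output.
# Assumptions: iptables with the conntrack match; the chain name PORT_ACL_<port>
# is our own convention. Nothing here applies rules; the commands are printed.

# emit_rules PORT SRC [SRC...]
# Print the commands. Review them, then: emit_rules 22 203.0.113.10 | sudo sh
emit_rules() {
  port=$1; shift
  chain="PORT_ACL_$port"
  # A dedicated chain keeps the allow list and the final DROP together, and
  # with -A the rules match in exactly the order they are written here.
  echo "iptables -N $chain"
  for src in "$@"; do
    echo "iptables -A $chain -s $src -j ACCEPT"
  done
  echo "iptables -A $chain -j DROP"
  # Only NEW connections are sent to the chain, so the SSH session you apply
  # this from (already established) is not cut off; -I puts the jump at the top
  # of INPUT so that no earlier catch-all ACCEPT can bypass it.
  echo "iptables -I INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j $chain"
}

# check_order PORT   (reads `iptables -S INPUT` on stdin)
# Exit 0 if every source-specific ACCEPT for PORT comes before the catch-all
# DROP for it. iptables takes the first match, so an ACCEPT placed below the
# DROP is dead and the "allowed" host is still locked out.
check_order() {
  awk -v port="$1" '
    $0 ~ ("--dport " port "( |$)") {
      if ($0 ~ / -j DROP$/ && $0 !~ / -s /) drop_seen = 1
      else if ($0 ~ / -j ACCEPT$/ && $0 ~ / -s / && drop_seen) bad = 1
    }
    END { exit bad ? 1 : 0 }'
}
```

Usage: `iptables -S INPUT | check_order 22` after applying the rules; a non-zero exit means an allow rule sits below the drop and must be moved up (or re-added with -I).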

How to open a port for a particular IP address or a range of IP address using CSF?

CSF (ConfigServer Security & Firewall) is the most commonly used front end for configuring iptables. It is open source and simple to install on your server; see the separate posts on installing and configuring CSF on a Linux server and on commonly used CSF commands.

Now to the point: how to open a port for an IP? It is very simple with CSF. Follow the steps below:

Step I : SSH to server as root.
Step II : Open the csf.allow file with your favorite editor.

# vi /etc/csf/csf.allow
#ADD THE FOLLOWING LINE
----
tcp|in|d=Port|s=xxx.xxx.xxx.xxx
----

Replace xxx.xxx.xxx.xxx with the IP address (a CIDR network such as 132.133.112.0/24 is accepted too) and Port with the port number.
Example:

tcp|in|d=3306|s=132.133.112.100

Step III : Close the port to everyone else.
Open the CSF configuration file and remove the port (3306 in the example) from the TCP_IN list. Entries in csf.allow are applied ahead of the TCP_IN rules, so the allowed IP keeps its access while the port disappears for everyone else. The list below already has 3306 removed:

# vi /etc/csf/csf.conf
---
TCP_IN = "20,21,25,53,80,110,2078,2082,2083,2086,2087,2095,2096,2929,30000:35000"
---

Step IV : Restart CSF.

csf -r

How to open a port for a particular IP address or a range of IP address using APF?

Using APF to open a port for one IP is similar to CSF, and like CSF it is easy to install. See the separate posts on installing and configuring APF on a Linux server and on APF command usage.

Steps to open a port for an IP.

Step I : SSH to server as root.
Step II : Open the /etc/apf/allow_hosts.rules file with your favorite editor.

# vi /etc/apf/allow_hosts.rules
#ADD THE FOLLOWING LINE
----
tcp:in:d=Port:s=xxx.xxx.xxx.xxx
----

Replace xxx.xxx.xxx.xxx with the IP address (or a CIDR network) and Port with the port number.
Example:

tcp:in:d=22:s=202.5.1.3

Step III : Close the port to everyone else.
Open the APF configuration file and remove the port (22 in the example) from the IG_TCP_CPORTS list. Rules from allow_hosts.rules are loaded ahead of the IG_TCP_CPORTS rules, so the allowed IP keeps its access. Note that conf.apf is sourced as a shell file, so keep the value quoted with no spaces around the equals sign. The list below already has 22 removed:

# vi /etc/apf/conf.apf
---
IG_TCP_CPORTS="20,21,25,53,80,110,143,443,3306"
---

Step IV : Restart APF.

apf -r
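Both the CSF steps (csf.allow plus TCP_IN) and the APF steps (allow_hosts.rules plus IG_TCP_CPORTS) are the same three operations: add an allow entry, remove the port from the open-port list, restart. As an added example (not code from the original post or from the CSF/APF projects), the POSIX shell script below does them in one go and can be re-run without duplicating the allow line. It assumes the stock file locations and the `csf -r` / `apf -r` restart commands shown above; the paths and restart commands are overridable through environment variables (CSF_ALLOW, CSF_CONF, CSF_RESTART, APF_ALLOW, APF_CONF, APF_RESTART, our own names) so the editing logic can be tried on copies of the files first.

```shell
#!/bin/sh
# Added example, not code from the original post or from CSF/APF. Scripts the
# CSF and APF steps (add the allow entry, remove the port from the open-port
# list, restart) so they can be re-run safely. Assumes the stock paths
# /etc/csf/csf.allow, /etc/csf/csf.conf, /etc/apf/allow_hosts.rules and
# /etc/apf/conf.apf and the restart commands `csf -r` / `apf -r`; all are
# overridable through environment variables (our own names) for dry runs.

# drop_port LIST PORT: print LIST (comma-separated) without PORT. Ranges such
# as 30000:35000 are left alone; only an exact entry is removed.
drop_port() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -vxF "$2" | paste -sd, -
}

# set_port_list FILE VAR PORT: rewrite the VAR="..." line in FILE with PORT
# removed. Only the quoted value is touched, so CSF's `TCP_IN = "..."` and
# APF's `IG_TCP_CPORTS="..."` (a shell-sourced file, where spaces around =
# would break it) both keep their original spacing.
set_port_list() {
  file=$1 var=$2 port=$3
  current=$(sed -n "s/^$var *= *\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1)
  new=$(drop_port "$current" "$port")
  sed "s/^\($var *= *\)\"[^\"]*\"/\1\"$new\"/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# allow_line FILE LINE: append LINE unless it is already present (idempotent).
allow_line() {
  grep -qxF "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# csf_restrict PORT SOURCE: steps II-IV of the CSF section, e.g.
#   csf_restrict 3306 132.133.112.100
csf_restrict() {
  allow_line "${CSF_ALLOW:-/etc/csf/csf.allow}" "tcp|in|d=$1|s=$2"
  set_port_list "${CSF_CONF:-/etc/csf/csf.conf}" TCP_IN "$1"
  ${CSF_RESTART:-csf -r}
}

# apf_restrict PORT SOURCE: steps II-IV of the APF section, e.g.
#   apf_restrict 22 202.5.1.3
apf_restrict() {
  allow_line "${APF_ALLOW:-/etc/apf/allow_hosts.rules}" "tcp:in:d=$1:s=$2"
  set_port_list "${APF_CONF:-/etc/apf/conf.apf}" IG_TCP_CPORTS "$1"
  ${APF_RESTART:-apf -r}
}
```

To try it without touching the live firewall, point CSF_CONF and CSF_ALLOW at copies of the files and set CSF_RESTART=true (the shell no-op); the same works for the APF variables.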

That’s it!! 🙂


Arunlal A

Senior System Developer at Zeta. Linux lover. Traveller. Let's connect! Whether you're a seasoned DevOps pro or just starting your journey, I'm always eager to engage with like-minded individuals. Follow my blog for regular updates, connect on social media, and let's embark on this DevOps adventure together! Happy coding and deploying!

4 thoughts on “How to open a port for a particular IP address using iptables, CSF and APF – A comparison”

  1. I am able to see the website from our ISP network even when the IP is blocked. I found that there is no issue with the CSF firewall, since I checked with a ping request after denying the ISP IP.

    Is this issue due to any other firewall running? If so, how do I solve it?
