How to configure firewall via command line on Linux

Last updated on July 11, 2020 by Dan Nanni

When you are looking to configure a firewall on Linux, iptables might be the first tool that comes to mind. Of course there are GUI front-ends for iptables that may ease its learning curve. However, if you are not a big fan of GUI tools, you can consider CSF (ConfigServer Security & Firewall). CSF is an easy-to-use yet versatile firewall configuration tool written in Perl that works well in headless server environments. Using CSF, you can easily configure advanced firewall rules such as stateful packet inspection and intrusion detection filters via its command-line interface or a CSF configuration file.

CSF is supported on all major Linux distributions including CentOS, Red Hat, Fedora, Ubuntu, Debian and openSUSE. As of this writing, the current version supports CentOS/RHEL v7-v8, Debian v8-v10, Ubuntu v18-v20 and Fedora v30.

You can use CSF on top of popular web hosting control panel platforms such as cPanel and DirectAdmin, since pre-configuration for such platforms is already included in CSF's default installation.

The following guide describes how to install and configure firewall rules with CSF on Linux.

Install CSF on Linux

You can download CSF from the official site. The tar archive of CSF comes with an installation script.

$ wget https://download.configserver.com/csf.tgz
$ tar xvfz csf.tgz
$ cd csf
$ sudo ./install.sh

Configure CSF the First Time

Test whether all iptables modules needed by CSF are available.

$ sudo /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

In order for CSF to work properly, make sure that you are not using any other iptables configuration tools such as APF and BFD, since CSF can conflict with them. Therefore, run the following script to remove APF/BFD as a safeguard. Don't worry if the script throws an "apf: command not found" error.

$ sudo /etc/csf/remove_apf_bfd.sh

Now you are ready to configure CSF on your system. All CSF related scripts and configurations are installed in /etc/csf.

By default, CSF starts in TESTING mode, which means that the firewall rules are not fully in effect. To disable TESTING mode and customize firewall rules, edit the CSF configuration file.

$ sudo vi /etc/csf/csf.conf
# Change to 0 to disable TESTING mode
TESTING = "0"
. . .
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123"
. . .

After modifying /etc/csf/csf.conf, make sure to restart CSF as follows. Any necessary changes to the iptables rules will be made automatically according to the modified CSF configuration.

$ sudo csf -r
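Before running csf -r, it is worth checking that the edited csf.conf actually says what you intend: TESTING is off, and the inbound port list has not quietly grown beyond what the server needs. The following script is an added example, not from the article or the CSF project; it assumes the KEY = "value" layout shown above and uses a constructed sample file and a baseline port list chosen for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article or the CSF project. It assumes the
# KEY = "value" layout of csf.conf; the port baseline is a constructed policy.

# Print the value of option $2 from csf.conf $1 (first match, quotes stripped).
csf_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Succeed only when TESTING is "0", i.e. the rules are actually enforced.
csf_testing_disabled() {
    [ "$(csf_conf_get "$1" TESTING)" = "0" ]
}

# Print each port in option $2's comma-separated list that is not in the
# approved baseline $3 (also comma-separated). No output means compliant.
csf_unexpected_ports() {
    csf_conf_get "$1" "$2" | tr ',' '\n' | while IFS= read -r p; do
        [ -n "$p" ] || continue
        case ",$3," in
            *",$p,"*) ;;              # port is in the baseline
            *) printf '%s\n' "$p" ;;  # port is not approved
        esac
    done
}

# Audit one file: report TESTING state and out-of-baseline inbound TCP ports.
# Returns 0 when TESTING is off and TCP_IN is within the baseline, 1 otherwise.
csf_audit() {
    rc=0
    if csf_testing_disabled "$1"; then echo "TESTING = 0: rules are enforced"
    else echo "TESTING != 0: rules NOT enforced; set TESTING = \"0\""; rc=1; fi
    extra=$(csf_unexpected_ports "$1" TCP_IN "$2")
    if [ -z "$extra" ]; then echo "TCP_IN is within the baseline"
    else echo "TCP_IN ports outside baseline: $(echo "$extra" | tr '\n' ' ')"; rc=1; fi
    return $rc
}

# Constructed sample csf.conf (not a real server's file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Change to 0 to disable TESTING mode
TESTING = "1"
TCP_IN = "22,80,443,3306"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
EOF

csf_audit "$SAMPLE_CONF" "22,80,443" || echo "audit failed: fix csf.conf before 'csf -r'"
```

Point the script at the real /etc/csf/csf.conf and your own baseline to use it on a server.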

Besides the CSF configuration file, you can also use the csf command to configure the firewall via the command-line interface. The csf command offers comprehensive options for configuring firewall rules, as follows.

Usage: /usr/sbin/csf [option] [value]

Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-l6, --status6      List/Show ip6tables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules (Note: lfd may restart csf)
-r, --restart       Restart firewall rules
-q, --startq        Quick restart (csf restarted by lfd)
-sf, --startf       Force CLI restart regardless of LFDSTART setting
-a, --add ip        Allow an IP and add to /etc/csf.allow
-ar, --addrm ip     Remove an IP from /etc/csf.allow and delete rule
-d, --deny ip       Deny an IP and add to /etc/csf.deny
-dr, --denyrm ip    Unblock an IP and remove from /etc/csf.deny
-df, --denyf        Remove and unblock all entries in /etc/csf.deny
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temp IP entries and their TTL
-tr, --temprm ip    Remove an IPs from the temp IP ban and allow list
-td, --tempdeny ip ttl [-p port] [-d direction]
                    Add an IP to the temp IP ban list. ttl is how long to
                    blocks for (default:seconds, can use one suffix of h/m/d).
                    Optional port. Optional direction of block can be one of:
                    in, out or inout (default:in)
-ta, --tempallow ip ttl [-p port] [-d direction]
                    Add an IP to the temp IP allow list (default:inout)
-tf, --tempf        Flush all IPs from the temp IP entries
-cp, --cping        PING all members in an lfd Cluster
-cd, --cdeny ip     Deny an IP in a Cluster and add to /etc/csf.deny
-ca, --callow ip    Allow an IP in a Cluster and add to /etc/csf.allow
-cr, --crm ip       Unblock an IP in a Cluster and remove from /etc/csf.deny
-cc, --cconfig [name] [value]
                    Change configuration option [name] to [value] in a Cluster
-cf, --cfile [file] Send [file] in a Cluster to /etc/csf/
-crs, --crestart    Cluster restart csf and lfd
-w, --watch ip      Log SYN packets for an IP across iptables chains
-m, --mail [addr]   Display Server Check in HTML or email to [addr] if present
-lr, --logrun       Initiate Log Scanner report via lfd
-c, --check         Check for updates to csf but do not upgrade
-u, --update        Check for updates to csf and upgrade if available
-uf                 Force an update of csf
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version

If you want to uninstall CSF at any point, simply run the following.

$ sudo /etc/csf/uninstall.sh

Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.