How to configure firewall via command line on Linux

If you are looking to configure firewall on Linux, consider CSF (ConfigServer Security & Firewall). CSF is an easy-to-use, yet versatile firewall configuration tool written in Perl. Using CSF, you can easily configure advanced firewall rules such as stateful packet inspection and intrusion detection filters via its command-line interface or CSF configuration file.

CSF is supported on all major Linux distributions including CentOS, Redhat, Fedora, Ubuntu, Debian and openSUSE.

You can use CSF on top of popular web hosting control panel platforms such as cPanel/DirectAdmin, as pre-configuration for such platforms are already available in CSF's default installation.

To install and configure CSF on Linux, follow this guide.

Download CSF and run an installation script.

$ wget http://www.configserver.com/free/csf.tgz
$ tar xvfvz csf.tgz
$ cd csf
$ sudo ./install.sh

Test whether all iptables modules needed by CSF are available.

$ sudo /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

In order for CSF to work properly, you need to make sure that you are not using any other iptables configuration tools such as APF and BFD, since CSF can be in conflict with them. Therefore, run the following script to remove APF/BFD as a safeguard. Don't worry if the script throws "apf: command not found" error.

$ sudo /etc/csf/remove_apf_bfd.sh

Now you are ready to configure CSF on your system. All CSF related scripts and configurations are installed in /etc/csf.

By default, CSF gets started as "Testing" mode, which means that firewall rules are not fully in effect. To disable this "Testing" mode and customize firewall rules, modify a CSF configuration.

$ sudo vi /etc/csf/csf.conf
# Change to 0 to disable TESTING mode
TESTING = "0"
. . .
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123"
. . .

After modifying /etc/csf/csf.conf, make sure to restart CSF as follows. Any necessary change in iptables rules will automatically be made according to modified CSF configuration.

$ sudo csf -r

Besides CSF configuration file, you can also use the csf command to configure firewall via command-line interface. The csf command offers comprehensive options to configure firewall rules as follows.

Usage: /usr/sbin/csf [option] [value]

Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-l6, --status6      List/Show ip6tables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules (Note: lfd may restart csf)
-r, --restart       Restart firewall rules
-q, --startq        Quick restart (csf restarted by lfd)
-sf, --startf       Force CLI restart regardless of LFDSTART setting
-a, --add ip        Allow an IP and add to /etc/csf.allow
-ar, --addrm ip     Remove an IP from /etc/csf.allow and delete rule
-d, --deny ip       Deny an IP and add to /etc/csf.deny
-dr, --denyrm ip    Unblock an IP and remove from /etc/csf.deny
-df, --denyf        Remove and unblock all entries in /etc/csf.deny
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temp IP entries and their TTL
-tr, --temprm ip    Remove an IPs from the temp IP ban and allow list
-td, --tempdeny ip ttl [-p port] [-d direction]
                    Add an IP to the temp IP ban list. ttl is how long to
                    blocks for (default:seconds, can use one suffix of h/m/d).
                    Optional port. Optional direction of block can be one of:
                    in, out or inout (default:in)
-ta, --tempallow ip ttl [-p port] [-d direction]
                    Add an IP to the temp IP allow list (default:inout)
-tf, --tempf        Flush all IPs from the temp IP entries
-cp, --cping        PING all members in an lfd Cluster
-cd, --cdeny ip     Deny an IP in a Cluster and add to /etc/csf.deny
-ca, --callow ip    Allow an IP in a Cluster and add to /etc/csf.allow
-cr, --crm ip       Unblock an IP in a Cluster and remove from /etc/csf.deny
-cc, --cconfig [name] [value]
                    Change configuration option [name] to [value] in a Cluster
-cf, --cfile [file] Send [file] in a Cluster to /etc/csf/
-crs, --crestart    Cluster restart csf and lfd
-w, --watch ip      Log SYN packets for an IP across iptables chains
-m, --mail [addr]   Display Server Check in HTML or email to [addr] if present
-lr, --logrun       Initiate Log Scanner report via lfd
-c, --check         Check for updates to csf but do not upgrade
-u, --update        Check for updates to csf and upgrade if available
-uf                 Force an update of csf
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version

If you want to uninstall CSF at any point, simply run the following.

$ sudo /etc/csf/uninstall.sh

Subscribe to Xmodulo

Do you want to receive Linux FAQs, detailed tutorials and tips published at Xmodulo? Enter your email address below, and we will deliver our Linux posts straight to your email box, for free. Delivery powered by Google Feedburner.

The following two tabs change content below.
Dan Nanni is the founder and also a regular contributor of Xmodulo.com. He is a Linux/FOSS enthusiast who loves to get his hands dirty with his Linux box. He likes to procrastinate when he is supposed to be busy and productive. When he is otherwise free, he likes to watch movies and shop for the coolest gadgets.

Leave a comment

Your email address will not be published. Required fields are marked *

Current ye@r *