If you are looking to configure firewall on Linux, consider CSF (ConfigServer Security & Firewall). CSF is an easy-to-use, yet versatile firewall configuration tool written in Perl. Using CSF, you can easily configure advanced firewall rules such as stateful packet inspection and intrusion detection filters via its command-line interface or CSF configuration file.
CSF is supported on all major Linux distributions including CentOS, Redhat, Fedora, Ubuntu, Debian and openSUSE.
You can use CSF on top of popular web hosting control panel platforms such as cPanel/DirectAdmin, as pre-configuration for such platforms are already available in CSF's default installation.
To install and configure CSF on Linux, follow this guide.
Download CSF and run an installation script.
$ tar xvfvz csf.tgz
$ cd csf
$ sudo ./install.sh
Test whether all iptables modules needed by CSF are available.
Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing xt_connlimit...OK Testing ipt_owner/xt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK Testing iptable_nat/ipt_DNAT...OK RESULT: csf should function on this server
In order for CSF to work properly, you need to make sure that you are not using any other iptables configuration tools such as APF and BFD, since CSF can be in conflict with them. Therefore, run the following script to remove APF/BFD as a safeguard. Don't worry if the script throws "apf: command not found" error.
Now you are ready to configure CSF on your system. All CSF related scripts and configurations are installed in /etc/csf.
By default, CSF gets started as "Testing" mode, which means that firewall rules are not fully in effect. To disable this "Testing" mode and customize firewall rules, modify a CSF configuration.
# Change to 0 to disable TESTING mode TESTING = "0" . . . # Allow incoming TCP ports TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" # Allow outgoing TCP ports TCP_OUT = "20,21,22,25,53,80,110,113,443" # Allow incoming UDP ports UDP_IN = "20,21,53" # Allow outgoing UDP ports UDP_OUT = "20,21,53,113,123" . . .
After modifying /etc/csf/csf.conf, make sure to restart CSF as follows. Any necessary change in iptables rules will automatically be made according to modified CSF configuration.
Besides CSF configuration file, you can also use the csf command to configure firewall via command-line interface. The csf command offers comprehensive options to configure firewall rules as follows.
Usage: /usr/sbin/csf [option] [value] Option Meaning -h, --help Show this message -l, --status List/Show iptables configuration -l6, --status6 List/Show ip6tables configuration -s, --start Start firewall rules -f, --stop Flush/Stop firewall rules (Note: lfd may restart csf) -r, --restart Restart firewall rules -q, --startq Quick restart (csf restarted by lfd) -sf, --startf Force CLI restart regardless of LFDSTART setting -a, --add ip Allow an IP and add to /etc/csf.allow -ar, --addrm ip Remove an IP from /etc/csf.allow and delete rule -d, --deny ip Deny an IP and add to /etc/csf.deny -dr, --denyrm ip Unblock an IP and remove from /etc/csf.deny -df, --denyf Remove and unblock all entries in /etc/csf.deny -g, --grep ip Search the iptables rules for an IP match (incl. CIDR) -t, --temp Displays the current list of temp IP entries and their TTL -tr, --temprm ip Remove an IPs from the temp IP ban and allow list -td, --tempdeny ip ttl [-p port] [-d direction] Add an IP to the temp IP ban list. ttl is how long to blocks for (default:seconds, can use one suffix of h/m/d). Optional port. Optional direction of block can be one of: in, out or inout (default:in) -ta, --tempallow ip ttl [-p port] [-d direction] Add an IP to the temp IP allow list (default:inout) -tf, --tempf Flush all IPs from the temp IP entries -cp, --cping PING all members in an lfd Cluster -cd, --cdeny ip Deny an IP in a Cluster and add to /etc/csf.deny -ca, --callow ip Allow an IP in a Cluster and add to /etc/csf.allow -cr, --crm ip Unblock an IP in a Cluster and remove from /etc/csf.deny -cc, --cconfig [name] [value] Change configuration option [name] to [value] in a Cluster -cf, --cfile [file] Send [file] in a Cluster to /etc/csf/ -crs, --crestart Cluster restart csf and lfd -w, --watch ip Log SYN packets for an IP across iptables chains -m, --mail [addr] Display Server Check in HTML or email to [addr] if present -lr, --logrun Initiate Log Scanner report via lfd -c, --check Check for updates to csf but do not upgrade -u, --update Check for updates to csf and upgrade if available -uf Force an update of csf -x, --disable Disable csf and lfd -e, --enable Enable csf and lfd if previously disabled -v, --version Show csf version
If you want to uninstall CSF at any point, simply run the following.
Subscribe to Xmodulo
Do you want to receive Linux FAQs, detailed tutorials and tips published at Xmodulo? Enter your email address below, and we will deliver our Linux posts straight to your email box, for free. Delivery powered by Google Feedburner.
Did you find this tutorial helpful? Then please be generous and support Xmodulo!
Latest posts by Dan Nanni (see all)
- How to install Suricata intrusion detection system on Linux - September 3, 2015
- How to switch from NetworkManager to systemd-networkd on Linux - August 31, 2015
- How to set up a system status page of your infrastructure - August 25, 2015