
How to create a rule in CSF to allow an IP to access a specific port

In a firewall you sometimes want to allow one IP through on a certain port without fully whitelisting it. Doing so in CSF is straightforward, and the concept is the same as on many home routers. This tutorial shows how to do it both via WHM's CSF GUI and via the command line.

Create single-port CSF rule via WHM

Difficulty
Medium

  1. Log in to WHM and navigate to the "ConfigServer Security & Firewall" page. It is generally at the very bottom, under the "Plugins" category.
  2. On this page, press the "Firewall Allow IPs" button. It's about mid-way down the page.
  3. On this page you'll see a list of the IPs you've whitelisted, unless you've previously modified this page. The top section, where each line is preceded by a # symbol, is not read by the system; it contains helpful tips. It should look similar to the following:
      ###############################################################################
      # Copyright 2006-2013, Way to the Web Limited
      # URL: http://www.configserver.com
      # Email: [email protected]
      ###############################################################################
      # The following IP addresses will be allowed through iptables.
      # One IP address per line.
      # CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
      # Only list IP addresses, not domain names (they will be ignored)
      #
      # Advanced port+ip filtering allowed with the following format
      # tcp/udp|in/out|s/d=port|s/d=ip
      # See readme.txt for more information
      #
      # Note: IP addressess listed in this file will NOT be ignored by lfd, so they
      # can still be blocked. If you do not want lfd to block an IP address you must
      # add it to csf.ignore
    • From this we can see that the format we will be using is tcp/udp|in/out|s/d=port|s/d=ip
  4. Create your desired rule. For example, if we want to allow inbound MySQL connections from IP 67.222.0.1, the rule would look like this:
    • tcp|in|d=3306|s=67.222.0.1
      • Let's look at what we've defined above:
        1. tcp defines the protocol we're using. MySQL uses TCP sockets.
        2. in means the rule applies to inbound traffic, that is, traffic arriving at your system from an external one.
        3. d=3306 is the destination port, the port MySQL uses by default.
        4. s=67.222.0.1 is the source IP address we want to allow into our system on the port and protocol specified above.
    • You can put one rule per line.
    • IP ranges in CIDR format are accepted. Port ranges are not accepted, so you must have one rule per line per port per protocol.

  5. In order to apply this rule, on the next page click "Restart csf+lfd".

Create single-port CSF rule via SSH

Difficulty
Hard

  1. Log in via SSH.
  2. Open /etc/csf/csf.allow in your preferred text editor. For the sake of this tutorial I'll be using nano.
  3. Add your rules to this file, one per line.
    • We'll be adding lines in the same format as above, tcp/udp|in/out|s/d=port|s/d=ip.
  4. Save the file. If you're in nano, press ^X (Ctrl+X) and answer "Y" to overwrite the file.
  5. Restart CSF using csf -r.
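As an added example (not part of the original tutorial or of CSF itself), the following Python checks a csf.allow body against the tcp/udp|in/out|s/d=port|s/d=ip format used in both the WHM and SSH procedures above, so that a malformed line (a port range, or a domain name, which csf ignores) is caught before you restart csf. The sample file content is constructed and the function names are my own.

```python
import ipaddress
import re

# Constructed sample csf.allow content (not a real file); the last two lines are wrong on purpose.
SAMPLE_CSF_ALLOW = """\
# tcp/udp|in/out|s/d=port|s/d=ip
203.0.113.7
198.51.100.0/24
tcp|in|d=3306|s=67.222.0.1
tcp|in|d=3306:3310|s=67.222.0.1
mail.example.com
"""
# Advanced format from the csf.allow header: tcp/udp|in/out|s/d=port|s/d=ip
_ADV_RULE = re.compile(r"^(tcp|udp)\|(in|out)\|([sd])=(\d+)\|([sd])=(\S+)$")

def _check_ip(value):
    """Accept a single IP or a CIDR block; anything else (e.g. a hostname) is rejected."""
    try:
        ipaddress.ip_network(value, strict=False)
    except ValueError:
        raise ValueError(f"{value!r} is not an IP or CIDR (csf ignores domain names)")
    return value

def parse_rule(line):
    """Parse one csf.allow line into a dict; comments and blank lines give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if "|" not in line:  # plain entry: whitelist the whole host or network
        return {"proto": None, "dir": None, "port": None, "ip": _check_ip(line)}
    m = _ADV_RULE.match(line)
    if not m:  # also catches port ranges such as d=3306:3310 (one port per rule)
        raise ValueError(f"malformed advanced rule (one port per line): {line!r}")
    proto, direction, pside, port, iside, ip = m.groups()
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {line!r}")
    return {"proto": proto, "dir": direction, "port_side": pside,
            "port": int(port), "ip_side": iside, "ip": _check_ip(ip)}

def check_allow_file(text):
    """Return (rules, errors) for a whole csf.allow body; errors name the line number."""
    rules, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(raw)
            if rule:
                rules.append(rule)
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
    return rules, errors
```

Run check_allow_file over the contents of /etc/csf/csf.allow and only restart with csf -r when the errors list is empty.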
security/csf-lfd/allow-an-ip-to-access-a-closed-port.txt · Last modified: 2015/01/22 18:55 by Jonathan W.