How to create a rule in CSF to allow an IP to access a specific port
ConfigServer Firewall, also known as CSF, is a free and advanced firewall for most Linux distributions and Linux-based servers. In addition to the basic firewall function of filtering packets, CSF includes other security features, such as login, intrusion, and flood detection. CSF provides UI integration for control panels like cPanel, DirectAdmin, etc. Among its advantages, CSF can detect many attacks, such as port scans, SYN floods, and login brute-force attacks on many services of the server. It is configured to temporarily block clients that are suspected of attacking the server.
For security reasons, opening unused ports on the server is not recommended. If a port must be opened, we can add custom rules to CSF to open it. In this tutorial, let's look at how to give a particular IP address access to a specific port on the server without opening the port publicly in the CSF configuration.
1. Log in to the WHM of your server.
2. You can find the location of your firewall in two places:
- In the left search bar, type firewall. Select ConfigServer Security & Firewall in the menu.
3. Scroll down to the csf - ConfigServer Firewall section. Click on Firewall Allow IPs.
4. This is the content of your csf.allow file. Normally, you'd add IP addresses to this list if you want those IPs to always be allowed through your firewall, no matter their activity. Allowing IP addresses through specific ports follows the same idea, but you need a little more syntax. You'll use this syntax:
protocol:in:d=port:s=IP
You'll replace "protocol" with the protocol ("tcp", "udp", or "icmp"; TCP is used by HTTP, so you will most likely be using TCP), "port" with the port number, and "IP" with the IP address or range. So if we want to allow IP address 192.0.2.0 to access MySQL on port 3306, we add this to the csf.allow file:
tcp:in:d=3306:s=192.0.2.0
Tip: Use the # character to write a comment about these special IP rules so that if you're making edits later, you'll know why you allowed those IPs.
5. You can enter as many of these rules as necessary. Once you're done, click Change.
6. Restart CSF to make sure your changes are enacted by clicking Restart csf+lfd. Once you've restarted your firewall, you're all set!
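Before pasting rules into csf.allow in step 4, it helps to check them for typos that would make a rule invalid or much wider than intended. The script below is an added example, not part of the original tutorial or of CSF itself: check_rule and lint are hypothetical names, it validates only the protocol:in:d=port:s=IP form shown above with IPv4 sources, and the sample lines are constructed.

```python
import ipaddress

def check_rule(line):
    """Check one csf.allow line; returns (ok, detail)."""
    rule = line.split("#", 1)[0].strip()      # text after '#' is a comment
    if not rule:
        return True, "blank or comment"
    if ":" not in rule:
        return True, "plain allow entry, not a port rule"
    parts = rule.split(":")
    if len(parts) != 4:
        return False, "expected protocol:in:d=port:s=IP"
    proto, direction, dport, src = parts
    if proto not in ("tcp", "udp", "icmp"):   # protocols named in the tutorial
        return False, f"unknown protocol {proto!r}"
    if direction != "in":
        return False, "direction must be 'in' for this rule form"
    if not dport.startswith("d=") or not dport[2:].isdigit():
        return False, "destination must be d=<number>"
    # Assumption: the 1-65535 range is enforced for tcp/udp only.
    if proto != "icmp" and not 1 <= int(dport[2:]) <= 65535:
        return False, "port out of range 1-65535"
    if not src.startswith("s="):
        return False, "source must be s=<IP or range>"
    try:
        net = ipaddress.IPv4Network(src[2:], strict=False)
    except ValueError:
        return False, f"invalid IPv4 source {src[2:]!r}"
    if net.prefixlen == 0:
        return False, "source covers every address; the port would be public"
    return True, f"{proto} {dport[2:]} from {net}"

def lint(text):
    """Return [(line_number, detail)] for each line that fails check_rule."""
    results = [(n, *check_rule(l)) for n, l in enumerate(text.splitlines(), 1)]
    return [(n, detail) for n, ok, detail in results if not ok]

SAMPLE = """\
# constructed sample, not taken from a real server
tcp:in:d=3306:s=192.0.2.0 # MySQL access for the reporting host
tcp:in:d=3306:s=192.0.2.300
tcp:in:d=70000:s=192.0.2.0
udp:in:d=53:s=198.51.100.0/24
tcp:in:d=22:s=0.0.0.0/0
203.0.113.7
"""
if __name__ == "__main__":
    for number, detail in lint(SAMPLE):
        print(f"line {number}: {detail}")
```

Lines 3, 4 and 6 of the sample are reported: a mistyped address, an out-of-range port, and a source range that would expose the port to everyone.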