How to Add Custom Iptables Rules with CSF

CSF (ConfigServer Firewall) is an iptables based firewall, provides easier way to implement iptables rules. Sometimes we need to add specific rules (e.g. iptables rules not covered by CSF) to add in CSF. If we add these rules using iptables command directly from the shell, they will be erased on next CSF restart. After installing CSF firewall on Linux, This article will help you to add custom iptables rules in CSF firewall.

CSF provides pre and post scripts, where pre is executed before and post is executed after applying the rules by the CSF firewall. For example you want to open port 3306 ( Default MySQL ) to specific ip. You can add following rules to pre or post script

csfpre.sh – To run external commands before csf configures iptables
csfpost.sh – To run external commands after csf configures iptables

Before CSF Rules

Create a file /etc/csf/csfpre.sh and add the iptables rules, which you want to execute before CSF applied own rules.

iptables -I INPUT -s 1.2.3.4 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT

After CSF Rules

Create an file /etc/csf/csfpost.sh and add the iptables rules, which you want to apply after CSF add its own rules to firewall.

iptables -I INPUT -s 1.2.3.4 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT

Restart CSF

To restart CSF simply type below command and watch the results. CSF produce lots of output so you may not see entire output in one script, so also add more command to see page wise results.

csf -r | more

See below the few part of output

...
...
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Running /etc/csf/csfpre.sh
DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:67
DROP  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  udp dpt:67
...
...
...
ACCEPT  tcp opt -- in * out !lo  0.0.0.0/0  -> 8.8.8.8  tcp dpt:53
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0
Running /etc/csf/csfpost.sh

Thank you! for using this article. Click here to read more about CSF configuration.

4 Comments

Júlio C. on December 19, 2017 6:36 pm
Perfect, Thanks!
yashar esmaildokht on December 10, 2016 3:50 pm
thanks , good article .
Jon on May 27, 2016 2:39 pm
I’ve been looking for exactly this, thank you!
Salcoder on May 12, 2015 7:31 am
Great info!
Thanks for sharing.

How to Add Custom iptables Rules in CSF Firewall

Before CSF Rules

After CSF Rules

Restart CSF

How to Switch Python Version in Ubuntu & Debian

How to Create SFTP Only User in Debian 11

Common Apache Commands on Ubuntu & Debian

4 Comments

Leave A Reply Cancel Reply

Latest Articles

How To Install and Switch Desktop Environments in Fedora

How to Git Remove File but Keep Local Version

How to Clone a Git Repository Into a Specific Folder

How To Install NVIDIA Drivers on Fedora

How to Add Custom iptables Rules in CSF Firewall

Before CSF Rules

After CSF Rules

Restart CSF

Related Posts

How to Switch Python Version in Ubuntu & Debian

How to Create SFTP Only User in Debian 11

Common Apache Commands on Ubuntu & Debian

4 Comments

Leave A Reply Cancel Reply

How To Install and Switch Desktop Environments in Fedora

How to Git Remove File but Keep Local Version

How to Clone a Git Repository Into a Specific Folder

How To Install NVIDIA Drivers on Fedora