CSF - Allow an IP to a specific port

How to create a rule in CSF to allow an IP to access a specific port

In a firewall sometimes you only want to allow an IP through on a certain port without fully whitelisting them. To do so in CSF is pretty straight forward and the concept is the same as on many home routers. This tutorial will show you how to do it both via WHM's CSF GUIand via command line.

Create single-port CSF rule via WHM

 

  1. Login to WHM and navigate to the "ConfigServer Security & Firewall" page. This is generally at the very bottom under the "Plugins" category.
  2. On this page, press the "Firewall Allow IPs" button. It's about mid-way down the page.
  3. On this page you'll see a list of IPs that you've whitelisted unless you've previously otherwise modified this page. The top section where each line is preceeded by a #symbol is not read by the system and is helpful tips. It should look similar to the following:
    • ###############################################################################
      # Copyright 2006-2013, Way to the Web Limited
      # URL: http://www.configserver.com
      # Email: sales@waytotheweb.com
      ###############################################################################
      # The following IP addresses will be allowed through iptables.
      # One IP address per line.
      # CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
      # Only list IP addresses, not domain names (they will be ignored)
      #
      # Advanced port+ip filtering allowed with the following format
      # tcp/udp|in/out|s/d=port|s/d=ip
      # See readme.txt for more information
      #
      # Note: IP addressess listed in this file will NOT be ignored by lfd, so they
      # can still be blocked. If you do not want lfd to block an IP address you must
      # add it to csf.ignore
    • From this we can see that the format we will be using is tcp/udp|in/out|s/d=port|s/d=ip
  4. Create your desired rule. For example if we want to create a rule to allow inbound MySQL connections from IP 67.222.0.1 it would look like this:
    • tcp|in|d=3306|s=67.222.0.1
      • Lets look at what we've defined above:
        1. tcp defines the protocol we're using. MySQL uses TCP sockets.
        2. in defines that this rule pertains to inbound traffic or traffic coming into your system from an external one.
        3. d=3306 is the port number which MySQL uses by default.
        4. s=67.222.0.1 is the IP address we want to allow into our system on the port and protocol specified above.
    • You can put one rule per line.
    • IP ranges in CIDR format are accepted. Port ranges are not accepted and you must have one rule per line per port per protocol.

  5. In order to apply this rule, on the next page click "Restart csf+lfd".

Create single-port CSF rule via SSH

 

  1. Login to SSH.
  2. Open /etc/csf/csf.allow in your preferred text editor. For the sake of this tutorial I'll be using nano.
  3. Add your rules to this file, one per line.
    • We'll be adding lines in the same format as above, tcp/udp|in/out|s/d=port|s/d=ip.
  4. Save the file. If you're in nano, use ^X (Ctrl+X) and tell it "Y" to overwrite the file.
  5. Restart CSF using csf -r.

Was this answer helpful?

 Print this Article

Also Read

What Virtual Solution is implemented at GoHosting?

GoHosting uses a mixture of VMware, XEN and OpenVZ over a variety of hardware platforms. Our...

What is cPanel and why do i need it for my Virtual Server?

Most of the time when a customer comes to us asking for a Linux Virtual Server to host their...

What is a Virtual Server?

A Virtual Server is a product where for a set monthly fee, you hire a slice of our Virtual...