Your Webhosting Questions
Answered by the Webhosting Experts
Tags
...
...

Common Firewall Commands: Iptables, CSF, UFW, & Firewalld

When running Linux OS, there are a variety of firewalls that can be deployed in your system, all of which require their own commands to operate. As a result, managing and maintaining your system’s firewall can often be difficult without something convenient to use for reference. The goal of this article is to provide you with a basic reference list of common commands useful for handling your Linux OS firewall.

To keep things succinct, the commands will be provided within a table format below following a brief precursor explanation on the various firewalls we’ll be covering here.

Common Firewalls Used in Linux

The following section covers basic background information regarding what firewall types are available within your Linux OS.

iptables

The Linux kernel requires rules for IP packet filtering to be managed in tables. iptables is used to set up, maintain, and inspect these tables of IP packet filtering rules with each table containing built-in chains. The iptables chains are lists of rules which match a set of packets, specifying instructions for each rule on how to handle the packet.

ConfigServer Security & Firewall (CSF)

ConfigServer Security & Firewall or CSF, is a tool that manipulates iptables chains while also providing additional functionality that iptables does not offer. CSF filtering is done on IP addresses, services, and ports.

CSF uses the Login Failure Daemon (lfd) which provides a tool that scans the latest log file entries for login attempts against your server. This is useful for detecting brute-force attacks, allowing lfd to automatically detect the pattern and block the offending IP.

Uncomplicated Firewall (UFW)

Uncomplicated Firewall (UFW) is the default firewall configuration tool for Ubuntu and has been developed to ease iptables firewall configuration by providing a friendly method to create an Ipv4 or Ipv6 host-based firewall.

Firewalld

Firewalld is a service daemon with D-bus interface which provides easy management of the network/firewall zones, assigning different levels of trust to a network and its associated connections. Additionally, the interface also provides the ability to add iptables rules directly.

Table of Commands for Firewall Management

The following is a list of common commands that can be made for the four the Firewall types discussed above.

Action iptables CSF UFW Firewalld
Check Firewall Status N/A service csf status or systemctl status csf service ufw status or systemctl status ufw service firewalld status (Not required as CSF won’t run if it’s not working)
Viewing/Searching Firewall Rules iptables -n -L -v –line-numbers csf -g [IP] sudo ufw status numbered will show a list of rules, then use sudo ufw delete # with the rule number.

firewall-cmd –list-all

firewall-cmd –list-services

firewall-cmd –list-ports

Restart Firewall Occasionally rebooting the system can help if iptables rules do not take effect. service csf restart or csf -r or even better to flush rules csf -ra service ufw restart service firewalld restart
Adding and Blocking a Port [Make sure to modify the #### entry]

Adding: iptables -I INPUT 1 -p tcp –dport=#### -j ACCEPT

Blocking: iptables -I INPUT 1 -p tcp –dport=#### -j DROP

Edit csf.conf file in /etc/csf/csf.conf and add the following lines with whichever ports you need.

*Note: The snippet below was taken from the file to show you where you will place the ports in/out. Do not change anything in the file other than the numbers in the following lines:

# Allow incoming TCP ports

TCP_IN = “20,443,465,21,22,587,993,25,53,80,110,143,995”

# Allow outgoing TCP ports

TCP_OUT = “20,21,443,587,22,25,80,110,43,53”

Adding: sudo ufw allow ####, you can use /tcp or /udp here as well

Blocking: sudo ufw deny ####, you can use /tcp or /udp

Adding: firewall-cmd –permanent –add-port=##/TCP or use /UDP

Blocking: firewall-cmd –permanent –remove-port=###

/tcp or /udp can be added at the end of that line without a space

Adding and Removing an IP [Make sure to modify the x.x.x.x with an IP]

Adding: iptables -A INPUT -s x.x.x.x -j ACCEPT

Removing: iptables -A INPUT -s ###.###.###.### -j DROP

Adding: csf -a [x.x.x.x] [Optional comment]

(Writes information to /etc/csf/csf.allow)

Removing: csf -tr [IP.add.re.ss]

(Writes information to /etc/csf/csf.deny)

sudo ufw allow from x.x.x.x

[sudo ufw status numbered will show a list of rules, then use sudo ufw delete # with the rule number.]

firewall-cmd –permanent –add-source=###.###.###.###

firewall-cmd –permanent –remove-source=###.###.###.###

Blocking an IP [Make sure to modify the x.x.x.x with an IP]

iptables -A INPUT -s x.x.x.x -j DROP

csf -d [x.x.x.x] [Optional comment]

(Writes information to /etc/csf/csf.deny)

sudo ufw deny from x.x.x.x firewall-cmd –permanent –add-rich-rule=”rule family=’ipv4′ source address=x.x.x.x’ reject”
Adding and Removing a Service N/A N/A

Allow: sudo ufw allow service

Remove: sudo ufw deny service

Allow: firewall-cmd –permanent –add-service=ssh

Remove: firewall-cmd –permanent –remove-service=mysql

-written by Pascal Suissa

Need More Personalized Help?

If you have any further issues, questions, or would like some assistance checking on this or anything else, please reach out to us from your my.hivelocity.net account and provide your server credentials within the encrypted field for the best possible security and support.

If you are unable to reach your my.hivelocity.net account or if you are on the go, please reach out from your valid my.hivelocity.net account email to us here at: support@hivelocity.net. We are also available to you through our phone and live chat system 24/7/365.

Tags +
...