Firewall - Knowledge Base Archives - Hivelocity Hosting
https://www.hivelocity.net/kb/tag/firewall/
Dedicated Servers, Private Cloud & Colocation
Mon, 18 Dec 2023 15:15:54 +0000

Common Firewall Commands: Iptables, CSF, UFW, & Firewalld
https://www.hivelocity.net/kb/common-firewall-commands-iptables-csf-ufw-firewalld/
Mon, 28 Nov 2022 16:37:19 +0000

When running a Linux OS, there are a variety of firewalls that can be deployed on your system, each of which requires its own commands to operate. As a result, managing and maintaining your system’s firewall can often be difficult without something convenient to use for reference. The goal of this article is to provide you with a basic reference list of common commands useful for handling your Linux OS firewall.

To keep things succinct, the commands will be provided within a table format below following a brief precursor explanation on the various firewalls we’ll be covering here.

Common Firewalls Used in Linux

The following section covers basic background information regarding what firewall types are available within your Linux OS.

iptables

The Linux kernel requires rules for IP packet filtering to be managed in tables. iptables is used to set up, maintain, and inspect these tables of IP packet filtering rules with each table containing built-in chains. The iptables chains are lists of rules which match a set of packets, specifying instructions for each rule on how to handle the packet.

ConfigServer Security & Firewall (CSF)

ConfigServer Security & Firewall, or CSF, is a tool that manipulates iptables chains while also providing additional functionality that iptables does not offer. CSF filtering is done on IP addresses, services, and ports.

CSF uses the Login Failure Daemon (lfd) which provides a tool that scans the latest log file entries for login attempts against your server. This is useful for detecting brute-force attacks, allowing lfd to automatically detect the pattern and block the offending IP.

Uncomplicated Firewall (UFW)

Uncomplicated Firewall (UFW) is the default firewall configuration tool for Ubuntu and has been developed to ease iptables firewall configuration by providing a friendly method to create an IPv4 or IPv6 host-based firewall.

Firewalld

Firewalld is a service daemon with a D-Bus interface which provides easy management of network/firewall zones, assigning different levels of trust to a network and its associated connections. Additionally, the interface also provides the ability to add iptables rules directly.

Table of Commands for Firewall Management

The following is a list of common commands for the four firewall types discussed above.

Check Firewall Status
  iptables: N/A
  CSF: service csf status or systemctl status csf
  UFW: service ufw status or systemctl status ufw
  Firewalld: service firewalld status
  (Not required as CSF won’t run if it’s not working)

Viewing/Searching Firewall Rules
  iptables: iptables -n -L -v --line-numbers
  CSF: csf -g [IP]
  UFW: sudo ufw status numbered will show a list of rules, then use sudo ufw delete # with the rule number.
  Firewalld:
    firewall-cmd --list-all
    firewall-cmd --list-services
    firewall-cmd --list-ports

Restart Firewall
  iptables: Occasionally rebooting the system can help if iptables rules do not take effect.
  CSF: service csf restart or csf -r or even better to flush rules csf -ra
  UFW: service ufw restart
  Firewalld: service firewalld restart

Adding and Blocking a Port [Make sure to modify the #### entry]
  iptables:
    Adding: iptables -I INPUT 1 -p tcp --dport=#### -j ACCEPT
    Blocking: iptables -I INPUT 1 -p tcp --dport=#### -j DROP
  CSF: Edit the csf.conf file in /etc/csf/csf.conf and add the following lines with whichever ports you need.
    *Note: The snippet below was taken from the file to show you where you will place the ports in/out. Do not change anything in the file other than the numbers in the following lines:
      # Allow incoming TCP ports
      TCP_IN = "20,443,465,21,22,587,993,25,53,80,110,143,995"
      # Allow outgoing TCP ports
      TCP_OUT = "20,21,443,587,22,25,80,110,43,53"
  UFW:
    Adding: sudo ufw allow ####, you can use /tcp or /udp here as well
    Blocking: sudo ufw deny ####, you can use /tcp or /udp
  Firewalld:
    Adding: firewall-cmd --permanent --add-port=##/tcp or use /udp
    Blocking: firewall-cmd --permanent --remove-port=###
    /tcp or /udp can be added at the end of that line without a space

Adding and Removing an IP [Make sure to modify the x.x.x.x with an IP]
  iptables:
    Adding: iptables -A INPUT -s x.x.x.x -j ACCEPT
    Removing: iptables -A INPUT -s ###.###.###.### -j DROP
  CSF:
    Adding: csf -a [x.x.x.x] [Optional comment]
    (Writes information to /etc/csf/csf.allow)
    Removing: csf -tr [IP.add.re.ss]
    (Writes information to /etc/csf/csf.deny)
  UFW:
    sudo ufw allow from x.x.x.x
    [sudo ufw status numbered will show a list of rules, then use sudo ufw delete # with the rule number.]
  Firewalld:
    firewall-cmd --permanent --add-source=###.###.###.###
    firewall-cmd --permanent --remove-source=###.###.###.###

Blocking an IP [Make sure to modify the x.x.x.x with an IP]
  iptables: iptables -A INPUT -s x.x.x.x -j DROP
  CSF: csf -d [x.x.x.x] [Optional comment]
    (Writes information to /etc/csf/csf.deny)
  UFW: sudo ufw deny from x.x.x.x
  Firewalld: firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='x.x.x.x' reject"

Adding and Removing a Service
  iptables: N/A
  CSF: N/A
  UFW:
    Allow: sudo ufw allow service
    Remove: sudo ufw deny service
  Firewalld:
    Allow: firewall-cmd --permanent --add-service=ssh
    Remove: firewall-cmd --permanent --remove-service=mysql

-written by Pascal Suissa

Restrict clients using my SQL Server by their IP Address?
https://www.hivelocity.net/kb/how-do-i-restrict-clients-using-my-sql-server-by-their-ip-address/
Sun, 14 Nov 2010 11:11:55 +0000

SQL Server has no built-in support for restricting clients by IP address. The most common work-arounds are firewalls, IPSec, or third-party network layer filters to allow only certain source IP addresses and target TCP ports (the port on which SQL Server is listening).

What ports should be open if I’m running my cPanel server behind a firewall?
https://www.hivelocity.net/kb/what-ports-should-be-open-if-im-running-my-cpanel-server-behind-a-firewall/
Sat, 13 Nov 2010 21:34:13 +0000

Solution

Ports that must be open to run cPanel behind a firewall:

port   service          protocol   direction
20     ftp              tcp        inbound/outbound
21     ftp              tcp,udp    inbound/outbound
22     ssh              tcp        inbound
25     smtp             tcp        inbound/outbound
26     smtp             tcp        inbound/outbound
37     rdate            tcp        outbound
43     whois            tcp        outbound
53     DNS              tcp/udp    inbound/outbound (inbound is only needed if you run your own public DNS server)
80     http             tcp        inbound/outbound
110    pop3             tcp        inbound
113    ident            tcp        outbound
143    imap4            tcp        inbound
443    https            tcp        inbound
465    smtp tls/ssl     tcp/udp    inbound/outbound
873    rsync            tcp/udp    outbound
993    imap4 ssl        tcp        inbound
995    pop3 ssl         tcp        inbound
2082   cpanel           tcp        inbound
2083   cpanel ssl       tcp        inbound
2086   whm              tcp        inbound
2087   whm ssl          tcp        inbound
2089   cp licence       tcp        outbound
2095   Webmail          tcp        inbound
2096   Webmail SSL      tcp        inbound
3306   mysql            tcp        (only if you need to connect remotely)
6666   chat             tcp        inbound

Can I run cPanel behind NAT?
https://www.hivelocity.net/kb/can-i-run-cpanel-behind-nat/
Sat, 13 Nov 2010 21:09:37 +0000

Solution

Short answer: No, it is not supported. It was once semi-possible to run cPanel behind a NAT firewall; however, the system has changed somewhat, so that if you use more than one server behind the NAT (more than one appears from behind the same public IP), the license server will lock the public IP out to prevent abuse. There are other technical problems, such as virtual hosting with Apache, domain->IP mapping, DNS and so on, that prevent us from supporting this method.

Checking Which Ports Are Open When the Firewall Is Activated
https://www.hivelocity.net/kb/how-to-check-which-ports-are-open-when-the-firewall-is-activated/
Sat, 13 Nov 2010 19:34:39 +0000

Linux firewall ports are used to allow or deny incoming or outgoing connections to a Linux system. Different firewall products have different commands or methods to open ports, such as iptables, ufw, or firewalld. The port number, protocol, and zone are usually required to specify which port to open. The firewall status and rules should be checked before and after opening ports, and the service may need to be restarted for the changes to take effect.

Using netstat -a you can view a list of all open ports.

Screenshot showing the results of the netstat -a command.

Using csf -l you can view all of the ports that CSF is utilizing.

Screenshot showing the results of the csf -l command.
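
The two views above can be cross-checked against each other. The following is an added example, not part of the original article: it compares the TCP ports that have a listener with the ports CSF allows in. It assumes numeric `netstat -tln` output saved to a file and a `TCP_IN` line like the one in csf.conf; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): cross-check CSF's TCP_IN
# allow-list against the TCP ports that really have a listener.
# Function names are hypothetical; the sample inputs in demo() are constructed.

# Print the TCP_IN entries of a csf.conf, one per line (ranges stay as lo:hi).
csf_tcp_in() {
    sed -n 's/^[[:space:]]*TCP_IN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        tr ',' '\n' | sed '/^$/d'
}

# Read `netstat -tln` (or `ss -tln`) text on stdin and print the listening
# ports that are reachable from outside. Loopback-only listeners are skipped:
# the firewall's inbound list is irrelevant to them.
listening_ports() {
    awk '
        /LISTEN/ {
            addr = $4                      # local address is field 4 in both tools
            port = addr
            sub(/.*:/, "", port)           # keep what follows the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1" || host == "[::1]") next
            if (port ~ /^[0-9]+$/) print port
        }' | sort -nu
}

# Exit 0 if PORT is covered by the allow-list on stdin (single ports or lo:hi).
port_allowed() {
    awk -v p="$1" -F: '
        NF == 1 && $1 + 0 == p + 0                  { ok = 1 }
        NF == 2 && p + 0 >= $1 + 0 && p + 0 <= $2 + 0 { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# audit CSF_CONF NETSTAT_FILE: report mismatches in both directions.
audit() (
    allow=$(csf_tcp_in "$1")
    listen=$(listening_ports < "$2")
    # A service is listening but CSF does not allow it in: clients will time out.
    for p in $listen; do
        printf '%s\n' "$allow" | port_allowed "$p" || echo "LISTENING_NOT_ALLOWED $p"
    done
    # CSF allows the port but nothing listens: an opening that can be closed.
    printf '%s\n' "$allow" | while IFS= read -r entry; do
        case $entry in *:*) continue ;; esac   # ranges are not checked in this direction
        printf '%s\n' "$listen" | grep -qx "$entry" || echo "ALLOWED_NO_LISTENER $entry"
    done
)

demo() (
    dir=$(mktemp -d)
    # Constructed csf.conf fragment using the TCP_IN value shown in the table above.
    cat > "$dir/csf.conf" <<'EOF'
# Allow incoming TCP ports
TCP_IN = "20,443,465,21,22,587,993,25,53,80,110,143,995"
EOF
    # Constructed `netstat -tln` output.
    cat > "$dir/netstat.txt" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
EOF
    audit "$dir/csf.conf" "$dir/netstat.txt"
    rm -rf "$dir"
)

demo
```

On a live server, replace the sample files with `/etc/csf/csf.conf` and the saved output of `netstat -tln`.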

Default IPTables Configuration for HSphere
https://www.hivelocity.net/kb/default-iptables-configuaration-for-hsphere/
Sat, 13 Nov 2010 13:58:14 +0000

Below is a ‘template’ firewall for a single-server HSphere install.

Notes:
192.168.1.1 is the example base IP address of the server. You need to change this.
192.168.1.2 is *your* IP address. You *must* change this, otherwise you’ll lock yourself out of the server.
This example would be saved to the file /etc/sysconfig/iptables
You need to load the ip_conntrack_ftp module into the kernel when iptables is started. You add this module name in /etc/rc.d/init.d/iptables
Change:
IPTABLES_MODULES=""
To:
IPTABLES_MODULES="ip_conntrack_ftp"
#######################################################
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCK_NET - [0:0]
# Handle Passive FTP (remember to enable ip_conntrack_ftp module)
-A OUTPUT -p tcp -m tcp -m state --dport 1024:65535 --sport 1024:65535 --state RELATED,ESTABLISHED -j ACCEPT
# Server Base IP address
-A INPUT -s 192.168.1.1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Management IPs (VERY IMPORTANT TO PUT YOUR IP HERE otherwise you'll be locked out)
-A INPUT -s 192.168.1.2 -j ACCEPT
# End Management IPs
# Run Block bad networks chain
-A INPUT -j BLOCK_NET
# Handle Passive FTP (remember to enable ip_conntrack_ftp module in the iptables init script)
-A INPUT -p tcp -m tcp -m state --dport 1024:65535 --sport 1024:65535 --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j DROP
-A INPUT -p tcp -m tcp --dport 135 -j DROP
-A INPUT -p tcp -m tcp --dport 136 -j DROP
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 593 -j DROP
-A INPUT -p tcp -m tcp --dport 777 -j DROP
-A INPUT -p tcp -m tcp --dport 778 -j DROP
-A INPUT -p tcp -m tcp --dport 837 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1025 -j DROP
-A INPUT -p tcp -m tcp --dport 1080 -j DROP
-A INPUT -p tcp -m tcp --dport 1434 -j DROP
-A INPUT -p tcp -m tcp --dport 1433 -j DROP
-A INPUT -p tcp -m tcp --dport 3128 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j DROP
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6667 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p udp -m udp --dport 137:138 --sport 137:138 -j DROP
# Logging to /var/log/messages
-A INPUT -p tcp -m tcp -j LOG --log-prefix "AUDIT TCP "
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -j LOG --log-prefix "AUDIT UDP "
-A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m icmp --icmp-type 8 -j LOG
# Each table must end with COMMIT for iptables-restore to apply it
COMMIT
# mangle section
*mangle
:PREROUTING ACCEPT [1591876424:227299011220]
:INPUT ACCEPT [1591816598:227294667655]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1765890237:977040975279]
:POSTROUTING ACCEPT [1765890154:977040909847]
COMMIT
# NAT section
*nat
:PREROUTING ACCEPT [10032111:558215684]
:POSTROUTING ACCEPT [5152283:290989829]
:OUTPUT ACCEPT [3923347:241838349]
COMMIT
#######################################################

How do I fix DCOM Issue between Web Server and Remote Secondary Machines?
https://www.hivelocity.net/kb/how-do-i-fix-dcom-issue-between-web-server-and-remote-secondary-machineshow-do-i-fix-dcom-issue-between-web-server-and-remote-secondary-machines/
Sat, 13 Nov 2010 13:24:16 +0000

When Service Pack 1 is applied on HC primary or remote Mail/DNS 2003 machines, a DCOM communication problem occurs. This is because Microsoft shipped Service Pack 1 for Server 2003 with the built-in Windows firewall service, i.e. the Windows Firewall/Internet Connection Sharing (ICS) service, which disturbs remote DCOM communication. Following these instructions on remote Mail/DNS machines fixes DCOM-related problems. These instructions should be applied on the HC Primary as well as on all remote machines.

Note: Steps 1-3 are specifically for 2003 Service Pack1, rest are for both 2000 and 2003 machines.

  1. Go to Start => Run => DComcnfg => Component Services => My Computer => Properties => COM Security =>
     Access Permissions => Edit Limits & Edit Defaults and give both ANONYMOUS LOGON and Everyone full permissions, e.g. [Local Access, Remote Access]
     Launch and Activation Permissions => Edit Limits & Edit Defaults and give both ANONYMOUS LOGON and Everyone full permissions, e.g. [Local Launch, Remote Launch, Local Activation, Remote Activation]
  2. Go to Start => Run => DComcnfg => Component Services => My Computer => DCOM Config => Hosting Controller => Properties => Security =>
     Launch and Activation Permissions => Customize => Edit and give full permissions to both ANONYMOUS LOGON and Everyone.
     Access Permissions => Customize => Edit and give full permissions to both ANONYMOUS LOGON and Everyone.
     Configuration Permissions => Customize => Edit and give full permissions to both ANONYMOUS LOGON and Everyone.
  3. Open your services control manager as follows:
     Start => Run => Services.msc and stop and disable the Windows Firewall/Internet Connection Sharing (ICS) service.
  4. RPC and HC Services should be running on both machines. For further detailed information read this article: https://www.hostingcontroller.com/english/support/kb/HCKB-Article101.html
  5. “Enable Distributed COM” & “Enable COM Internet Services on this Computer” on both HC Primary and Remote machines. Both of them can be enabled as follows:
     Start => Run => Dcomcnfg => Component Services => My Computer => Properties => Default Properties Tab.
  6. DCOM should be properly configured on all machines. For further details about configuring DCOM please read: https://www.hostingcontroller.com/english/support/kb/HCKB-Article42.html
  7. The HC Secondary Installer should be with the latest hot fix on remote machines.
     https://hostingcontroller.com/english/downloads/hcsec.exe (HCv6.1 Windows Secondary Installer)
     https://hostingcontroller.com/english/sp/index.html (Latest Hot fix)
  8. Register HCDcomClient.dll by giving the following command on both machines.
     *X\dll\regsvr32 HCDComClient.dll
  9. In case of firewalls open related ports of firewall for proper. https://hostingcontroller.com/english/support/kb/HCKB-Article60.html
  10. HC uses the built-in DCOM of Microsoft for remote communication, which is a comparatively slow method of communication. In case your machines are in different physical locations, it is recommended to move all machines within the same LAN to avoid any problem.
NOTE:

In the coming version, .NET technology will be used instead of DCOM, which will minimize this threat.
If the problem persists even after following these steps, send the respective HC DCOM logs located at *X:\Logs on HC primary machine to HC support for further investigation.
support@hostingcontroller.com
“X” refers to the path where HC is installed. In most cases it might be as follows:
C:\Program Files\Advanced Communications\Hosting Controller

Use Windows to block IP’s and IP ranges
https://www.hivelocity.net/kb/use-windows-to-block-ips-and-ip-ranges/
Sat, 13 Nov 2010 12:20:48 +0000

If you don’t have control over a router or firewall, you can block IPs at the server via Windows.

Click ‘Start’ > ‘Run’ >type ‘MMC’ press ok.

In the console click > ‘File’ > ‘Add/Remove Snap in’

In the ‘Standalone Tab’ click The ‘add’ button

Select ‘IP Security Policy Management’ > ‘ADD’ > ‘Local Computer’ > ‘finish’ > ‘close’ > ‘ok’

You should now be back to the console.

In the left frame right click ‘IP security policies on local computer’ > ‘Create IP security policy’

Click Next and then name your policy ‘Block IP’ and type a description.

Click ‘Next’ then leave ‘activate’ ticked then click ‘Next’

Leave the ‘edit properties’ ticked and click ‘Finish’

You should now have the properties window open.

Click ‘ADD’ then click ‘Next’ to continue.

Leave ‘This rule does not specify a tunnel’ selected and click ‘next’

Leave ‘all network connections’ selected and click ‘next’

You should now be on the IP filter list. You need to create a new filter, so don’t select any of the default ones. Click ‘ADD’

Type a Name for your list, call it ‘IP block list’
Type a description in, can be same as name.
Click ‘ADD’ then click ‘Next’ to continue.

In the description box type a description. As it’s the first IP you are blocking, call it ‘IP1’ or ‘IP Range 1’
Leave ticked the ‘Mirrored. Match packets with the exact opposite source and destination addresses’
Click ‘Next’

The ‘Source address’ should be left as ‘My IP address’ click ‘Next’

You can now select ‘A Specific IP address’ or ‘A Specific Subnet’ for the Destination address.
Type in the IP address you want to block and if blocking a subnet type in the subnet block. Click ‘next’

Leave the protocol type as ‘Any’ and click ‘Next’ and then ‘Finish’

You have now blocked your first IP or IP range.

How to Enable the Firewall in Windows Server 2003
https://www.hivelocity.net/kb/how-to-enable-the-firewall-in-windows-server-2003/
Sat, 13 Nov 2010 12:09:44 +0000

Enabling the Windows Server 2003 Firewall in 6 Easy Steps

To turn on the ICF (Internet Connection Firewall) feature in Windows Server 2003, follow these steps:

  1. First, navigate to your Network Connections by clicking on the Start menu -> Settings -> Control Panel, and then double-clicking on Network Connections.
  2. Right-click the connection that you want to enable the Firewall for and then click Properties on the shortcut menu that appears.
  3. Click on the Advanced tab, and then click to select the “Protect my computer and network by limiting or preventing access to this computer from the Internet” check box.
  4. Click on Settings. In the Services list, click to select the check boxes of services on the computer which you want to permit external access (if that is what you want).
    *Note: By default, no services are selected. This is known as a default deny stance. You must explicitly permit external access to the computer. For the most secure environment, do not select any of the check boxes.
  5. Click OK twice.
  6. When you’re finished, close the Network Connections window.

And there you have it!

 
