23 Jan 2012
| Command | Description |
|---|---|
| csf -s | Start the firewall rules |
| csf -f | Flush/Stop firewall rules (note: lfd may restart csf) |
| csf -r | Restart the firewall rules |
| csf -a [IP.add.re.ss] [comment] | Allow an IP and add to /etc/csf/csf.allow |
| csf -tr [IP.add.re.ss] | Remove an IP from the temporary IP ban or allow list. |
| csf -tf | Flush all IPs from the temporary IP entries |
| csf -d [IP.add.re.ss] [comment] | Deny an IP and add to /etc/csf/csf.deny |
| csf -dr [IP.add.re.ss] | Unblock an IP and remove from /etc/csf/csf.deny |
| csf -df | Remove and unblock all entries in /etc/csf/csf.deny |
| csf -g [IP.add.re.ss] | Search the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number) |
| csf -t | Displays the current list of temporary allow and deny IP entries with their TTL and comment |
How to block an IP using iptables?
$ iptables -A INPUT -s xx.xx.xx.xx -j DROP
How to block an IP for a specific port:
$ iptables -A INPUT -p tcp -s xx.xx.xx.xx --dport PORT -j DROP
How to allow access to an IP?
$ iptables -A INPUT -s xx.xx.xx.xx -j ACCEPT
How to allow access to an IP to a specific port using iptables?
$ iptables -A INPUT -p tcp -s xx.xx.xx.xx --dport PORT -j ACCEPT
where, xx.xx.xx.xx is the remote IP address and PORT is the port number you wish to allow/deny access to.
How to block a scanner on your server for example “w00tw00t.at.ISC.SANS” using iptables?
$ iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
by nixcraft on january 23, 2009
last updated february 15, 2011
in bash shell, centos, debian / ubuntu
I am a brand new user of a Linux iptables and I can't find how to instruct my iptables to delete or unblock an IP address listed in iptables firewall. I'm using Debian Linux version. Can you help please?
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. You can delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.
List existing chains
Type the following command to list current IPs in tables:
iptables -L -n
iptables -L -n -v
iptables -L chain-name -n -v
iptables -L spamips -n -v
List existing chains with line number
To display line number along with other information, enter:
iptables -L INPUT -n --line-numbers
iptables -L OUTPUT -n --line-numbers
iptables -L OUTPUT -n --line-numbers | less
iptables -L spamips -n -v --line-numbers
iptables -L spamips -n -v --line-numbers | grep 202.54.1.2
Chain droplist (3 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG 0 -- * * 116.199.128.0/19 0.0.0.0/0 LOG flags 0 level 4 prefix `LASSO DROP Block'
2 0 0 DROP 0 -- * * 116.199.128.0/19 0.0.0.0/0
3 0 0 LOG 0 -- * * 116.50.8.0/21 0.0.0.0/0 LOG flags 0 level 4 prefix `LASSO DROP Block'
4 0 0 DROP 0 -- * * 116.50.8.0/21 0.0.0.0/0
5 0 0 LOG 0 -- * * 128.199.0.0/16 0.0.0.0/0 LOG flags 0 level 4 prefix `LASSO DROP Block'
6 0 0 DROP 0 -- * * 128.199.0.0/16 0.0.0.0/0
7 0 0 LOG 0 -- * * 132.232.0.0/16 0.0.0.0/0 LOG flags 0 level 4 prefix `LASSO DROP Block'
8 0 0 DROP 0 -- * * 132.232.0.0/16 0.0.0.0/0
9 342 23317 LOG 0 -- * * 134.175.0.0/16 0.0.0.0/0 LOG flags 0 level 4 prefix `LASSO DROP Block'
10 342 23317 DROP 0 -- * * 134.175.0.0/16 0.0.0.0/0
11 0 0 LOG 0 -- * * 134.33.0.0/16 0.0.0.0/0 LOG flags 0 level 4 prefix `LASSO DR
You will get the list of all blocked IP. Look at the number on the left, then use number to delete it. For example delete line number 10 (subner 134.175.0.0/16), enter:
$ iptables -D INPUT 10
You can also use the following syntax to delete / unblock an IP use the following syntax:
iptables -D INPUT -s xx.xxx.xx.xx -j DROP
iptables -D INPUT -s xx.xxx.xx.xx/yy -j DROP
iptables -D spamlist -s 202.54.1.2 -d 0/0 -j DROP
iptables -D spamlist -s 202.54.1.2/29 -d 0/0 -j DROP
Finally, make sure you save the firewall. Under CentOS / Fedora / RHEL / Redhat Linux type the following command:
$ service iptables save
Block an IP from the server
csf -d 192.168.1.2
csf -d 192.168.0/24
Remove an IP from the blocklist
csf -dr 192.168.1.2
Allow an IP
csf -a 172.16.20.1
Do note that when you allow an IP, it will still be blocked by lfd if it starts brute forcing. See below, "Don't block IP addresses from the allow list with lfd" to see how to disable it.
Search for an IP:
csf -g 192.168.1.2
View Ports listening for external connections and the executables running behind them
csf -p
Disable csf and lfd
csf -x
Enable csf and lfd
csf -e
Restart csf
csf -r
Mail yourself a general security check of the server
csf -m [email protected]
These can be placed in either csf.allow or csf.deny.
Allow connections over port 443 to a range of IP addresses:
tcp|out|d=443|d=12.34.56.78/27 # csf.allow
Allow SSH from one IP:
tcp|in|d=22|s=23.45.67.88 # csf.allow
Block traffic to port 80 from a specific range:
tcp|out|d=80|d=12.34.56.78/24 #csf.deny
The syntax for the advanced rules:
tcp/udp|in/out|s/d=port|s/d=ip|u=uid
tcp/udp : EITHER tcp OR udp OR icmp protocol
in/out : EITHER incoming OR outgoing connections
s/d=port : EITHER source OR destination port number (or ICMP type)
(use a _ for a port range, e.g. 2000_3000)
s/d=ip : EITHER source OR destination IP address
u/g=UID : EITHER UID or GID of source packet, implies outgoing connections,
s/d=IP value is ignored