How to open a port for a particular IP address using iptables, CSF and APF – A comparison

This is a very useful trick: block a port to the public and open it only for specific IP addresses. It is quite simple when you configure iptables with the help of applications like CSF or APF. With plain iptables commands, blocking or opening a particular port for a particular IP address or IP address range is not quite as easy.

Here I explain the different options to open a port for an IP address using iptables, CSF and APF.

How to open a port for a particular IP address or a range of IP addresses using iptables?

Using iptables on Linux, you can block or open ports for a particular IP address. To open a port only for a particular IP, you first need to block that same port globally. The iptables rule below blocks a port globally.

iptables -I INPUT -p tcp --dport PORT-NUMBER -j DROP

Example:

iptables -I INPUT -p tcp --dport 22 -j DROP

Here I am blocking the SSH port globally. Make sure that you have console (node) access or another SSH session open, because after blocking port 22 you will be logged out of the current session. You may choose another port value for testing purposes. 🙂

To open a port for an IP address, add the rule below after the DROP rule. Because -I inserts at the top of the INPUT chain, the ACCEPT rule ends up above the DROP rule, so packets from the allowed IP match ACCEPT before they reach the DROP (the listing below shows this order).

iptables -I INPUT -p tcp -s IP.ADD.RE.SS --dport PORT-NUMBER -j ACCEPT

Example:

iptables -I INPUT -p tcp -s 1.1.1.1 --dport 22 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  1.1.1.1              anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh

iptables rule to open a port for a range of IP addresses.

It is simple to open a particular port for an IP range: give -s the range in CIDR notation. Here is the command for doing the same (iptables masks the host bits, so 1.1.1.1/16 is treated as 1.1.0.0/16). The protocol must match the DROP rule, so this is -p tcp for the SSH example above:

iptables -I INPUT -p tcp -s 1.1.1.1/16 --dport 22 -j ACCEPT
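The rule ordering above is easy to get wrong by hand, so here is an added example (not code from the original post) that generates the DROP-then-ACCEPT rules for one TCP port and an allow-list of IPv4 sources as a dry run, after validating the port and each address or CIDR. The function names, and the sample allow-list, are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): generate, as a reviewable dry
# run, the iptables rules that restrict one TCP port to an allow-list of IPv4
# sources. Nothing is applied; pipe the output to sh as root once reviewed.

# valid_port PORT -> 0 if PORT is an integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_src ADDR -> 0 if ADDR is a dotted-quad IPv4 address or a.b.c.d/N
valid_src() {
    addr=$1 mask=32
    case $addr in */*) mask=${addr#*/}; addr=${addr%%/*} ;; esac
    case $mask in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    n=0; old_ifs=$IFS; IFS=.
    for o in $addr; do
        case $o in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# restrict_port PORT "SRC1 SRC2 ..." -> prints the rules, or returns 1 on
# invalid input without printing anything.
restrict_port() {
    port=$1 sources=$2
    valid_port "$port" || return 1
    for src in $sources; do valid_src "$src" || return 1; done
    # -I inserts at the top of INPUT, so the DROP goes in first and each
    # ACCEPT inserted afterwards lands above it; packets from an allowed
    # source hit ACCEPT before they reach the DROP.
    echo "iptables -I INPUT -p tcp --dport $port -j DROP"
    for src in $sources; do
        echo "iptables -I INPUT -p tcp -s $src --dport $port -j ACCEPT"
    done
}

# Dry run for the post's own example: SSH only from 1.1.1.1 and a /16.
restrict_port 22 "1.1.1.1 1.1.0.0/16"
```

The generated rules change only the running rule set; to survive a reboot they must also be saved with your distribution's iptables-save mechanism.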

How to open a port for a particular IP address or a range of IP addresses using CSF?

CSF is the most commonly used application for configuring iptables easily. It is open source and you can simply install it on your server. Follow this link to install and configure CSF on a Linux server, and this one for commonly used CSF commands.

Now to the point: how to open a port for an IP? It is very simple with CSF. Follow the steps below:

Step I: SSH to the server as root.
Step II: Open the 'csf.allow' file with your favorite editor.

# vi /etc/csf/csf.allow
#ADD THE FOLLOWING LINE
----
tcp|in|d=Port|s=xxx.xxx.xxx.xxx
----

Replace xxx.xxx.xxx.xxx with the IP address and Port with the port number.
Example:

tcp|in|d=3306|s=132.133.112.100

Step III: Close the door for other IPs on that port.
Open the CSF configuration file and remove the port entry from "TCP_IN".

# vi /etc/csf/csf.conf
---
TCP_IN = "20,21,25,53,80,110,2078,2082,2083,2086,2087,2095,2096,2929,30000:35000"
---

Step IV: Restart CSF.

csf -r

How to open a port for a particular IP address or a range of IP addresses using APF?

Using APF to open a particular port for an IP is similar to CSF, and like CSF the installation is easy. This will help you to "Install and configure APF on Linux server", and this is for APF command usage.

Steps to open a port for an IP:

Step I: SSH to the server as root.
Step II: Open the '/etc/apf/allow_hosts.rules' file with your favorite editor.

# vi /etc/apf/allow_hosts.rules
#ADD THE FOLLOWING LINE
----
tcp:in:d=Port:s=xxx.xxx.xxx.xxx
----

Replace xxx.xxx.xxx.xxx with the IP address and Port with the port number.
Example:

tcp:in:d=22:s=202.5.1.3

Step III: Close the door for other IPs on that port.
Open the APF configuration file and remove the port entry from "IG_TCP_CPORTS".

# vi /etc/apf/conf.apf
---
IG_TCP_CPORTS="20,21,25,53,80,110,143,443,3306"
---

Step IV: Restart APF.

apf -r

That’s it!! 🙂

Arunlal Ashok

Linux Server Administrator. I have been dealing with Linux servers since 2012. I started this blog to share and discuss my ideas with the world. Check My Profile!! on uPwork (oDesk) and let me know if you need any assistance. Thanks!!
