csf-VPN
--
Making CSF work with OpenVPN
nano /etc/csf/csfpre.sh
If the file does not exist, you can create it. If it already exists, you should append to it.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.45.67.89
You may need to replace 10.8.0.0/24 with the VPN subnet you assigned to your OpenVPN server; on CentOS/RHEL it is typically set in /etc/openvpn/server.conf. 10.8.0.0/24 is the default.
If your network interface is named differently, replace eth0 as well. Run ifconfig to check.
Lastly, for this file, change 123.45.67.89 to your own server's public IP.
CSF ports to allow: TCP 443, TCP 943, UDP 1194
nano /etc/csf/csf.conf
And add the above ports to the lines:
TCP_IN, TCP_OUT, UDP_IN, and UDP_OUT
Save, and restart CSF and you’re done!
csf -r
These rules in csfpre.sh will break many services on WHM/cPanel servers, mail servers, etc.
Use the following instead, replacing tun0, eth0 and 10.8.0.0/24 with the values for your server if they differ:
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
------------------ X -----------------------
Configure CSF To Play Nice With OpenVPN
We need to do a little extra work for these 2 to play nice.
nano /etc/csf/csfpre.sh
Paste the following into that file:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123
Note: replace 123.123.123.123 with your actual server IP. Save, exit, and restart CSF.
csf -r
Add The OpenVPN Port And Remove Others
nano /etc/csf/csf.conf
The first option you will see is TESTING = "1". Change it to TESTING = "0".
Now scroll down until you see the port lines. Remove all ports except 22 (SSH) and add port 1194, which is OpenVPN's port if you kept the default setting on install. It should look like this when done:
# Allow incoming TCP ports
TCP_IN = "22,1194"
# Allow outgoing TCP ports
TCP_OUT = "22,1194"
# Allow incoming UDP ports
UDP_IN = "1194"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "1194"
Save, exit, and restart CSF.
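As an added example (not from these notes), the following POSIX shell script checks a csf.conf for the two settings the OpenVPN steps above depend on (TESTING = "0" and UDP 1194 in UDP_IN/UDP_OUT) and prints the "use this instead" csfpre.sh rules with the subnet and interfaces passed in as parameters instead of hard-coded. The sample csf.conf is constructed and the function names are my own.

```shell
# Added example, not part of the original notes: verify csf.conf for OpenVPN and
# generate the tun0/eth0 csfpre.sh rules from parameters. Sample conf is constructed.
# Print the quoted value of key $1 (e.g. TCP_IN) from csf.conf text on stdin.
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}
# Succeed if port $2 is covered by CSF list $1, e.g. "22,1194,30000:35000"
# (single ports or lo:hi ranges, as CSF writes them).
csf_list_has_port() {
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        case $entry in
            *:*) [ "$2" -ge "${entry%%:*}" ] && [ "$2" -le "${entry##*:}" ] && return 0 ;;
            "$2") return 0 ;;
        esac
    done
    return 1
}
# Read csf.conf on stdin; report what OpenVPN still needs: TESTING = "0" (else the
# csf cron job flushes the rules) and UDP 1194 in both UDP_IN and UDP_OUT.
check_csf_conf_for_openvpn() {
    conf=$(cat); rc=0
    [ "$(printf '%s\n' "$conf" | csf_get TESTING)" = "0" ] || { echo "TESTING is not 0"; rc=1; }
    for key in UDP_IN UDP_OUT; do
        csf_list_has_port "$(printf '%s\n' "$conf" | csf_get "$key")" 1194 || { echo "$key lacks 1194"; rc=1; }
    done
    return $rc
}
# Emit the "use this instead" csfpre.sh rules for VPN subnet $1, tun device $2 and
# WAN interface $3, refusing anything that is not a dotted CIDR or an interface name.
gen_csfpre_rules() {
    case $1 in *[!0-9./]*) echo "bad subnet: $1" >&2; return 1 ;; esac
    case $1 in *.*.*.*/[0-9]|*.*.*.*/[0-9][0-9]) ;; *) echo "bad subnet: $1" >&2; return 1 ;; esac
    for dev in "$2" "$3"; do
        case $dev in ''|*[!a-zA-Z0-9_+.-]*) echo "bad interface: $dev" >&2; return 1 ;; esac
    done
    printf 'iptables -A INPUT -i %s -j ACCEPT\n' "$2"
    printf 'iptables -A OUTPUT -o %s -j ACCEPT\n' "$2"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$2" "$3"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$3" "$2"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$3"
}
# Constructed sample: a csf.conf before the edits described in the notes above.
SAMPLE_BAD_CONF='TESTING = "1"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"'
printf '%s\n' "$SAMPLE_BAD_CONF" | check_csf_conf_for_openvpn || echo "sample csf.conf is not ready for OpenVPN"
gen_csfpre_rules 10.8.0.0/24 tun0 eth0
```

Run it against a real file with `check_csf_conf_for_openvpn < /etc/csf/csf.conf`; it exits non-zero and names each missing setting.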
--
PPTP VPN with CSF firewall
1) type the following command:
nano /etc/csf/csfpre.sh
2) Put the following into the file:
iptables -A INPUT -i venet0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i venet0 -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.84.1.0/24 -j SNAT --to-source ww.xx.yy.zz
iptables -A FORWARD -i ppp+ -o venet0 -j ACCEPT
iptables -A FORWARD -i venet0 -o ppp+ -j ACCEPT
Note: ww.xx.yy.zz is your VPS/server IP, and 10.84.1.0/24 is the subnet you allocated to PPTP.
3) Type:
nano /etc/csf/csfpost.sh
4) Put the following there:
service pptpd stop
service pptpd start
Restart your VPS, connect to it and enjoy. Also make sure port 1723 is open in CSF.
------------------------X-----------------------
----------