csf-VPN

--

Making CSF work with OpenVPN

nano /etc/csf/csfpre.sh

If the file does not exist, you can create it. If it already exists, you should append to it.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.45.67.89

CSF ports to allow: TCP 443, TCP 943, UDP 1194


nano /etc/csf/csf.conf

And add the above ports to the lines:


TCP_IN, TCP_OUT, UDP_IN, and UDP_OUT

Save, then restart CSF and you're done:


csf -r

These rules in csfpre.sh will break many services on WHM/cPanel servers, mail servers, etc.

Use this instead, replacing tun0, eth0 and 10.8.0.0/24 with the values specific to your server if they differ:

iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

                                       ------------------ X -----------------------

Configure CSF To Play Nice With OpenVPN

We need to do a little extra work for these two to play nice.

nano /etc/csf/csfpre.sh

Paste the following into that file:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123

Note: replace 123.123.123.123 with your actual server IP. Save, exit, and restart CSF:

csf -r

Add The OpenVPN Port And Remove Others

nano /etc/csf/csf.conf

The first option you will see is TESTING = "1". Change it to TESTING = "0".

Now scroll down until you see the port lines. Remove all ports except 22 (SSH) and add port 1194, which is the OpenVPN port if you kept the default on install. It should look like this when done:

# Allow incoming TCP ports
TCP_IN = "22,1194"

# Allow outgoing TCP ports
TCP_OUT = "22,1194"

# Allow incoming UDP ports
UDP_IN = "1194"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "1194"
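Editing the port lists by hand is fine once, but it is easy to add a port twice or to edit the wrong line. The following helper is an added example, not part of the original notes: it reads a csf.conf-style `KEY = "a,b,c"` line, appends a port only if it is not already listed, and flips TESTING to "0". The sample configuration it writes is a constructed excerpt, not a real csf.conf, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the page): idempotent edits to csf.conf port lists.
# Function names and the sample config are assumptions made for the example.
set -eu

# make_sample_conf FILE -> write a constructed excerpt of /etc/csf/csf.conf.
make_sample_conf() {
    cat >"$1" <<'EOF'
# constructed excerpt for the example; a real csf.conf lists many more ports
TESTING = "1"
# Allow incoming TCP ports
TCP_IN = "22"
# Allow outgoing TCP ports
TCP_OUT = "22"
# Allow incoming UDP ports
UDP_IN = ""
# Allow outgoing UDP ports
UDP_OUT = ""
EOF
}

# csf_get_list FILE KEY -> print the comma-separated list for KEY (may be empty).
csf_get_list() {
    sed -n "s/^$2 = \"\([^\"]*\)\".*/\1/p" "$1"
}

# csf_has_port FILE KEY PORT -> exit 0 if PORT (or a range like 33434:33523)
# is already an exact entry in KEY's list.
csf_has_port() {
    csf_get_list "$1" "$2" | tr ',' '\n' | grep -qx -- "$3"
}

# csf_add_port FILE KEY PORT -> append PORT to KEY's list unless present.
# Fails loudly if KEY has no line, rather than silently doing nothing.
csf_add_port() {
    local cur new tmp
    grep -q "^$2 = \"" "$1" || { echo "csf_add_port: no $2 line in $1" >&2; return 1; }
    if csf_has_port "$1" "$2" "$3"; then
        return 0                      # already allowed, nothing to do
    fi
    cur=$(csf_get_list "$1" "$2")
    if [ -z "$cur" ]; then new=$3; else new="$cur,$3"; fi
    tmp=$(mktemp)
    sed "s/^$2 = \"[^\"]*\"/$2 = \"$new\"/" "$1" >"$tmp" && mv "$tmp" "$1"
}

# csf_set_testing FILE 0|1 -> set the TESTING flag (must be 0 for CSF to enforce).
csf_set_testing() {
    local tmp
    tmp=$(mktemp)
    sed "s/^TESTING = \"[01]\"/TESTING = \"$2\"/" "$1" >"$tmp" && mv "$tmp" "$1"
}

# Stand-alone run: apply the page's OpenVPN ports to the sample file and show it.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_conf "$f"
    csf_set_testing "$f" 0
    for key in TCP_IN TCP_OUT UDP_IN UDP_OUT; do csf_add_port "$f" "$key" 1194; done
    cat "$f"
    rm -f "$f"
fi
```

Run it with `--demo` to see the edited excerpt; against the real file, call `csf_add_port /etc/csf/csf.conf TCP_IN 1194` for each key and then `csf -r` as the notes say. Because `csf_has_port` matches whole entries, adding 1194 does not collide with an existing 11940, and re-running the script leaves the file unchanged.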

Save, exit, and restart CSF. 

--

PPTP VPN with CSF firewall

1) type the following command:

nano /etc/csf/csfpre.sh

2) Put the following into the file:

iptables -A INPUT -i venet0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i venet0 -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.84.1.0/24 -j SNAT --to-source ww.xx.yy.zz
iptables -A FORWARD -i ppp+ -o venet0 -j ACCEPT
iptables -A FORWARD -i venet0 -o ppp+ -j ACCEPT

Note: ww.xx.yy.zz is your VPS/server IP, and 10.84.1.0/24 is the range you allocated to PPTP clients.

3) Type:

nano /etc/csf/csfpost.sh

4) Put the following there:

service pptpd stop

service pptpd start

Restart your VPS, connect to it and enjoy. Also make sure port 1723 is open in CSF.
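Both csfpre.sh rule sets on this page (the tun0 OpenVPN set that replaces the blanket FORWARD REJECT and catch-all SNAT, and the PPTP set with GRE and ppp+ forwarding) hard-code interface names, subnets and the public IP, and they append with `-A` every time the script runs. The script below is an added example, not code from the original notes: it renders each set from parameters, appends a rule only when `iptables -C` says an identical one is not already present, and checks that the kernel actually has IP forwarding enabled, since without `net.ipv4.ip_forward = 1` the FORWARD and NAT rules pass no client traffic. The function names, the `DRY_RUN`/`TUN_IF`/`WAN_IF`/`VPN_NET` variables and the 203.0.113.5 address in the usage note are my assumptions.

```shell
#!/bin/sh
# Added example (not from the page): parameterised csfpre.sh rule sets with a
# duplicate guard. Variable and function names are assumptions for the example.
set -eu

# Rule format, one per line: "<table> <chain> <match and target arguments>".
# openvpn_rules TUN_IF WAN_IF VPN_NET -> the corrected OpenVPN set from the page.
openvpn_rules() {
    cat <<EOF
filter INPUT -i $1 -j ACCEPT
filter OUTPUT -o $1 -j ACCEPT
filter FORWARD -i $1 -o $2 -j ACCEPT
filter FORWARD -i $2 -o $1 -j ACCEPT
nat POSTROUTING -s $3 -o $2 -j MASQUERADE
EOF
}

# pptp_rules WAN_IF PPTP_NET PUBLIC_IP -> the PPTP set from the page
# (TCP 1723 control channel, GRE tunnel, ppp+ forwarding, SNAT for clients).
pptp_rules() {
    cat <<EOF
filter INPUT -i $1 -p tcp --dport 1723 -j ACCEPT
filter INPUT -i $1 -p gre -j ACCEPT
filter OUTPUT -p gre -j ACCEPT
filter FORWARD -i ppp+ -o $1 -j ACCEPT
filter FORWARD -i $1 -o ppp+ -j ACCEPT
nat POSTROUTING -s $2 -j SNAT --to-source $3
EOF
}

# apply_rules: read rules on stdin; append each only if an identical rule is
# not already in the chain (-C), so re-running the script adds no duplicates.
# With DRY_RUN=1 the iptables command is printed instead of executed.
apply_rules() {
    local table chain args
    while read -r table chain args; do
        [ -n "$table" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "iptables -t $table -A $chain $args"
        elif ! iptables -t "$table" -C "$chain" $args 2>/dev/null; then
            iptables -t "$table" -A "$chain" $args
        fi
    done
}

# ip_forward_enabled -> exit 0 when the kernel will route between interfaces.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = "1" ]
}

# Stand-alone run (as root, or with DRY_RUN=1 to preview):
#   DRY_RUN=1 sh csfpre-example.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0; VPN clients will not reach the internet" >&2
    openvpn_rules "${TUN_IF:-tun0}" "${WAN_IF:-eth0}" "${VPN_NET:-10.8.0.0/24}" | apply_rules
fi
```

For the PPTP server, swap the last line for `pptp_rules venet0 10.84.1.0/24 203.0.113.5 | apply_rules` with your real interface and public address (203.0.113.5 is a documentation placeholder). The `-C` check matters because csfpre.sh is a shell script that CSF runs on every restart; if the chains are not flushed in between, plain `-A` lines silently stack identical rules.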

                        ------------------------X-----------------------

----------