I've got a haproxy server with csf listening on port 2222, forwarding some ssh to a remote server on port 22 (inside a private VPN, which is why haproxy is forwarding ssh). I've got our office IP in csf.allow, and port 22 in TCP_OUT in csf.conf.
What I want is to not list port 2222 in TCP_IN but still be able to connect from the whitelisted IP (our office). I thought that was the expected behaviour with my setup, but I'm being filtered.
PS: If I list 2222 in TCP_IN it works, but I only want our office IP to be able to connect through that port (and others I've got the same problem with).
Chain num pkts bytes target prot opt in out source destination
No matches found for xx.xx.xx.xx in ip6tables
csf.allow: xx.xx.xx.xx
Where xx.xx.xx.xx is our office IP.
It's listed in csf.allow (tested both listing the IP and "tcp|in|d=2222|s=<office ip>" as you suggested). As I said, the port I want to reach is not listed in TCP_OUT, but as the source IP is whitelisted this should be working, right?
OK, this was Azure related, not csf related. Azure monitors some of my ports for load balancing. If I don't allow Azure's IPs too, the server appears closed to the Azure monitor, so their firewall (not csf) begins to drop packets to that target.
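For readers who land here trying to work out what a csf.allow "advanced" entry such as tcp|in|d=2222|s=<office ip> actually asks the firewall for, here is an added example (not code from the thread, and not CSF's own implementation): a small POSIX sh function that translates csf.allow lines into the equivalent iptables ACCEPT rule and prints it as a dry run. The field format it parses (proto|direction|s/d=port|s/d=ip, with underscores for port ranges and # starting a comment) follows the csf.allow syntax; the sample IP 203.0.113.10 is a constructed placeholder for the office IP. It only prints rules, it never applies them.

```shell
#!/bin/sh
# Added example: map csf.allow entries to the iptables rule they describe.
# Dry run only: nothing is applied. Chain names INPUT/OUTPUT are used for
# readability; csf's real ruleset inserts allow rules into its own
# ALLOWIN/ALLOWOUT chains, which are evaluated before the TCP_IN port rules.

csf_allow_to_iptables() {
    line=$1
    # Strip a trailing "# comment" and surrounding whitespace.
    line=${line%%#*}
    line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    [ -z "$line" ] && return 0

    case $line in
        *\|*) ;;   # advanced syntax, handled below
        *)
            # A bare IP or CIDR in csf.allow is permitted in both directions.
            printf 'iptables -I INPUT -s %s -j ACCEPT\n' "$line"
            printf 'iptables -I OUTPUT -d %s -j ACCEPT\n' "$line"
            return 0 ;;
    esac

    # Split "proto|dir|field|field..." on the pipe character.
    old_ifs=$IFS; IFS='|'
    set -- $line
    IFS=$old_ifs
    proto=$1; dir=$2; shift 2
    sport=""; dport=""; sip=""; dip=""

    for f in "$@"; do
        key=${f%%=*}; val=${f#*=}
        # Digits (and "_" for ranges) mean a port; anything else is an address.
        case $val in
            *[!0-9_]*) kind=ip ;;
            *) kind=port; val=$(printf '%s' "$val" | tr '_' ':') ;;
        esac
        case "$key:$kind" in
            s:port) sport=$val ;;
            d:port) dport=$val ;;
            s:ip)   sip=$val ;;
            d:ip)   dip=$val ;;
            *) printf 'unrecognised field: %s\n' "$f" >&2; return 1 ;;
        esac
    done

    case $dir in
        in)  chain=INPUT ;;
        out) chain=OUTPUT ;;
        *)   printf 'unknown direction: %s\n' "$dir" >&2; return 1 ;;
    esac

    rule="iptables -I $chain -p $proto"
    [ -n "$sip" ]   && rule="$rule -s $sip"
    [ -n "$dip" ]   && rule="$rule -d $dip"
    [ -n "$sport" ] && rule="$rule --sport $sport"
    [ -n "$dport" ] && rule="$rule --dport $dport"
    printf '%s\n' "$rule -j ACCEPT"
}

# Constructed csf.allow entries: the office IP for the haproxy port only,
# plus a bare IP entry for comparison.
csf_allow_to_iptables 'tcp|in|d=2222|s=203.0.113.10 # office, haproxy ssh forward'
csf_allow_to_iptables '203.0.113.10'
```

The first entry is the narrow one the thread is after: tcp from the office IP to destination port 2222 is accepted without 2222 appearing in TCP_IN, while every other source still hits the default port filtering. The bare-IP form is much broader (all ports, both directions), so prefer the advanced form when you only need one service reachable. After reloading csf, `csf -g <office ip>` shows which chains the address actually landed in; if it is present there and the connection still fails, look outside csf (as the Azure load-balancer health probes turned out to be here).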