Whitelisted IP being filtered

Posted: 03 Nov 2015, 12:56
by roirm
Hi,

I've got a haproxy server with csf listening on port 2222, forwarding some ssh traffic to a remote server on port 22 (inside a private VPN, that's why the haproxy is forwarding ssh). I've got our office IP in csf.allow, and port 22 in TCP_OUT in csf.conf.

What I want is to not list port 2222 in TCP_IN but still be able to connect from the whitelisted IP (our office). I thought that was the expected behaviour with my setup, but I'm being filtered :(

PS: If I list 2222 in TCP_IN it works, but I only want our office IP to be able to connect through that port (and others I've got the same problem with).

Any clue?

Re: Whitelisted IP being filtered

Posted: 03 Nov 2015, 13:28
by roirm
I managed to make it work. I had a comment after the IP in csf.allow separated by a tab instead of a single space, as the documentation specifies.

Re: Whitelisted IP being filtered

Posted: 03 Nov 2015, 13:31
by roirm
Sorry, it still doesn't work. I just tested too quickly after editing and restarting.

Re: Whitelisted IP being filtered

Posted: 03 Nov 2015, 14:19
by marcele
Use csf --grep to see the iptables rules:

eg:
# csf --grep <office ip> (Should show you if the IP address is whitelisted).

CSF supports advanced rules. You should be able to allow only your office IP to connect to port 2222.

eg. Add this line to /etc/csf/csf.allow (replace <office ip> with your office IP address):

tcp|in|d=2222|s=<office ip>
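
As an added illustration (not csf's own code, and a deliberately simplified model of how it matches), here is a small Python parser for csf.allow entries in both the plain IP form and the advanced tcp|in|d=port|s=ip form described above, with a check that reports whether a given connection would be allowed. The sample entries, addresses and comments are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplified model of two csf.allow entry styles (not csf's own parser):
#   plain:    203.0.113.10 # comment              -> any proto/port/direction
#   advanced: tcp|in|d=2222|s=203.0.113.10 # comment -> proto, direction, port, peer
@dataclass
class AllowRule:
    proto: Optional[str] = None      # "tcp" / "udp" / None = any
    direction: Optional[str] = None  # "in" / "out" / None = any
    port: Optional[int] = None       # port on this host, None = any
    peer: Optional[ipaddress.IPv4Network] = None  # remote address, None = any
    comment: str = ""

def parse_allow_line(line: str) -> Optional[AllowRule]:
    """Parse one csf.allow line; returns None for blank or comment-only lines."""
    body, _, comment = line.partition("#")   # comment may follow a space or a tab
    body = body.strip()
    if not body:
        return None
    rule = AllowRule(comment=comment.strip())
    if "|" not in body:                      # plain IP or CIDR entry
        rule.peer = ipaddress.ip_network(body, strict=False)
        return rule
    proto, direction, *fields = body.split("|")
    rule.proto, rule.direction = proto.lower(), direction.lower()
    for field in fields:                     # d=<port> and s=/d=<ip> (assumed forms)
        _, _, value = field.partition("=")
        if value.isdigit():
            rule.port = int(value)
        else:
            rule.peer = ipaddress.ip_network(value, strict=False)
    return rule

def is_allowed(rules, peer_ip: str, port: int, proto="tcp", direction="in") -> bool:
    """True if any rule matches this connection (first match wins, like iptables)."""
    peer = ipaddress.ip_address(peer_ip)
    for r in rules:
        if r.proto not in (None, proto) or r.direction not in (None, direction):
            continue
        if r.port is not None and r.port != port:
            continue
        if r.peer is not None and peer not in r.peer:
            continue
        return True
    return False

# Constructed sample csf.allow (203.0.113.0/24 is a documentation range)
SAMPLE_ALLOW = """\
203.0.113.10 # main office: plain entry, every port, in and out
tcp|in|d=2222|s=203.0.113.0/28 # second office: only the ssh relay port
"""
RULES = [r for r in map(parse_allow_line, SAMPLE_ALLOW.splitlines()) if r]
```

Running is_allowed(RULES, "203.0.113.5", 22) returns False while the same peer on port 2222 returns True, which is the behaviour the advanced entry is meant to give.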

Re: Whitelisted IP being filtered

Posted: 03 Nov 2015, 14:54
by roirm
Output of csf --grep:
Chain num pkts bytes target prot opt in out source destination
ALLOWIN 2 1228 144K ACCEPT all -- !lo * xx.xx.xx.xx 0.0.0.0/0
ALLOWOUT 1 796 238K ACCEPT all -- * !lo 0.0.0.0/0 xx.xx.xx.xx

ip6tables:

Chain num pkts bytes target prot opt in out source destination
No matches found for xx.xx.xx.xx in ip6tables

csf.allow: xx.xx.xx.xx
Where xx.xx.xx.xx is our office IP.
It's listed in csf.allow (tested both listing the IP and "tcp|in|d=2222|s=<office ip>" as you suggested). As I said, the port I want to reach is not listed in TCP_OUT, but as the source IP is whitelisted this should be working, right?

Re: Whitelisted IP being filtered

Posted: 03 Nov 2015, 17:48
by roirm
Ok, this was Azure related, not csf related. Azure monitors some of my ports for load-balancing. If I don't allow Azure's IPs too, the server seems closed to Azure's monitor, so their firewall (not csf) begins to drop packets to that target.

Thank you.