You can add custom iptables rules to CSF that are applied before or after csf configures iptables by creating the files /etc/csf/csfpre.sh and /etc/csf/csfpost.sh and putting the iptables commands into one or the other.
When you restart csf you can see the following:
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
Running /etc/csf/csfpost.sh
For example:
When enabling a port, don't enable it in the csf.conf file. Instead, create the file /etc/csf/csfpost.sh and add the iptables rule there, so that it is executed every time csf is restarted.
To enable a port incoming
-------------------------
iptables -I INPUT -s 0/0 -p tcp --dport 995 -j ACCEPT
Outgoing
--------
iptables -I OUTPUT -s 0/0 -p tcp --dport 995 -j ACCEPT
This way csf.conf is left unaltered.
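The two rules above can be written up as a complete csfpost.sh. The script below is an added example, not taken from the original page or from CSF itself; it assumes a hypothetical port list (995, as in the text), and it adds two things the one-liners do not have: a dry-run mode that prints the commands instead of running them when the script is not root or cannot reach netfilter, and an `iptables -C` check so an identical rule is not inserted twice when the script is run by hand. The incoming rule goes into INPUT and the outgoing rule into OUTPUT; the `-s 0/0` from the one-liners matches every source and is dropped as redundant.

```shell
#!/bin/sh
# Hypothetical contents for /etc/csf/csfpost.sh (added example, not from the
# original page or from CSF). csf runs this file after it has built its own
# chains, so rules inserted here land in front of LOGDROPIN/LOGDROPOUT and
# are re-applied on every "csf -r" without touching csf.conf.
set -eu

# TCP ports to open for both incoming and outgoing connections
# (constructed example value: 995, POP3 over TLS).
TCP_PORTS="995"

# Talk to the real iptables only when we actually can; otherwise print the
# commands instead, so the script can be reviewed on a workstation.
IPTABLES=${IPTABLES:-iptables}
DRY_RUN=0
if [ "$(id -u)" -ne 0 ] || ! "$IPTABLES" -S INPUT >/dev/null 2>&1; then
    IPTABLES="echo iptables"
    DRY_RUN=1
fi

# Rule body for one TCP port in one chain, shared by the check (-C) and the
# insert (-I) so the two can never drift apart.
tcp_rule() {
    chain=$1
    port=$2
    printf '%s -p tcp --dport %s -j ACCEPT' "$chain" "$port"
}

# Insert the rule unless an identical one is already present, which makes
# the script safe to run by hand as well as from csf.
ensure_rule() {
    rule=$(tcp_rule "$1" "$2")
    # shellcheck disable=SC2086  # word-splitting of $rule is intended
    if [ "$DRY_RUN" -eq 0 ] && $IPTABLES -C $rule 2>/dev/null; then
        return 0   # identical rule already in the chain
    fi
    $IPTABLES -I $rule
}

open_ports() {
    for port in $TCP_PORTS; do
        ensure_rule INPUT "$port"    # clients connecting to this server
        ensure_rule OUTPUT "$port"   # this server connecting out
    done
}

open_ports
```

Run as a regular user the script only echoes the iptables commands, which is a convenient way to review it before copying it to /etc/csf/csfpost.sh. Keep it POSIX sh: csf executes the file for you, and a bash-only construct would show up as an error in the "Running /etc/csf/csfpost.sh" step of the csf -r output.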
When allowing a port for a specific IP, do that in the csf.allow file. Don't make changes to the csf.conf file: global changes that need to be applied to all servers are made through Puppet, so that all servers keep an identical config.
When we run csf -r we can see it executing, like below:
PS: Please check for errors while restarting CSF.
===========
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
Restarting bandmin acctboth chains for cPanel
acctboth all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
acctboth all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
acctboth all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
acctboth all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
Running /etc/csf/csfpost.sh
===========