Control Web Panel
Security => CSF Firewall => Topic started by: AdventureTime on March 09, 2022, 04:10:53 PM
-
Hello,
I believe this is my first post for the year 2022, and I must say I am delighted with how easy CWP makes everything. Although I can't get nginx with PHP-fpm to work without a CWP Pro account, I plan to support this unique and hassle-free cPanel-like experience. However, I also needed to have a VPN, so I decided to post my inquiry here.
I am a fan of WireGuard; ever since I tried it out, I have stuck with it instead of OpenVPN. I tried the scripts of Nyr (https://github.com/Nyr/wireguard-install) and angristan (https://github.com/angristan/wireguard-install) to install WireGuard, and none of them worked after installing CWP and activating the three security features: Mod Security, Firewall, and Hidden Processes.
The good news is that before installing CWP, all of them worked fine. During the installation of WireGuard, I noticed the port is 51820, so I wonder how to allow it in CWP.
Thanks!
-
- You can't have php-fpm without a pro license.
- To open a port in the firewall, edit /etc/csf/csf.conf
Find TCP_IN, TCP_OUT, UDP_IN, UDP_OUT and put the port there, depending on whether the port is TCP/UDP and whether it should be in input or output, then restart the firewall.
- Check in Admin CP if the scripts are getting blocked by Mod_security:
Security - Security Center - Security incidents tab.
-
- You can't have php-fpm without a pro license.
- To open a port in the firewall, edit /etc/csf/csf.conf
Find TCP_IN, TCP_OUT, UDP_IN, UDP_OUT and put the port there, depending on whether the port is TCP/UDP and whether it should be in input or output, then restart the firewall.
- Check in Admin CP if the scripts are getting blocked by Mod_security:
Security - Security Center - Security incidents tab.
Thank you. Could you guide me on what to write in the csf.conf file?
Also, what should I do if I see it under Mod_Security?
-
UDP_IN and UDP_OUT should have port 51194 added to start, then restart the firewall with csf -r
-
- You can't have php-fpm without a pro license.
I just got my license for the entire year ;D I am thrilled.
(https://i.imgur.com/WKlbJKg.png)
(https://i.imgur.com/MdGUhPj.png)
I am delighted to support this excellent app.
UDP_IN and UDP_OUT should have port 51194 added to start, then restart the firewall with csf -r
Thank you for this!
-
- You can't have php-fpm without a pro license.
- To open a port in the firewall, edit /etc/csf/csf.conf
Find TCP_IN, TCP_OUT, UDP_IN, UDP_OUT and put the port there, depending on whether the port is TCP/UDP and whether it should be in input or output, then restart the firewall.
- Check in Admin CP if the scripts are getting blocked by Mod_security:
Security - Security Center - Security incidents tab.
UDP_IN and UDP_OUT should have port 51194 added to start, then restart the firewall with csf -r
Thank you for your replies. I have carefully followed your instructions.
I have opened the port 5180 by editing the file.
(https://i.imgur.com/l3EwgbQ.png)
I have edited the file and restarted the whole server just to be sure.
Apparently, it still does not work. I noticed every time I connect on my phone to the VPN, the listening port changes.
(https://i.imgur.com/EZw1PRO.png)
(https://i.imgur.com/7FqDOPG.png)
Now I have tried to use this script (https://github.com/Nyr/openvpn-install) to switch over to OpenVPN; I opened UDP 1194 and it still does not work.
I'm thinking of installing the script first then installing CWP after. Do you think that would work?
-
If you are able to connect to it, then it is indeed working. What exactly are you trying to accomplish? BTW, you can put ports 1:65530 in both TCP_OUT and UDP_OUT to not block any outgoing connections from your server (not advised, but good for troubleshooting).
-
If you are able to connect to it, then it is indeed working. What exactly are you trying to accomplish? BTW, you can put ports 1:65530 in both TCP_OUT and UDP_OUT to not block any outgoing connections from your server (not advised, but good for troubleshooting).
I would like to utilize the VPS server that I am renting by hosting my website on it and using that machine to encrypt my connection through a VPN when I am connected to public WiFi networks.
I was not aware it is possible to put a range of ports.
I could "send" data but not "receive" data.
-
If you want to utilize it as a "proxy" server, you need to configure the firewall to allow WireGuard to access the internet through masquerading. I'm not sure what guide you used, but here is a good example:
https://www.smarthomebeginner.com/linux-wireguard-vpn-server-setup/
-
If you want to utilize it as a "proxy" server, you need to configure the firewall to allow WireGuard to access the internet through masquerading. I'm not sure what guide you used, but here is a good example:
https://www.smarthomebeginner.com/linux-wireguard-vpn-server-setup/
This is the script that I used: https://github.com/Nyr/wireguard-install
And the author replied to me; this is what he said.
(https://i.imgur.com/iNDtrpw.png)
-
And there is your problem: CWP removes firewalld and installs the CSF firewall. Please do the following:
yum remove firewalld
nano /etc/csf/csfpost.sh (and add the following script)
#!/bin/bash
# bash rather than sh, because of the [[ ]] test below.
# $port, $ip_number and $ip6_number are variables of the installer script;
# csfpost.sh does not define them, so they need values before these lines run.
# Nth non-loopback IPv4 address of the server (N = $ip_number)
ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sed -n "$ip_number"p)
# Nth global IPv6 address (2xxx:/3xxx:), N = $ip6_number
ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$ip6_number"p)
# NAT: traffic from tunnel clients leaving for anywhere outside the tunnel goes out under the public IPv4
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
# accept WireGuard packets on its UDP listen port
/usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPT
# forward tunnel client traffic, and the replies to it
/usr/sbin/iptables -I FORWARD -s 10.7.0.0/24 -j ACCEPT
/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# same rules for IPv6, only if the server has a global IPv6 address
if [[ -n "$ip6" ]]; then
/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
/usr/sbin/ip6tables -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
chmod 700 /etc/csf/csfpost.sh
csf -r
Then you should have WireGuard working.
-
And there is your problem: CWP removes firewalld and installs the CSF firewall. Please do the following:
yum remove firewalld
nano /etc/csf/csfpost.sh (and add the following script)
ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sed -n "$ip_number"p)
ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$ip6_number"p)
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
/usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPT
/usr/sbin/iptables -I FORWARD -s 10.7.0.0/24 -j ACCEPT
/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
if [[ -n "$ip6" ]]; then
/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
/usr/sbin/ip6tables -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
chmod 700 /etc/csf/csfpost.sh
csf -r
Then you should have WireGuard working.
You know what, I honestly appreciate what you did, man!
However, I am still a noob. Could you please explain what is happening with the code you wrote?
-
CSF firewall uses its configuration file to write the iptables rules. But it does not have the ability to do masquerading built in. So they have a call in their program to look for two files, csfpre.sh and csfpost.sh, where you can customize rules for the firewall that it cannot do itself. If you read the script, line by line:
ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sed -n "$ip_number"p)
ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$ip6_number"p)
This gets the "global" IPs for IPv6 and IPv4. It makes sure that they are not the loopback or private IPs.
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
This line is what allows your VPN IPs access to the internet.
/usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPT
Actually, delete this line. It's redundant with opening the port in csf.conf.
/usr/sbin/iptables -I FORWARD -s 10.7.0.0/24 -j ACCEPT
/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
These two lines are what allow you to communicate with the server itself and completely bypass the firewall, giving you full access to all ports.
if [[ -n "$ip6" ]]; then
/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
/usr/sbin/ip6tables -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
Similar to the IPv4 block, but it makes sure that we have a global IPv6 address; if not, it does not execute.
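The csfpost.sh script above and its line-by-line explanation can be turned into a version that survives repeated csf -r runs and only needs the values CSF does not provide. This is an added example, not code from the thread or from the wireguard-install project; it assumes the 10.7.0.0/24 tunnel subnet from the thread, a public interface named eth0 (placeholder), and IPv4 only (the IPv6 half mirrors it with ip6tables), and the helper names wan_ip, wg_rules, ensure_rule and csf_udp_in_has are my own.

```shell
#!/bin/sh
# Added example (not code from the thread or from wireguard-install): an
# idempotent /etc/csf/csfpost.sh for a WireGuard server behind CSF, IPv4 only.
# Assumptions: tunnel subnet 10.7.0.0/24 (as in the thread) and public
# interface eth0 (placeholder; check `ip route`). The WireGuard UDP port is
# opened through UDP_IN in csf.conf, not here.
set -u
WG_NET=10.7.0.0/24
WAN_IF=eth0
IPT=/usr/sbin/iptables
# Public IPv4: the source address of the default route, a single value
# (grepping `ip addr` can return several lines).
wan_ip() {
    ip -4 route get 1.1.1.1 2>/dev/null | sed -n 's/.* src \([0-9.]*\).*/\1/p' | head -n 1
}
# One rule per line as "table chain args...". FORWARD is limited to the WAN
# interface, so clients get internet access but no forwarded path to other
# interfaces; traffic to the server itself still goes through INPUT and CSF.
wg_rules() {
    net=$1; wan=$2; pub=$3
    printf '%s\n' \
        "nat POSTROUTING -s $net ! -d $net -o $wan -j SNAT --to-source $pub" \
        "filter FORWARD -s $net -o $wan -j ACCEPT" \
        "filter FORWARD -d $net -i $wan -m state --state RELATED,ESTABLISHED -j ACCEPT"
}
# Append only when absent: CSF runs csfpost.sh on every `csf -r`, and a plain
# -A/-I would add a duplicate rule each time.
ensure_rule() {
    table=$1; shift
    $IPT -t "$table" -C "$@" 2>/dev/null || $IPT -t "$table" -A "$@"
}
# True when csf.conf lists the port as an exact UDP_IN entry (ranges such as
# 1:65530 are not expanded).
csf_udp_in_has() {
    sed -n 's/^UDP_IN *= *"\([^"]*\)".*/\1/p' "$2" | tr ',' '\n' | grep -qx "$1"
}
apply_rules() {
    pub=$(wan_ip)
    [ -n "$pub" ] || { echo "csfpost.sh: cannot determine public IPv4" >&2; return 1; }
    wg_rules "$WG_NET" "$WAN_IF" "$pub" | while read -r table args; do
        ensure_rule "$table" $args   # $args is split on purpose, one word per argument
    done
}
# Apply for real only as root with iptables present; otherwise print the rules.
if [ "$(id -u)" = 0 ] && [ -x "$IPT" ]; then
    apply_rules
else
    pub=$(wan_ip); wg_rules "$WG_NET" "$WAN_IF" "${pub:-PUBLIC_IP}"
fi
```

The csf_udp_in_has helper checks the other half of the setup from this thread, that the WireGuard port is an entry in UDP_IN of /etc/csf/csf.conf, which is where the INPUT rule belongs instead of csfpost.sh.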
-
I am sorry, it's confusing which files to edit. Do I just edit the csf.conf or csfpost.sh?
I added all of the lines in /etc/csf/csfpost.sh <-- by the way, this path does not work. I edited the file using the CWP Control Panel.
And I tried to remove this:
/usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPT
...and apparently, it still does not work.
-
That line is in the script /etc/csf/csfpost.sh. It's going to throw an error because the variable $port is not set, but it should work.
-
That line is in the script /etc/csf/csfpost.sh. It's going to throw an error because the variable $port is not set, but it should work.
Hello, apparently it does not work, sorry.
I asked for help from the maker of the WireGuard script, and this is what he said:
I am not familiar with CSF, but the following are indeed relevant rules for OpenVPN:
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
/usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPT
/usr/sbin/iptables -I FORWARD -s 10.7.0.0/24 -j ACCEPT
/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
If your server has IPv6, the following are also required:
/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
/usr/sbin/ip6tables -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
You need to replace the words starting with $. For example, $ip should be your public IPv4 address, and $port the port you selected during setup.
As I said I am not familiar with CSF, but a tiny bit of research indicates that you can likely add the commands above to /etc/csf/csfpost.sh and then restart CSF with csf -r
I have no idea what he was saying, although I think it is something important?
Or, is there a way to install CWP and not remove the firewalld thing?
-
What he's saying is that $ip needs to be replaced with your actual global IP,
$port needs to be your WireGuard port,
$ip6 needs to be your global IP for IPv6.
-
What he's saying is that $ip needs to be replaced with your actual global IP,
$port needs to be your WireGuard port,
$ip6 needs to be your global IP for IPv6.
Can we tweak it to work with the csfpost.sh script?
-
That line is in the script /etc/csf/csfpost.sh. It's going to throw an error because the variable $port is not set, but it should work.
Do I put $port = [enter port number] or directly put the port 5108?
-
That line is in the script /etc/csf/csfpost.sh. It's going to throw an error because the variable $port is not set, but it should work.
$port=51820; <--- is this right? Actually, it still does not work.
I tried dnf remove firewalld -y and dnf install firewalld -y, then the WireGuard script, then added the lines and ran csf -r, but it still does not work.
-
He's saying the line should be
/usr/sbin/iptables -I INPUT -p udp --dport 51820 -j ACCEPT
however, putting
port='51820'
at the beginning of the script should have the same effect.
-
He's saying the line should be
/usr/sbin/iptables -I INPUT -p udp --dport 51820 -j ACCEPT
however, putting
port='51820'
at the beginning of the script should have the same effect.
Oh sorry. I guess $port=51820; would not work because I thought bash scripts were similar to PHP.
Unfortunately, it still does not work.
Did I do the right thing by removing and installing firewalld first?
Would you be interested in actually accessing the server itself? :)
-
That line is in the script /etc/csf/csfpost.sh. It's going to throw an error because the variable $port is not set, but it should work.
Sorry for the late reply. I appreciate your efforts! However, to make things a little less complicated, I just purchased a VPN subscription from PureVPN since they have a partnership with LowEndBox, so I got a good deal and discount for five years. I figured I would mainly use this VPS for hosting sites, which CWP is designed to do.