🔥 Managing CSF Firewall Rules on CentOS 8 with nftables

🚀 Introduction

CentOS 8, like RHEL 8, uses nftables as its packet-filtering framework. The iptables command is still installed, but it is the iptables-nft variant: it accepts iptables syntax and writes nftables rules into tables that the nft tool reports as managed by iptables-nft. ConfigServer Security & Firewall (CSF) was written against iptables and still drives the firewall by running iptables commands, so on CentOS 8 its rules reach the kernel through that compatibility layer rather than through the legacy ip_tables backend.

📌 Key Takeaways:

  • CentOS 8 does not ship iptables-legacy, so there is no supported way to revert to the old backend.

  • CSF keeps issuing iptables commands; iptables-nft translates them into nftables rules automatically.

  • Best practice: Let CSF manage firewall rules instead of modifying nftables manually.


🛠️ 1️⃣ The New Landscape: nftables on CentOS 8

🔍 What Changed?

Default Framework: CentOS 8 has fully migrated from iptables-legacy to nftables; the iptables binary is a front end that writes nftables rules.

✅ No iptables-legacy Package: unlike some other distributions, CentOS 8 does not provide a supported way to revert to iptables-legacy.

🎯 Why nftables?

🚀 Performance & Efficiency:

  • The whole ruleset is evaluated in one pass and replaced atomically, so a reload never leaves a half-applied policy.

  • Stateful filtering through conntrack, as with iptables.

  • Native sets and maps: a list of thousands of addresses becomes one rule with a set lookup instead of thousands of rules.

🛡️ Modern Firewall Management:

  • One syntax and one tool (nft) for IPv4, IPv6, ARP and bridge filtering.

  • Rulesets stay small and fast as the number of addresses grows, because lookups go through sets rather than long chains.


🔥 2️⃣ How CSF Operates with nftables

🔄 CSF and the Compatibility Layer

CSF was designed for iptables. On CentOS 8 it works through the iptables-nft compatibility layer rather than against the legacy iptables backend.

🔹 Automatic Translation: When you execute:

csf -r

CSF runs its usual iptables commands. On CentOS 8 the iptables binary is iptables-nft (iptables -V reports "(nf_tables)"), which converts each command into the equivalent nftables rule; CSF itself needs no nftables-specific configuration. To see what a given rule becomes, iptables-translate prints the nft equivalent of an iptables command line without applying it.

🔹 Managed Tables: When you inspect the ruleset with nft you may see warnings like:

# Warning: table ip filter is managed by iptables-nft, do not touch!

What This Means: iptables-nft owns that table on behalf of CSF. Rules you add with nft directly are invisible to CSF and can be wiped the next time csf -r regenerates the table, so manual modifications are discouraged.

🛑 Best Practices: Let CSF Manage the Firewall

🚫 Avoid Manual Changes:

  • Do NOT modify the auto-generated tables using nft or direct iptables commands.

  • Instead, make all adjustments via CSF’s configuration files.

Use CSF Commands:

csf -r            # Reload firewall rules from the configuration files
csf -g <ip|port>  # Search the loaded rules for an IP, CIDR or port number

🔧 3️⃣ Managing CSF Configuration on CentOS 8

📝 Making Adjustments via CSF

All modifications should be performed through CSF’s configuration files:

  • Main Configuration: /etc/csf/csf.conf

  • Allow/Deny Lists: /etc/csf/csf.allow & /etc/csf/csf.deny

🛠️ Whitelisting or Blacklisting IPs/Ports

To allow or block an address, edit the relevant file and reload CSF. Open and closed ports are not set here: they come from TCP_IN, TCP_OUT, UDP_IN and UDP_OUT in /etc/csf/csf.conf. An entry in csf.allow or csf.deny may be a bare IP or CIDR, or the more specific form tcp|in|d=22|s=203.0.113.5, which limits the entry to one port and direction. The shortcuts csf -a <ip> and csf -d <ip> append to csf.allow and csf.deny respectively and apply the rule immediately, so no separate reload is needed for them.

nano /etc/csf/csf.allow  # Whitelist IPs
nano /etc/csf/csf.deny   # Blacklist IPs
csf -r  # Apply changes
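The procedure above (validate the address, append it to csf.allow, reload) as a script, added here as an example and not taken from the article or from CSF's own tooling. It relies on CSF's advanced entry syntax proto|in|d=port|s=ip and on CSF's "# comment" suffix; the script name csf-allow.sh, the spec format proto:dir:port:ip and the CSF_ALLOW override (which lets the functions be exercised against a scratch file instead of /etc/csf/csf.allow) are assumptions for the example. It only runs csf -r when the file actually changed, which keeps repeated runs from reloading the firewall for nothing.

```shell
#!/bin/sh
# Added example (not from the original article or from CSF itself):
# add CSF allow entries idempotently, then reload CSF only if something changed.
# Assumptions: CSF's advanced csf.allow syntax "proto|dir|d=port|s=ip" and the
# "# comment" suffix; CSF_ALLOW can be pointed at a scratch file for testing.
CSF_ALLOW="${CSF_ALLOW:-/etc/csf/csf.allow}"

# is_ipv4 ADDR -> success if ADDR is a dotted quad with every octet in 0-255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# csf_allow_line PROTO DIR PORT SRC -> prints the csf.allow entry, e.g.
# "tcp|in|d=22|s=203.0.113.5"; fails on anything CSF would reject
csf_allow_line() {
    proto=$1; dir=$2; port=$3; src=$4
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case "$dir" in in|out) ;; *) echo "bad direction: $dir" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    is_ipv4 "$src" || { echo "bad source IP: $src" >&2; return 1; }
    printf '%s|%s|d=%s|s=%s\n' "$proto" "$dir" "$port" "$src"
}

# csf_allow_add LINE [COMMENT] -> appends LINE to $CSF_ALLOW unless an entry
# with the same rule text is already there (trailing "# comment" text is
# ignored when comparing). Prints "added" or "exists".
csf_allow_add() {
    line=$1; comment=${2:-}
    if [ -f "$CSF_ALLOW" ] && awk -v want="$line" '
            { sub(/[ \t]*#.*$/, ""); sub(/[ \t]+$/, ""); if ($0 == want) found = 1 }
            END { exit !found }' "$CSF_ALLOW"; then
        echo exists
        return 0
    fi
    if [ -n "$comment" ]; then
        printf '%s # %s\n' "$line" "$comment" >> "$CSF_ALLOW"
    else
        printf '%s\n' "$line" >> "$CSF_ALLOW"
    fi
    echo added
}

# add_spec "proto:dir:port:ip" -> validate, build the entry, add it
add_spec() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    line=$(csf_allow_line "$@") || return 1
    csf_allow_add "$line" "added by csf-allow.sh"
}

# Usage: csf-allow.sh tcp:in:22:203.0.113.5 udp:in:53:198.51.100.7
main() {
    need_reload=0
    for spec in "$@"; do
        result=$(add_spec "$spec") || exit 1
        echo "$spec: $result"
        [ "$result" = added ] && need_reload=1
    done
    if [ "$need_reload" -eq 1 ]; then
        csf -r    # CSF regenerates its iptables-nft managed tables from the files
    fi
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Because the comparison strips comments, an entry that csf -a already recorded with its own "# Manually allowed" note is recognised as present and not duplicated.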

🏗 Custom Rules in CSF

If you need firewall rules that CSF's configuration cannot express, do not add them with nft. CSF runs /etc/csf/csfpre.sh before loading its own rules and /etc/csf/csfpost.sh after; put iptables commands (not nft commands) in those scripts so they are regenerated with the rest of the ruleset on every csf -r and land in the same iptables-nft managed tables.


📊 4️⃣ Verifying Active Rules

Even though you shouldn’t modify nftables manually, it’s useful to review applied rules.

Run the following command to inspect the active ruleset:

nft list ruleset

🔍 What You’ll See:

  • Several tables, typically ip filter, ip raw, ip mangle and ip nat, plus their ip6 counterparts when IPV6 is enabled in csf.conf, each preceded by the iptables-nft warning comment.

  • Inside them, CSF’s chains (for example ALLOWIN, DENYIN and LOGDROPIN) with their rules rendered in nft syntax; an iptables rule such as -p tcp --dport 22 -j ACCEPT appears as "tcp dport 22 ... accept".

For CSF’s own view of the same rules, which is easier to match against csf.conf, use csf -l.
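A small checker for that review step, added here as an example and not part of the article or of CSF. It parses nft list ruleset output and reports whether an accept rule for a given port exists in ip filter INPUT, whether an address is present in CSF's ALLOWIN or DENYIN chain, and which tables carry the iptables-nft warning. The embedded ruleset is a constructed, abridged sample written for this example (not captured from a real host), so the exact token order iptables-nft emits on your system may differ; the parser only relies on the "proto dport PORT", "ip saddr ADDR" and trailing verdict tokens. The script name nft-check.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article or from CSF): verify that
# CSF's rules are really present in the nftables ruleset.

# Constructed sample of `nft list ruleset` on a CSF host (abridged, written
# for this example). Real output uses tabs; the parser ignores indentation.
SAMPLE_RULESET='# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        iifname "lo" counter packets 10 bytes 800 accept
        ct state related,established counter packets 0 bytes 0 accept
        counter packets 0 bytes 0 jump ALLOWIN
        meta l4proto tcp ct state new tcp dport 22 counter packets 0 bytes 0 accept
        meta l4proto tcp ct state new tcp dport 80 counter packets 0 bytes 0 accept
        counter packets 0 bytes 0 jump LOGDROPIN
    }
    chain ALLOWIN {
        ip saddr 203.0.113.5 counter packets 0 bytes 0 accept
    }
    chain DENYIN {
        ip saddr 198.51.100.9 counter packets 0 bytes 0 drop
    }
}
# Warning: table ip raw is managed by iptables-nft, do not touch!
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }
}'

# managed_tables RULESET -> one "family name" per line for every table that
# nft flags as owned by iptables-nft
managed_tables() {
    printf '%s\n' "$1" | sed -n 's/^# Warning: table \(.*\) is managed by iptables-nft.*/\1/p'
}

# find_rule RULESET TABLE CHAIN "TOKENS" VERDICT -> success if a rule inside
# TABLE/CHAIN contains the contiguous TOKENS and ends with VERDICT.
# Tracks the current table and chain from the "table ..." / "chain ..." / "}"
# lines so a rule in ALLOWIN is not mistaken for one in INPUT.
find_rule() {
    printf '%s\n' "$1" | awk -v want_table="$2" -v want_chain="$3" \
        -v tokens="$4" -v verdict="$5" '
        BEGIN { n = split(tokens, m, " ") }
        $1 == "table" { table = $2 " " $3; next }
        $1 == "chain" { chain = $2; next }
        $1 == "}"     { if (chain != "") chain = ""; else table = ""; next }
        table == want_table && chain == want_chain && $NF == verdict {
            for (i = 1; i + n - 1 <= NF; i++) {
                ok = 1
                for (j = 1; j <= n; j++) if ($(i + j - 1) != m[j]) { ok = 0; break }
                if (ok) { found = 1; exit }
            }
        }
        END { exit !found }'
}

# Convenience wrappers for the three checks an admin usually wants
port_accepted() { find_rule "$1" "ip filter" INPUT   "$2 dport $3"   accept; }
ip_allowed()    { find_rule "$1" "ip filter" ALLOWIN "ip saddr $2"   accept; }
ip_denied()     { find_rule "$1" "ip filter" DENYIN  "ip saddr $2"   drop;   }

# Usage: nft-check.sh 22 80 443  -> checks the live ruleset (needs root)
main() {
    live=$(nft list ruleset) || { echo "nft list ruleset failed (run as root?)" >&2; exit 1; }
    status=0
    for port in "$@"; do
        if port_accepted "$live" tcp "$port"; then
            echo "tcp/$port: accept rule present in ip filter INPUT"
        else
            echo "tcp/$port: NOT accepted; check TCP_IN in /etc/csf/csf.conf and run csf -r"
            status=1
        fi
    done
    exit "$status"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Comparing this against TCP_IN in csf.conf catches the common failure where a reload error left an old ruleset in place: the configuration says a port is open but no accept rule for it is loaded.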


🔥 5️⃣ Advantages of Using nftables with CSF

🛡️ Enhanced Security & Performance

Modern Syntax & Flexibility:

  • Supports sets, maps, and efficient rule processing.

  • Reduces the complexity of firewall configurations.

CSF Compatibility:

  • CSF needs no changes to run on nftables: it keeps issuing iptables commands, and iptables-nft carries them into the nftables ruleset.

  • Familiar CSF commands and configuration files keep working while the kernel side benefits from nftables' atomic updates and sets.

🎯 Streamlined Management

📌 Centralized Control:

  • Managing the firewall through CSF configuration files ensures that changes are consistent.

  • Reduces the risk of conflicts with system-managed tables.

📌 Reduced Configuration Drift:

  • Prevents accidental overwrites or errors from manual nftables modifications.

  • Ensures that security policies remain correctly enforced.


🏁 Conclusion

Managing CSF firewall rules on CentOS 8 means embracing the nftables framework. Since reverting to iptables-legacy is not an option, administrators should:

🔹 Use CSF commands & configuration files for all changes.

🔹 Avoid direct modifications to nftables-managed tables.

🔹 Verify rule translations using nft list ruleset to ensure security policies are correctly enforced.

By following these best practices, you maintain a secure, high-performance firewall configuration on CentOS 8 while still using the familiar CSF interface. 🚀🔥

 

