How to set custom iptables rules in APF

Is there a convention for adding custom rules to iptables via APF? I’ve read through the docs and understand how to add rules allowing/denying specific IPs and ports, but I’m looking for a way to add rules for setting rate limits, specific logging, and such. Is there an established way to do this? Thanks in advance.

Hi

Welcome to IW forums

There is a CSF alternative to APF but I cannot remember the user or address and I’m not in front of a computer

Just search forum for CSF and it should bring it up and it’s free

I would also buy the CSX as well. It works lovely

Many thanks

John

Hi John,

Thanks for the reply. I’m not really looking to change from APF. I’d rather stay with what Interworx provides. I’m really just looking for a way to add custom rules. Seems like that shouldn’t be a tall order, but if it is, I can just add custom rules to rc.local or something. Why is CSF better? Thanks.

Hi

Many thanks

It’s a personal choice to be honest

I used to be a big fan of APF myself and took a while before moving to CSF

The CSF replaces APF in interworx and IW are aware and gave help I think

It’s something server but just cannot recall

The CSF does all that you’re looking to do and is easy and it’s free

If like me you were skeptical try it on a test server first

It’s good and has advantages not in APF such as rate limit allow resellers to unblock or block IP etc… and more

It’ll be tonight before I can log in to one of our servers and post the name

Many thanks

John

Hello–

It is not possible to set up rules like that from the GUI interface. However, APF is just a front end for iptables, so you can make any edits to iptables, itself, that you want, from the command line and, as far as I am aware, they should be applied.

As a note, Configserver provides the alternate firewall that John suggested: https://www.configserver.com/

Thanks
-Jenna
Friendly Neighborhood InterWorx Support Manager

Hi Jenna,

Thanks for the reply. I’ll take a look at CSF, but would really prefer to stick with APF, as that is what IW provides. I understand these kinds of custom rules can’t be added from the GUI and that iptables can be modified directly. I don’t mind editing files from the command line, and I’m familiar with iptables syntax. I was just hoping APF supported adding custom rules to a config file, similar to UFW (iptables front-end common on Ubuntu systems). That would be easier than replacing it or scripting something to edit iptables directly.

Thanks.
~Michael

Most of the apf/*.rules files are just bash scripts. Some get overwritten by updates I think, but it looks like you can safely use the postroute.rules or prerouting.rules files.

Example of a ratelimit rule setup from https://making.pusher.com/per-ip-rate-limiting-with-iptables/:

# cat postroute.rules 
eout "{glob} loading postroute.rules"

# place your custom routing rules below
iptables --new-chain RATE-LIMIT
iptables --append INPUT --match conntrack --ctstate NEW --jump RATE-LIMIT
iptables --append RATE-LIMIT --match limit --limit 50/sec --limit-burst 20 --jump ACCEPT
iptables --append RATE-LIMIT --jump DROP
apf -r

Result:

# iptables -L -n
Chain INPUT (policy ACCEPT)
...
RATE-LIMIT  all  --  0.0.0.0/0            0.0.0.0/0           ctstate NEW 
...
Chain RATE-LIMIT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 50/sec burst 20 
DROP       all  --  0.0.0.0/0            0.0.0.0/0    

I have not tested/used this rule, but the iptables -L -n output looks like using the postroute.rules file has added these correctly.

Thank you, Joseph. I was just exploring this, although I’m testing with the main.rules file. I assumed preroute and postroute would be writing to the nat table, but I suppose if it’s expecting the whole command, the table can be specified as needed. It’s taking a bit for apf to restart because my deny_hosts.rules file is a little long, but I’ll update with what I find.

Thanks.
~Michael

So, I tried adding rules to each of the files: main.rules, preroute.rules, and postroute.rules. And for all of them the rules are added. The difference is where (or when). Rules added to preroute and postroute are added before and after the main rules in the filter table, respectively, as one might expect. This would not serve my use case. Rules appended to main.rules are added just before the DROP rules at the end of the filter table after all other allow/deny rules. Rules added to main.rules before the default lines:

# conf.apf configurable common ports
. /etc/apf/internals/cports.common

are executed after all custom allow/deny rules and denied ports but before allowed ports. I found this to be optimal for my use case, as I want to rate limit and log packets that are not explicitly allowed or denied but would otherwise be allowed. In particular I’m targeting ssh, but will probably try using it for mail ports as well.

Thanks for your input, all!
~Michael
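As an added example (not code from the thread, from APF, or from the Pusher article): a block of custom rules that could be sourced from main.rules just above the `. /etc/apf/internals/cports.common` line, at the position Michael found works, combining the rate-limit chain from Joseph's postroute.rules example with the logging Michael asked about. It goes beyond the thread's global `limit` match by using the iptables `hashlimit` match keyed per source address, so one noisy client cannot exhaust the budget for everyone. The chain name SSH-LIMIT, the `IPT` variable, the rates, the log prefix and the `--dry-run` flag are all choices made here, not APF conventions.

```sh
#!/bin/sh
# Added example: per-source-IP rate limiting plus logging for new connections
# to a TCP port, written so it can be sourced from /etc/apf/main.rules.
# Assumed names: IPT (path to iptables), chain SSH-LIMIT, log prefix
# "APF-SSH-LIMIT: ", and the rate numbers below. None come from APF itself.

IPT="${IPT:-iptables}"   # set IPT=echo to print the commands instead of loading them

# ssh_limit_rules PORT [CHAIN]
# Diverts new TCP connections to PORT into CHAIN; clients under the per-IP
# budget RETURN to INPUT (so the later cports.common allow rule still decides),
# clients over it are logged and dropped.
ssh_limit_rules() {
    port="${1:-22}"
    chain="${2:-SSH-LIMIT}"

    # Create the chain if it does not exist yet, then empty it so that
    # re-running (e.g. after "apf -r") does not duplicate rules.
    $IPT --new-chain "$chain" 2>/dev/null || true
    $IPT --flush "$chain"

    # Only NEW connections to the port are examined; established flows pass.
    $IPT --append INPUT --protocol tcp --dport "$port" \
        --match conntrack --ctstate NEW --jump "$chain"

    # One bucket per source address: up to 4 new connections/minute,
    # with a burst of 8. Under the limit: go back to INPUT (not ACCEPT),
    # so an explicit allow for the port is still required later on.
    $IPT --append "$chain" --match hashlimit --hashlimit-name "ssh-$port" \
        --hashlimit-mode srcip --hashlimit-upto 4/min --hashlimit-burst 8 \
        --jump RETURN

    # Over the limit: log (itself rate limited so syslog is not flooded)
    # and drop. LOG is non-terminating, so the DROP after it still applies.
    $IPT --append "$chain" --match limit --limit 5/min \
        --jump LOG --log-prefix "APF-SSH-LIMIT: " --log-level 4
    $IPT --append "$chain" --jump DROP
}

# Stand-alone:  sh ssh-limit.sh --dry-run [PORT]   prints the commands only.
# From main.rules: source this file, then call  ssh_limit_rules 22  (and any
# other port you want covered) before the cports.common line.
if [ "${1:-}" = "--dry-run" ]; then
    IPT=echo
    ssh_limit_rules "${2:-22}"
fi
```

The reason the under-limit branch uses RETURN rather than the ACCEPT from Joseph's example is the placement Michael describes: main.rules runs before the allowed ports are loaded, so a RETURN lets the port's normal allow rule (or the final DROP) make the decision, whereas ACCEPT here would let the port through regardless of whether it is in conf.apf. After `apf -r`, `iptables -L SSH-LIMIT -n -v` shows the chain and its packet counters, and the log lines carry the `APF-SSH-LIMIT:` prefix wherever your syslog writes kernel messages.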