Configserver Security & Firewall (CSF) is well known iptables based firewall for Linux (Iptables is application used to configure tables, chains and rules provided by the Linux Kernel Firewall. CFS is easy to configure editing well documented /etc/csf/csf.config file.
(Please note, paths / commands are shown as on CentOS 7. If you are using other distro, paths / commands might need to be modified. however, functionality should be the same.)
In some situations you might want to add custom iptables rules in addition to rules configured using CSF. (For example when adding iptables rules not covered by CSF.)
If you just edit /etc/sysconfig/iptables file (iptables configuration file), configuration gets erased when you restart CSF and related LFD (Login Failure Deamon), for example using command csf -ra.
If you want to add custom iptables rules while using CSF, you need to add pre and/or post scripts which executes before or after CSF rules setup.
You can do that using /etc/csf/csfpre.sh to run external commands before and /etc/csf/csfpost.sh to run external commands after CSF configures iptables.
For example, if you want open MySQL default port for remote connections for the specific IP, you can add the following line on /etc/csf/csfpost.sh. (Remember to change MY.IP.ADDRESS to your IP.)
iptables -A INPUT -i eth0 -s MY.IP.ADDRESS -p tcp --destination-port 3306 -j ACCEPT
After creating pre / post files, restart CSF. It creates a lot of output, so you might want split output in multiple pages, you can do that using the command csf – r | more