alahwany
Hello;

I need to know how to make the webconfig & SSH access from a specific IP?

Because on my firewall now anyone in the LAN & external can access both ports 81 & 22!!

So I need to know where the file is that I can edit to make this rule? Or must I add the rule in the custom firewall?
Wednesday, January 11 2017, 02:05 PM

Accepted Answer

Wednesday, January 11 2017, 09:46 PM
-i and -I are different. -i is used for specifying the incoming interface, -I is for Insert (as opposed to -A (append) and -D (delete)) and is used before the chain you want to insert the rule into.

-w tells the firewall to wait if two or more firewall operations clash, but is only from ClearOS 6.8 onwards. I am not sure why it is not working for you (I've just locked myself out of my system testing it!).
Responses (8)
  • alahwany
    Friday, January 13 2017, 04:12 PM
    Thank you very much Mr. Nick for your help.
  • alahwany
    Wednesday, January 11 2017, 09:32 PM
    After adding your code I saw the same result: the firewall service not running and failed.

    But if I removed -w and made it
    iptables -I INPUT

    it is working fine for me.

    What are the -w and -i?

    Also I have a last question about this point my friend, and I appreciate your effort with me:
    how to change the webconfig port 81? And the web proxy port 8080, when a user accesses it from a browser he inputs 8080.

    Thank you very much my friend, I am very happy to see your help with me and I hope to contact you by message to talk with you.
  • Wednesday, January 11 2017, 08:24 PM
    Ooops. I've missed a bit. If you have more than one port in a rule, add "-m multiport" to the rule. I'll edit my post.
  • alahwany
    Wednesday, January 11 2017, 07:57 PM
    Now I have removed my rule in incoming

    and added this rule only in the custom firewall:
    iptables -w -I INPUT -p tcp --dports 22,81 -j DROP

    After that I can still access webconfig & SSH from all computers in the LAN.

    So I have restarted the firewall by
    /sbin/service firewall restart

    and it showed failed, and if I removed this rule from the custom firewall the firewall service is working fine!!

    I think there is a problem with this code, or what?

    Also how to add the switch in the code, as you said, for my LAN only?
  • Wednesday, January 11 2017, 07:12 PM
    If you remove SSH and Webconfig from the incoming firewall, it only affects the WAN. The whole server is open to the LAN, so you don't have to do anything to gain access to it from anywhere on your LAN. If you want you can use the rules I posted to restrict LAN access to a few machines, but it is then best if they have static IPs or permanently assigned leases in the DHCP server.

    Note you should really also add the switch "-i your_LAN_interface" to the above rules if you want them to operate on the LAN only, but they should be safe without, as the LAN IPs should never exist on the WAN.
  • alahwany
    Wednesday, January 11 2017, 07:05 PM
    My firewall has a public IP and must be safe all the time,

    so I will close SSH from the external network and make webconfig accessible from a specific IP in LAN & WAN.
  • alahwany
    Wednesday, January 11 2017, 07:01 PM
    Thank you my friend.

    In my incoming I have opened webconfig and SSH only.

    So can I remove this rule from incoming? Or must I make it in incoming with your code in the custom firewall?

    After your reply I want to make SSH from LAN only; how to make that?
  • Wednesday, January 11 2017, 05:44 PM
    By default the server is completely open to your LAN and it is generally acceptable.

    I really don't recommend opening up SSH to the WAN. There are too many bots out there trying to crack SSH passwords. I normally suggest using OpenVPN instead. Then you can connect by SSH as if you are on your LAN.

    If you really want to open SSH to the WAN and use firewall rules then you want something like:
    iptables -w -I INPUT -p tcp -m multiport --dports 22,81 -j DROP
    iptables -w -I INPUT -p tcp -m multiport --dports 22,81 -s allowed_IP_1 -j ACCEPT
    iptables -w -I INPUT -p tcp -m multiport --dports 22,81 -s allowed_IP_2 -j ACCEPT
    These should be custom firewall rules placed in that order. Alternatively you can add them to /etc/clearos/firewall.d/local, but replace "iptables -w" with "$IPTABLES".
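The three rules in this post, and the -I explanation in the accepted answer, depend on insertion order: -I puts each rule at the top of INPUT, so the DROP must be issued first for the ACCEPTs to land above it. The following is an added shell simulation (not code from the thread or from ClearOS) that models that ordering and first-match evaluation; the helper names, the eth1 LAN interface and the 192.0.2.x hosts are constructed assumptions.

```shell
# Added illustration, not code from the thread or ClearOS: a tiny model of how
# "-I INPUT" (insert at top) orders rules and how first match wins. Rules are
# "IFACE SRC DPORTS TARGET" lines; "any" is a wildcard. The real iptables is
# never touched; helper names, eth1 and the 192.0.2.x hosts are constructed.
CHAIN=""

# add_rule MODE IFACE SRC DPORTS TARGET  (MODE: I = insert at top, A = append)
add_rule() {
    if [ "$1" = I ]; then CHAIN=$(printf '%s\n%s' "$2 $3 $4 $5" "$CHAIN")
    else CHAIN=$(printf '%s\n%s' "$CHAIN" "$2 $3 $4 $5"); fi
}

# lookup IFACE SRC DPORT: print the target of the first matching rule, or
# ACCEPT when nothing matches (the thread says the server is open to the LAN).
lookup() {
    while read -r r_if r_src r_ports r_tgt; do
        [ -n "$r_tgt" ] || continue
        [ "$r_if" = any ] || [ "$r_if" = "$1" ] || continue
        [ "$r_src" = any ] || [ "$r_src" = "$2" ] || continue
        case ",$r_ports," in *",$3,"*) echo "$r_tgt"; return 0 ;; esac
    done <<EOF
$CHAIN
EOF
    echo ACCEPT
}

# The posted order: DROP issued first, each ACCEPT then inserted above it,
# scoped to the LAN interface with the "-i" switch mentioned in the thread.
build_as_posted() {
    CHAIN=""
    add_rule I eth1 any        22,81 DROP
    add_rule I eth1 192.0.2.10 22,81 ACCEPT   # allowed_IP_1 (constructed)
    add_rule I eth1 192.0.2.11 22,81 ACCEPT   # allowed_IP_2 (constructed)
}

# The same three commands issued the other way round: with -I the DROP ends
# up on top and shadows both ACCEPTs, locking everyone out of 22 and 81.
build_reversed() {
    CHAIN=""
    add_rule I eth1 192.0.2.10 22,81 ACCEPT
    add_rule I eth1 192.0.2.11 22,81 ACCEPT
    add_rule I eth1 any        22,81 DROP
}

build_as_posted
echo "posted, allowed host, port 22:   $(lookup eth1 192.0.2.10 22)"   # ACCEPT
echo "posted, other host, port 81:     $(lookup eth1 192.0.2.50 81)"   # DROP
echo "posted, other host, port 80:     $(lookup eth1 192.0.2.50 80)"   # ACCEPT
build_reversed
echo "reversed, allowed host, port 22: $(lookup eth1 192.0.2.10 22)"   # DROP
```

Running it shows why the questioner's single DROP rule (and any ACCEPT issued before the DROP) locks the LAN out: the last rule inserted is the first one evaluated.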