I almost like CentOS now. That doesn’t mean I can’t get used to this daft yum nonsense, but it’s alright.
I almost like cPanel too. It’s actually quite good when it works, but who knows how to fix it when things go wrong? /scripts/fixeverything doesn’t exactly fill me with confidence.

Anyway, I digress. I’ve just recently commissioned a few new CentOS/cPanel servers, and I always forget to configure the firewall settings, as CentOS is restrictive out of the box.


For full cPanel functionality, you need to tick SSH, WWW, Secure WWW, FTP & Mail.
Then, under other ports, you need to add the following:

26:tcp domain:tcp smtps:tcp imap:tcp infowave:tcp radsec:tcp gnunet:tcp elit:cp nbx-ser:tcp nbx-dir:tcp domain:udp pop3:tcp rndc:udp

Save that. Oh, don’t forget to change SELinux to “Permissive” if you haven’t already. cPanel recommends you turn it off, but Permissive should be fine.

A quick iptables -L should reveal the following rule set.

root@server15 [~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:26
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:infowave
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:radsec
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:gnunet
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nbx-ser
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nbx-dir
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:rndc
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
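Eyeballing that listing is error-prone: the "Other ports" box silently drops anything it can't parse, and the listing above has no rule at all for the "elit:cp" entry that was typed in. Here is an added check (my own script, not anything from the original post or from cPanel) that parses an iptables -L listing and reports every expected proto:service pair with no matching ACCEPT rule. The sample listing and the expected-port list are constructed for the demo; the service names are the ones iptables -L prints from /etc/services.

```shell
#!/bin/sh
# Audit an `iptables -L` listing for the ACCEPT rules a cPanel host needs.
# Constructed sample: a trimmed listing of the kind the post shows, with a few
# of the usual rules (ftp, smtp, pop3) deliberately left out.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:26
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited'

# Ports the firewall must admit, as proto:service exactly the way iptables -L
# prints them (names resolved via /etc/services). Assumed list; edit to taste.
EXPECTED_PORTS="tcp:ssh tcp:http tcp:https tcp:ftp tcp:smtp tcp:26 tcp:domain udp:domain tcp:pop3"

# missing_ports LISTING EXPECTED
# Prints, one per line, each proto:port in EXPECTED that has no
# "ACCEPT ... <proto> ... dpt:<port>" rule in LISTING. Returns 1 if any is missing.
missing_ports() {
    listing=$1
    expected=$2
    rc=0
    for entry in $expected; do
        proto=${entry%%:*}
        port=${entry#*:}
        # Only an ACCEPT rule for that protocol and destination port counts as
        # open; a REJECT or DROP naming the same port must not satisfy the check.
        # The trailing "( |$)" stops dpt:26 from matching dpt:264 and the like.
        if ! printf '%s\n' "$listing" | grep -Eq "^ACCEPT +$proto .* dpt:$port( |$)"; then
            printf '%s\n' "$entry"
            rc=1
        fi
    done
    return $rc
}

# Same check against the running firewall (needs root to read the tables).
audit_live_firewall() {
    missing_ports "$(iptables -L 2>/dev/null)" "$EXPECTED_PORTS"
}

# Demo run against the constructed sample.
if missing=$(missing_ports "$SAMPLE_LISTING" "$EXPECTED_PORTS"); then
    echo "all expected ports are open"
else
    echo "missing ACCEPT rules for:"
    printf '  %s\n' $missing
fi
```

Run it after saving the firewall settings; a non-empty list means an entry was mistyped or dropped, and it is worth re-checking the "Other ports" line before assuming the box is reachable on those services.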