kieranbarnes do you know where your towel is?

CentOS / cPanel Firewall Setup

Posted on July 17, 2009

I almost like CentOS now. That doesn't mean I can't get used to this daft yum nonsense, but it's alright.
I also almost like cPanel. It's actually quite good when it works, but who knows how to fix it when things go wrong? /scripts/fixeverything doesn't exactly fill me with confidence.

Anyway, I digress. I've recently commissioned a few new CentOS/cPanel servers, and I always forget to configure the firewall, as CentOS is restrictive out of the box.


For full cPanel functionality, you need to tick SSH, WWW, Secure WWW, FTP & Mail.
Then, in Other ports, add the following:

26:tcp domain:tcp smtps:tcp imap:tcp infowave:tcp radsec:tcp gnunet:tcp elit:tcp nbx-ser:tcp nbx-dir:tcp domain:udp pop3:tcp rndc:udp

Save that. Oh, and don't forget to change SELinux to "Permissive" if you haven't already. cPanel recommends turning it off, but Permissive should be fine.

A quick iptables -L should reveal the following rule set. Check it against the list you typed in: an entry the tool doesn't accept simply never appears.

root@server15 [~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:26
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:infowave
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:radsec
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:gnunet
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nbx-ser
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nbx-dir
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:rndc
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
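As an added check that is not part of the original post (example code, not CentOS's or cPanel's own), the script below takes the text of iptables -L and reports which of the expected cPanel service names have no ACCEPT rule. Fed the rule set shown above it reports elit:tcp (WHM over SSL, port 2087), the one entry absent from that output, which is consistent with the malformed entry elit:cp having been rejected by the firewall tool. The port list in the script is the post's list plus the five ticked services; the service-to-port mapping in the comments is from /etc/services.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that every port entered in
# the firewall tool actually became an ACCEPT rule in the RH-Firewall-1-INPUT chain.

# Everything cPanel needs, as name:proto (names as in /etc/services):
#   infowave 2082 (cPanel)   radsec  2083 (cPanel SSL)
#   gnunet   2086 (WHM)      elit    2087 (WHM SSL)
#   nbx-ser  2095 (webmail)  nbx-dir 2096 (webmail SSL)
CPANEL_PORTS="ssh:tcp smtp:tcp http:tcp ftp:tcp https:tcp \
26:tcp domain:tcp smtps:tcp imap:tcp infowave:tcp radsec:tcp gnunet:tcp \
elit:tcp nbx-ser:tcp nbx-dir:tcp domain:udp pop3:tcp rndc:udp"

# missing_ports RULES: RULES is the text of `iptables -L` (without -n, so service
# names are shown). Prints each name:proto from CPANEL_PORTS for which no line
# of the form "ACCEPT <proto> ... <proto> dpt:<name>" exists.
missing_ports() {
    rules=$1
    for entry in $CPANEL_PORTS; do
        name=${entry%%:*}
        proto=${entry##*:}
        if ! printf '%s\n' "$rules" | grep -Eq "^ACCEPT +$proto .* $proto dpt:$name( |\$)"; then
            echo "$entry"
        fi
    done
}

# Sample input: the RH-Firewall-1-INPUT chain exactly as printed in the post.
SAMPLE_RULES=$(cat <<'EOF'
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:26
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:infowave
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:radsec
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:gnunet
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nbx-ser
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nbx-dir
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:rndc
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
EOF
)

missing=$(missing_ports "$SAMPLE_RULES")
if [ -n "$missing" ]; then
    echo "Not open in the firewall: $missing"    # elit:tcp for the sample above
else
    echo "All cPanel ports are open"
fi
```

On a live box, run it as missing_ports "$(iptables -L)"; leave -n off, since the matching relies on the service names iptables prints, and add or remove entries in CPANEL_PORTS to match the services you actually ticked.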




Comments (1)
  1. life is very hard.