CentOS / cPanel Firewall Setup

I almost like CentOS now. That doesn’t mean I can’t get used to this daft yum nonsense, but it’s alright.
I also almost like cPanel too. It’s actually quite good when it works, but who knows how to fix it when things go wrong? /scripts/fixeverything doesn’t exactly fill me with confidence.

Anyway, I digress. I’ve just recently commissioned a few new CentOS/cPanel servers, and I always forget to configure the firewall settings, as CentOS is restrictive out of the box.


For full cPanel functionality, you need to tick SSH, WWW, Secure WWW, FTP & Mail.
Then, in Other ports, add the following:

26:tcp domain:tcp smtps:tcp imap:tcp infowave:tcp radsec:tcp gnunet:tcp elit:tcp nbx-ser:tcp nbx-dir:tcp domain:udp pop3:tcp rndc:udp

Save that. Oh, don’t forget to change SELinux to “Permissive” if you haven’t already. cPanel recommends you turn it off, but Permissive should be fine.

A quick iptables -L should reveal the following rule set.

root@server15 [~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:26
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:infowave
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:radsec
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:gnunet
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nbx-ser
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nbx-dir
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:rndc
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
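Two things are worth checking in a listing like the one above before trusting it: that the RH-Firewall-1-INPUT chain really ends in a REJECT (so the INPUT chain's ACCEPT policy never gets a say), and that every cPanel port you meant to open actually shows up. The script below is an added example, not code from the post or from cPanel. It parses a constructed, shortened copy of the listing above (SAMPLE_LISTING), reports whether each chain closes with a REJECT/DROP or falls through to its policy, lists the ports accepted for NEW connections, and names any expected service that is missing. The service-name-to-port table is my own, taken from the /etc/services names that iptables -L prints for the cPanel ports (infowave is 2082, radsec 2083, gnunet 2086, elit 2087, nbx-ser 2095, nbx-dir 2096). The sample listing, like the post's, has no rule for elit (WHM over SSL, port 2087), so the audit flags it; render_rule shows the iptables-restore line that would open it, in the shape the CentOS tool generates (an assumption about that tool's output, not taken from the post).

```shell
#!/bin/sh
# Added example (not from the original post): audit an `iptables -L` listing
# produced by the CentOS firewall tool, and render the equivalent rule by hand.
# SAMPLE_LISTING is a constructed, shortened copy of the listing in the post.

SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:26
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:infowave
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:radsec
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:gnunet
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nbx-ser
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nbx-dir
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited'

# Map the /etc/services names that iptables -L prints to the cPanel/WHM ports behind them.
cpanel_port() {
    case "$1" in
        infowave) echo 2082 ;;      # cPanel
        radsec)   echo 2083 ;;      # cPanel over SSL
        gnunet)   echo 2086 ;;      # WHM
        elit)     echo 2087 ;;      # WHM over SSL
        nbx-ser)  echo 2095 ;;      # Webmail
        nbx-dir)  echo 2096 ;;      # Webmail over SSL
        rndc)     echo 953 ;;
        *)        echo unknown ;;
    esac
}

# Print the rules of one chain from an iptables -L listing read on stdin:
# everything between the chain header and the next blank line, minus the column header.
chain_rules() {
    awk -v chain="$1" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && /^target/ { next }
        inchain && NF == 0 { inchain = 0 }
        inchain { print }'
}

# "closed" if the chain's last rule is REJECT/DROP, "open" if a non-matching packet
# can fall through to the chain policy (ACCEPT on INPUT in the listing above).
chain_terminates() {
    last=$(chain_rules "$1" | tail -n 1 | awk '{ print $1 }')
    case "$last" in
        REJECT|DROP) echo closed ;;
        *)           echo open ;;
    esac
}

# List the ports the chain accepts for NEW connections, one "proto/port" per line.
open_ports() {
    chain_rules "$1" | awk '$1 == "ACCEPT" && /state NEW/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^dpt:/) { sub("dpt:", "", $i); print $2 "/" $i }
    }'
}

# Report the TCP service names (remaining args) with no NEW-connection ACCEPT in the chain.
missing_services() {
    chain=$1; shift
    opened=$(open_ports "$chain")
    for svc in "$@"; do
        printf '%s\n' "$opened" | grep -qx "tcp/$svc" || echo "$svc"
    done
}

# Render the iptables-restore line that opens one cPanel TCP service
# (assumed to match the rule shape the CentOS firewall tool writes).
render_rule() {
    echo "-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport $(cpanel_port "$1") -j ACCEPT"
}

# Run directly: audit the sample listing for the cPanel, WHM and webmail ports.
printf '%s\n' "$SAMPLE_LISTING" | chain_terminates RH-Firewall-1-INPUT
printf '%s\n' "$SAMPLE_LISTING" | missing_services RH-Firewall-1-INPUT infowave radsec gnunet elit nbx-ser nbx-dir
```

On a live box, feed the real output in with `iptables -L | missing_services RH-Firewall-1-INPUT infowave radsec gnunet elit nbx-ser nbx-dir`; any name it prints is a port the GUI did not open, and `chain_terminates` printing open for the chain that INPUT jumps to would mean the REJECT at the bottom is gone and the ACCEPT policy is in force.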

Author: Kieran Barnes

Kieran is a PHP developer with 15 years commercial experience. Specialist in WordPress, CakePHP, CubeCart and all things PHP.

2 thoughts on “CentOS / cPanel Firewall Setup”

  1. Would this firewall really work? The default policy of the INPUT chain is ACCEPT already, so even if no match is found, it’s still accepted… It should be more restrictive!
