iptables and outbound traffic to external DNS Only server

**hmalekib** · 09-17-2010 01:37 AM

Hello:

We are trying to fix the iptables policies for our cPanel servers so that they can communicate out with our DNS only servers and update, etc...

Here is the error were currently getting:

There was an error while processing your request: Cpanel::Accounting returned [HTTP/1.0 900 NET OR SSL ERROR /usr/local/cpanel/whostmgr/docroot/cgi/trustclustermaster.cgi 6938: open_tcp_connection: failed `IP_HERE', 2087 (Connection timed out) ]

Here is our iptable rules:

#Name Servers
DNS1=""
DNS2=""

#Default Deny
iptables -P INPUT DROP
iptables -P OUTPUT DROP

#Allow Loopback
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

#Deny Bad Pckets
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

#Deny Packets from Invalid Address Space
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP

#Allow ICMP(Ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

#Allow DNS
iptables -A OUTPUT -p udp --sport 1024:65535 -d $DNS1 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s $DNS1 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1024:65535 -d $DNS2 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s $DNS2 --sport 53 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -i eth0 -p UDP --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p UDP --dport domain -m state --state NEW,ESTABLISHE D -j ACCEPT
iptables -A OUTPUT -o eth0 -p TCP --dport domain -m state --state NEW,ESTABLISHE D -j ACCEPT

## Allow Selective Inbound Connections

#DNS
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53 --dport 1024:65535 -j ACCEPT

#HTTP (Web Server)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 --dport 1024:65535 -j ACCEPT

#HTTPS (Web Server)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 --dport 1024:65535 -j ACCEPT

#FTP
iptables -A INPUT -p tcp --dport 21 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000:3100 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3000:3100 --dport 1024:65535 -j ACCEPT

#SSH
iptables -A INPUT -p tcp --dport 4777 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 4777 --dport 1024:65535 -j ACCEPT

#SMTP
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 --dport 1024:65535 -j ACCEPT

#Secure SMTP
iptables -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 465 --dport 1024:65535 -j ACCEPT

#IMAP
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 --dport 1024:65535 -j ACCEPT

#Secure IMAP
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 993 --dport 1024:65535 -j ACCEPT

#POP3
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 110 --dport 1024:65535 -j ACCEPT

#Secure POP3
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 995 --dport 1024:65535 -j ACCEPT

#cPanel
iptables -A INPUT -p tcp --dport 2082 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2082 --dport 1024:65535 -j ACCEPT

#Secure cPanel
iptables -A INPUT -p tcp --dport 2083 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2083 --dport 1024:65535 -j ACCEPT

#Web Host Manager
iptables -A INPUT -p tcp --dport 2086 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2086 --dport 1024:65535 -j ACCEPT

#Secure Web Host Manager
iptables -A INPUT -p tcp --dport 2087 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2087 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 2087 -j ACCEPT

#Webmail
iptables -A INPUT -p tcp --dport 2095 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2095 --dport 1024:65535 -j ACCEPT

#Secure Webmail
iptables -A INPUT -p tcp --dport 2096 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2096 --dport 1024:65535 -j ACCEPT

## Allow Selective Outbound Connections

#SMTP
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --sport 25 --dport 1024:65535 -j ACCEPT

#HTTP
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 --dport 1024:65535 -j ACCEPT

#HTTPS
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 --dport 1024:65535 -j ACCEPT

#cPanel Licensing
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 2089 -j ACCEPT
iptables -A INPUT -p tcp --sport 2089 --dport 1024:65535 -j ACCEPT

#WHOIS
iptables -A OUTPUT -p udp --sport 1024:65535 --dport 43 -j ACCEPT
iptables -A INPUT -p udp --sport 43 --dport 1024:65535 -j ACCEPT

any ideas what we need to change?

LinkBack

Thread Tools

iptables and outbound traffic to external DNS Only server

iptables and outbound traffic to external DNS Only server

How do I force cpkeyclt to use a specific IP address for outbound traffic?

Monitoring Outbound SMTP Traffic Per-User

eggdrop / maxed outbound traffic