What IPs should not be blocked

[umka83]

Hello dear Cpanel users

I am setting up few new servers with cpanel. For security and in order to limit the users of the servers geographically i employ default block policy using IPtables

Code:

iptables -P INPUT DROP

then I add only the IP addresses I need

Code:

iptables -A INPUT -s 218.220.181.18 -j ACCEPT
iptables -A INPUT -s 1.0.16.0/20 -j ACCEPT

However, when I do so, many services would randomy go down. Including Apache httpd, Imap, EXIM etc.

Could anyone please let me know which IP addresses i should add to the whitelist in order to avoid problems with cpanel.

Also, why is cpanel and apache so dependent on Internet resources. I am only updatein CentOs, Cpanel, Apache manually (of course after flushing iptables) so there should not be any problems i guess.

Any advice would be much appresiated

[cPanelTristan]

Are you ensuring to allow the server's IPs and localhost in the firewall? Localhost would be 127.0.0.1

[umka83]

Are you ensuring to allow the server's IPs and localhost in the firewall? Localhost would be 127.0.0.1

OMG - i think this is it. Localhost mest be the problem. Will check now asap.
By the way could you please tell me what do you mean by server's IPs. The ip of the server where I am setting up the iptables right?

Thank you very much for your advise

[cPanelTristan]

Correct, by server IPs, I mean any IP on the machine that you are putting the iptables rules onto so the main server IP and any other IPs you might have added to it as dedicated IPs (if you have added any additional IPs to the machine).

[umka83]

Thank you very much for your advice. This seems to have solved most of my problems.

However, when trying to restart EXIM in WHM>Restart Services I am still getting this error

Code:

Waiting for exim to restart...............finished.
exim (/usr/sbin/exim -bd -q60m) running as mailnull with PID 1940
exim: [ != 220]
exim has failed, please contact the sysadmin.

this does not happen when i flush Iptables. anything else i should unblock?

PS: of course, localhost and server's ips are already in the allow list

[cPanelTristan]

Would you be able to provide your current firewall rules? Do you have port 25 open for incoming and outgoing connections on both the main server IP and localhost?

[umka83]

Ok iptable rules go like this:

Code:

#!/bin/bash -x
/etc/init.d/iptables stop

iptables -P INPUT DROP
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s (server's mainip) -j ACCEPT
list of ips accepted including server's ips
....................
....................
iptables -A INPUT -p tcp --dport 22  -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22  -j ACCEPT

this means that I have ALL connections on main IP and localhost allowed, right?
Maybe I should just allow port 110, 25, 587 and whatever IMAP uses for all IPs (Just as i did with port 22 to allow ssh)? if so - could you please advise how to do this?

Thank you

[umka83]

I have tried to modify the script to allow ports 25, 26, 587 and 465. But I am still having the same problem with exim.
here is my new code

Code:

#!/bin/bash -x
/etc/init.d/iptables stop

iptables -P INPUT DROP
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s (server's mainip) -j ACCEPT
list of ips accepted including server's ips
....................
....................
iptables -A INPUT -p tcp --dport 22  -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22  -j ACCEPT
iptables -A INPUT -p tcp --dport 21  -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21  -j ACCEPT
iptables -A INPUT -p tcp --dport 25  -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25  -j ACCEPT
iptables -A INPUT -p tcp --dport 26  -j ACCEPT
iptables -A OUTPUT -p tcp --dport 26  -j ACCEPT
iptables -A INPUT -p tcp --dport 465  -j ACCEPT
iptables -A OUTPUT -p tcp --dport 465  -j ACCEPT
iptables -A INPUT -p tcp --dport 587  -j ACCEPT
iptables -A OUTPUT -p tcp --dport 587  -j ACCEPT

here is the contents of my var/log/exim_main.log

Code:

2011-06-09 22:54:00 exim 4.69 daemon started: pid=7184, -q1h, listening for SMTP on port 25 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
2011-06-09 22:54:00 Start queue run: pid=7185
2011-06-09 22:54:00 Abandon queue run: pid=7185 (load 5.40, max 3.00)
2011-06-09 22:54:00 End queue run: pid=7185

[cPanelTristan]

I would prefer to see the full iptables listing without the actual IP address with line numbers indicated. If you can provide the full complete iptables listing with all rules, that would be great.

[umka83]

Could you please let me know how do i get that listing?

Code:

iptables -L

would do?

[cPanelTristan]

To get the line numbers, it would be:

Code:

iptables -n -L --line-number

[umka83]

The seems to be too many entries so only some of them fit into the SSH command prompt screen. Here is what I got using the commnad you kindly provided:

Code:

2608 ACCEPT     all  --  210.79.32.0/20       0.0.0.0/0
2609 ACCEPT     all  --  210.79.128.0/18      0.0.0.0/0
2610 ACCEPT     all  --  210.79.192.0/20      0.0.0.0/0
2611 ACCEPT     all  --  210.80.192.0/18      0.0.0.0/0
2612 ACCEPT     all  --  210.81.0.0/16        0.0.0.0/0
2613 ACCEPT     all  --  210.87.224.0/20      0.0.0.0/0
2614 ACCEPT     all  --  210.88.0.0/18        0.0.0.0/0
2615 ACCEPT     all  --  210.88.64.0/19       0.0.0.0/0
2616 ACCEPT     all  --  210.88.96.0/21       0.0.0.0/0
2617 ACCEPT     all  --  210.88.104.0/22      0.0.0.0/0
2618 ACCEPT     all  --  210.88.108.0/23      0.0.0.0/0
2619 ACCEPT     all  --  210.88.110.0/24      0.0.0.0/0
2620 ACCEPT     all  --  210.88.111.0/25      0.0.0.0/0
2621 ACCEPT     all  --  210.88.111.128/26    0.0.0.0/0
2622 ACCEPT     all  --  210.88.111.208/28    0.0.0.0/0
2623 ACCEPT     all  --  210.88.111.224/27    0.0.0.0/0
2624 ACCEPT     all  --  210.88.112.0/20      0.0.0.0/0
2625 ACCEPT     all  --  210.88.128.0/17      0.0.0.0/0
2626 ACCEPT     all  --  210.89.0.0/19        0.0.0.0/0
2627 ACCEPT     all  --  210.89.96.0/19       0.0.0.0/0
2628 ACCEPT     all  --  210.89.192.0/18      0.0.0.0/0
2629 ACCEPT     all  --  210.128.0.0/11       0.0.0.0/0
2630 ACCEPT     all  --  210.160.0.0/12       0.0.0.0/0
2631 ACCEPT     all  --  210.185.128.0/19     0.0.0.0/0
2632 ACCEPT     all  --  210.188.0.0/14       0.0.0.0/0
2633 ACCEPT     all  --  210.193.64.0/18      0.0.0.0/0
2634 ACCEPT     all  --  210.194.0.0/16       0.0.0.0/0
2635 ACCEPT     all  --  210.196.0.0/14       0.0.0.0/0
2636 ACCEPT     all  --  210.203.192.0/18     0.0.0.0/0
2637 ACCEPT     all  --  210.211.32.0/19      0.0.0.0/0
2638 ACCEPT     all  --  210.224.0.0/12       0.0.0.0/0
2639 ACCEPT     all  --  210.247.0.0/17       0.0.0.0/0
2640 ACCEPT     all  --  210.248.0.0/13       0.0.0.0/0
2641 ACCEPT     all  --  211.0.0.0/12         0.0.0.0/0
2642 ACCEPT     all  --  211.16.0.0/14        0.0.0.0/0
2643 ACCEPT     all  --  211.120.0.0/13       0.0.0.0/0
2644 ACCEPT     all  --  211.128.0.0/13       0.0.0.0/0
2645 ACCEPT     all  --  212.34.71.16/29      0.0.0.0/0
2646 ACCEPT     all  --  212.63.182.128/26    0.0.0.0/0
2647 ACCEPT     all  --  212.63.182.192/29    0.0.0.0/0
2648 ACCEPT     all  --  212.63.182.200/30    0.0.0.0/0
2649 ACCEPT     all  --  212.63.182.208/28    0.0.0.0/0
2650 ACCEPT     all  --  212.63.182.224/28    0.0.0.0/0
2651 ACCEPT     all  --  212.63.182.240/29    0.0.0.0/0
2652 ACCEPT     all  --  212.63.182.248/30    0.0.0.0/0
2653 ACCEPT     all  --  212.63.191.0/27      0.0.0.0/0
2654 ACCEPT     all  --  212.63.191.32/29     0.0.0.0/0
2655 ACCEPT     all  --  212.63.191.44/30     0.0.0.0/0
2656 ACCEPT     all  --  212.63.191.48/28     0.0.0.0/0
2657 ACCEPT     all  --  212.63.191.64/26     0.0.0.0/0
2658 ACCEPT     all  --  212.63.191.128/26    0.0.0.0/0
2659 ACCEPT     all  --  212.63.191.192/27    0.0.0.0/0
2660 ACCEPT     all  --  212.63.191.224/30    0.0.0.0/0
2661 ACCEPT     all  --  212.63.191.228/31    0.0.0.0/0
2662 ACCEPT     all  --  212.63.191.230       0.0.0.0/0
2663 ACCEPT     all  --  212.63.191.232/29    0.0.0.0/0
2664 ACCEPT     all  --  212.63.191.240/28    0.0.0.0/0
2665 ACCEPT     all  --  212.63.206.145       0.0.0.0/0
2666 ACCEPT     all  --  212.63.206.146       0.0.0.0/0
2667 ACCEPT     all  --  212.63.213.16/28     0.0.0.0/0
2668 ACCEPT     all  --  216.38.50.226/31     0.0.0.0/0
2669 ACCEPT     all  --  216.38.50.228/31     0.0.0.0/0
2670 ACCEPT     all  --  216.38.52.143        0.0.0.0/0
2671 ACCEPT     all  --  216.38.52.144/31     0.0.0.0/0
2672 ACCEPT     all  --  216.38.52.146        0.0.0.0/0
2673 ACCEPT     all  --  216.38.62.218/31     0.0.0.0/0
2674 ACCEPT     all  --  216.38.62.220/31     0.0.0.0/0
2675 ACCEPT     all  --  216.98.113.176/28    0.0.0.0/0
2676 ACCEPT     all  --  216.119.137.24/29    0.0.0.0/0
2677 ACCEPT     all  --  216.131.81.40/29     0.0.0.0/0
2678 ACCEPT     all  --  216.131.115.144/28   0.0.0.0/0
2679 ACCEPT     all  --  216.156.92.16/28     0.0.0.0/0
2680 ACCEPT     all  --  216.198.225.0/26     0.0.0.0/0
2681 ACCEPT     all  --  216.206.250.32/27    0.0.0.0/0
2682 ACCEPT     all  --  216.218.134.200/29   0.0.0.0/0
2683 ACCEPT     all  --  216.218.196.152/29   0.0.0.0/0
2684 ACCEPT     all  --  216.218.213.136/29   0.0.0.0/0
2685 ACCEPT     all  --  216.255.224.0/20     0.0.0.0/0
2686 ACCEPT     all  --  217.140.104.0/23     0.0.0.0/0
2687 ACCEPT     all  --  217.197.222.0/24     0.0.0.0/0
2688 ACCEPT     all  --  218.33.128.0/17      0.0.0.0/0
2689 ACCEPT     all  --  218.40.0.0/13        0.0.0.0/0
2690 ACCEPT     all  --  218.100.5.0/24       0.0.0.0/0
2691 ACCEPT     all  --  218.100.6.0/23       0.0.0.0/0
2692 ACCEPT     all  --  218.100.8.0/23       0.0.0.0/0
2693 ACCEPT     all  --  218.100.15.0/24      0.0.0.0/0
2694 ACCEPT     all  --  218.100.42.0/24      0.0.0.0/0
2695 ACCEPT     all  --  218.100.45.0/24      0.0.0.0/0
2696 ACCEPT     all  --  218.100.67.0/24      0.0.0.0/0
2697 ACCEPT     all  --  218.110.0.0/16       0.0.0.0/0
2698 ACCEPT     all  --  218.112.0.0/12       0.0.0.0/0
2699 ACCEPT     all  --  218.128.0.0/12       0.0.0.0/0
2700 ACCEPT     all  --  218.176.0.0/13       0.0.0.0/0
2701 ACCEPT     all  --  218.185.128.0/18     0.0.0.0/0
2702 ACCEPT     all  --  218.216.0.0/13       0.0.0.0/0
2703 ACCEPT     all  --  218.224.0.0/13       0.0.0.0/0
2704 ACCEPT     all  --  218.251.0.0/16       0.0.0.0/0
2705 ACCEPT     all  --  219.0.0.0/15         0.0.0.0/0
2706 ACCEPT     all  --  219.2.0.0/16         0.0.0.0/0
2707 ACCEPT     all  --  219.3.0.0/18         0.0.0.0/0
2708 ACCEPT     all  --  219.3.64.0/19        0.0.0.0/0
2709 ACCEPT     all  --  219.3.96.0/24        0.0.0.0/0
2710 ACCEPT     all  --  219.3.98.0/23        0.0.0.0/0
2711 ACCEPT     all  --  219.3.100.0/22       0.0.0.0/0
2712 ACCEPT     all  --  219.3.104.0/21       0.0.0.0/0
2713 ACCEPT     all  --  219.3.112.0/20       0.0.0.0/0
2714 ACCEPT     all  --  219.3.128.0/17       0.0.0.0/0
2715 ACCEPT     all  --  219.4.0.0/14         0.0.0.0/0
2716 ACCEPT     all  --  219.8.0.0/13         0.0.0.0/0
2717 ACCEPT     all  --  219.16.0.0/12        0.0.0.0/0
2718 ACCEPT     all  --  219.32.0.0/11        0.0.0.0/0
2719 ACCEPT     all  --  219.66.0.0/15        0.0.0.0/0
2720 ACCEPT     all  --  219.73.128.0/17      0.0.0.0/0
2721 ACCEPT     all  --  219.75.128.0/17      0.0.0.0/0
2722 ACCEPT     all  --  219.94.128.0/17      0.0.0.0/0
2723 ACCEPT     all  --  219.96.0.0/11        0.0.0.0/0
2724 ACCEPT     all  --  219.160.0.0/11       0.0.0.0/0
2725 ACCEPT     all  --  219.192.0.0/12       0.0.0.0/0
2726 ACCEPT     all  --  219.208.0.0/13       0.0.0.0/0
2727 ACCEPT     all  --  220.0.0.0/10         0.0.0.0/0
2728 ACCEPT     all  --  220.96.0.0/14        0.0.0.0/0
2729 ACCEPT     all  --  220.100.0.0/16       0.0.0.0/0
2730 ACCEPT     all  --  220.102.0.0/16       0.0.0.0/0
2731 ACCEPT     all  --  220.104.0.0/13       0.0.0.0/0
2732 ACCEPT     all  --  220.144.0.0/14       0.0.0.0/0
2733 ACCEPT     all  --  220.148.0.0/16       0.0.0.0/0
2734 ACCEPT     all  --  220.150.0.0/15       0.0.0.0/0
2735 ACCEPT     all  --  220.152.0.0/18       0.0.0.0/0
2736 ACCEPT     all  --  220.152.64.0/19      0.0.0.0/0
2737 ACCEPT     all  --  220.152.96.0/20      0.0.0.0/0
2738 ACCEPT     all  --  220.152.120.0/21     0.0.0.0/0
2739 ACCEPT     all  --  220.153.0.0/16       0.0.0.0/0
2740 ACCEPT     all  --  220.156.0.0/17       0.0.0.0/0
2741 ACCEPT     all  --  220.156.128.0/19     0.0.0.0/0
2742 ACCEPT     all  --  220.156.192.0/18     0.0.0.0/0
2743 ACCEPT     all  --  220.157.0.0/18       0.0.0.0/0
2744 ACCEPT     all  --  220.157.128.0/17     0.0.0.0/0
2745 ACCEPT     all  --  220.158.0.0/15       0.0.0.0/0
2746 ACCEPT     all  --  220.208.0.0/12       0.0.0.0/0
2747 ACCEPT     all  --  220.247.0.0/17       0.0.0.0/0
2748 ACCEPT     all  --  220.247.184.0/21     0.0.0.0/0
2749 ACCEPT     all  --  220.254.0.0/16       0.0.0.0/0
2750 ACCEPT     all  --  221.12.192.0/18      0.0.0.0/0
2751 ACCEPT     all  --  221.16.0.0/12        0.0.0.0/0
2752 ACCEPT     all  --  221.32.0.0/11        0.0.0.0/0
2753 ACCEPT     all  --  221.64.0.0/11        0.0.0.0/0
2754 ACCEPT     all  --  221.96.0.0/12        0.0.0.0/0
2755 ACCEPT     all  --  221.112.0.0/13       0.0.0.0/0
2756 ACCEPT     all  --  221.120.168.0/21     0.0.0.0/0
2757 ACCEPT     all  --  221.121.160.0/20     0.0.0.0/0
2758 ACCEPT     all  --  221.121.176.0/21     0.0.0.0/0
2759 ACCEPT     all  --  221.121.192.0/18     0.0.0.0/0
2760 ACCEPT     all  --  221.132.96.0/20      0.0.0.0/0
2761 ACCEPT     all  --  221.132.120.0/21     0.0.0.0/0
2762 ACCEPT     all  --  221.132.128.0/18     0.0.0.0/0
2763 ACCEPT     all  --  221.133.64.0/18      0.0.0.0/0
2764 ACCEPT     all  --  221.133.220.224/27   0.0.0.0/0
2765 ACCEPT     all  --  221.170.0.0/15       0.0.0.0/0
2766 ACCEPT     all  --  221.184.0.0/13       0.0.0.0/0
2767 ACCEPT     all  --  221.240.0.0/12       0.0.0.0/0
2768 ACCEPT     all  --  222.0.0.0/12         0.0.0.0/0
2769 ACCEPT     all  --  222.144.0.0/13       0.0.0.0/0
2770 ACCEPT     all  --  222.158.0.0/15       0.0.0.0/0
2771 ACCEPT     all  --  222.224.0.0/14       0.0.0.0/0
2772 ACCEPT     all  --  222.228.0.0/16       0.0.0.0/0
2773 ACCEPT     all  --  222.229.0.0/18       0.0.0.0/0
2774 ACCEPT     all  --  222.229.64.0/20      0.0.0.0/0
2775 ACCEPT     all  --  222.229.96.0/19      0.0.0.0/0
2776 ACCEPT     all  --  222.229.128.0/17     0.0.0.0/0
2777 ACCEPT     all  --  222.230.0.0/16       0.0.0.0/0
2778 ACCEPT     all  --  222.231.64.0/18      0.0.0.0/0
2779 ACCEPT     all  --  222.231.128.0/17     0.0.0.0/0
2780 ACCEPT     all  --  223.25.128.0/18      0.0.0.0/0
2781 ACCEPT     all  --  223.27.68.0/22       0.0.0.0/0
2782 ACCEPT     all  --  223.27.72.0/21       0.0.0.0/0
2783 ACCEPT     all  --  223.27.116.0/22      0.0.0.0/0
2784 ACCEPT     all  --  223.27.124.0/22      0.0.0.0/0
2785 ACCEPT     all  --  223.27.180.0/22      0.0.0.0/0
2786 ACCEPT     all  --  223.29.0.0/17        0.0.0.0/0
2787 ACCEPT     all  --  223.29.176.0/20      0.0.0.0/0
2788 ACCEPT     all  --  223.29.244.0/22      0.0.0.0/0
2789 ACCEPT     all  --  223.132.0.0/14       0.0.0.0/0
2790 ACCEPT     all  --  223.165.20.0/22      0.0.0.0/0
2791 ACCEPT     all  --  223.165.32.0/19      0.0.0.0/0
2792 ACCEPT     all  --  223.165.80.0/20      0.0.0.0/0
2793 ACCEPT     all  --  223.216.0.0/14       0.0.0.0/0
2794 ACCEPT     all  --  223.223.0.0/17       0.0.0.0/0
2795 ACCEPT     all  --  223.223.160.0/21     0.0.0.0/0
2796 ACCEPT     all  --  223.223.208.0/21     0.0.0.0/0
2797 ACCEPT     all  --  223.223.224.0/19     0.0.0.0/0
2798 ACCEPT     all  --  174.138.163.214      0.0.0.0/0
2799 ACCEPT     all  --  49.133.0.0/16        0.0.0.0/0
2800 ACCEPT     all  --  49.134.0.0/16        0.0.0.0/0
2801 ACCEPT     all  --  184.95.35.186        0.0.0.0/0
2802 ACCEPT     all  --  66.71.240.242        0.0.0.0/0
2803 ACCEPT     all  --  49.134.0.0/16        0.0.0.0/0
2804 ACCEPT     all  --  98.142.209.74        0.0.0.0/0
2805 ACCEPT     all  --  49.134.0.0/16        0.0.0.0/0
2806 ACCEPT     all  --  174.138.163.214      0.0.0.0/0
2807 ACCEPT     all  --  209.188.20.2         0.0.0.0/0
2808 ACCEPT     all  --  122.224.6.89         0.0.0.0/0
2809 ACCEPT     all  --  75.127.67.98         0.0.0.0/0
2810 ACCEPT     all  --  75.127.67.101        0.0.0.0/0
2811 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
2812 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
2813 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
2814 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:26
2815 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465
2816 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:587

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            127.0.0.1           tcp dpt:25
2    ACCEPT     tcp  --  0.0.0.0/0            127.0.0.1           tcp dpt:587
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:26
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:587

[cPanelTristan]

Could you attach it as a txt file then? The issue here is that DROP rules preceding ACCEPT rules can block the ACCEPT rule from working, so it's difficult without the full ruleset to see what it might have.

[umka83]

I do not see the full list of my SSH screen (if you understand what I mean.) i would be glad to attach a txt file - but it will be the same contents as above.

Is there any way to save the results of

Code:

iptables -n -L --line-number

to a text file?

[cPanelTristan]

Yes, with this command:

Code:

iptables -n -L --line-number > /home/username/public_html/iptables.txt

This would save the file in a cPanel account with the username username in the public_html folder by the name of iptables.txt