cP-Firewall-1-INPUT iptable chain

ca2236

Well-Known Member
Feb 2, 2018
103
13
18
Nebraska
cPanel Access Level
DataCenter Provider
Hi,

We are trying to find out why rules are automatically getting opened in this iptables chain: cP-Firewall-1-INPUT

Can someone shed some light on this chain and if it is related to cphulkd?

I found a related thread. But I'm uncertain if this addresses our questions adequately.
SOLVED - [CPANEL-28146] iptables rules automatically overwritten

We remove rules, and they keep getting added back. Does cPanel need SSH open to the world to function/update?

Thanks

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
6,762
535
263
Houston
cPanel Access Level
DataCenter Provider
This is actually part of a cPanel script at
Code:
/scripts/configure_firewall_for_cpanel
The chain, when added, opens the standard ports cPanel needs to function. This is discussed here: How to Configure Your Firewall for cPanel Services - cPanel Knowledge Base - cPanel Documentation

You can see the full chain here:

Code:
[[email protected] ~]# iptables --list-rules cP-Firewall-1-INPUT
-N cP-Firewall-1-INPUT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 49152:65534 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2077 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2078 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2080 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2082 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 26 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 579 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2079 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

ca2236

Thanks for the reply, I had run across this. However, opening up all these ports to the world doesn't make for good security practice. Is there any way to lock down at least some of these (like port 22) to only certain IP ranges without having your work overwritten due to an update, etc.?

cPanelLauren

You can still impose blocks using your firewall or host access control for ports/services you'd like to be restricted.
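As an added example (not cPanel's code and not from any poster in this thread), here is a small audit of the chain dump shown earlier and of the restriction described above: it parses `iptables --list-rules` output, reports which sensitive ports the chain accepts from any source, and emits DROP rules to insert ahead of the jump to cP-Firewall-1-INPUT so they are evaluated first. The sample excerpt, the CIDR, the sensitive-port set and the assumption that the cPanel script rebuilds only its own chain without flushing INPUT (and that CSF/APF is not also rewriting INPUT) are mine.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the chain dump from the thread (iptables --list-rules output).
CHAIN_DUMP = """\
-N cP-Firewall-1-INPUT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 49152:65534 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
"""

# Matches one ACCEPT rule; captures protocol and a single port or a lo:hi range.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) -p (?P<proto>tcp|udp) .*?--dport (?P<lo>\d+)(?::(?P<hi>\d+))? -j ACCEPT$"
)

def accepted_ports(dump: str) -> Dict[str, List[Tuple[int, int]]]:
    """Parse `iptables --list-rules` output into {proto: [(lo, hi), ...]} of ACCEPTed ports."""
    ports: Dict[str, List[Tuple[int, int]]] = {"tcp": [], "udp": []}
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or " -s " in line:  # skip rules that already carry a source restriction
            continue
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] else lo
        ports[m["proto"]].append((lo, hi))
    return ports

def world_open(dump: str, sensitive: Set[int], proto: str = "tcp") -> List[int]:
    """Return the sensitive ports this chain accepts from any source (ranges included)."""
    ranges = accepted_ports(dump)[proto]
    return sorted(p for p in sensitive if any(lo <= p <= hi for lo, hi in ranges))

def restrict_rules(ports: List[int], allowed_cidr: str, proto: str = "tcp") -> List[str]:
    """Build iptables commands that DROP a port from outside allowed_cidr, inserted at
    position 1 of INPUT so they run before the jump to cP-Firewall-1-INPUT.
    Assumption (mine): the cPanel script rebuilds its own chain but does not flush INPUT."""
    return [f"iptables -I INPUT 1 -p {proto} --dport {p} ! -s {allowed_cidr} -j DROP" for p in ports]

if __name__ == "__main__":
    exposed = world_open(CHAIN_DUMP, {22, 3306, 8443})
    print("sensitive ports accepted from anywhere:", exposed)
    for cmd in restrict_rules(exposed, "203.0.113.0/24"):  # 203.0.113.0/24 is a documentation range
        print(cmd)
```

Run it against the output of `iptables --list-rules cP-Firewall-1-INPUT` on the host instead of the constructed excerpt to audit the live chain.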

ca2236

I started looking into this, but I still have a follow-up question: is there still something that is auto-opening ports? It seems that if we block access to port 25 in the firewall, it gets re-opened.

cPanelLauren

Hi @ca2236

I'd suggest opening a ticket at this point, especially if you're unsure whether or not you have CSF or APF.
Once open, please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!

cPanelLauren

Hello @ca2236

What was the ticket ID or the issue that was causing the problem?