
Cpanel & Firewalls

Discussion in 'General Discussion' started by tnet, Jul 7, 2010.

  1. tnet

    tnet Registered

    I am setting up my VMAir virtual cloud server and just installed cPanel over CentOS 5.5. The install went fine but I could not access WHM so I called the virtual cloud provider who informed me that I needed to turn off the firewall in order to make cPanel work. I did and it now works.

    I am not comfortable with the idea that I have to turn off the firewall in order to be able to use cPanel. Is it possible to configure it so that I can have a firewall and use cPanel? If so, can you tell me how?

    Thank you.
     
    #1 tnet, Jul 7, 2010
    Last edited: Jul 7, 2010
  2. Miraenda

    Miraenda Well-Known Member

    Without seeing your existing firewall rules, it would be difficult to know what in the firewall is blocking the access.

    If you turn the firewall back on, please provide the output for the following command:

    /sbin/iptables -n -L --line-number

    Please block out your IPs in the output you provide here as we wouldn't want to have personal details like your server IP or IPs.

    Normally, you'll simply need to add rules above the ones denying the ports like this:

    Code:
    /sbin/iptables -I INPUT -p tcp -m tcp --dport 2082:2083 -j ACCEPT 
    /sbin/iptables -I INPUT -p tcp -m tcp --dport 2086:2087 -j ACCEPT 
    /sbin/iptables -I INPUT -p tcp -m tcp --dport 2095:2096 -j ACCEPT
    This would put the ports 2082 and 2083 (cPanel http and https), 2086 and 2087 (WHM http and https), and 2095 and 2096 (webmail http and https) into the INPUT chain of the firewall for ACCEPT (allow) rules. The reason we need to see your actual firewall rules is that your INPUT chain might be forwarded to a different chain name. Some firewalls use RH-Firewall-1-INPUT instead of INPUT as the main incoming connection chain, while others use LOCALINPUT (CSF calls the chain this as far as I'm aware), so we need to see the firewall chains to know where the rules should go.

    After you do insert the right rules into the firewall, you would then need to save them:

    Code:
    service iptables save
    If you don't save the new chain rules, then they will disappear on server reboot.
     
    #2 Miraenda, Jul 7, 2010
    Last edited: Jul 7, 2010
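Added example (not part of the posts above and not cPanel's own tooling): a shell function that reads the `--line-number` listing requested in post #2, follows an unconditional jump from INPUT into a chain such as RH-Firewall-1-INPUT or LOCALINPUT, and prints the insert commands for the position just above the first DROP/REJECT rule. The sample listing and the names `sample_rules` and `plan_inserts` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `/sbin/iptables -n -L --line-number` output
# (not taken from the thread).
sample_rules() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
}

# Read a listing on stdin and print (not run) the insert commands for the
# chain and position just above the first DROP/REJECT reached from INPUT.
plan_inserts() {
  awk '
    /^Chain / { chain = $2; known[chain] = 1; next }
    $1 ~ /^[0-9]+$/ {
      i = ++n[chain]; target[chain, i] = $2
      # Unconditional jump: all protocols, any address, no extra match text.
      plain[chain, i] = ($3 == "all" && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" && NF == 6)
    }
    END {
      c = "INPUT"
      for (hops = 0; hops < 10; hops++) {   # bounded walk through chain jumps
        jump = ""; pos = n[c] + 1           # no deny rule found: append
        for (i = 1; i <= n[c]; i++) {
          t = target[c, i]
          if (t == "DROP" || t == "REJECT") { pos = i; break }
          if ((t in known) && plain[c, i]) { jump = t; break }
        }
        if (jump == "") break
        c = jump
      }
      # Port ranges are the ones listed in post #2.
      count = split("2082:2083 2086:2087 2095:2096", ports, " ")
      for (k = 1; k <= count; k++)
        printf "/sbin/iptables -I %s %d -p tcp -m tcp --dport %s -j ACCEPT\n", c, pos, ports[k]
    }'
}

sample_rules | plan_inserts
```

Listings produced without `-v` hide the interface column, so a rule that looks like accept-all (rule 1 in the constructed sample stands for the loopback accept) may be interface-specific; check with `-v` before relying on the computed position.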
  3. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Linux Firewall Configuration and cPanel/WHM

    Most Linux servers, including those that run RHEL or CentOS, can use the built-in firewall functionality of "iptables" or a derivative thereof; to add, remove, or edit iptables rules you can use the command "iptables" on the server with appropriate command-line "arguments" or "switches" to define the rules you wish to set up.

    To read more about how to do this you can view the manual page for iptables by using the following command via root SSH access:
    Code:
    # man iptables
    The included initialization script may be used to start, stop, restart, and save currently loaded iptables rules:
    Code:
    # /etc/init.d/iptables
    Usage: /etc/init.d/iptables {start|stop|restart|condrestart|status|panic|save}
    A handful of related configuration options can be found, and optionally modified, within the following file; if customizing default entries please be sure to save a backup copy beforehand in case you need to easily revert any new changes (and to have an original copy to compare against):
    Code:
    /etc/sysconfig/iptables-config
    Here is a command you may use to save a backup copy (via root SSH access):
    Code:
    # cp -av /etc/sysconfig/iptables-config /etc/sysconfig/iptables-config.backup
    When using the init script to save your currently-loaded rules, the information will be retained in the following plain-text file that you may also want to consider saving backups of:
    Code:
    /etc/sysconfig/iptables
    To create a backup copy of your newly-saved rules, try a command like the following:
    Code:
    # cp -av /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
    If you'd like to compare the currently saved rules with that of a backup, you may use "diff" as seen in the following example:
    Code:
    # diff -us /etc/sysconfig/iptables.backup /etc/sysconfig/iptables
    The information posted by Miraenda is an excellent guide to get started with defining rules via command-line access (e.g., via SSH or console).

    You may use any firewall, internal or external, with a system running cPanel and WHM; the only requirement is that your firewall configuration allows access on the network ports that you wish to provide service on. For a full list of ports that you may want to allow access on I recommend the following areas of our web site and documentation:

    To ease the setup process of a firewall I would consider using an iptables wrapper script, usually available from a third-party source. Some common firewall scripts used with cPanel-based servers are APF and CSF, but both of these are third-party products and so you would need to contact their vendors or developers with any questions or support requests regarding them. For a starting suggestion I would consider CSF as I believe it might be easier to quickly perform initial setup and regular maintenance while also being able to inquire and research within its active community of users and free support via their forums. Like CSF, you may usually find discussions about using and configuring APF on various forums.

    "ConfigServer Security & Firewall" (CSF) can be found here:
    http://www.configserver.com/
    http://forum.configserver.com/
    http://www.configserver.com/cp/csf.html
    http://www.configserver.com/contact.html
    http://www.configserver.com/support.html

    "Advanced Policy Firewall" (APF) can be found here:
    http://www.rfxn.com/projects/advanced-policy-firewall/
     