For those that are having trouble with KissMyFirewall...

HollyRidge

Well-Known Member
Feb 25, 2003
139
2
168
Clayton NC USA
cPanel Access Level
Root Administrator
For those having trouble with KissMyFirewall and Cpanel...

This will fix the issue with not being able to do updates properly as well. :)

http://forum.rackshack.net/showthread.php?s=&postid=137808
http://www.geocities.com/steve93138/

Add these ports to the Special ports (#5)...
Code:
465 993 995 2080:2099
And now add this to the bottom of the firewall and restart it...
Code:
################################################################################
# INPUT - PORT 873 - Rsync
################################################################################
$IPTABLES -A INPUT -i eth0 -p udp --sport $UNPRIVPORTS --dport 873 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport $UNPRIVPORTS --dport 873 -m state --state NEW -j ACCEPT

################################################################################
# OUTPUT - PORT 873 - Rsync
################################################################################
$IPTABLES -A OUTPUT -o eth0 -p udp --sport $UNPRIVPORTS --dport 873 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS --dport 873 -m state --state NEW -j ACCEPT
Hope that helps :)
 

Marty

Well-Known Member
Oct 10, 2001
630
1
318
Won't this interfere with the operation of bandmin?
 

Marty
Yeah, I would expect that to be true, but note that bandmin is run by cron and flushes iptables and reloads it with its own info twice an hour. Are you sure that your firewall rules are remaining in place, and if so, how? If you go to the geocities page for KISS and run the test to see if you have another firewall running on a clean cpanel install, you will find that it fails the test. Maybe there is something that I am missing here, but I don't see how a firewall that manipulates iptables can coexist with bandmin without disabling bandmin.
 

HollyRidge
Well, I don't see what you are referring to on bandmin flushing the rules and adding its own. I've been running the firewall on the server for over 8 hours along with bandmin and the ruleset is still there.

As far as what Steve is referring to on his page, it is only the 3 basic policies that are normally listed in iptables. If you also do the research on his firewall, it was made mainly for Ensim but can be adapted for any server. Cpanel has another policy listed when you run the iptables -L -n command, which is what you are referring to. However, the part listed as far as his test goes should be exactly as he has it.

Running an iptables or ipchains script along with bandmin or anything else on a Cpanel server is going to do the same thing. This also includes Bastille and many others. Yes, Bastille is an iptables firewall. However, I would never recommend Bastille's use on anything as long as it has psad packaged along with it.

I can't really see the developers here making any type of server and having it so you can't run a firewall on it. In today's world you can't have a server too secure. And if you are running without some sort of firewall on your server, you might as well leave your keys in your door when you go away for vacation ;)
 

Marty
I am just trying to make sure this will work. I mean no offense by my questions. I have tried to add rules before, only to have bandmin drop them later. Anyway, if I do an iptables -L -n right now with no firewall running, here is what I get:

Chain INPUT (policy ACCEPT)
target prot opt source destination
acctboth all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
acctboth all -- 0.0.0.0/0 0.0.0.0/0

Chain acctboth (2 references)
target prot opt source destination
tcp -- 64.21.40.2 0.0.0.0/0 tcp dpt:80
tcp -- 0.0.0.0/0 64.21.40.2 tcp spt:80
tcp -- 64.21.40.2 0.0.0.0/0 tcp dpt:25
tcp -- 0.0.0.0/0 64.21.40.2 tcp spt:25
tcp -- 64.21.40.2 0.0.0.0/0 tcp dpt:110
tcp -- 0.0.0.0/0 64.21.40.2 tcp spt:110
icmp -- 64.21.40.2 0.0.0.0/0
icmp -- 0.0.0.0/0 64.21.40.2
tcp -- 64.21.40.2 0.0.0.0/0
tcp -- 0.0.0.0/0 64.21.40.2
udp -- 64.21.40.2 0.0.0.0/0
udp -- 0.0.0.0/0 64.21.40.2
all -- 64.21.40.2 0.0.0.0/0
all -- 0.0.0.0/0 64.21.40.2
tcp -- 64.21.40.10 0.0.0.0/0 tcp dpt:80
tcp -- 0.0.0.0/0 64.21.40.10 tcp spt:80
tcp -- 64.21.40.10 0.0.0.0/0 tcp dpt:25
tcp -- 0.0.0.0/0 64.21.40.10 tcp spt:25
tcp -- 64.21.40.10 0.0.0.0/0 tcp dpt:110
tcp -- 0.0.0.0/0 64.21.40.10 tcp spt:110
icmp -- 64.21.40.10 0.0.0.0/0
icmp -- 0.0.0.0/0 64.21.40.10
tcp -- 64.21.40.10 0.0.0.0/0
tcp -- 0.0.0.0/0 64.21.40.10
udp -- 64.21.40.10 0.0.0.0/0
udp -- 0.0.0.0/0 64.21.40.10
all -- 64.21.40.10 0.0.0.0/0
all -- 0.0.0.0/0 64.21.40.10
tcp -- 64.21.40.11 0.0.0.0/0 tcp dpt:80
tcp -- 0.0.0.0/0 64.21.40.11 tcp spt:80
tcp -- 64.21.40.11 0.0.0.0/0 tcp dpt:25
tcp -- 0.0.0.0/0 64.21.40.11 tcp spt:25
tcp -- 64.21.40.11 0.0.0.0/0 tcp dpt:110
tcp -- 0.0.0.0/0 64.21.40.11 tcp spt:110
icmp -- 64.21.40.11 0.0.0.0/0
icmp -- 0.0.0.0/0 64.21.40.11
tcp -- 64.21.40.11 0.0.0.0/0
tcp -- 0.0.0.0/0 64.21.40.11
udp -- 64.21.40.11 0.0.0.0/0
udp -- 0.0.0.0/0 64.21.40.11

And that is just the first page. Do you see something similar? This is all info that bandmin uses to track bandwidth. About a month ago, a cpanel upgrade screwed bandmin and we got emails every time the bandmin cron ran saying that the iptables rule was already present. I assumed that was because the new bandmin had a bug that failed to flush the iptables before trying to reload them. I assumed it reloaded them just in case new IPs had been bound to the server. Anyway, I appreciate your instructions, I just didn't want to go through the work and find out that bandmin would flush my iptables rules every time it ran and make my firewall ineffective.
 

HollyRidge
Hmmm, haven't gotten the first email related to bandmin not working. Also, the ruleset is still up and running on the firewall for over 25 hours now and all is well. Here is the output from the iptables -L -n command...

Part 1 of 2....

[email protected] [~]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
acctboth all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
DROP all -- 12.34.56.12 0.0.0.0/0
DROP all -- 12.34.56.13 0.0.0.0/0
DROP all -- 12.34.56.14 0.0.0.0/0
DROP all -- 12.34.56.15 0.0.0.0/0
DROP all -- 12.34.56.16 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 127.0.0.0/8 0.0.0.0/0
DROP all -- 255.255.255.255 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0
DROP all -- 0.0.0.0/0 12.34.56.0
DROP all -- 0.0.0.0/0 12.34.56.255
DROP all -- 0.0.0.0/0 255.255.255.255
DROP all -- 224.0.0.0/4 0.0.0.0/0
DROP !udp -- 0.0.0.0/0 224.0.0.0/4
ACCEPT udp -- 0.0.0.0/0 224.0.0.0/4
DROP all -- 240.0.0.0/5 0.0.0.0/0
DROP all -- 0.0.0.0/8 0.0.0.0/0
DROP all -- 169.254.0.0/16 0.0.0.0/0
DROP all -- 192.0.2.0/24 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:20
ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:20
ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:20
ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:20
ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:20
ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:465
ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:465
ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:465
ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:465
ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:465
ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:993
ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:993
ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:993
ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:993
ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:993
ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:995
ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:995
ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:995
ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:995
ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:995
ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpts:2080:2099
ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpts:2080:2099
ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpts:2080:2099
ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpts:2080:2099
ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpts:2080:2099
ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 tcp spts:1024:65535 dpt:21 state NEW
ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 tcp spts:1024:65535 dpt:21 state NEW
ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 tcp spts:1024:65535 dpt:21 state NEW
ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 tcp spts:1024:65535 dpt:21 state NEW
ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 tcp spts:1024:65535 dpt:21 state NEW
ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:110
ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:110
ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:110
ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:110
ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:110
ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:143
ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:143
ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:143
ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:143
ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:143
ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:22
ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:22
ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:22
ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:22
ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:22
ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 tcp spts:1024:65535 dpt:25 state NEW
ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 tcp spts:1024:65535 dpt:25 state NEW
ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 tcp spts:1024:65535 dpt:25 state NEW
ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 tcp spts:1024:65535 dpt:25 state NEW
ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 tcp spts:1024:65535 dpt:25 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpt:53 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:873 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:873 state NEW

Chain FORWARD (policy DROP)
target prot opt source destination
 

HollyRidge
Part 2 of 2.....

Chain OUTPUT (policy DROP)
target prot opt source destination
acctboth all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 12.34.56.12 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 12.34.56.13 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 12.34.56.14 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 12.34.56.15 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 12.34.56.16 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 12.34.56.12 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 12.34.56.13 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 12.34.56.14 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 12.34.56.15 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 12.34.56.16 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
REJECT tcp -- 12.34.56.12 0.0.0.0/0 tcp spts:1024:65535 dpt:113 flags:0x16/0x02 state NEW reject-with tcp-reset
REJECT tcp -- 12.34.56.13 0.0.0.0/0 tcp spts:1024:65535 dpt:113 flags:0x16/0x02 state NEW reject-with tcp-reset
REJECT tcp -- 12.34.56.14 0.0.0.0/0 tcp spts:1024:65535 dpt:113 flags:0x16/0x02 state NEW reject-with tcp-reset
REJECT tcp -- 12.34.56.15 0.0.0.0/0 tcp spts:1024:65535 dpt:113 flags:0x16/0x02 state NEW reject-with tcp-reset
REJECT tcp -- 12.34.56.16 0.0.0.0/0 tcp spts:1024:65535 dpt:113 flags:0x16/0x02 state NEW reject-with tcp-reset
ACCEPT tcp -- 12.34.56.12 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW
ACCEPT tcp -- 12.34.56.13 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW
ACCEPT tcp -- 12.34.56.14 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW
ACCEPT tcp -- 12.34.56.15 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW
ACCEPT tcp -- 12.34.56.16 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW
ACCEPT tcp -- 12.34.56.12 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:21
ACCEPT tcp -- 12.34.56.13 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:21
ACCEPT tcp -- 12.34.56.14 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:21
ACCEPT tcp -- 12.34.56.15 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:21
ACCEPT tcp -- 12.34.56.16 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:21
ACCEPT tcp -- 12.34.56.12 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:22
ACCEPT tcp -- 12.34.56.13 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:22
ACCEPT tcp -- 12.34.56.14 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:22
ACCEPT tcp -- 12.34.56.15 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:22
ACCEPT tcp -- 12.34.56.16 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:22
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpt:53 state NEW
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT tcp -- 12.34.56.12 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:43
ACCEPT tcp -- 12.34.56.13 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:43
ACCEPT tcp -- 12.34.56.14 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:43
ACCEPT tcp -- 12.34.56.15 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:43
ACCEPT tcp -- 12.34.56.16 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:43
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:873 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:873 state NEW

Chain acctboth (2 references)
target prot opt source destination
tcp -- 12.34.56.12 0.0.0.0/0 tcp dpt:80
tcp -- 0.0.0.0/0 12.34.56.12 tcp spt:80
tcp -- 12.34.56.12 0.0.0.0/0 tcp dpt:25
tcp -- 0.0.0.0/0 12.34.56.12 tcp spt:25
tcp -- 12.34.56.12 0.0.0.0/0 tcp dpt:110
tcp -- 0.0.0.0/0 12.34.56.12 tcp spt:110
icmp -- 12.34.56.12 0.0.0.0/0
icmp -- 0.0.0.0/0 12.34.56.12
tcp -- 12.34.56.12 0.0.0.0/0
tcp -- 0.0.0.0/0 12.34.56.12
udp -- 12.34.56.12 0.0.0.0/0
udp -- 0.0.0.0/0 12.34.56.12
all -- 12.34.56.12 0.0.0.0/0
all -- 0.0.0.0/0 12.34.56.12
all -- 0.0.0.0/0 0.0.0.0/0
[email protected] [~]#
 
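One way to answer Marty's question above (whether the rules are still in place after bandmin's cron run, and how to tell) is to check an iptables -L -n listing like the ones just posted. This is an added shell check, not part of KISS My Firewall or bandmin; the two listings embedded in it are constructed in the shape of the posted ones, and the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added check (not from KISS My Firewall or bandmin): parse `iptables -L -n`
# output and confirm the KISS rules from this thread are still loaded next to
# bandmin's acctboth chain.  From cron, after bandmin has run (file name is
# hypothetical):  iptables -L -n | sh check_kiss.sh
# chain_policy CHAIN : print the policy of a built-in chain (listing on stdin)
chain_policy() {
    awk -v c="$1" '$1 == "Chain" && $2 == c { gsub(/[()]/, "", $4); print $4 }'
}

# chain_has CHAIN TARGET REGEX : succeed if CHAIN holds a rule whose target
# column is TARGET and whose text matches REGEX (listing on stdin)
chain_has() {
    awk -v c="$1" -v t="$2" -v re="$3" '
        $1 == "Chain"                  { cur = $2; next }
        cur == c && $1 == t && $0 ~ re { found = 1 }
        END                            { exit found ? 0 : 1 }'
}

# check_firewall : read a listing on stdin, print one FAIL line per missing
# piece, return 0 only when everything expected is present
check_firewall() {
    listing=$(cat)
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    has()  { printf '%s\n' "$listing" | chain_has "$@"; }
    for chain in INPUT OUTPUT; do
        pol=$(printf '%s\n' "$listing" | chain_policy "$chain")
        [ "$pol" = DROP ] || fail "$chain policy is ${pol:-missing}, expected DROP"
        has "$chain" acctboth 'all' || fail "bandmin acctboth jump gone from $chain"
        has "$chain" ACCEPT 'RELATED,ESTABLISHED' || fail "no stateful ACCEPT in $chain"
        has "$chain" ACCEPT 'dpt:873( |$)' || fail "rsync (873) rule gone from $chain"
    done
    has INPUT  ACCEPT 'dpts:2080:2099' || fail "cPanel ports 2080:2099 not open"
    has OUTPUT ACCEPT 'dpt:37( |$)'    || fail "rdate (tcp 37) OUTPUT rule missing"
    [ "$fails" -eq 0 ]
}

# Constructed listing in the shape of the one posted above (12.34.56.x are the
# thread's placeholder addresses; only the columns the checks use are kept)
KISS_OK='Chain INPUT (policy DROP)
target prot opt source destination
acctboth all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpts:2080:2099
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:873 state NEW

Chain OUTPUT (policy DROP)
target prot opt source destination
acctboth all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 12.34.56.12 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:37
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:873 state NEW'

# What Marty feared: bandmin flushed the tables and reloaded only its own chain
FLUSHED='Chain INPUT (policy ACCEPT)
target prot opt source destination
acctboth all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
acctboth all -- 0.0.0.0/0 0.0.0.0/0'
printf '%s\n' "$KISS_OK" | check_firewall && echo "sample 1: KISS rules intact"
printf '%s\n' "$FLUSHED" | check_firewall || echo "sample 2: firewall was flushed"
```

On a live box the second sample's output is what you would see right after a bandmin run that had flushed the tables, so a non-zero exit from check_firewall is the thing to alert on.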

Marty
Holly,

Thanks, I may give this a try.
 

FWC

Well-Known Member
May 13, 2002
354
0
316
Ontario, Canada
Originally posted by HollyRidge
Hope that helps :)
This is working great. Thanks for the rsync tip. :)

Bandmin loads its rules in after the KISS rules and they seem to coexist with no problem. Now I need to do the other servers. :cool:
 

Marty
I hope Steve doesn't mind, and if he does, he can let me know, but I wrote a php script to help configure KISS My Firewall. You can go to:

www.tlcwe.com/firewall.php and fill out the form. It has an option to tell it that you are running cpanel to open RSYNC. You still have to add the cpanel ports in the additional ports section. I didn't get that sophisticated, but I could, I guess. Just fill out the form and click submit. It will display the shell script that you can copy and paste into pico or whatever to replace the firewall.txt script in the directions that Steve posted here:

http://forum.rackshack.net/showthread.php?s=&threadid=14401

Also, note that I have traceroutes and pings ENABLED by default, so if you want to disable those, you will have to comment them out after you paste into a text editor.

Enjoy!
 

Marty
I am still refining it a bit. I am contemplating modifying it so that you can install a configurator on a server and configure it with a mysql backend, and rather than a shell script you would have a php script that would execute it all.

Send me an email and I will drop you a copy of what I have right now.
 

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
Hollyridge, I tried KISS once again with your modifications, but this still doesn't enable rdate, though.

When upcp is run at night you see this in the backups section of the e-mail:

rdate: couldn't connect to host rdate.darkorb.net: Connection timed out.

Aside from that it seems to work perfectly with CPanel now!
 

HollyRidge
Jamesbond,
For rdate you will also have to add tcp port 37 to section 5. Alternatively, you can do the same thing by adding this to the end (don't do both)...
Code:
####################################
# OUTPUT - PORT 37 - TIMESERVER (rdate)
####################################
for server_ips in $SERVER_IPS; do
    $IPTABLES -A OUTPUT -o eth0 -s $server_ips -p tcp -m state --state NEW --sport $UNPRIVPORTS --dport 37 -j ACCEPT
done
 
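The two additions from this thread (the section 5 ports plus the rsync rules from the first post, and the rdate rule just above) put together as one added shell snippet in the script's own style; this is example code, not KISS My Firewall's or the thread's. It assumes the script's $IPTABLES, $UNPRIVPORTS and $SERVER_IPS variables, binds the inbound special-port rules to each server IP with -d the way the posted listing shows them, uses eth0 as the posts do, and swaps a dry-run function in for the iptables binary so the rules print instead of loading.

```shell
#!/bin/sh
# Added example in KISS My Firewall's own style (not code from the script or
# the thread): the cPanel additions above, generated from the same variables
# the script uses.  IPTABLES points at a dry-run function here so the rules
# print instead of loading; in the real script it is the iptables binary.
IPTABLES="dryrun"
dryrun() { echo "iptables $*"; }

UNPRIVPORTS="1024:65535"
SERVER_IPS="12.34.56.12 12.34.56.13"    # constructed, the thread's placeholder range
SPECIAL_PORTS="465 993 995 2080:2099"   # the "Special ports (#5)" list; a:b is a range

# cpanel_rules : emit one rule per line, in the order the script would append them
cpanel_rules() {
    # inbound to each bound IP: SMTPS, IMAPS, POP3S and the cPanel/WHM range
    for ip in $SERVER_IPS; do
        for port in $SPECIAL_PORTS; do
            $IPTABLES -A INPUT -i eth0 -d "$ip" -p tcp --sport $UNPRIVPORTS \
                --dport "$port" -m state --state NEW -j ACCEPT
        done
    done
    # rsync (873) in both directions for upcp; rsync only speaks TCP, so the
    # udp rules from the first post are left out here
    for chain in INPUT OUTPUT; do
        [ "$chain" = INPUT ] && dir="-i" || dir="-o"
        $IPTABLES -A "$chain" "$dir" eth0 -p tcp --sport $UNPRIVPORTS --dport 873 \
            -m state --state NEW -j ACCEPT
    done
    # rdate: outbound tcp/37 from each server IP (this OR port 37 in section 5, not both)
    for ip in $SERVER_IPS; do
        $IPTABLES -A OUTPUT -o eth0 -s "$ip" -p tcp -m state --state NEW \
            --sport $UNPRIVPORTS --dport 37 -j ACCEPT
    done
}

# rule_count : how many rules cpanel_rules emits (2 IPs x 4 ports + 2 + 2 = 12 here)
rule_count() { cpanel_rules | wc -l | tr -d ' '; }

cpanel_rules
```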

FWC
Originally posted by Marty
You can go to:

www.tlcwe.com/firewall.php and fill out the form. It has an option to tell it that you are running cpanel to open RSYNC. You still have to add the cpanel ports in the additional ports section. I didn't get that sophisticated, but I could, I guess. Just fill out the form and click submit.
That's very handy, Marty. Thanks! :cool:
 

wizital

Registered
Apr 22, 2003
1
0
151
I've got

-A: command not found (four times)

after I added the code above and re-ran KISS. Any idea, guys?
 

HollyRidge
wizital,
Check and make sure you don't have any lines starting with -A. If you do, I would suggest re-running the script now and making sure it doesn't do that. There was an error in the script for a little while last night where php saw the $ as a variable. Therefore it was blocking it out. Anyway, it was fixed last night shortly after it was posted.
 

jamesbond
Also note that in the rdate addition there is a $ missing.

The iptables line should start with $iptables and not iptables