For those that are having trouble with KissMyFirewall...

Discussion in 'General Discussion' started by HollyRidge, Apr 18, 2003.

  1. HollyRidge

    For those having trouble with KissMyFirewall and Cpanel...

    This will fix the issue with not being able to do updates properly as well. :)

    http://forum.rackshack.net/showthread.php?s=&postid=137808
    http://www.geocities.com/steve93138/

    Add these ports to the Special ports (#5)...
    Code:
    465 993 995 2080:2099
    And now add this to the bottom of the firewall and restart it...
    Code:
    ################################################################################
    # INPUT - PORT 873 - Rsync
    ################################################################################
    $IPTABLES -A INPUT -i eth0 -p udp --sport $UNPRIVPORTS --dport 873 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p tcp --sport $UNPRIVPORTS --dport 873 -m state --state NEW -j ACCEPT
    
    ################################################################################
    # OUTPUT - PORT 873 - Rsync
    ################################################################################
    $IPTABLES -A OUTPUT -o eth0 -p udp --sport $UNPRIVPORTS --dport 873 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS --dport 873 -m state --state NEW -j ACCEPT
    Hope that helps :)
     
    #1 HollyRidge, Apr 18, 2003
    Last edited: Apr 18, 2003
  2. Marty

    Won't this interfere with the operation of bandmin?
     
  3. HollyRidge

    Working fine here from what I can tell. Figures are going up as they should and different days are created and moving up as well.
     
  4. Marty

    Yea, I would expect that to be true, but note that bandmin is run by cron and flushes iptables and reloads it with its own info twice an hour. Are you sure that your firewall rules are remaining in place, and if so, how? If you go to the geocities page for KISS and run the test to see if you have another firewall running on a clean cpanel install, you will find that it fails the test. Maybe there is something that I am missing here, but I don't see how a firewall that manipulates iptables can coexist with bandmin without disabling bandmin.
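The question of whether the rules survive bandmin's half-hourly cron run is easiest to settle by checking the live listing after each run. The script below is an added example, not code from this thread, from KISS My Firewall or from cPanel: it parses `iptables -L -n` output for the rules the first post adds (rsync on 873 and the special ports 465 993 995 2080:2099) and reports which are missing; the required-rules list and the two sample listings are my own constructions.

```shell
#!/bin/sh
# Added example, not code from this thread or from KISS My Firewall. It checks
# an `iptables -L -n` listing for the rules HollyRidge added for cPanel (rsync
# on 873 plus the special ports 465 993 995 2080:2099), so you can re-run it
# after bandmin's cron job and see whether the ruleset survived.

# Required rules: chain target proto dport, dport spelled as iptables prints it.
# Append more lines for other services (e.g. "OUTPUT ACCEPT tcp dpt:37" for rdate).
REQUIRED_RULES='
INPUT  ACCEPT tcp dpt:873
INPUT  ACCEPT udp dpt:873
OUTPUT ACCEPT tcp dpt:873
INPUT  ACCEPT tcp dpt:465
INPUT  ACCEPT tcp dpt:993
INPUT  ACCEPT tcp dpt:995
INPUT  ACCEPT tcp dpts:2080:2099
'

# rule_present LISTING_FILE CHAIN TARGET PROTO DPORT
# Exit status 0 if CHAIN holds a rule with that target, protocol and dport.
rule_present() {
    awk -v chain="$2" -v target="$3" -v proto="$4" -v dport="$5" '
        /^Chain /  { cur = $2; next }   # e.g. "Chain INPUT (policy DROP)"
        /^target / { next }             # column header line
        cur == chain && $1 == target && $2 == proto {
            for (i = 6; i <= NF; i++) if ($i == dport) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# missing_rules LISTING_FILE: prints one "MISSING: ..." line per absent rule.
missing_rules() {
    printf '%s\n' "$REQUIRED_RULES" | while read -r chain target proto dport; do
        [ -n "$chain" ] || continue
        rule_present "$1" "$chain" "$target" "$proto" "$dport" ||
            echo "MISSING: $chain $target $proto $dport"
    done
    return 0
}

# count_missing LISTING_FILE: prints the number of required rules not found.
count_missing() {
    missing_rules "$1" | awk 'END { print NR }'
}

# Constructed sample: KISS plus the cPanel additions loaded (modelled on the
# listing posted later in this thread, trimmed to one IP).
FULL_LISTING=$(mktemp)
cat > "$FULL_LISTING" <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
acctboth   all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            12.34.56.12         state NEW tcp spts:1024:65535 dpt:465
ACCEPT     tcp  --  0.0.0.0/0            12.34.56.12         state NEW tcp spts:1024:65535 dpt:993
ACCEPT     tcp  --  0.0.0.0/0            12.34.56.12         state NEW tcp spts:1024:65535 dpt:995
ACCEPT     tcp  --  0.0.0.0/0            12.34.56.12         state NEW tcp spts:1024:65535 dpts:2080:2099
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:873 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:873 state NEW

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:873 state NEW
EOF

# Constructed sample: only bandmin's accounting chain, i.e. the firewall rules
# are gone (modelled on Marty's listing above).
BARE_LISTING=$(mktemp)
cat > "$BARE_LISTING" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
acctboth   all  --  0.0.0.0/0            0.0.0.0/0
EOF

missing_rules "$BARE_LISTING"   # prints 7 MISSING lines; prints nothing for FULL_LISTING
```

On a real server, save the live listing with `iptables -L -n > /tmp/rules.txt` before and after the bandmin cron fires and run `count_missing` on each file; a non-zero count after the run means bandmin replaced the ruleset.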
     
  5. HollyRidge

    Well, I don't see what you are referring to on bandmin flushing the rules and adding its own. I've been running the firewall on the server for over 8 hours along with bandmin and the ruleset is still there.

    As far as what Steve is referring to on his page, that is only the 3 basic policies that are normally listed on iptables. If you also do the research on his firewall, it was made mainly for Ensim but can be adopted for any server. Cpanel has another policy listed when you run the iptables -L -n command, which is what you are referring to. However, the part listed as far as his test goes should be exactly as he has it.

    As far as running an iptables or ipchains script along with bandmin or anything else on a Cpanel server goes, it is going to do the same thing. This also includes Bastille and many others. Yes, Bastille is an iptables firewall. However, I would never recommend Bastille's use on anything as long as it has psad packaged along with it.

    I can't really see the developers here making any type of server and having it so you can't run a firewall on it. In today's world you can't have a server too secure. And if you are running without some sort of firewall on your server, you might as well leave your keys in your door when you go away for vacation ;)
     
  6. Marty

    I am just trying to make sure this will work. I mean no offense by my questions. I have tried to add rules before, only to have bandmin drop them later. Anyway, if I do an iptables -L -n right now with no firewall running, here is what I get:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    acctboth all -- 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    acctboth all -- 0.0.0.0/0 0.0.0.0/0

    Chain acctboth (2 references)
    target prot opt source destination
    tcp -- 64.21.40.2 0.0.0.0/0 tcp dpt:80
    tcp -- 0.0.0.0/0 64.21.40.2 tcp spt:80
    tcp -- 64.21.40.2 0.0.0.0/0 tcp dpt:25
    tcp -- 0.0.0.0/0 64.21.40.2 tcp spt:25
    tcp -- 64.21.40.2 0.0.0.0/0 tcp dpt:110
    tcp -- 0.0.0.0/0 64.21.40.2 tcp spt:110
    icmp -- 64.21.40.2 0.0.0.0/0
    icmp -- 0.0.0.0/0 64.21.40.2
    tcp -- 64.21.40.2 0.0.0.0/0
    tcp -- 0.0.0.0/0 64.21.40.2
    udp -- 64.21.40.2 0.0.0.0/0
    udp -- 0.0.0.0/0 64.21.40.2
    all -- 64.21.40.2 0.0.0.0/0
    all -- 0.0.0.0/0 64.21.40.2
    tcp -- 64.21.40.10 0.0.0.0/0 tcp dpt:80
    tcp -- 0.0.0.0/0 64.21.40.10 tcp spt:80
    tcp -- 64.21.40.10 0.0.0.0/0 tcp dpt:25
    tcp -- 0.0.0.0/0 64.21.40.10 tcp spt:25
    tcp -- 64.21.40.10 0.0.0.0/0 tcp dpt:110
    tcp -- 0.0.0.0/0 64.21.40.10 tcp spt:110
    icmp -- 64.21.40.10 0.0.0.0/0
    icmp -- 0.0.0.0/0 64.21.40.10
    tcp -- 64.21.40.10 0.0.0.0/0
    tcp -- 0.0.0.0/0 64.21.40.10
    udp -- 64.21.40.10 0.0.0.0/0
    udp -- 0.0.0.0/0 64.21.40.10
    all -- 64.21.40.10 0.0.0.0/0
    all -- 0.0.0.0/0 64.21.40.10
    tcp -- 64.21.40.11 0.0.0.0/0 tcp dpt:80
    tcp -- 0.0.0.0/0 64.21.40.11 tcp spt:80
    tcp -- 64.21.40.11 0.0.0.0/0 tcp dpt:25
    tcp -- 0.0.0.0/0 64.21.40.11 tcp spt:25
    tcp -- 64.21.40.11 0.0.0.0/0 tcp dpt:110
    tcp -- 0.0.0.0/0 64.21.40.11 tcp spt:110
    icmp -- 64.21.40.11 0.0.0.0/0
    icmp -- 0.0.0.0/0 64.21.40.11
    tcp -- 64.21.40.11 0.0.0.0/0
    tcp -- 0.0.0.0/0 64.21.40.11
    udp -- 64.21.40.11 0.0.0.0/0
    udp -- 0.0.0.0/0 64.21.40.11

    And that is just the first page. Do you see something similar? This is all info that bandmin uses to track bandwidth. About a month ago, a cpanel upgrade screwed bandmin and we got emails every time the bandmin cron ran saying that the iptables rule was already present. I assumed that was because the new bandmin had a bug that failed to flush the iptables before trying to reload them. I assumed it reloaded them just in case new IPs had been bound to the server. Anyway, I appreciate your instructions, I just didn't want to go through the work and find out that bandmin would flush my iptables rules every time it ran and make my firewall ineffective.
     
  7. HollyRidge

    Hmmm, haven't gotten the first email related to bandmin not working. Also, the ruleset is still up and running on the firewall for over 25 hours now and all is well. Here is the output from the iptables -L -n command...

    Part 1 of 2....

    root@srv1 [~]# iptables -L -n
    Chain INPUT (policy DROP)
    target prot opt source destination
    acctboth all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    DROP all -- 12.34.56.12 0.0.0.0/0
    DROP all -- 12.34.56.13 0.0.0.0/0
    DROP all -- 12.34.56.14 0.0.0.0/0
    DROP all -- 12.34.56.15 0.0.0.0/0
    DROP all -- 12.34.56.16 0.0.0.0/0
    DROP all -- 10.0.0.0/8 0.0.0.0/0
    DROP all -- 172.16.0.0/12 0.0.0.0/0
    DROP all -- 192.168.0.0/16 0.0.0.0/0
    DROP all -- 127.0.0.0/8 0.0.0.0/0
    DROP all -- 255.255.255.255 0.0.0.0/0
    DROP all -- 0.0.0.0/0 0.0.0.0
    DROP all -- 0.0.0.0/0 12.34.56.0
    DROP all -- 0.0.0.0/0 12.34.56.255
    DROP all -- 0.0.0.0/0 255.255.255.255
    DROP all -- 224.0.0.0/4 0.0.0.0/0
    DROP !udp -- 0.0.0.0/0 224.0.0.0/4
    ACCEPT udp -- 0.0.0.0/0 224.0.0.0/4
    DROP all -- 240.0.0.0/5 0.0.0.0/0
    DROP all -- 0.0.0.0/8 0.0.0.0/0
    DROP all -- 169.254.0.0/16 0.0.0.0/0
    DROP all -- 192.0.2.0/24 0.0.0.0/0
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:80
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:80
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:80
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:80
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:80
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:443
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:443
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:443
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:443
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:443
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:20
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:20
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:20
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:20
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:20
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:465
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:465
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:465
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:465
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:465
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:993
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:993
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:993
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:993
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:993
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:995
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:995
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:995
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:995
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:995
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpts:2080:2099
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpts:2080:2099
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpts:2080:2099
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpts:2080:2099
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpts:2080:2099
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 tcp spts:1024:65535 dpt:21 state NEW
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 tcp spts:1024:65535 dpt:21 state NEW
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 tcp spts:1024:65535 dpt:21 state NEW
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 tcp spts:1024:65535 dpt:21 state NEW
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 tcp spts:1024:65535 dpt:21 state NEW
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:110
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:110
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:110
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:110
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:110
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:143
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:143
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:143
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:143
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:143
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 state NEW tcp spts:1024:65535 dpt:22
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 state NEW tcp spts:1024:65535 dpt:22
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 state NEW tcp spts:1024:65535 dpt:22
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 state NEW tcp spts:1024:65535 dpt:22
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 state NEW tcp spts:1024:65535 dpt:22
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.12 tcp spts:1024:65535 dpt:25 state NEW
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.13 tcp spts:1024:65535 dpt:25 state NEW
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.14 tcp spts:1024:65535 dpt:25 state NEW
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.15 tcp spts:1024:65535 dpt:25 state NEW
    ACCEPT tcp -- 0.0.0.0/0 12.34.56.16 tcp spts:1024:65535 dpt:25 state NEW
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53 state NEW
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53 state NEW
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpt:53 state NEW
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpt:53 state NEW
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:873 state NEW
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:873 state NEW

    Chain FORWARD (policy DROP)
    target prot opt source destination
     
  8. HollyRidge

    Part 2 of 2.....

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    acctboth all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    ACCEPT tcp -- 12.34.56.12 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
    ACCEPT tcp -- 12.34.56.13 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
    ACCEPT tcp -- 12.34.56.14 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
    ACCEPT tcp -- 12.34.56.15 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
    ACCEPT tcp -- 12.34.56.16 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
    ACCEPT tcp -- 12.34.56.12 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
    ACCEPT tcp -- 12.34.56.13 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
    ACCEPT tcp -- 12.34.56.14 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
    ACCEPT tcp -- 12.34.56.15 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
    ACCEPT tcp -- 12.34.56.16 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
    REJECT tcp -- 12.34.56.12 0.0.0.0/0 tcp spts:1024:65535 dpt:113 flags:0x16/0x02 state NEW reject-with tcp-reset
    REJECT tcp -- 12.34.56.13 0.0.0.0/0 tcp spts:1024:65535 dpt:113 flags:0x16/0x02 state NEW reject-with tcp-reset
    REJECT tcp -- 12.34.56.14 0.0.0.0/0 tcp spts:1024:65535 dpt:113 flags:0x16/0x02 state NEW reject-with tcp-reset
    REJECT tcp -- 12.34.56.15 0.0.0.0/0 tcp spts:1024:65535 dpt:113 flags:0x16/0x02 state NEW reject-with tcp-reset
    REJECT tcp -- 12.34.56.16 0.0.0.0/0 tcp spts:1024:65535 dpt:113 flags:0x16/0x02 state NEW reject-with tcp-reset
    ACCEPT tcp -- 12.34.56.12 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW
    ACCEPT tcp -- 12.34.56.13 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW
    ACCEPT tcp -- 12.34.56.14 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW
    ACCEPT tcp -- 12.34.56.15 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW
    ACCEPT tcp -- 12.34.56.16 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW
    ACCEPT tcp -- 12.34.56.12 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:21
    ACCEPT tcp -- 12.34.56.13 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:21
    ACCEPT tcp -- 12.34.56.14 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:21
    ACCEPT tcp -- 12.34.56.15 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:21
    ACCEPT tcp -- 12.34.56.16 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:21
    ACCEPT tcp -- 12.34.56.12 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:22
    ACCEPT tcp -- 12.34.56.13 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:22
    ACCEPT tcp -- 12.34.56.14 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:22
    ACCEPT tcp -- 12.34.56.15 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:22
    ACCEPT tcp -- 12.34.56.16 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:22
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53 state NEW
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53 state NEW
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpt:53 state NEW
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpt:53 state NEW
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
    ACCEPT tcp -- 12.34.56.12 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:43
    ACCEPT tcp -- 12.34.56.13 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:43
    ACCEPT tcp -- 12.34.56.14 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:43
    ACCEPT tcp -- 12.34.56.15 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:43
    ACCEPT tcp -- 12.34.56.16 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:43
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:873 state NEW
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:873 state NEW

    Chain acctboth (2 references)
    target prot opt source destination
    tcp -- 12.34.56.12 0.0.0.0/0 tcp dpt:80
    tcp -- 0.0.0.0/0 12.34.56.12 tcp spt:80
    tcp -- 12.34.56.12 0.0.0.0/0 tcp dpt:25
    tcp -- 0.0.0.0/0 12.34.56.12 tcp spt:25
    tcp -- 12.34.56.12 0.0.0.0/0 tcp dpt:110
    tcp -- 0.0.0.0/0 12.34.56.12 tcp spt:110
    icmp -- 12.34.56.12 0.0.0.0/0
    icmp -- 0.0.0.0/0 12.34.56.12
    tcp -- 12.34.56.12 0.0.0.0/0
    tcp -- 0.0.0.0/0 12.34.56.12
    udp -- 12.34.56.12 0.0.0.0/0
    udp -- 0.0.0.0/0 12.34.56.12
    all -- 12.34.56.12 0.0.0.0/0
    all -- 0.0.0.0/0 12.34.56.12
    all -- 0.0.0.0/0 0.0.0.0/0
    root@srv1 [~]#
     
  9. Marty

    Holly,

    Thanks, I may give this a try.
     
  10. FWC

    This is working great. Thanks for the rsync tip. :)

    Bandmin loads its rules in after the KISS rules and they seem to coexist with no problem. Now I need to do the other servers. :cool:
     
  11. Marty

    I hope Steve doesn't mind, and if he does, he can let me know, but I wrote a php script to help configure KISS My Firewall. You can go to:

    www.tlcwe.com/firewall.php and fill out the form. It has an option to tell it that you are running cpanel to open RSYNC. You still have to add the cpanel ports in the additional ports section. I didn't get that sophisticated, but I could, I guess. Just fill out the form and click submit. It will display the shell script that you can copy and paste into pico or whatever to replace the firewall.txt script in the directions that Steve posted here:

    http://forum.rackshack.net/showthread.php?s=&threadid=14401

    Also, note that I have traceroutes and pings ENABLED by default, so if you want to disable those, you will have to comment them out after you paste into a text editor.

    Enjoy!
     
    #11 Marty, Apr 21, 2003
    Last edited: Apr 21, 2003
  12. HollyRidge

    Cool deal Marty!! I can't speak for Steve but I don't see how he would mind a bit. Do you mind if I work with your script a little and maybe use a modified form of it?
     
  13. Marty

    I am still refining it a bit. I am contemplating modifying it so that you can install a configurator on a server and configure it with a mysql backend, and rather than a shell script you would have a php script that would execute it all.

    Send me an email and I will drop you a copy of what I have right now.
     
  14. jamesbond

    Hollyridge, I tried KISS once again with your modifications, but this still doesn't enable rdate though.

    When upcp is being run at night you see this in the backups section of the e-mail:

    rdate: couldn't connect to host rdate.darkorb.net: Connection timed out.

    Aside from that it seems to work perfectly with CPanel now!
     
  15. HollyRidge

    Jamesbond,
    For rdate you will have to also add tcp port 37 to section 5. Or alternatively you can do the same thing by adding this to the end as well (don't do both)...
    Code:
    ####################################
    # OUTPUT - PORT 37 - TIMESERVER (rdate)
    ####################################
    for server_ips in $SERVER_IPS; do
        $IPTABLES -A OUTPUT -o eth0 -s $server_ips -p tcp -m state --state NEW --sport $UNPRIVPORTS --dport 37 -j ACCEPT
    done
     
     
    #15 HollyRidge, Apr 21, 2003
    Last edited: Apr 22, 2003
  16. jamesbond

    Thank you HollyRidge! :)
     
  17. FWC

    That's very handy, Marty. Thanks! :cool:
     
  18. wizital

    I've got

    -A: command not found (four times)
    after I added the code above and re-ran KISS.
    Any idea, guys?
     
  19. HollyRidge

    wizital,
    Check and make sure you don't have any lines starting with -A. If you do, I would suggest re-running the script now and making sure it doesn't do that. There was an error in the script for a little while last night where php sees the $ as a variable. Therefore it was blocking it out. Anyway, it was fixed last night shortly after it was posted.
     
  20. jamesbond

    Also note that in the rdate addition there is a $ missing.

    The iptables line should start with $iptables and not iptables.
     