The Community Forums

iptables and outbound traffic to external DNS Only server

Discussion in 'Security' started by hmalekib, Sep 17, 2010.

  1. hmalekib
    Hello:

    We are trying to fix the iptables policies for our cPanel servers so that they can communicate out with our DNS only servers and update, etc...

    Here is the error we're currently getting:

    There was an error while processing your request: Cpanel::Accounting returned [HTTP/1.0 900 NET OR SSL ERROR /usr/local/cpanel/whostmgr/docroot/cgi/trustclustermaster.cgi 6938: open_tcp_connection: failed `IP_HERE', 2087 (Connection timed out) ]

    Here are our iptables rules:

    #Name Servers
    DNS1=""
    DNS2=""

    #Default Deny
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP

    #Allow Loopback
    iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

    #Deny Bad Packets
    iptables -A INPUT -f -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

    #Deny Packets from Invalid Address Space
    iptables -A INPUT -s 10.0.0.0/8 -j DROP
    iptables -A INPUT -s 127.0.0.0/8 -j DROP
    iptables -A INPUT -s 172.16.0.0/12 -j DROP
    iptables -A INPUT -s 192.168.0.0/16 -j DROP
    iptables -A INPUT -s 224.0.0.0/3 -j DROP

    #Allow ICMP(Ping)
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A OUTPUT -p icmp -j ACCEPT

    #Allow DNS
    iptables -A OUTPUT -p udp --sport 1024:65535 -d $DNS1 --dport 53 -j ACCEPT
    iptables -A INPUT -p udp -s $DNS1 --sport 53 --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 1024:65535 -d $DNS2 --dport 53 -j ACCEPT
    iptables -A INPUT -p udp -s $DNS2 --sport 53 --dport 1024:65535 -j ACCEPT

    iptables -A INPUT -i eth0 -p UDP --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p TCP --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p UDP --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p TCP --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT

    ## Allow Selective Inbound Connections

    #DNS
    iptables -A INPUT -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 53 --dport 1024:65535 -j ACCEPT

    #HTTP (Web Server)
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 80 --dport 1024:65535 -j ACCEPT

    #HTTPS (Web Server)
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 443 --dport 1024:65535 -j ACCEPT

    #FTP
    iptables -A INPUT -p tcp --dport 21 --sport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 21 --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -p tcp --dport 20 --sport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 20 --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -p tcp --dport 3000:3100 --sport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 3000:3100 --dport 1024:65535 -j ACCEPT

    #SSH
    iptables -A INPUT -p tcp --dport 4777 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 4777 --dport 1024:65535 -j ACCEPT

    #SMTP
    iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 25 --dport 1024:65535 -j ACCEPT

    #Secure SMTP
    iptables -A INPUT -p tcp --dport 465 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 465 --dport 1024:65535 -j ACCEPT

    #IMAP
    iptables -A INPUT -p tcp --dport 143 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 143 --dport 1024:65535 -j ACCEPT

    #Secure IMAP
    iptables -A INPUT -p tcp --dport 993 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 993 --dport 1024:65535 -j ACCEPT

    #POP3
    iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 110 --dport 1024:65535 -j ACCEPT

    #Secure POP3
    iptables -A INPUT -p tcp --dport 995 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 995 --dport 1024:65535 -j ACCEPT

    #cPanel
    iptables -A INPUT -p tcp --dport 2082 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 2082 --dport 1024:65535 -j ACCEPT

    #Secure cPanel
    iptables -A INPUT -p tcp --dport 2083 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 2083 --dport 1024:65535 -j ACCEPT

    #Web Host Manager
    iptables -A INPUT -p tcp --dport 2086 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 2086 --dport 1024:65535 -j ACCEPT

    #Secure Web Host Manager
    iptables -A INPUT -p tcp --dport 2087 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 2087 --dport 1024:65535 -j ACCEPT

    iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 2087 -j ACCEPT

    #Webmail
    iptables -A INPUT -p tcp --dport 2095 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 2095 --dport 1024:65535 -j ACCEPT

    #Secure Webmail
    iptables -A INPUT -p tcp --dport 2096 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 2096 --dport 1024:65535 -j ACCEPT

    ## Allow Selective Outbound Connections

    #SMTP
    iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp --sport 25 --dport 1024:65535 -j ACCEPT

    #HTTP
    iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --sport 80 --dport 1024:65535 -j ACCEPT

    #HTTPS
    iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp --sport 443 --dport 1024:65535 -j ACCEPT

    #cPanel Licensing
    iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 2089 -j ACCEPT
    iptables -A INPUT -p tcp --sport 2089 --dport 1024:65535 -j ACCEPT

    #WHOIS
    iptables -A OUTPUT -p udp --sport 1024:65535 --dport 43 -j ACCEPT
    iptables -A INPUT -p udp --sport 43 --dport 1024:65535 -j ACCEPT

    Any ideas what we need to change?
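Added example, not part of hmalekib's post: a small Python evaluator that replays a packet through a ruleset written in the post's own iptables syntax and reports which rule, or which chain policy, the packet hits, first match wins as in the kernel. It covers only the matches the embedded subset uses (-p, -s, -d, -i/-o, --sport/--dport, -m state); the post's -f and --tcp-flags lines are left out. The name-server addresses, the two hosts' addresses, the packet definitions and the OUTBOUND_2087 rule pair are constructed placeholders, not values from the thread. Run against the posted subset, the first SYN of an outbound connection to port 2087 falls through to the OUTPUT chain's DROP policy (the only OUTPUT rule mentioning 2087 matches replies from the local WHM, i.e. source port 2087), while an inbound SYN to 2087 is accepted; with the hypothetical pair appended, both the outbound SYN and the returning SYN-ACK pass.

```python
# Added example, not from the original post: a minimal evaluator for iptables filter
# chains that reports which rule (or chain policy) a packet hits, first match wins.
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass
class Packet:
    chain: str                              # "INPUT" or "OUTPUT"
    proto: str                              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    iface: str = "eth0"
    state: str = "NEW"                      # conntrack state that "-m state" would see


def parse_rules(text, env):
    """Turn 'iptables -P/-A ...' lines into chain policies and per-rule match dicts."""
    policies, rules = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line.startswith("iptables"):
            continue                        # blank lines and '#' comments
        for name, val in env.items():       # expand $DNS1 / $DNS2 as the shell would
            line = line.replace("$" + name, val)
        argv = shlex.split(line)[1:]
        if argv[0] == "-P":
            policies[argv[1]] = argv[2]
            continue
        rule = {"chain": argv[1]}
        for opt, val in zip(argv[2::2], argv[3::2]):   # every option used here takes one value
            if opt in ("-s", "-d"):
                rule[opt] = ipaddress.ip_network(val, strict=False)
            elif opt in ("--sport", "--dport"):     # "2087" -> (2087, 2087); "1024:65535" -> (1024, 65535)
                lo, _, hi = val.partition(":")
                rule[opt] = (int(lo), int(hi or lo))
            elif opt == "--state":
                rule[opt] = set(val.split(","))
            elif opt in ("-p", "-i", "-o", "-j"):     # "-m state" itself adds no constraint
                rule[opt] = val.lower() if opt == "-p" else val
        rules.append(rule)
    return policies, rules


def _matches(r, p):                         # every constraint present in the rule must hold
    sp, dp = r.get("--sport", (0, 65535)), r.get("--dport", (0, 65535))
    return (r["chain"] == p.chain and r.get("-p", p.proto) == p.proto
            and r.get("-i", p.iface) == p.iface and r.get("-o", p.iface) == p.iface
            and p.state in r.get("--state", {p.state})
            and sp[0] <= p.sport <= sp[1] and dp[0] <= p.dport <= dp[1]
            and ("-s" not in r or ipaddress.ip_address(p.src) in r["-s"])
            and ("-d" not in r or ipaddress.ip_address(p.dst) in r["-d"]))


def verdict(policies, rules, pkt):
    """(target, 1-based rule number) of the first match, else (chain policy, None)."""
    for n, rule in enumerate(rules, 1):
        if _matches(rule, pkt):
            return rule["-j"], n
    return policies.get(pkt.chain, "ACCEPT"), None


# Constructed subset of the posted ruleset; DNS1/DNS2 are empty in the post, so
# ENV substitutes placeholder addresses.
POSTED_RULES = """
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1024:65535 -d $DNS1 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s $DNS1 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --dport 2087 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2087 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 --dport 1024:65535 -j ACCEPT
"""
# Hypothetical pair that lets this host open connections to tcp/2087 and get the replies.
OUTBOUND_2087 = """
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 2087 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 2087 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
"""
ENV = {"DNS1": "198.51.100.53", "DNS2": "198.51.100.54"}

PACKETS = {   # constructed: this cPanel server is 203.0.113.10, the DNS-only server 203.0.113.53
    "out_syn_2087": Packet("OUTPUT", "tcp", "203.0.113.10", "203.0.113.53", 40000, 2087),
    "reply_synack": Packet("INPUT", "tcp", "203.0.113.53", "203.0.113.10", 2087, 40000, state="ESTABLISHED"),
    "in_syn_2087": Packet("INPUT", "tcp", "198.51.100.7", "203.0.113.10", 51000, 2087),
}


def trace(ruleset, name):               # target that packet `name` ends up with under `ruleset`
    return verdict(*parse_rules(ruleset, ENV), PACKETS[name])[0]


if __name__ == "__main__":
    for label, rs in (("posted", POSTED_RULES), ("posted + outbound 2087", POSTED_RULES + OUTBOUND_2087)):
        print(label, {n: trace(rs, n) for n in PACKETS})
```

The evaluator is a reading aid, not a substitute for the box itself: on the real server, `iptables -L OUTPUT -n -v --line-numbers` shows per-rule packet counters, and a SYN to port 2087 that increments no rule counter is landing on the chain policy. Note also that the posted rules mostly do not use `-m state`, so each allowed direction needs its own explicit reply rule, which is why the hypothetical pair above has both an OUTPUT and an INPUT half.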