iptables interfering with cpanel


Well-Known Member
Sep 30, 2009
When iptables is running, I can't connect to my server on the cPanel ports; however, when I disable iptables, I can. I know that I should keep iptables installed and running, but how can I allow everything cPanel uses through it? Thanks!


Well-Known Member
Jul 12, 2006
Hello there,

Your best bet is to use a firewall application that works with cPanel. I would suggest you look at CSF (Config Server Firewall), as it has a nice interface right through WHM for it.

Alternatively, you can edit your default configuration and allow the needed ports to be opened.



Quality Assurance Analyst
Staff member
Oct 2, 2010
If you are using iptables only as your firewall and you do have that default RH-Firewall-1-INPUT chain, which you can see if you run this command:

/sbin/iptables -n -L|grep RH-Firewall-1-INPUT

Then the following rules will add the cPanel ports for cPanel, WHM and Webmail, although there may be additional ports needing to be opened as mentioned in the previously provided link by Nick Jackson:

/sbin/iptables -I RH-Firewall-1-INPUT -p tcp -m tcp --dport 2082:2083 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -p tcp -m tcp --dport 2086:2087 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -p tcp -m tcp --dport 2095:2096 -j ACCEPT

Of note, if you only wish the secure ports to be opened for each of those services (cPanel, WHM and Webmail), then only use 2083, 2087 and 2096 for each command indicated.

Upon adding any rules to the firewall, please be sure to save the configuration or the entries will be wiped whenever the machine gets rebooted:

service iptables save

If you are blocked from cPanel access in iptables and it isn't due to having the RH-Firewall-1-INPUT chain, you might try adding the rules at the top of the INPUT chain itself, which will occur before any later incoming chains:

/sbin/iptables -I INPUT -p tcp -m tcp --dport 2082:2083 -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 2086:2087 -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 2095:2096 -j ACCEPT

Some suggestions by other sites might be to use -A rather than -I, but -I will put the rule at the top of the chain. If there are later rules blocking access, then having the rules after the blocks will still not allow access to the ports, since any accept rules must precede deny rules in order for the port to be opened.
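
The rule-ordering point in the last reply, as an added example that is not part of the original thread: a small checker that reads `iptables -S` style rules and reports which rule decides a connection to each cPanel port first. The function names and both sample rulesets are constructed for illustration, and the matching model is simplified as the comments state.

```shell
#!/bin/sh
# first_verdict CHAIN PORT: read `iptables -S` style rules on stdin and print
# the target of the first rule in CHAIN that would decide a TCP connection to
# PORT. Simplified model (assumption): only "-p tcp --dport N[:M]" rules and
# unconditional "-A CHAIN -j TARGET" rules are understood; rules with other
# matches (state, source address, jumps to other chains) are skipped.
first_verdict() {
    awk -v chain="$1" -v port="$2" '
    $1 == "-A" && $2 == chain {
        target = ""; dport = ""; proto = ""; other = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-j")                 { target = $(i + 1); i++ }
            else if ($i == "-p")            { proto = $(i + 1); i++ }
            else if ($i == "--dport")       { dport = $(i + 1); i++ }
            else if ($i == "--reject-with") { i++ }
            else if ($i == "-m")            { if ($(i + 1) != "tcp") other = 1; i++ }
            else                            { other = 1 }
        }
        if (other) next
        if (target != "ACCEPT" && target != "DROP" && target != "REJECT") next
        if (dport == "") {   # unconditional rule: decides everything that reaches it
            if (proto == "" || proto == "tcp") { print target; found = 1; exit }
            next
        }
        if (proto != "tcp") next
        n = split(dport, r, ":"); lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
        if (port + 0 >= lo && port + 0 <= hi) { print target; found = 1; exit }
    }
    END { if (!found) print "NONE" }'
}

# Constructed sample: the ACCEPT was appended with -A, after the catch-all REJECT.
APPENDED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 2082:2083 -j ACCEPT'

# Constructed sample: the same ACCEPT added with -I lands at the top of the chain.
INSERTED='-A INPUT -p tcp -m tcp --dport 2082:2083 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

check_ports() {  # check_ports CHAIN RULES: print "port verdict" per cPanel port
    for p in 2082 2083 2086 2087 2095 2096; do
        echo "$p $(printf '%s\n' "$2" | first_verdict "$1" "$p")"
    done
}
check_ports INPUT "$INSERTED"
```

On a live server, pipe the output of `/sbin/iptables -S` into `first_verdict` instead of the sample text; a verdict of REJECT or DROP for a port you opened means a blocking rule sits above your ACCEPT.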