
IPTables on or off?

Discussion in 'Security' started by skyrie, Apr 25, 2012.

  1. skyrie

    skyrie Registered

    Installing cPanel/WHM requires me to deactivate iptables. However, it doesn’t say anywhere that I need to reactivate it. Any software I install that requires the use of a port works by default, without having to open said port. So cPanel/WHM did not reactivate it automatically. Do I need to activate iptables manually, or do I have to leave it off for some reason?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. Brian

    Brian Well-Known Member

    This is not true. cPanel can and does work alongside iptables. What you're likely referring to is that the default firewall rules (if deployed upon OS installation) understandably do not make any accommodations in the ruleset for cPanel-specific ports. You can continue to utilize iptables happily as long as you manually open up the necessary ports to allow cPanel to be accessed and function properly.

    A list of these ports is available right in our online documentation:

    Linux FAQ

    As iptables itself is an operating system level feature that's largely left alone by cPanel & WHM, it is left up to you (the server owner) to decide if you want to use iptables. If so, it's then your responsibility to configure iptables correctly to permit the above-mentioned ports to be utilized. If you choose not to use iptables, be aware that "SMTP Tweak" will not function for you. This feature requires iptables functionality if you want to use it.

    Note that there is a 3rd party product that aims to make this process easier in the form of a WHM Plugin. You may wish to check it out and see if it's something you want.

    ConfigServer Security & Firewall

    The question of whether you should utilize iptables is analogous to asking "should I utilize a firewall or not?". Just bear in mind that the act of iptables 'running' isn't what provides the firewall functionality, it's the configuration/ruleset you deploy with it. You'd want to read up further on using iptables or further investigate ConfigServer's CSF if this interests you.
     
  4. NetMantis

    NetMantis BANNED

    As a point of clarification ... cPanel does not require you to deactivate or uninstall iptables!

    I think what you are confused just a little bit about is that in CentOS 5 and above, there exists a default iptables firewall configuration which leaves all the ports closed that you would need to access WHM after it is installed, so if you don't flush those default rules, you are unable to log in to WHM after you finish the base install.

    You need to kill that default iptables firewall configuration --- but NOT iptables itself!

    The default iptables configuration is usually stored in /etc/sysconfig so the easiest way to tackle that issue is usually to remove the file /etc/sysconfig/iptables before installing cPanel / WHM.

    This is not removing the iptables program itself, only the default configuration that has been loaded into iptables.

    You need to also restart iptables after you remove the config file either through "/etc/rc.d/init.d/iptables restart" or from "service iptables restart" (either of those should work on CentOS) to make sure iptables is cleared empty. The reason for removing the iptables config file versus just simply issuing a rule flush command to iptables is that doing so prevents those rules from being automatically reloaded again.

    You can verify iptables doesn't have anything loaded with "iptables -L"

    Then you would install cPanel / WHM normally and after the installation program is finished, you should be able to log in to WHM on port 2086 (or if using SSL, 2087) and won't have any firewall rules blocking you anymore but iptables itself would still be running, just without any firewall rules loaded.

    For firewall security, I recommend installing CSF after you install cPanel / WHM. CSF is a wrapper for iptables and depends upon iptables being installed but it is a very well written and robust firewall and I definitely support and recommend its use.

    You can get CSF Firewall from the author's site here --> ConfigServer Security & Firewall
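
Added example, not part of any post in this thread: both replies above note that iptables can be running with no rules loaded, which filters nothing. The sketch below reads `iptables -S INPUT` or `iptables-save` output and reports whether the INPUT chain is empty and how it treats a given TCP port such as WHM's 2086/2087. The function name `check_tcp_port` and the sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `iptables -S INPUT` or `iptables-save` text on stdin and
# prints how the filter INPUT chain treats new TCP connections to port $1:
#   unfiltered | open | blocked | unknown
# Assumption: only single-port "-p tcp --dport N" rules and unconditional
# ACCEPT/DROP/REJECT rules are evaluated. Rules with other matches are skipped,
# and a jump to any other target (for example a custom chain) gives "unknown".
check_tcp_port() {
    awk -v port="$1" '
        /^\*/ { table = substr($1, 2); next }
        table != "" && table != "filter" { next }
        $1 == ":INPUT" { policy = $2; next }
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        { rules++ }
        verdict != "" { next }
        {
            target = proto = dport = ""; other = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(++i)
                else if ($i == "-p") proto = $(++i)
                else if ($i == "--dport") dport = $(++i)
                else if ($i == "--reject-with") i++
                else if ($i == "-m") { m = $(++i); if (m != "tcp" && m != "state") other = 1 }
                else if ($i == "--state") { if ($(++i) !~ /NEW/) other = 1 }
                else other = 1
            }
            if (target !~ /^(ACCEPT|DROP|REJECT)$/) { verdict = "unknown"; next }
            if (other) next
            if ((proto == "" && dport == "") || (proto == "tcp" && (dport == "" || dport == port)))
                verdict = (target == "ACCEPT") ? "open" : "blocked"
        }
        END {
            if (rules == 0 && policy == "ACCEPT") verdict = "unfiltered"
            else if (verdict == "") verdict = (policy == "ACCEPT") ? "open" : "blocked"
            print verdict
        }'
}

# Constructed sample: iptables running with no rules loaded.
EMPTY_RULES='-P INPUT ACCEPT'
# Constructed sample: a ruleset that admits only SSH, then rejects the rest.
SSH_ONLY_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

printf '%s\n' "$EMPTY_RULES"    | check_tcp_port 2087   # unfiltered
printf '%s\n' "$SSH_ONLY_RULES" | check_tcp_port 2087   # blocked
```

On a live server the input would come from `iptables-save | check_tcp_port 2087`; an "unfiltered" result means the host still needs a ruleset before it has any firewall protection.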
     
  5. skyrie

    skyrie Registered

    Thanks for getting back to me, guys.
    I disabled iptables because of Step 5: Configure Your Operating System.
    It says if I am installing a CentOS OS I should deactivate the default firewall and check for updates. It does not tell me to reactivate the firewall after I have updated, which led to my confusion.
     