Problems after migration to Rackspace cloud server

Discussion in 'General Discussion' started by medennis, Nov 5, 2012.

  1. medennis

    medennis Registered

    We're in the process of migrating two cPanel installations to cloud services using Express Transfer via SSH.
    The first to TekTonic, all 90 domains migrated smoothly and are working properly.

    From the second, two domains were migrated to RackSpace - there were no errors in the transfer, but one continued to time out and it was necessary to change the DNS back to the original server.
    At the time, host lookups returned the new server IP, and pings were successful. Traceroutes timed out one hop short of the server, which may have complicated matters, but are completing now.

    For the second, the page usually times out, but when it loads it doesn't display any of the graphics.

    Also, even though "Enable mod_userdir Protection" is unchecked, sites time out when accessed via http://fqdn(or IP)/~username.

    --------------------------------
    Just before opening a trouble ticket with the above, I thought for thoroughness I should try shutting off the firewall. That was it. Everything worked correctly with it off, and still worked after installing an edited copy of the iptables from the original server.

    Here's what was on the Rackspace server:
    Code:
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [50:4650]
    -A INPUT -p tcp -m tcp --dport 2087 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2086 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 2078 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 2082 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 2077 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 26 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    
    Here's what was on the new server at Tectonic:
    Code:
    *nat
    :PREROUTING ACCEPT [528117:31259433]
    :POSTROUTING ACCEPT [136925:9621749]
    :OUTPUT ACCEPT [136925:9621749]
    -A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner mailman -j RETURN
    -A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner mail -j RETURN
    -A OUTPUT -d 127.0.0.1/32 -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner cpanel -j RETURN
    -A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner root -j RETURN
    -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REDIRECT
    COMMIT
    *filter
    :INPUT ACCEPT [59217:5429689]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [44553:104488134]
    :acctboth - [0:0]
    -A INPUT -j acctboth
    -A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner mailman -j ACCEPT
    -A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner mail -j ACCEPT
    -A OUTPUT -d 127.0.0.1/32 -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner cpanel -j ACCEPT
    -A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner root -j ACCEPT
    -A OUTPUT -j acctboth
    -A acctboth -s ipaddress ! -i lo -p tcp -m tcp --dport 80
    -A acctboth -d ipaddress ! -i lo -p tcp -m tcp --sport 80
    -A acctboth -s ipaddress ! -i lo -p tcp -m tcp --dport 25
    -A acctboth -d ipaddress ! -i lo -p tcp -m tcp --sport 25
    -A acctboth -s ipaddress ! -i lo -p tcp -m tcp --dport 110
    -A acctboth -d ipaddress ! -i lo -p tcp -m tcp --sport 110
    -A acctboth -s ipaddress ! -i lo -p icmp
    -A acctboth -d ipaddress ! -i lo -p icmp
    -A acctboth -s ipaddress ! -i lo -p tcp
    -A acctboth -d ipaddress ! -i lo -p tcp
    -A acctboth -s ipaddress ! -i lo -p udp
    -A acctboth -d ipaddress ! -i lo -p udp
    -A acctboth -s ipaddress ! -i lo
    -A acctboth -d ipaddress ! -i lo
    -A acctboth ! -i lo
    COMMIT
    
    I'm still curious why the iptables rules turned out so different from the original or another new install.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    One firewall appears to be configured for cPanel, the other does not.
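
Added example (not part of the original posts): iptables walks a chain top-down and stops at the first matching terminating rule, and in the Rackspace ruleset quoted above the unconditional `-A INPUT -j REJECT` precedes the ACCEPT rules for ports 80, 443 and the other service ports. The Python sketch below flags rules that sit behind such a catch-all in `iptables-save` output; the function names and the shortened sample ruleset are constructed for illustration.

```python
import shlex

# Targets that end traversal of the current chain for a matching packet.
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}
# Options that configure the target rather than restrict which packets match.
TARGET_OPTS = {"--reject-with"}

# Constructed sample: shortened from the Rackspace ruleset in the first post.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_rule(line):
    """Split an '-A CHAIN ...' line into (chain, match_tokens, target)."""
    tokens = shlex.split(line)
    chain, rest = tokens[1], tokens[2:]
    match, target, i = [], None, 0
    while i < len(rest):
        if rest[i] in ("-j", "--jump"):
            target, i = rest[i + 1], i + 2
        elif rest[i] in TARGET_OPTS:
            i += 2                      # skip the option and its value
        else:
            match.append(rest[i]); i += 1
    return chain, match, target

def find_shadowed(ruleset):
    """Return (table, chain, blocking_rule, unreachable_rule) tuples."""
    table, blockers, shadowed = None, {}, []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("*"):        # new table: chains are per-table
            table, blockers = line[1:], {}
        elif line.startswith("-A "):
            chain, match, target = parse_rule(line)
            if chain in blockers:       # a catch-all already ended this chain
                shadowed.append((table, chain, blockers[chain], line))
            elif target in TERMINAL and not match:
                blockers[chain] = line  # unconditional terminating rule
    return shadowed

if __name__ == "__main__":
    for table, chain, blocker, rule in find_shadowed(SAMPLE):
        print(f"[{table}/{chain}] unreachable: {rule}\n    blocked by: {blocker}")
```

Running it against a saved ruleset before and after moving the catch-all REJECT to the end of the chain shows whether every intended ACCEPT rule is actually reachable.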
     