Questions about Host Access Control

antispam

Member
Nov 26, 2012
cPanel Access Level
Root Administrator
Hi,

This is about a new server, just had the installation completed.

I went to Host Access Control to limit the range of IPs permitted to connect to the server and I created the rules through Security Center > Host Access Control in AlmaLinux 8.5, but I faced a few problems:

1. First and foremost, it does not seem to work. Every IP can access the port, instead of only a few intended IPs.
Maybe I did something wrong, or maybe there is an option somewhere else to enable it?
For example, for port 22, the "nft -a list chain inet filter cPanel-HostAccessControl" returns (w.x.y.z are several IP addresses that I want to grant access to):
Code:
table inet filter {
        chain cPanel-HostAccessControl { # handle 1
                ip saddr w1.x1.y1.z1 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 2
                ip saddr w2.x2.y2.z2 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 3
                ip saddr w3.x3.y3.z3 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 4
                ip saddr w4.x4.y4.z4 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 5
                ip saddr w5.x5.y5.z5 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 6
                ip saddr w6.x6.y6.z6 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 7
                ip saddr w7.x7.y7.z7 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 8
                ct state new tcp dport 22 counter packets 0 bytes 0 reject # handle 9
        }
}
Also, the "systemctl status nftables" returns:
Code:
● nftables.service - Netfilter Tables
   Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Tue 2022-01-25 21:24:25 EET; 4h 24min ago
     Docs: man:nft(8)
  Process: 1400 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf (code=exited, status=0/SUCCESS)
Main PID: 1400 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 822260)
   Memory: 0B
   CGroup: /system.slice/nftables.service

Jan 25 21:24:19 my.server.com systemd[1]: Starting Netfilter Tables...
Jan 25 21:24:25 my.server.com systemd[1]: Started Netfilter Tables.
2. In the Documentation Host Access Control page (ver. 100 - last mod. 2021-12-15) it says that in the last (REJECT) rule we should "Enter ALL IP in the IP Address/CIDR text box".
However this brings an error: "IP addresses must be a valid v4 or v6 address".

See attached file.
I found somewhere that "ALL" instead of "ALL IP" could also work, and it seems to create the rule ok. But is it related to that the REJECT rule does not reject any IP?

3. In the same documentation page, it states that "You may apply your rule to multiple IP addresses by entering a comma-separated list of IP addresses or a CIDR subnet mask".
However, upon entering "w1.x1.y1.z1,w2.x2.y2.z2" (with actual IPs, of course) it displays the same error: "IP addresses must be a valid v4 or v6 address".
So it does not seem that the comma separated list works.

I tried to search similar problems but I did not find anything related (most entries are about CentOS 7, which does not rely on nftables, as CentOS 8 does).
May I also add that a few (graceful) restarts have been initiated, so it does not seem to be a "restart the service" issue.

I believe the 3 questions are not related.

Please do not hesitate to ask for any more information.
And please accept my apologies beforehand, if I have missed something.
Thank you for your time.
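One thing worth noticing in the nft listing above is that every rule, including the final reject, shows "packets 0": no connection has been evaluated by that chain at all, which is consistent with the reported behaviour that every IP can still reach port 22. The script below is an added example (not cPanel's code) that parses an `nft -a list chain` dump of this shape and flags the defender-relevant conditions: a missing catch-all reject, accept rules placed after the catch-all (unreachable), all-zero counters (the chain is not being traversed), and the absence of a `type ... hook ...` line, which in nftables means the chain is a regular chain that only sees traffic when a base chain jumps to it. The sample dumps are constructed with RFC 5737 documentation addresses; the rule regex assumes the exact format shown in the post.

```python
"""Audit an `nft -a list chain` dump of a Host Access Control style allowlist.

Added example, not cPanel's code. Assumes the dump format shown in the thread:
optional `ip saddr X`, then `ct state new tcp dport N`, `counter packets P bytes B`
and a verdict, optionally followed by `# handle H`.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the post's output; RFC 5737 documentation
# addresses stand in for the real allowlisted IPs. All counters are zero.
SAMPLE_NOT_TRAVERSED = """\
table inet filter {
        chain cPanel-HostAccessControl { # handle 1
                ip saddr 192.0.2.10 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 2
                ip saddr 198.51.100.7 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 3
                ct state new tcp dport 22 counter packets 0 bytes 0 reject # handle 4
        }
}
"""

# Constructed healthy variant: the chain is a base chain on the input hook and
# the counters show that both the allow rule and the catch-all reject have matched.
SAMPLE_HEALTHY = """\
table inet filter {
        chain cPanel-HostAccessControl { # handle 1
                type filter hook input priority filter; policy accept;
                ip saddr 192.0.2.10 ct state new tcp dport 22 counter packets 14 bytes 840 accept # handle 2
                ct state new tcp dport 22 counter packets 3 bytes 180 reject # handle 3
        }
}
"""

RULE_RE = re.compile(
    r"^(?:ip saddr (?P<saddr>\S+) )?ct state new tcp dport (?P<dport>\d+) "
    r"counter packets (?P<packets>\d+) bytes (?P<bytes>\d+) "
    r"(?P<verdict>accept|reject|drop)(?: # handle (?P<handle>\d+))?$"
)


@dataclass
class Rule:
    saddr: Optional[str]   # None means the rule matches any source address
    dport: int
    packets: int
    verdict: str
    handle: Optional[int]


def parse_chain(dump: str) -> List[Rule]:
    """Extract the port-filter rules from a chain listing, in rule order."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(m["saddr"], int(m["dport"]), int(m["packets"]),
                              m["verdict"], int(m["handle"]) if m["handle"] else None))
    return rules


def has_hook(dump: str) -> bool:
    # A base chain carries a `type ... hook ... priority ...;` line. Without one the
    # chain is a regular chain and only sees packets another chain jumps to it.
    return re.search(r"^\s*type \w+ hook \w+ priority", dump, re.M) is not None


def audit(dump: str, port: int) -> List[str]:
    """Return a list of problems; an empty list means the allowlist for `port` looks sound."""
    rules = [r for r in parse_chain(dump) if r.dport == port]
    if not rules:
        return [f"no rules for tcp/{port}"]
    findings = []
    catchall = [i for i, r in enumerate(rules)
                if r.saddr is None and r.verdict in ("reject", "drop")]
    if not catchall:
        findings.append(f"tcp/{port}: no catch-all reject/drop, so unlisted sources are not blocked")
    else:
        shadowed = [r.saddr for r in rules[catchall[0] + 1:] if r.verdict == "accept"]
        if shadowed:
            findings.append(f"tcp/{port}: accept rules after the catch-all are unreachable: {shadowed}")
    if sum(r.packets for r in rules) == 0:
        findings.append(f"tcp/{port}: every counter is zero, so no packet has traversed these rules")
    if not has_hook(dump):
        findings.append("chain has no hook line; it is only consulted if a base chain jumps to it")
    return findings


if __name__ == "__main__":
    for name, dump in (("post-like", SAMPLE_NOT_TRAVERSED), ("healthy", SAMPLE_HEALTHY)):
        print(name, audit(dump, 22) or ["ok"])
```

On a live host the dump would come from `nft -a list chain inet filter cPanel-HostAccessControl` run as root; re-running the audit after a test connection from a non-allowlisted address should show the reject counter increment if the chain is actually in the packet path.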

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
I did some testing on my end and I am not able to reproduce issue #1. Here is what my WHM interface looks like:

[Attached screenshot: WHM Host Access Control rule list]

and I confirmed I can only access SSH from the IP that is blocked out in red. All other addresses received a connection failure:

Code:
rexhatt$ ssh [email protected]
ssh: connect to host 10.2.33.138 port 22: Connection refused
For issue #2, I've filed a documentation case with our team to get that updated, as just "ALL" is correct, when "ALL IP" is not.

The same with issue #3 - I've reported that to our documentation team so they can get that adjusted.

Thanks so much for pointing these out!