Run a system command on a cPanel plugin

AlexisMeroni

Hello,
I need to develop a cPanel plugin so that customers can stop iptables.

I have tested with
PHP:
exec('service iptables stop');
but iptables does not stop.

Have you got a solution? Thank you.

Regards,
Alexis
 

KostonConsulting

> Hello,
> I need to develop a cPanel plugin so that customers can stop iptables.
>
> I have tested with
> PHP:
> exec('service iptables stop');
> but iptables does not stop.
>
> Have you got a solution? Thank you.
>
> Regards,
> Alexis

What user is the plugin running as? Unless it's running as root and a WHM plugin, it's not going to have permissions to stop iptables.

I'd also recommend using $return_var = shell_exec('service iptables stop') which will return the output of the command as a string. You can then check this string to make sure iptables actually stopped/started/etc.
 

AlexisMeroni

It's for cPanel, not WHM, because the FTP server is blocked at "MLSD" and it's fixed when iptables is stopped. If you can help me with this problem of the FTP server then it would be better :)
Thank you
 

KostonConsulting

> It's for cPanel, not WHM, because the FTP server is blocked at "MLSD" and it's fixed when iptables is stopped. If you can help me with this problem of the FTP server then it would be better :)
> Thank you

You should check your ftp configuration file and ftp logs and try to get this issue resolved. Allowing an end-user to disable iptables on your server is not advised. This may present a security risk to all users on the system.

Are you attempting to connect via passive mode? Perhaps the ports listed in your configuration for passive mode are being blocked by iptables?
 

AlexisMeroni

Statut : Connexion établie, attente du message d'accueil...
Réponse : 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Réponse : 220-You are user number 2 of 50 allowed.
Réponse : 220-Local time is now 21:44. Server port: 21.
Réponse : 220-This is a private system - No anonymous login
Réponse : 220-IPv6 connections are also welcome on this server.
Réponse : 220 You will be disconnected after 10 minutes of inactivity.
Commande : USER my**f
Réponse : 331 User my**f OK. Password required
Commande : PASS ********
Réponse : 230 OK. Current restricted directory is /
Commande : SYST
Réponse : 215 UNIX Type: L8
Commande : FEAT
Réponse : 211-Extensions supported:
Réponse : EPRT
Réponse : IDLE
Réponse : MDTM
Réponse : SIZE
Réponse : MFMT
Réponse : REST STREAM
Réponse : MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Réponse : MLSD
Réponse : AUTH TLS
Réponse : PBSZ
Réponse : PROT
Réponse : ESTA
Réponse : PASV
Réponse : EPSV
Réponse : SPSV
Réponse : ESTP
Réponse : 211 End.
Statut : Le serveur ne supporte pas les caractères non-ASCII.
Statut : Connecté
Statut : Récupération du contenu du dossier...
Commande : PWD
Réponse : 257 "/" is your current location
Commande : TYPE I
Réponse : 200 TYPE is now 8-bit binary
Commande : PASV
Réponse : 227 Entering Passive Mode (5,39,*3,21*,234,29)
Commande : MLSD
Réponse : 150 Accepted data connection
Réponse : 226-Options: -a -l
Réponse : 226 25 matches total
Statut : Contenu du dossier affiché avec succès
This is the FTP client log. Is it passive mode?
 

KostonConsulting

> This is the FTP client log. Is it passive mode?

Yes. Pure-FTP allows you to specify a range of ports used for passive mode in /etc/pure-ftpd.conf (likely on line 180) like so:

Code:
# Port range for passive connections replies. - for firewalling.

# PassivePortRange          30000 50000
You should allow this port range to be open on your firewall (you may want to restrict it to a smaller range) for passive connections, or instruct FTP users to not use passive mode in their FTP clients.
 

KostonConsulting

> Ok, I've uncommented the line. How can I open this port range on iptables?

The command is:

Code:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 30000:50000 -j ACCEPT
then save the ruleset with:

Code:
service iptables save
You may want to look into CSF as Michael suggested for managing firewall rules or read over the iptables wiki: HowTos/Network/IPTables - CentOS Wiki
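
Added example, not part of the thread: a 227 reply carries the passive data port as p1*256 + p2, so decoding it shows whether the port the server announces falls inside the range that is configured in PassivePortRange and opened in iptables. The function names `pasv_port` and `pasv_check` are this example's own; the sample reply is the 227 line from the client log above, with the host octets masked as posted.

```shell
#!/bin/sh
# Added example (not from the thread). Sample reply: the 227 line of the
# client log above, with its host octets masked as posted.
reply='Réponse : 227 Entering Passive Mode (5,39,*3,21*,234,29)'

# pasv_port REPLY: print the data port from a 227 reply (h1,h2,h3,h4,p1,p2).
# The port is p1*256 + p2. Returns 1 if the reply cannot be parsed.
pasv_port() (
    case $1 in
        *"227 "*"("*")"*) ;;
        *) return 1 ;;
    esac
    tuple=${1#*\(}          # drop everything up to the first "("
    tuple=${tuple%%\)*}     # drop the ")" and what follows
    set -f                  # masked octets such as "*3" must not glob
    IFS=,
    set -- $tuple
    [ "$#" -eq 6 ] || return 1
    for v in "$5" "$6"; do
        case $v in
            ''|*[!0-9]*|????*|0?*) return 1 ;;   # 1-3 digits, no leading 0
        esac
        [ "$v" -le 255 ] || return 1
    done
    echo $(( $5 * 256 + $6 ))
)

# pasv_check REPLY LOW HIGH: report whether the announced port lies in the
# range LOW..HIGH. Returns 0 inside, 1 outside, 2 unparsable.
pasv_check() (
    port=$(pasv_port "$1") || { echo "unparsable reply"; return 2; }
    if [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]; then
        echo "$port inside $2:$3"
    else
        echo "$port outside $2:$3"
        return 1
    fi
)

# 30000 50000 is the range shown (commented out) in the pure-ftpd.conf excerpt.
pasv_check "$reply" 30000 50000 || true
```

The reply in the log decodes to port 59933, which is outside 30000:50000, so the range opened in iptables has to match the range the server is actually configured to announce.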