
What IPs should not be blocked

Discussion in 'Security' started by umka83, Jun 8, 2011.

  1. umka83

    umka83 Member

    Joined:
    Feb 24, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Hello dear cPanel users,

    I am setting up a few new servers with cPanel. For security, and in order to limit the users of the servers geographically, I employ a default block policy using iptables:

    Code:
    iptables -P INPUT DROP
    Then I add only the IP addresses I need:
    Code:
    iptables -A INPUT -s 218.220.181.18 -j ACCEPT
    iptables -A INPUT -s 1.0.16.0/20 -j ACCEPT
    However, when I do so, many services randomly go down, including Apache httpd, IMAP, Exim etc.

    Could anyone please let me know which IP addresses I should add to the whitelist in order to avoid problems with cPanel?

    Also, why are cPanel and Apache so dependent on Internet resources? I am only updating CentOS, cPanel and Apache manually (of course after flushing iptables), so there should not be any problems, I guess.

    Any advice would be much appreciated.
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Are you ensuring to allow the server's IPs and localhost in the firewall? Localhost would be 127.0.0.1
     
  3. umka83

    umka83 Member

    OMG - I think this is it. Localhost must be the problem. Will check now ASAP.
    By the way, could you please tell me what you mean by server's IPs? The IP of the server where I am setting up the iptables, right?

    Thank you very much for your advice
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Correct. By server IPs I mean any IP on the machine that you are putting the iptables rules onto, so the main server IP and any other IPs you might have added to it as dedicated IPs (if you have added any additional IPs to the machine).
     
  5. umka83

    umka83 Member

    Thank you very much for your advice. This seems to have solved most of my problems.

    However, when trying to restart Exim in WHM > Restart Services I am still getting this error:

    Code:
    Waiting for exim to restart...............finished.
    exim (/usr/sbin/exim -bd -q60m) running as mailnull with PID 1940
    exim: [ != 220]
    exim has failed, please contact the sysadmin.
    
    This does not happen when I flush iptables. Anything else I should unblock?

    PS: of course, localhost and the server's IPs are already in the allow list
     
    #5 umka83, Jun 8, 2011
    Last edited: Jun 9, 2011
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Would you be able to provide your current firewall rules? Do you have port 25 open for incoming and outgoing connections on both the main server IP and localhost?
     
  7. umka83

    umka83 Member

    OK, the iptables rules go like this:

    Code:
    #!/bin/bash -x
    /etc/init.d/iptables stop
    
    iptables -P INPUT DROP
    iptables -A INPUT -s 127.0.0.1 -j ACCEPT
    iptables -A INPUT -s (server's mainip) -j ACCEPT
    list of ips accepted including server's ips
    ....................
    ....................
    iptables -A INPUT -p tcp --dport 22  -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22  -j ACCEPT
    
    This means that I have ALL connections on the main IP and localhost allowed, right?
    Maybe I should just allow ports 110, 25, 587 and whatever IMAP uses for all IPs (just as I did with port 22 to allow SSH)? If so, could you please advise how to do this?

    Thank you
     
    #7 umka83, Jun 8, 2011
    Last edited: Jun 8, 2011
  8. umka83

    umka83 Member

    I have tried to modify the script to allow ports 25, 26, 587 and 465, but I am still having the same problem with Exim.
    Here is my new code:

    Code:
    #!/bin/bash -x
    /etc/init.d/iptables stop
    
    iptables -P INPUT DROP
    iptables -A INPUT -s 127.0.0.1 -j ACCEPT
    iptables -A INPUT -s (server's mainip) -j ACCEPT
    list of ips accepted including server's ips
    ....................
    ....................
    iptables -A INPUT -p tcp --dport 22  -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22  -j ACCEPT
    iptables -A INPUT -p tcp --dport 21  -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 21  -j ACCEPT
    iptables -A INPUT -p tcp --dport 25  -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 25  -j ACCEPT
    iptables -A INPUT -p tcp --dport 26  -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 26  -j ACCEPT
    iptables -A INPUT -p tcp --dport 465  -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 465  -j ACCEPT
    iptables -A INPUT -p tcp --dport 587  -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 587  -j ACCEPT
    
    Here are the contents of my /var/log/exim_main.log:
    Code:
    2011-06-09 22:54:00 exim 4.69 daemon started: pid=7184, -q1h, listening for SMTP on port 25 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
    2011-06-09 22:54:00 Start queue run: pid=7185
    2011-06-09 22:54:00 Abandon queue run: pid=7185 (load 5.40, max 3.00)
    2011-06-09 22:54:00 End queue run: pid=7185
    
     
    #8 umka83, Jun 9, 2011
    Last edited: Jun 9, 2011
  9. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    I would prefer to see the full iptables listing without the actual IP address with line numbers indicated. If you can provide the full complete iptables listing with all rules, that would be great.
     
  10. umka83

    umka83 Member

    Could you please let me know how I get that listing?
    Code:
    iptables -L
    Would that do?
     
  11. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    To get the line numbers, it would be:

    Code:
    iptables -n -L --line-number
     
  12. umka83

    umka83 Member

    There seem to be too many entries, so only some of them fit on the SSH command prompt screen. Here is what I got using the command you kindly provided:

    Code:
    2811 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    2812 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
    2813 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    2814 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:26
    2815 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465
    2816 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:587
    
    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    ACCEPT     tcp  --  0.0.0.0/0            127.0.0.1           tcp dpt:25
    2    ACCEPT     tcp  --  0.0.0.0/0            127.0.0.1           tcp dpt:587
    3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22
    4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
    5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:26
    7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465
    8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:587
     
  13. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Could you attach it as a txt file then? The issue here is that DROP rules preceding ACCEPT rules can block the ACCEPT rule from working, so it's difficult without the full ruleset to see what it might have.
     
  14. umka83

    umka83 Member

    I do not see the full list on my SSH screen (if you understand what I mean). I would be glad to attach a txt file, but it would have the same contents as above.

    Is there any way to save the results of
    Code:
    iptables -n -L --line-number
    to a text file?
     
  15. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Yes, with this command:

    Code:
    iptables -n -L --line-number > /home/username/public_html/iptables.txt
    This would save the file in the cPanel account with the username "username", in its public_html folder, under the name iptables.txt.
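Two points in this thread can be checked offline: that a DROP placed ahead of an ACCEPT silences it (post 13), and that the saved `iptables -n -L --line-numbers` listing is the thing to reason over (post 15). The Python below is an added example, not code from the thread or from cPanel: it parses a listing in that format, applies iptables' first-match semantics, and reports which rule decides the flows this thread cares about. The listing itself, the main IP 203.0.113.10 and the remote client 198.51.100.7 are constructed placeholders.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    target: str                  # ACCEPT or DROP (the -j target)
    src: str = "0.0.0.0/0"       # source address or CIDR (the -s match)
    proto: str = "all"           # "all" or "tcp"
    dport: Optional[int] = None  # destination port of a "tcp --dport" rule

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every match criterion of the rule applies to the packet."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def verdict(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """iptables semantics: the first matching rule decides, else the chain policy."""
    for num, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return rule.target, num
    return policy, None

def parse_listing(text: str, chain: str = "INPUT") -> Tuple[str, List[Rule]]:
    """Read one chain out of saved `iptables -n -L --line-numbers` output."""
    policy, rules, inside = "ACCEPT", [], False
    for line in text.splitlines():
        header = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if header:
            inside = header.group(1) == chain
            if inside:
                policy = header.group(2)
            continue
        parts = line.split()
        if not inside or len(parts) < 6 or not parts[0].isdigit():
            continue  # blank line, column header, or a rule of another chain
        target, prot, src = parts[1], parts[2], parts[4]
        dport = next((int(t[4:]) for t in parts[6:] if t.startswith("dpt:")), None)
        rules.append(Rule(target, src, prot, dport))
    return policy, rules

# Constructed listing in the shape of the thread's rules; 203.0.113.10 is a
# documentation-range placeholder standing in for the server's main IP.
LISTING = """\
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  127.0.0.1            0.0.0.0/0
2    ACCEPT     all  --  203.0.113.10         0.0.0.0/0
3    ACCEPT     all  --  1.0.16.0/20          0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
"""

if __name__ == "__main__":
    policy, rules = parse_listing(LISTING)
    flows = [("chksrvd -> 127.0.0.1:25", Packet("127.0.0.1", "127.0.0.1", "tcp", 25)),
             ("remote MTA -> main IP:25", Packet("198.51.100.7", "203.0.113.10", "tcp", 25)),
             ("remote client -> IMAP:143", Packet("198.51.100.7", "203.0.113.10", "tcp", 143))]
    for name, pkt in flows:
        print(f"{name:26s} {verdict(rules, policy, pkt)}")
    # A DROP for port 25 placed ahead of the ACCEPTs shadows them, even for localhost.
    shadowed = [Rule("DROP", proto="tcp", dport=25)] + rules
    print("with an early DROP:", verdict(shadowed, policy, flows[0][1]))
```

To use it on a real server, pass the contents of the saved listing file to parse_listing(). Keep in mind that anything under public_html is served by Apache, so a listing saved there is readable over HTTP until it is removed.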
     
  16. umka83

    umka83 Member

  17. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    It appears you have all the incoming and outgoing traffic allowed for those ports. The only service that is failing is Exim? What is the exact message in the /var/log/chksrvd.log file about the failure when it tries to restart it?

    It's a bit strange to me that all other services are now reporting fine but for exim.
     
  18. umka83

    umka83 Member

    Yes, Exim seems to be the only service that has this problem, and emails are actually not working when iptables is enabled.

    /var/log/chksrvd.log is about 18 MB and I am not sure what to look for. I will just paste some of the most recent entries:

    Code:
    Service Check Started
    Loading services .....cpanellogd....cpsrvd....exim....imap....mysql....named....queueprocd....spamd....sshd....syslogd..Done
    [2011-04-13 08:03:33 +0800] Service check ....syslogd [[check command:+][tcp connect:N/A]]...sshd [[check command:+][tcp connect:N/A]]...spamd [[check command:+][tcp connect:N/A]]...queueprocd [[check command:+][tcp connect:N/A]]...named [[check command:+][tcp connect:N/A]]...mysql [[check command:+][tcp connect:N/A]]...melange [[check command:N/A][tcp connect:N/A]]...imap [[check command:+][tcp connect:+]]...exim [[check command:+][tcp connect:+]]...entropychat [[check command:N/A][tcp connect:N/A]]...cpsrvd [[check command:N/A][tcp connect:+]]...cpanellogd [[check command:+][tcp connect:N/A]]...Done
    Service Check Finished
    When trying to restart Exim with iptables enabled, WHM gives this error:

    Code:
    Waiting for exim to restart...............finished.
    exim (/usr/sbin/exim -bd -q60m) running as mailnull with PID 12069
    exim has failed, please contact the sysadmin.
     
  19. kbob

    kbob Member

    Joined:
    May 30, 2011
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    @umka83 Would you mind changing the following option in the exim config file :

    Find the following line :
    Change this to :

    Restart exim to make the changes active.

    Hope this can fix you up !

    If not try commenting out this option in the configuration file with #
     
    #19 kbob, Jun 10, 2011
    Last edited: Jun 10, 2011
  20. umka83

    umka83 Member

    Hello Kbob,

    Thank you for your suggestion. I have tried it, but it did not help. Exim still works fine with iptables disabled and does not work with iptables enabled. Maybe this is a problem with iptables, not the Exim settings...?
     