cP-Firewall-1-INPUT iptables chain
Hi,
We are trying to find out why rules are automatically getting opened in this iptables chain: cP-Firewall-1-INPUT
Can someone shed some light on this chain and if it is related to cphulkd?
I found a related thread. But I'm uncertain if this addresses our questions adequately.
We remove rules, and they keep getting added back. Does Cpanel need SSH open to the world to function/update?
Thanks
This is actually part of a cPanel script at /scripts/configure_firewall_for_cpanel
The chain, when added, opens the standard ports cPanel needs to function - this is discussed here: How to Configure Your Firewall for cPanel Services - cPanel Knowledge Base - cPanel Documentation

You can see the full chain here:

[root@server ~]# iptables --list-rules cP-Firewall-1-INPUT
-N cP-Firewall-1-INPUT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 49152:65534 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2077 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2078 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2080 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2082 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 26 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 579 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2079 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
Thanks for the reply, I had run across this. However, opening up all these ports to the world isn't good security practice. Is there any way to lock down at least some of these (like port 22) to only certain IP ranges without having your work overwritten due to an update etc.?

Do you have a firewall like csf or apf installed on your server?

You can still impose blocks using your firewall or host access control for ports/services you'd like to be restricted.

We are running iptables, I am not certain about CSF/APF. I know cphulkd is there, but have to look into access control.

I started looking into this. I still had a follow-up question: is there still something that is auto-opening ports? It seems that if we block access to port 25 in the firewall, it gets re-opened.

Hi @ca2236, I'd suggest opening a ticket at this point, especially if you're unsure whether or not you have CSF or APF. Once open, please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks!

Thanks

I opened a support ticket.

I got the answer I needed.

Hello @ca2236, what was the ticket ID or the issue that was causing the problem?

There is a bug in cPanel (fixed in the latest release) that was causing this.

I'd love to correlate that @ca2236, but I'm not able to do so without the ticket ID.

This is still happening in WHM 82.0.17, inserting a rule at the top of INPUT allowing wide-ranging access and bypassing other firewall rules. Bad juju :( As a hacky fix, I am running the following via cron every 5 minutes because this rule miraculously re-appears on our cPanel servers randomly.

/sbin/iptables -D INPUT -j cP-Firewall-1-INPUT 2> /dev/null && echo "cP-Firewall-1-INPUT Removed"
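A defender-side check that goes one step beyond the cron removal above, added here as an example (it is not from this thread or from cPanel): it reads `iptables -S` output and lists the INPUT DROP/REJECT rules that the cP-Firewall-1-INPUT jump sits in front of and therefore bypasses, so a cron job can alert on the condition instead of silently deleting the jump. The sample ruleset, the `--live` flag and the 203.0.113.0/24 range are constructed for the example.

```shell
# audit_cp_chain: read `iptables -S` output on stdin and report each DROP/REJECT rule
# in INPUT that sits after the jump to cP-Firewall-1-INPUT and targets a port that
# chain already ACCEPTs. Output: ABSENT | OK | "BYPASS <n>" then one bypassed rule per line.
audit_cp_chain() {
    awk '
    # Collect the ports the cPanel chain accepts (single ports or lo:hi ranges).
    /^-A cP-Firewall-1-INPUT / && /-j ACCEPT/ {
        for (i = 1; i <= NF; i++) if ($i == "--dport") accept[++np] = $(i + 1)
    }
    # Remember the jump position and every DROP/REJECT that comes after it.
    /^-A INPUT / {
        n++
        if ($0 ~ /-j cP-Firewall-1-INPUT/ && !jump) jump = n
        else if (jump && $0 ~ /-j (DROP|REJECT)/) drop[++nd] = $0
    }
    function opens(p,    k, r, lo, hi) {   # does the chain ACCEPT port p?
        for (k = 1; k <= np; k++) {
            if (split(accept[k], r, ":") == 2) { lo = r[1]; hi = r[2] }
            else { lo = accept[k]; hi = accept[k] }
            if (p + 0 >= lo + 0 && p + 0 <= hi + 0) return 1
        }
        return 0
    }
    END {
        if (!jump) { print "ABSENT"; exit }
        for (d = 1; d <= nd; d++) {
            nf = split(drop[d], f, " ")
            for (i = 1; i <= nf; i++)
                if (f[i] == "--dport" && opens(f[i + 1])) { hit[++nh] = drop[d]; break }
        }
        if (!nh) { print "OK"; exit }
        print "BYPASS " nh
        for (h = 1; h <= nh; h++) print hit[h]
    }'
}

# Constructed sample ruleset (not from a real server): cPanel jump first, admin rules after.
SAMPLE_RULES='-A INPUT -j cP-Firewall-1-INPUT
-A INPUT ! -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j REJECT
-A INPUT -p tcp -m tcp --dport 60000 -j DROP
-A INPUT -p tcp -m tcp --dport 9000 -j DROP
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 49152:65534 -j ACCEPT'

# Audit the live ruleset with --live (needs root); otherwise audit the sample above.
if [ "${1:-}" = "--live" ]; then iptables -S | audit_cp_chain
else printf '%s\n' "$SAMPLE_RULES" | audit_cp_chain; fi
```

Ports the chain opens through a range (such as 49152:65534) are matched as well, so the port 60000 rule in the sample is reported alongside 22 and 3306, while the port 9000 rule is not. A non-empty BYPASS result is the signal that your own restrictions need to be placed ahead of the jump or re-applied.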