Host Access Control not working
2 | 22 | IP address redacted | tcp | ACCEPT | |
3 | 22 | IP address redacted | tcp | ACCEPT | |
4 | 22 | IP address redacted | tcp | ACCEPT | |
6 | 22 | IP address redacted | tcp | ACCEPT | |
7 | 22 | ALL | tcp | REJECT | |
9 | 2087 | IP address redacted | tcp | ACCEPT | |
10 | 2087 | IP address redacted | tcp | ACCEPT | |
11 | 2087 | IP address redacted | tcp | ACCEPT | |
12 | 2087 | IP address redacted | tcp | ACCEPT | |
13 | 2087 | ALL | tcp | REJECT |
Hey there! That certainly looks right, and follows the details outlined at Host Access Control | cPanel & WHM Documentation. If you run this command on the system, does it properly return your rules?
nft -a list chain inet filter cPanel-HostAccessControl
Thanks for the additional details. This is one of those things that should "just work" so could you open a ticket with our team so we can take a look at this directly on the machine?
Thank you for confirming I wasn't doing something incorrectly :) I've raised support case #94520897 for further investigation. Cheers
Thanks for that - it looks like we were able to reset the Host Access Control tools by running "/usr/local/cpanel/scripts/configure_firewall_for_cpanel" - after doing that, we tested things as working properly in the ticket.
Thank you, I can confirm it's now working :)
I'm glad to hear it!
Hi, sorry to hijack the topic, but I have a similar issue where the rules go empty after the server is restarted. Any idea why?
Following are my specs, FYI:
OS: AlmaLinux v8.10.0 STANDARD standard ( Upgraded from CentOS 7 using elevate script )
WHM/cPanel Version: 120.0.14
CSF: 14.20
ANZEEQ - can you ensure that nftables is running when the server is started? You can use this command to check the status:
systemctl status nftables
We do *not* want to see output similar to this, showing it is not enabled:
nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:nft(8)
Well, from what I see it's running, but still not working as intended, as any public IP is able to view the page.
[root@platinum ~]# systemctl status nftables
● nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
Active: active (exited) since Wed 2024-07-31 13:17:57 +08; 6min ago
Docs: man:nft(8)
Process: 565934 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf (code=exited, status=0/SUCCESS)
Main PID: 565934 (code=exited, status=0/SUCCESS)
Jul 31 13:17:57 platinum.gh-solutions.biz systemd[1]: Starting Netfilter Tables...
Jul 31 13:17:57 platinum.gh-solutions.biz systemd[1]: Started Netfilter Tables.
As shown, this will go empty once the server has been rebooted. Any idea how to make it sticky??
ANZEEQ Here are the notes I've taken from the issue. Hopefully they work for you too.
It's probably best to reset your host access controls, reboot and then start again as per the below.
Best of luck
Note regarding Host Access Control:
CloudLinux/AlmaLinux both cannot use the firewalld service, but should instead use nftables to manage host access.
To check the service status of firewalld and nftables use the following:
systemctl status firewalld (should be disabled)
systemctl status nftables (should be enabled)
To disable firewalld run:
systemctl disable firewalld
To enable the nftables service run:
systemctl enable nftables
The server will then need to be restarted to ensure the firewall is cleared of any incompatible rules.
The rules live in the file: /etc/sysconfig/nftables.conf
Rules can be seen by running:
nft -a list chain inet filter cPanel-HostAccessControl
Run:
cat /etc/sysconfig/nftables.conf | grep -A5 INPUT
to ensure that jump cPanel-support-access exists so that nftables can look to the host access list above.
To reset host access control and inetfilter run:
/scripts/configure_firewall_for_cpanel
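An added example, not part of this thread and not cPanel's own tooling: a small shell audit that checks, from a saved ruleset, the two things the notes above have you verify by eye. It reads either the boot-time file /etc/sysconfig/nftables.conf or the output of nft list ruleset, confirms that the INPUT chain jumps to cPanel-HostAccessControl (the chain name as it appears in the nft output posted later in this thread), and counts the verdict rules in that chain so that an emptied chain is reported rather than silently passing. The three sample rulesets in the script are constructed for illustration, and the address 203.0.113.10 in them is a documentation address, not a real host.

```shell
# Added example, not from the thread and not cPanel's own tooling: audit an
# nftables ruleset (the boot file /etc/sysconfig/nftables.conf, or the output
# of "nft list ruleset") for the two things the notes above check by hand:
# the INPUT chain must jump to cPanel-HostAccessControl, and that chain must
# actually contain rules. The sample rulesets below are constructed.

# Print the body of the named chain: the lines between "chain NAME {" and "}".
chain_body() {   # $1 = ruleset text, $2 = chain name
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "chain" && $2 == name { inside = 1; next }
        inside && $1 == "}"         { inside = 0 }
        inside                      { print }
    '
}

# Exit 0 only if the INPUT chain hands packets to the host-access chain.
input_jumps_to_hac() {   # $1 = ruleset text
    chain_body "$1" INPUT | grep -q 'jump cPanel-HostAccessControl'
}

# Number of verdict rules (accept/drop/reject) in the host-access chain;
# "|| true" keeps grep's exit status 1 on zero matches from aborting callers.
hac_rule_count() {   # $1 = ruleset text
    chain_body "$1" cPanel-HostAccessControl \
        | grep -cE '(accept|drop|reject)( |$)' || true
}

# One-word verdict: OK, NO-JUMP (chain never consulted) or EMPTY (chain is
# present but holds no rules, which is the post-reboot symptom in this thread).
audit_ruleset() {   # $1 = ruleset text
    if ! input_jumps_to_hac "$1"; then
        echo NO-JUMP
    elif [ "$(hac_rule_count "$1")" -eq 0 ]; then
        echo EMPTY
    else
        echo OK
    fi
}

# Constructed sample 1: healthy ruleset. INPUT jumps to the chain, and the chain
# allows one address to port 22 and drops everyone else (203.0.113.10 is a
# documentation address, not a real host).
GOOD=$(cat <<'EOF'
table inet filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        counter jump cPanel-HostAccessControl
        counter jump cP-Firewall-1-INPUT
    }
    chain cPanel-HostAccessControl {
        ip saddr 203.0.113.10 ct state new tcp dport 22 counter accept
        ct state new tcp dport 22 counter drop
    }
}
EOF
)

# Constructed sample 2: the jump is still there but the chain has been emptied.
EMPTYHAC=$(cat <<'EOF'
table inet filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        counter jump cPanel-HostAccessControl
    }
    chain cPanel-HostAccessControl {
    }
}
EOF
)

# Constructed sample 3: rules exist but INPUT never consults the chain.
NOJUMP=$(cat <<'EOF'
table inet filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        counter jump cP-Firewall-1-INPUT
    }
    chain cPanel-HostAccessControl {
        ct state new tcp dport 22 counter drop
    }
}
EOF
)

echo "sample GOOD:     $(audit_ruleset "$GOOD")"       # OK
echo "sample EMPTYHAC: $(audit_ruleset "$EMPTYHAC")"   # EMPTY
echo "sample NOJUMP:   $(audit_ruleset "$NOJUMP")"     # NO-JUMP

# On a real server (root, nft installed) compare the boot file with the live
# kernel ruleset: a boot file that is OK while the live ruleset is EMPTY means
# something that runs after nftables.service is flushing the chain.
if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
    [ -r /etc/sysconfig/nftables.conf ] &&
        echo "boot file:    $(audit_ruleset "$(cat /etc/sysconfig/nftables.conf)")"
    echo "live ruleset: $(audit_ruleset "$(nft list ruleset 2>/dev/null)")"
fi
```

The point of comparing the boot file with the live ruleset is to separate the two failure modes discussed in the thread: if the file on disk already lacks the chain contents, rerunning the reset script and checking what it wrote is the next step; if the file is fine but the live chain is empty after boot, some other service that starts later (the thread mentions firewalld and CSF as candidates) is replacing or flushing the ruleset. Note that the awk matcher concatenates every chain named INPUT across all tables, so on a host with several tables a jump in any of them counts.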
Hi guys,
I have tried everything as mentioned above; the rules just go blank on every reboot. My findings are as below, masked for privacy:
As for this cmd: cat /etc/sysconfig/nftables.conf | grep -A5 INPUT, yes, I could see the jump cPanel-support-access:
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 271567 bytes 97416955 jump cPanel-HostAccessControl
counter packets 271454 bytes 97410487 jump cP-Firewall-1-INPUT
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump cPanel-HostAccessControl
counter packets 0 bytes 0 jump cP-Firewall-1-INPUT
}
[root@platinum ~]# nft -a list chain inet filter cPanel-HostAccessControl
table inet filter {
chain cPanel-HostAccessControl { # handle 5
ip saddr 165.XXX.XXX.XX2 ct state new tcp dport 2XXX counter packets 1 bytes 60 accept # handle 11
ip saddr 165.XXX.XXX.XX2 ct state new tcp dport 2087 counter packets 24 bytes 1256 accept # handle 12
ip saddr 165.XXX.XXX.XX2 ct state new tcp dport 7XXX counter packets 5 bytes 268 accept # handle 13
ip saddr 165.XXX.XXX.XX2 ct state new tcp dport 1XXX counter packets 20 bytes 1048 accept # handle 14
ct state new tcp dport 2XXX counter packets 6 bytes 328 drop # handle 15
ct state new tcp dport 2087 counter packets 96 bytes 5728 drop # handle 16
ct state new tcp dport 7XXX counter packets 96 bytes 5728 drop # handle 17
ct state new tcp dport 1XXX counter packets 7 bytes 348 drop # handle 18
ct state new tcp dport 2XXX counter packets 11 bytes 660 drop # handle 19
}
}
[root@platinum ~]# systemctl status nftables.service
● nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
Active: active (exited) since Thu 2024-08-29 07:35:53 +08; 9min ago
Docs: man:nft(8)
Process: 9148 ExecStop=/sbin/nft flush ruleset (code=exited, status=0/SUCCESS)
Process: 9150 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf (code=exited, status=0/SUCCESS)
Main PID: 9150 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 100381)
Memory: 0B
CGroup: /system.slice/nftables.service
Aug 29 07:35:53 platinum.XXX-XXX.biz systemd[1]: Starting Netfilter Tables...
Aug 29 07:35:53 platinum.XXX-XXX.biz systemd[1]: Started Netfilter Tables.
[root@platinum ~]#
The moment the server is rebooted, all are gone!!! Any idea what I am doing wrongly???
Hi ANZEEQ
It sounds to me like firewalld is still starting. Are you sure that the service is disabled as per this KB issue and my advice above?
firewall-cmd --state
systemctl status firewalld
To disable the service so that it will not start the next time that you reboot the server, issue the following command:
systemctl disable firewalld
Hi tom9909,
As shown below:
[root@platinum ~]# systemctl status firewalld
● firewalld.service
Loaded: masked (Reason: Unit firewalld.service is masked.)
Active: inactive (dead)
[root@platinum ~]# systemctl disabl firewalld
Unknown operation disabl.
[root@platinum ~]# systemctl disable firewalld
Unit /etc/systemd/system/firewalld.service is masked, ignoring.
[root@platinum ~]#
I believe I have CSF running as well:
[root@platinum ~]# systemctl status csf
● csf.service - ConfigServer Firewall & Security - csf
Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: disabled)
Active: active (exited) since Thu 2024-08-29 07:28:00 +08; 1h 3min ago
Main PID: 2202 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 100381)
Memory: 0B
CGroup: /system.slice/csf.service
And... yes, I do have CSF running. Could this be an issue?
Hmm, no, I have CSF running too and it's working for me.
Honestly, the documentation could be improved with simplified steps for this setup....
It may be time to open a support ticket so that they can investigate further, as it's gone a bit beyond me at this point :(
It's definitely time for a ticket on this issue.
Hi cPRex,
Yep, I guess it is time, but I was wondering if my cPanel licence allows me to raise a ticket, as it's licensed by my server provider. Most probably I would be raising the ticket soon when the next reboot / maintenance is scheduled.
If your license isn't purchased directly from us you would open that ticket with your provider, and then they would escalate to us if necessary.