NickTheGreek

How to Configure Your Firewall for cPanel Services


Example configurations

The following examples explain how to add rules with CSF, APF, and the iptables application.

Important:

  • We do not recommend that you use these examples for your personal configurations. Instead, make certain that your firewall rules match the way in which you use cPanel & WHM's services.
  • CentOS 7, CloudLinux™ 7, and Red Hat® Enterprise Linux (RHEL) 7 servers have additional requirements. For more information, read the CentOS 7, CloudLinux 7, and RHEL 7 firewall management section below.

CSF

ConfigServer provides the free WHM plugin CSF, which allows you to modify your iptables rules within WHM.

To install CSF, run the following commands as the root user:

cd /usr/src
rm -fv csf.tgz
# Download the csf.tgz archive from the CSF website into /usr/src before you extract it.
tar -xzf csf.tgz
cd csf && ./install.sh

To configure CSF, use WHM's ConfigServer & Firewall interface (Home >> Plugins >> ConfigServer & Firewall).

Note:

For more information about how to install and use CSF, visit the CSF website.

APF

APF acts as a front-end interface for the iptables application, and allows you to open or close ports without the use of the iptables syntax.

The following example includes two rules that you can add to the /etc/apf/conf.apf file in order to allow HTTP and HTTPS access to your system:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="80,443"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="80"

Note:

For more information about APF, visit the APF site.

iptables

The iptables application offers more customization options for your packet filtering rules. This application requires that you understand the TCP/IP stack.

The following example includes iptables rules for HTTP traffic on port 80:

Note:

This example assumes that a DMZ exists on eth0 for the 192.168.1.1 port, and the 66.66.66.66 broadcast IP address.

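# $IPTABLES holds the path to the iptables binary; allowed and icmp_packets are user-defined chains that must already exist.
# Note: -i matches an inbound interface by name (for example eth1), not an IP address.
$IPTABLES -A FORWARD -p TCP -i 66.66.66.66 -o eth0 -d 192.168.1.1 --dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i 66.66.66.66 -o eth0 -d 192.168.1.1 -j icmp_packets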

Note:

For more information about the use of iptables, visit the iptables site, or run the man iptables command from the command line.

CentOS 7, CloudLinux 7, and RHEL 7 firewall management

Servers that run the CentOS 7, CloudLinux 7, and RHEL 7 operating systems require that you use the firewalld daemon. 

Important:

We recommend that you only use the firewall utilities on CentOS 7, CloudLinux 7, and RHEL 7 servers.

Note:

For more information about the firewall utilities and the firewalld daemon, read Red Hat's Using Firewalls documentation.

The cpanel service

Important:

The /usr/local/cpanel/scripts/configure_firewall_for_cpanel script clears all existing entries from the iptables application. If you use custom rules for your firewall, export those rules before you run the script and then re-add them afterward.

cPanel & WHM version 11.50 and later also includes the cpanel service, which manages all of the rules in the /etc/firewalld/services/cpanel.xml file. This allows TCP access for the server's ports.

To replace your existing iptables rules with the rules in the /etc/firewalld/services/cpanel.xml file, perform the following steps:

  1. Run the yum install firewalld command to ensure that your system has firewalld installed.
  2. Run the systemctl start firewalld.service command to start the firewalld service.
  3. Run the systemctl enable firewalld command to start the firewalld service when the server starts.
  4. Run the iptables-save > backupfile command to save your existing firewall rules.
  5. Run the /usr/local/cpanel/scripts/configure_firewall_for_cpanel script.
  6. Run the iptables-restore < backupfile command to incorporate your old firewall rules into the new firewall rules file.

 

https://documentation.cpanel.net/display/CKB/How+to+Configure+Your+Firewall+for+cPanel+Services
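To see which custom rules the script cleared before you re-add them, the sketch below (an added example, not part of the cPanel documentation) compares the backupfile from step 4 against a fresh iptables-save dump. The function names, the "current" file name and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare two iptables-save dumps. All sample rules are constructed.

# Print "table rule" for every -A line in the dump "$1", sorted and de-duplicated.
rules_of() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*filter" opens a table section
        { sub(/^\[[0-9]+:[0-9]+\] /, "") }       # strip counters from "iptables-save -c"
        /^-A / { print table " " $0 }
    ' "$1" | sort -u
}

# Print the rules found in the backup "$1" that are absent from the dump "$2".
missing_rules() {
    b=$(mktemp); c=$(mktemp)
    rules_of "$1" > "$b"
    rules_of "$2" > "$c"
    comm -23 "$b" "$c"
    rm -f "$b" "$c"
}

# Build two small constructed dumps and report what the second one lost.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT' \
        '-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT' \
        'COMMIT' > "$dir/backupfile"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '[12:720] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT' \
        'COMMIT' > "$dir/current"
    missing_rules "$dir/backupfile" "$dir/current"
    rm -rf "$dir"
}

demo
```

On a real server, run iptables-save > current after step 5 and call missing_rules backupfile current. The comparison is textual, so rules that firewalld now enforces through its own chains still appear in the output; treat it as a review list rather than a restore script.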

 

 
