Iptables for Cpanel (Linux)

I rarely use cPanel servers anymore, but we do have a few in the NOC, and they are constantly the target of hackers... so...

With the help of Vladimir (Unicorn)... here is a nice iptables ruleset for cPanel-based servers.


# loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
# active-mode FTP data: non-SYN packets from port 20 to unprivileged local ports
iptables -t filter -A INPUT -p tcp ! --syn --sport 20 --destination-port 1024:65535 -j ACCEPT
# FTP (20 data, 21 control), SSH (22) and SMTP (25); the --sport lines admit
# replies from remote servers on those ports, matched by source port only
iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 25 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
# replies from time (37) and whois (43) servers
iptables -t filter -A INPUT -p tcp --sport 37 -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 43 -j ACCEPT
# DNS, both directions, TCP and UDP
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --sport 53 -j ACCEPT
# HTTP (80), POP3 (110), ident replies (113), IMAP (143), HTTPS (443)
iptables -t filter -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 113 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# SNMP (161/udp), SMTPS (465), rsync replies (873), IMAPS (993), POP3S (995)
iptables -t filter -A INPUT -p udp --dport 161 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 873 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
# cPanel (2082/2083), WHM (2086/2087), replies from the cPanel license
# server (2089), webmail (2095/2096)
iptables -t filter -A INPUT -p tcp --dport 2082 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 2083 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 2086 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 2087 -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 2089 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 2095 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 2096 -j ACCEPT
# MySQL (3306), both directions
iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 3306 -j ACCEPT
# everything else over TCP and UDP is rejected
iptables -t filter -A INPUT -p tcp -j REJECT
iptables -t filter -A INPUT -p udp -j REJECT
# ICMP: allow ping requests and replies, reject the rest
iptables -t filter -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -t filter -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -t filter -A INPUT -p icmp -j REJECT
# TOS marking: 0x10 = minimize delay (interactive), 0x08 = maximize throughput (bulk)
iptables -t mangle -A INPUT -p tcp --dport ftp -j TOS --set-tos 0x10
iptables -t mangle -A INPUT -p tcp --dport ftp-data -j TOS --set-tos 0x08
iptables -t mangle -A OUTPUT -p tcp --sport ftp -j TOS --set-tos 0x10
iptables -t mangle -A OUTPUT -p tcp --sport ftp-data -j TOS --set-tos 0x08
iptables -t mangle -A INPUT -p tcp --sport ssh -j TOS --set-tos 0x08
iptables -t mangle -A INPUT -p tcp --dport ssh -j TOS --set-tos 0x08
iptables -t mangle -A OUTPUT -p tcp --sport ssh -j TOS --set-tos 0x08
iptables -t mangle -A OUTPUT -p tcp --dport ssh -j TOS --set-tos 0x08
iptables -t mangle -A INPUT -p tcp --dport http -j TOS --set-tos 0x10
iptables -t mangle -A INPUT -p tcp --dport https -j TOS --set-tos 0x10
iptables -t mangle -A OUTPUT -p tcp --sport http -j TOS --set-tos 0x10
iptables -t mangle -A OUTPUT -p tcp --sport https -j TOS --set-tos 0x10
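One thing to check before loading a ruleset like this: the `--sport` ACCEPT lines have no connection tracking behind them, so they trust a port number the remote end chooses, and the set has no ESTABLISHED,RELATED rule to cover return traffic properly. The lint below is an added example, not code from the post or from cPanel; it reads a rule list one command per line, flags the source-port-only ACCEPT rules, checks for a state rule, and prints the conntrack rule that replaces them (function names and the embedded sample subset are assumptions of the example).

```shell
#!/bin/sh
# Added example, not code from the post: lint an iptables rule list (one
# command per line, like the ruleset above) for two review findings.
#  1. INPUT ACCEPT rules matching only on --sport: the remote end chooses its
#     own source port, so such a rule admits traffic to every local port.
#  2. No state/conntrack rule for ESTABLISHED,RELATED, which is what the
#     --sport rules stand in for (return traffic of the server's own sessions).

# Constructed sample: a subset of the ruleset in the post, written to "$1".
make_sample_rules() {
    cat > "$1" <<'EOF'
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp -j REJECT
EOF
}

# Print each INPUT ACCEPT rule that matches on --sport and on no destination port.
sport_only_accepts() {
    grep -E -- '-A INPUT .*--sport' "$1" | grep -E -- '-j ACCEPT' \
        | grep -E -v -- '--dport|--destination-port'
}

# The same finding as a count, so a caller can check the result.
count_sport_only_accepts() {
    sport_only_accepts "$1" | wc -l | tr -d ' '
}

# Succeeds if the list already accepts ESTABLISHED (and RELATED) traffic by state.
has_established_rule() {
    grep -E -q -- '-m (state|conntrack) .*(--state|--ctstate) [A-Z,]*ESTABLISHED' "$1"
}

# Hardened replacement for the --sport lines: accept return traffic by
# connection state at the top of INPUT, after which the --sport lines can go.
established_rule() {
    echo 'iptables -t filter -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# Demo run against the constructed sample.
f=$(mktemp)
make_sample_rules "$f"
echo "ACCEPT rules keyed on a client-chosen source port:"
sport_only_accepts "$f" || true
has_established_rule "$f" || { echo "no state rule; suggested:"; established_rule; }
rm -f "$f"
```

Run it against the real rule file instead of the sample to get the list of `--sport` lines to drop once the conntrack rule is in place.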


NullMind

Portuguese born, American accent, living in the UK.
