IpTables

Basics

The iptables init script loads its rules from /etc/sysconfig/iptables (the file written by iptables-save) and reads its own settings, such as which extra kernel modules to load, from /etc/sysconfig/iptables-config.

Below is an example configuration that can be copied and pasted into a root shell on a common services machine that has not been hardened. Edit the ports to match the services the machine actually runs:

iptables -A INPUT -p icmp -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 20:22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp -i eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 9999 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -i eth0 -j ACCEPT
iptables -A INPUT -s 67.19.0.0/24 -i eth0 -j ACCEPT
iptables -A INPUT -s 12.96.160.0/24 -i eth0 -j ACCEPT
iptables -A INPUT -s 70.84.160.0/24 -i eth0 -j ACCEPT
# Loopback traffic arrives on lo, never on eth0, so match the interface rather than a 127.0.0.1 source on eth0
iptables -A INPUT -i lo -j ACCEPT
iptables-save > /etc/sysconfig/iptables

Post OS Hardening Plesk Config

The following is for a Plesk box after OS hardening:

iptables -A INPUT -p icmp -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 20:21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp -i eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 33988 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 8443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 9999 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -i eth0 -j ACCEPT
iptables -A INPUT -s 67.19.0.0/24 -i eth0 -j ACCEPT
iptables -A INPUT -s 12.96.160.0/24 -i eth0 -j ACCEPT
iptables -A INPUT -s 70.84.160.0/24 -i eth0 -j ACCEPT
# Loopback traffic arrives on lo, never on eth0, so match the interface rather than a 127.0.0.1 source on eth0
iptables -A INPUT -i lo -j ACCEPT
iptables-save > /etc/sysconfig/iptables

Post OS Hardening cPanel Config

The following is for a cPanel box after OS hardening:

iptables -A INPUT -p icmp -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 20:21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp -i eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 33988 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 2082:2083 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 2086:2087 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 2095:2096 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth0 --dport 9999 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -i eth0 -j ACCEPT
iptables -A INPUT -s 67.19.0.0/24 -i eth0 -j ACCEPT
iptables -A INPUT -s 12.96.160.0/24 -i eth0 -j ACCEPT
iptables -A INPUT -s 70.84.160.0/24 -i eth0 -j ACCEPT
# Loopback traffic arrives on lo, never on eth0, so match the interface rather than a 127.0.0.1 source on eth0
iptables -A INPUT -i lo -j ACCEPT
iptables-save > /etc/sysconfig/iptables

cPanel ports:

These lines are in iptables-save format, so they can be added directly to /etc/sysconfig/iptables, or run from the command line by prefixing each line with iptables. If you add them on the command line to an existing configuration, be sure to save it afterwards with iptables-save so they survive a restart.

-A INPUT -i eth0 -p tcp -m tcp --dport 2082 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2083 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2086 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2087 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2095 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2096 -j ACCEPT
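As an added example (not from the original page), here is the cPanel rule set above generated as a complete /etc/sysconfig/iptables in iptables-save format, the same format as the port lines just listed. It supplies what the copy-and-paste lists on this page leave out: a DROP policy on INPUT (without one the ACCEPT rules change nothing, because the chain's default policy is ACCEPT), loopback matched on the lo interface, the RELATED,ESTABLISHED rule placed first, and a rate-limited LOG of what is dropped. The interface name, the trusted /24 networks and the service list are assumptions copied from this page; edit them for your host.

```shell
#!/bin/sh
# Added example, not from the original page: generate the post-hardening cPanel
# rule set as a complete /etc/sysconfig/iptables in iptables-save format.
# Interface, trusted networks and service list are assumptions taken from the
# page; adjust them before loading on a real host.

IFACE=eth0
# Trusted management networks (the /24s used on the page).
TRUSTED_NETS="67.19.0.0/24 12.96.160.0/24 70.84.160.0/24"
# Public services as proto:port or proto:first:last (the cPanel list above).
SERVICES="tcp:20:21 tcp:25 tcp:53 udp:53 tcp:80 tcp:110 tcp:143 tcp:443
tcp:33988 tcp:2082:2083 tcp:2086:2087 tcp:2095:2096 tcp:9999"

# Print one rule line; avoids echo/printf quirks with arguments that start with '-'.
rule() {
    printf '%s\n' "$*"
}

# Emit the ACCEPT rule for a single proto:port[:lastport] spec.
service_rule() {
    proto=${1%%:*}
    ports=${1#*:}
    rule "-A INPUT -i $IFACE -p $proto -m $proto --dport $ports -j ACCEPT"
}

# Print the whole filter table, ready for iptables-restore.
gen_ruleset() {
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    # Loopback: match the lo interface; 127.0.0.1 never legitimately arrives on eth0.
    rule '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, plus helper-tracked data channels
    # (passive FTP once ip_conntrack_ftp is loaded). Placed first because most
    # packets match here; the per-port rules below then only see new connections.
    rule '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # A loopback source on the public interface is spoofed; drop it explicitly.
    rule "-A INPUT -i $IFACE -s 127.0.0.0/8 -j DROP"
    rule "-A INPUT -i $IFACE -p icmp -j ACCEPT"
    for net in $TRUSTED_NETS; do
        rule "-A INPUT -i $IFACE -s $net -j ACCEPT"
    done
    for svc in $SERVICES; do
        service_rule "$svc"
    done
    # Record what the chain policy is about to drop, at most 5 log lines a minute.
    rule '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    rule 'COMMIT'
}

# Number of ACCEPT rules in the generated set; a quick sanity check before loading.
count_accepts() {
    gen_ruleset | grep -c 'j ACCEPT$'
}

# On the host, as root (not run here):
#   gen_ruleset > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
```

Loading the generated file with iptables-restore, rather than pasting individual iptables -A commands, keeps the saved file and the running rules from drifting apart and makes each reload atomic. Keep a console session open the first time you load a DROP policy, because a mistake in the rule for your management port locks you out of the box.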

IP Conntrack

You will also need to load connection-tracking helper support as a kernel module. Without it, users will see major delays or failures logging into the FTP server with passive FTP (the de facto default for most FTP clients), because the data connection is opened on a port negotiated inside the control session, and the firewall cannot recognise that connection as RELATED unless the helper is watching the control channel. To have the iptables init script load the module, add this line to:

/etc/sysconfig/iptables-config

IPTABLES_MODULES="ip_conntrack_ftp"

If the ip_conntrack_ftp module is loaded correctly, you'll see something similar to this when starting:

root@host [~]# /etc/init.d/iptables start
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_ftp [ OK ]

If you do not see the above, add the IPTABLES_MODULES line for ip_conntrack_ftp to /etc/init.d/iptables.
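The init script's "[ OK ]" only says that modprobe returned success; the check a practitioner wants afterwards is whether every module named in IPTABLES_MODULES is actually present in the running kernel. The following is an added example (not from the original page) that parses the IPTABLES_MODULES line from an iptables-config file and compares it against a /proc/modules-style listing. The file paths are parameters, so it runs here against constructed sample files and on a host against the real ones; the sample contents and the helper names other than ip_conntrack_ftp are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: verify that every module listed in
# IPTABLES_MODULES is loaded, by checking a /proc/modules-style listing.

# Print the module names from the IPTABLES_MODULES="..." line of a config file.
configured_modules() {
    sed -n 's/^IPTABLES_MODULES="\(.*\)"$/\1/p' "$1"
}

# Succeed (exit 0) if the named module appears in a /proc/modules listing.
module_loaded() {
    mod=$1
    listing=$2
    # Older kernels call the FTP helper ip_conntrack_ftp, newer ones
    # nf_conntrack_ftp; accept either spelling for the same helper.
    alt=$(printf '%s' "$mod" | sed 's/^ip_conntrack_/nf_conntrack_/')
    grep -q "^$mod " "$listing" || grep -q "^$alt " "$listing"
}

# Print the configured modules that are NOT loaded; exit 0 only when none are missing.
missing_modules() {
    cfg=$1
    listing=$2
    missing=0
    for mod in $(configured_modules "$cfg"); do
        if ! module_loaded "$mod" "$listing"; then
            echo "$mod"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample input so the check runs without root or a real firewall:
# the config asks for two helpers, the kernel listing has only the FTP one.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/iptables-config" <<'EOF'
# constructed iptables-config requesting two conntrack helpers
IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_tftp"
EOF
cat > "$SAMPLE_DIR/modules" <<'EOF'
nf_conntrack_ftp 12345 0 - Live 0x0000000000000000
nf_conntrack 98765 1 nf_conntrack_ftp, Live 0x0000000000000000
EOF

# Against the sample files this prints "ip_conntrack_tftp" and exits 1.
# On a real host run:
#   missing_modules /etc/sysconfig/iptables-config /proc/modules
```

A non-zero exit from missing_modules is a useful post-start check in a configuration management run or a monitoring script: a helper that silently fails to load leaves passive FTP data connections unmatched by the RELATED rule, which shows up as the login hangs described above rather than as an error in any log.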