ServerBuddies Support Blog

How to Inspect and Activate Default Rules

View the currently-enforced iptables rules by running the command:

The command is analogous for the ip6tables program.

If the firewall does not appear to be active (i.e., no rules appear), activate it and ensure that it starts at boot by issuing the following commands (and analogously for ip6tables):

SpamAssassin Rules Updates

This feature defines how you would like to update SpamAssassin rules.

Automatic — Automatically update SpamAssassin rules whenever /usr/local/cpanel/scripts/upcp runs.

Manual Updates Only — Requires you to manually run /usr/local/cpanel/scripts/upcp to update SpamAssassin rules.

NEVER Update — SpamAssassin rules do not update when /usr/local/cpanel/scripts/upcp runs.

Predefined Firewall Rules Specifications in Plesk Panel

The following table lists the system services to which you can restrict access using the Firewall’s predefined rules.

There are some trojans that scan networks for services on ports from 31337 to 31340.

Since there are no legitimate services that communicate via these non-standard ports, blocking it can effectively diminish the chances that potentially infected nodes on your network independently communicate with their remote master servers.

You can also block outside connections that attempt to spoof private IP address ranges to infiltrate your LAN. For example, if your LAN uses the 192.168.1.0/24 range, a rule can set the Internet facing network device (for example, eth0) to drop any packets to that device with an address in your LAN IP range. Because it is recommended to reject forwarded packets as a default policy, any other spoofed IP address to the external-facing device (eth0) is rejected automatically.

The REJECT target denies access and returns a connection refused error to users who attempt to connect to the service. The DROP target, as the name implies, drops the packet without any warning.

FORWARD and NAT Rules for nodes behind the firewall/gateway.

iptables provides routing and forwarding policies. The FORWARD policy allows an administrator to control where packets can be routed within a LAN. For example, to allow forwarding for the entire LAN (assuming the firewall/gateway is assigned an internal IP address on eth1), the following rules can be set:

This rule gives systems behind the firewall/gateway access to the internal network. The gateway routes packets from one LAN node to its intended destination node, passing all packets through its eth1 device.

To enable IP forwarding, run the following command:

You can permanently set forwarding by editing the /etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Execute the following command to enable the change to the sysctl.conf file:

To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for IP masquerading, which masks requests from LAN nodes with the IP address of the firewall’s external device (in this case, eth0):

The rule uses the NAT packet matching table (-t nat) and specifies the built-in POSTROUTING chain for NAT (-A POSTROUTING) on the firewall’s external networking device (-o eth0).

POSTROUTING allows packets to be altered as they are leaving the firewall’s external device. The -j MASQUERADE target is specified to mask the private IP address of a node with the external IP address of the firewall/gateway.

If you wanted to forward incoming HTTP requests to your dedicated Apache HTTP Server server system at 192.168.0.10, run the following command:

This rule specifies that the NAT table use the built-in PREROUTING chain to forward incoming HTTP requests exclusively to the listed destination IP address of 192.168.0.10

This rule allows forwarding of incoming HTTP requests from the firewall to its intended destination of the Apache HTTP Server server behind the firewall.