Save this to a file and run it. It will empty your iptables and set a solid set of secure rules that are compatible with cPanel servers running DNS clustering. If you run DNS locally, be sure to allow 53 on TCP AND UDP!
#!/bin/bash
## Flush all rules, delete user-defined chains and zero the counters
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z

## INPUT: default deny, keep existing connections, reset stray TCP, drop invalid packets
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -m state --state INVALID -j DROP

## OUTPUT: same treatment (an ACCEPT at the end of the script lets new outbound connections through)
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP

## FORWARD: same treatment, nothing is forwarded
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP

## Loopback
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT

##Acceptable IP
/sbin/iptables -A INPUT -s x.x.x.xx -j ACCEPT #YOUR TRUSTED IP's (replace the placeholder before running)

##General Web/File Services
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT #HTTP
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT #HTTPS
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT #FTP
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT #SSH
/sbin/iptables -A INPUT -p tcp --dport 5666 -j ACCEPT #NRPE

##Email Services
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT #SMTP
/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT #POP3
/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT #IMAP
/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT #SMTPs
/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT #IMAPs
/sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT #POP3s

##cPanel Services
/sbin/iptables -A INPUT -p tcp --dport 2083 -j ACCEPT #cPanel
/sbin/iptables -A INPUT -p tcp --dport 2087 -j ACCEPT #WHM (also used by DNS clustering)
/sbin/iptables -A INPUT -p tcp --dport 2096 -j ACCEPT #Webmail

##Allow Ping (ICMP echo request, type 8 code 0)
/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT

##Final Blocks
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A OUTPUT -j ACCEPT
/sbin/iptables -A FORWARD -j DROP
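After applying the ruleset it is worth verifying what is actually loaded, in particular that 53 is open on both TCP and UDP when DNS runs locally. The following check is an added example, not part of the original post: it reads an iptables-save dump (a constructed sample below, in which UDP 53 has been forgotten) and reports any required INPUT ACCEPT rule that is missing; the REQUIRED list is an assumption and should be adjusted to the host.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the INPUT ACCEPT rules a cPanel
# host needs. SAMPLE_DUMP is constructed for this example; it mirrors the ruleset
# above but only opens TCP 53, so the UDP 53 rule for local DNS is missing.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2087 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# proto/port pairs that must have an INPUT ACCEPT rule (assumed list, edit per host)
REQUIRED="tcp/22 tcp/80 tcp/443 tcp/2087 tcp/53 udp/53"

# rule_allows DUMP PROTO PORT -> exit 0 if an ACCEPT rule for that proto/port exists
rule_allows() {
    printf '%s\n' "$1" | grep -Eq -- "^-A INPUT -p $2 .*--dport $3 .*-j ACCEPT$"
}

# missing_rules DUMP -> prints each required proto/port that has no ACCEPT rule
missing_rules() {
    _dump=$1
    for _entry in $REQUIRED; do
        _proto=${_entry%/*}
        _port=${_entry#*/}
        rule_allows "$_dump" "$_proto" "$_port" || printf '%s\n' "$_entry"
    done
}

# check_policy DUMP CHAIN -> exit 0 if the chain's default policy is DROP
check_policy() {
    printf '%s\n' "$1" | grep -q "^:$2 DROP "
}

missing=$(missing_rules "$SAMPLE_DUMP")
if [ -n "$missing" ]; then
    echo "Missing INPUT ACCEPT rules: $missing"
fi
check_policy "$SAMPLE_DUMP" INPUT || echo "INPUT policy is not DROP"
```

On a live host run the same functions against the real dump, e.g. `missing_rules "$(iptables-save)"`, after applying the script and before closing your session.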
Guide on removing iptables rules
If you lose access to your server while using this, well, that sucks. Set up a cron job to stop the iptables service every 5 minutes, just in case.