Elastix Forum
TOPIC: Can someone share their Firewall script
#45143
siptellnet (User)
Fresh Boarder
Posts: 9
Re:Can someone share their Firewall script 1 Month ago Karma: -2  
Hi

With netstat I received a lot of ports open, like this.
Comcast gave me an SMC router, so I have a public IP "OPEN" to everything, because the router has 1-to-1 NAT and doesn't have a firewall. I did the script for iptables, but I am not sure.

[root@voip ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:imtc-map
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpts:sip:5070
ACCEPT tcp -- anywhere anywhere tcp dpts:sip:5070
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
ACCEPT udp -- anywhere anywhere udp dpt:5036

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


[root@voip ~]# netstat

unix 3 [ ] STREAM CONNECTED 9301
unix 3 [ ] STREAM CONNECTED 9300
unix 3 [ ] STREAM CONNECTED 9298
unix 3 [ ] STREAM CONNECTED 9297
unix 3 [ ] STREAM CONNECTED 9294
unix 3 [ ] STREAM CONNECTED 9293
unix 3 [ ] STREAM CONNECTED 9291
unix 3 [ ] STREAM CONNECTED 9290
unix 2 [ ] DGRAM 9281
unix 2 [ ] DGRAM 9194
unix 2 [ ] DGRAM 9047 /var/lib/imap/socket/idle
unix 2 [ ] DGRAM 1477 @/org/kernel/udev/udevd
unix 2 [ ] DGRAM 7335 @/org/freedesktop/hal/udev_event
unix 37 [ ] DGRAM 6884 /dev/log
unix 2 [ ] DGRAM 13106
unix 2 [ ] DGRAM 10207
unix 3 [ ] STREAM CONNECTED 10031 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 10030
unix 3 [ ] STREAM CONNECTED 8394 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 8393
unix 3 [ ] STREAM CONNECTED 8371 @/var/run/hald/dbus-ILupIfNIQW
unix 3 [ ] STREAM CONNECTED 8367
unix 3 [ ] STREAM CONNECTED 8196 @/var/run/hald/dbus-ILupIfNIQW
unix 3 [ ] STREAM CONNECTED 8191
unix 3 [ ] STREAM CONNECTED 8172 /var/run/acpid.socket
unix 3 [ ] STREAM CONNECTED 8169
unix 3 [ ] STREAM CONNECTED 8151 @/var/run/hald/dbus-ILupIfNIQW
unix 3 [ ] STREAM CONNECTED 8150
unix 3 [ ] STREAM CONNECTED 7330 @/var/run/hald/dbus-ixF39EmUSb
unix 3 [ ] STREAM CONNECTED 7329
 
#45144
dicko (User)
We should form an organization to battle entropy.
Elastix Addict
Posts: 2106
Re:Can someone share their Firewall script 1 Month ago Karma: 62  
Don't you think your rule:

ACCEPT all -- anywhere anywhere

might be a little too permissive?

I have previously mentioned on this thread a guy named Arno:

rocky.eld.leidenuniv.nl/joomla/index.php...;id=45&Itemid=63

Try starting there, it's an effective script to start with and serves as a good tutorial, I hope you will learn a lot there.

You might also find

man netstat

followed perhaps by:
netstat -tanu

to be more understandable in its output
 
 
Last Edit: 2010/02/08 11:28 By dicko.
 
I assume you have downloaded, read and absorbed - Elastix Without Tears - by Ben Sharif, I encourage you all to visit voip-info.org.

Dicko
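A check for dicko's point above, added here as an example that is not from the thread: it scans an iptables -L listing for catch-all ACCEPT rules (target ACCEPT, proto all, anywhere to anywhere, no further match) and for INPUT or FORWARD chains whose default policy is ACCEPT. The listing it reads is constructed to mirror the INPUT chain posted above, with the FORWARD policy changed to ACCEPT so that the second check fires.

```shell
#!/bin/sh
# Audit an `iptables -L` listing for rules that accept everything.
# Constructed listing: the INPUT chain from the thread, FORWARD policy
# changed to ACCEPT for the sake of the example.
LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imtc-map
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# Read a listing on stdin. Print "<chain>: <rule>" for every ACCEPT rule
# with proto all, anywhere -> anywhere and no extra match (NF == 5 means
# no state/port columns follow), and "<chain>: policy ACCEPT" for any
# chain other than OUTPUT whose default policy accepts.
flag_permissive() {
    awk '
        /^Chain / { chain = $2; pol = $4; sub(/\)$/, "", pol)
                    if (chain != "OUTPUT" && pol == "ACCEPT") print chain ": policy ACCEPT"
                    next }
        /^target / { next }
        NF == 5 && $1 == "ACCEPT" && $2 == "all" && $4 == "anywhere" && $5 == "anywhere" { print chain ": " $0 }
    '
}

# Number of findings for the constructed listing (2: the catch-all INPUT
# rule and the FORWARD policy).
count_findings() {
    printf '%s' "$LISTING" | flag_permissive | wc -l | tr -d ' '
}

printf '%s' "$LISTING" | flag_permissive
```

Note that iptables -L without -v hides the interface, so a flagged line may really be a loopback rule such as -i lo -j ACCEPT; confirm with iptables -L -v -n before removing it.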
#46218
vaibhavs (User)
Junior Boarder
Posts: 51
Re:Can someone share their Firewall script 2 Weeks, 4 Days ago Karma: 0  

# Allow SIP connections
/sbin/iptables -A INPUT -p udp -i eth0 --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 --dport 10000:20000 -j ACCEPT


I want to set up iptables for selective access to the SIP & SSH ports.

I tried this:
Code:


/sbin/iptables -A INPUT -p udp -m udp -i eth0 -s x.x.x.x --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp -i eth0 -s x.x.x.x --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp -i eth0 -s x.x.x.x --dport 10000:20000 -j ACCEPT



But this did not work.
Rather, SIP access was blocked for x.x.x.x; not sure why.
I have double checked my source IP by visiting whatismyip.com.

As soon as I "-D" the above commands, and run the 3 lines on top, I could connect well.

What is wrong with my above iptables rules?

Pls advise.

Thx
Vai
 
#46223
RKM (User)
Junior Boarder
Posts: 35
Re:Can someone share their Firewall script 2 Weeks, 4 Days ago Karma: 2  
#Vai
Just a quick note -- do you have all of your OUTGOING enabled (that rule is input only)?

Also, keep in mind that you probably won't be able to lock-down your RTP traffic (ports 10,000 to 20,000) unless you're using some sort of proxy - here's the reason why...

Imagine you get a call that goes On-Network in NYC. You get another call that goes On-Network in Miami. Each of these will be from different IP addresses.

With this in mind, you have to remember that you have a large range of SIP & RTP traffic. For example:
- EACH of your office phones (one IP for each, unless NAT'ed)
- VoIP Carriers (SIP authentication)
- *Many* VoIP Gateways (like the NYC/Miami example above)

In simplest terms, I'd leave RTP *open* (10000-20000) and make sure you have a *full* inventory of all 5060 communications, and create all of those.
 
#46229
vaibhavs (User)
Junior Boarder
Posts: 51
Re:Can someone share their Firewall script 2 Weeks, 4 Days ago Karma: 0  
@RKM :
Thx for your inputs. Really vital.

So my iptables should be:
Code:


/sbin/iptables -A INPUT -p udp -m udp -i eth0 --dport 10000:20000 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp -i eth0 -s x.x.x.x --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp -i eth0 -s x.x.x.x --dport 5060 -j ACCEPT



Do I need to open 5060 TCP ?

Any clue why the -s x.x.x.x is not working as expected?
I have double checked the iptables rules and they seem to be correct.

Thx again
Vai
 
#46232
ramoncio (Moderator)
Moderator
Posts: 1462
Re:Can someone share their Firewall script 2 Weeks, 4 Days ago Karma: 45  
Hi guys.
Do you know this?

www.configserver.com/cp/csf.html

I've been trying it for 2 days and it works fine.
It has a nice webmin module for management too.
 
#46235
RKM (User)
Junior Boarder
Posts: 35
Re:Can someone share their Firewall script 2 Weeks, 4 Days ago Karma: 2  
@Vai-
Yes, you've got the RTP side down (by opening it up without limiting it to IP). And yes, you should enable BOTH TCP & UDP on 5060.

Based on your example, it doesn't look like you're creating the multiple entries for the 5060 (SIP) rule. Also, I can't remember what the "m" parameter is, but you don't need it.

The point I was making about creating records for your phones, IP carriers, etc -- you'd need multiple 5060 entries for each.

For example, imagine your VOIP provider's IP address is 10.10.10.15 and you have another VOIP provider (or backup VOIP server from the first provider) at 10.10.10.16 ... And you have phones at 10.10.10.50, 51, 52, 53 (etc).

In that case, you'd create a set of records like this:

Code:


/sbin/iptables -A INPUT  -i $IFext -p udp -s 10.10.10.1/24 --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT  -i $IFext -p udp -s 10.10.15.15   --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT  -i $IFext -p udp -s 10.10.16.16   --dport 5060 -j ACCEPT



See what I mean? One for each connection that might require SIP, and also remember that many SIP sessions are set up on alternate ports (e.g. you might be connecting at 5061 for some reason, on your phones, etc.), which can also throw another wrench into the mix.

@Ramoncio-
That CSF suite looks really promising!

The only thing I couldn't really wrap my mind around... It's primarily running all of its *firewall* features as iptables scripts, right? I mean, it's not running some added firewall daemon for the SPI and IDS features (stateful packet inspection, intrusion detection)?

If you had to summarize what this actually is doing/including, would you say this is a fair explanation:
* IP Tables scripts (pre-written) with more advanced things like SPI
* Log checker
* Web administration tool

Or is there more to the package that I'm missing?

Thanks again for sharing this link, it really looks amazing!
 
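The policy RKM describes above (and that Vai is trying to build), written out as an added example that is not from the thread: default DROP, keep established flows, SIP 5060 over both UDP and TCP only from an inventory of known peers, RTP 10000:20000 from anywhere. eth0, the admin network and every address in the inventory are constructed values; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Build the INPUT policy from a peer inventory. Dry run by default:
# set IPT=/sbin/iptables to actually apply the rules.
IFEXT="${IFEXT:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # constructed: where SSH may come from
# Constructed inventory, one peer per line: "address  description".
SIP_PEERS='
10.10.10.15    primary VoIP carrier
10.10.10.16    backup VoIP carrier
10.10.10.0/24  office phones (one line per phone if they are not behind NAT)
'
IPT="${IPT:-echo /sbin/iptables}"

# One ACCEPT rule per transport for a single peer: SIP needs both UDP and TCP.
peer_sip_rules() {  # $1 = source address or CIDR, $2 = port or port range
    for proto in udp tcp; do
        $IPT -A INPUT -i "$IFEXT" -p "$proto" -s "$1" --dport "$2" -j ACCEPT
    done
}

build_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$IFEXT" -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
    # Signalling: a UDP and a TCP rule for every peer in the inventory.
    printf '%s\n' "$SIP_PEERS" | while read -r addr _desc; do
        if [ -n "$addr" ]; then peer_sip_rules "$addr" 5060; fi
    done
    # Media: RTP arrives from gateways that are not in the inventory, so it
    # cannot be pinned to known sources the way 5060 can.
    $IPT -A INPUT -i "$IFEXT" -p udp --dport 10000:20000 -j ACCEPT
}

# Number of ACCEPT rules a dry run emits: lo, established, SSH, 2 per peer, RTP.
count_accepts() {
    (IPT="echo /sbin/iptables"; build_rules) | grep -c -- '-j ACCEPT'
}

build_rules
```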
#46239
ramoncio (Moderator)
Moderator
Posts: 1462
Re:Can someone share their Firewall script 2 Weeks, 4 Days ago Karma: 45  
I have installed csf on a test machine and it seems to work great.
AFAIK it uses iptables and some perl scripts to get results and check logs.
It is free, but not GPL, so it can't be included in the Elastix iso, but it can be installed afterwards very easily, in 1 minute.
 
#46241
RKM (User)
Junior Boarder
Posts: 35
Re:Can someone share their Firewall script 2 Weeks, 4 Days ago Karma: 2  
Thank you for the info.

It definitely looks like something that will be worthwhile. I'm going to give it a try next time I'm doing upgrades.

If you are really interested in offering it as part of Elastix, I know that most of the non-GPL guys will still allow you to incorporate it simply by asking them for permission.
 
#46285
vaibhavs (User)
Junior Boarder
Posts: 51
Re:Can someone share their Firewall script 2 Weeks, 3 Days ago Karma: 0  
Thx RKM, yes I have multiple source IP addresses.

I have set up a single rule to allow UDP 10000:20000 from everywhere
AND
two SIP rules per provider IP: 5060:5062 TCP & 5060:5062 UDP

I had read somewhere that it's a good idea to open up 5060:5062.
Since packets are restricted from limited sources, there is minimal security risk anyways.



But I am now stumped by a unique problem....

My desktop PCs are on 192.168.1.X LAN series.

Desktop's gateway IP is 192.168.1.1
192.168.1.1 is a simple CentOS server with 1 NIC and the following 2 lines in rc.local
--------
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
--------

But I see that the packets reaching my Trixbox show source IP as 192.168.1.x (desktop's LAN IP) NOT the WAN IP post masq.

This is exactly the reason why my Firewall rules did not work all this while.

This rule did not work:
/sbin/iptables -A INPUT -i eth0 -p udp -s 122.18.101.5 --dport 5060 -j ACCEPT
But this rule worked
/sbin/iptables -A INPUT -i eth0 -p udp -s 192.168.1.0/24 --dport 5060 -j ACCEPT


This got me thinking as to why the packets are reaching trixbox server with 192 series IP.

I think the MASQ is not happening correctly.
Any ideas?

Thx again
 