TOPIC: Open port in Elastix firewall
#92298
Open port in Elastix firewall 5 Months ago Karma: 0
Hi,
For security reasons I want to open SSH access on a port number different from the default 22, for example 30003. I did it by copying the settings of the port 22 rules but changing the port number to 30003, but I cannot get through. Any clue?
Many thanks in advance!!
Pinkus
Fresh Boarder
Posts: 45
#92332
Re:Open port in Elastix firewall 5 Months ago Karma: 5
hello there
If you want to change your default SSH port, it's quite an easy thing to do.
Log in to your Elastix Linux over SSH.
Go to /etc/ssh/sshd_config
and change
Port 22
to whatever you want.
Save the config file.
Now restart the sshd service:
/etc/init.d/sshd restart
That's it.
I also recommend restricting access from the outside world:
type
setup > Firewall configuration > Enabled
now go to /etc/sysconfig/iptables
and add this script

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:LOG_DROP - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ssh only from your own address; replace youripaddress and yoursshport (default 22)
-A RH-Firewall-1-INPUT -s youripaddress -p tcp -m tcp --dport yoursshport -j ACCEPT

# sip signalling and rtp media for the pbx
-A RH-Firewall-1-INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

# everything else is logged (rate-limited so a scan cannot flood the log) and dropped
-A RH-Firewall-1-INPUT -j LOG_DROP

-A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "DROP: "
-A LOG_DROP -j DROP


and comment out the default REJECT rule, since LOG_DROP replaces it:

#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

This script will drop all unnecessary packets and will only accept SSH connections from your IP address! And yes, don't forget to open the SIP (UDP 5060) and RTP (UDP 10000:20000) ports.

now restart the iptables service
/etc/init.d/iptables restart
chkconfig iptables on

hope this was helpful for you
yurmetal
Junior Boarder
Posts: 73
Last Edit: 2011/12/21 04:27 By yurmetal.
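The procedure above (move sshd to a non-default port, then build a restrictive iptables ruleset), as an added example that is not part of yurmetal's post or of Elastix: a POSIX shell script that rewrites the Port directive in an sshd_config-style file and prints the iptables-restore file, with the SIP and RTP rules he mentions included and with input validation so a typo in the admin address cannot lock you out. The function names (valid_ipv4, valid_port, set_sshd_port, gen_rules), the admin address 203.0.113.10 and the port 30003 used in the demo are assumptions for illustration. This is for the manually managed iptables route only; the Elastix Firewall GUI, as the later replies note, rewrites /etc/sysconfig/iptables from its own database at startup.

```shell
#!/bin/sh
# Added example, not from the thread or from Elastix: generate the
# restrictive iptables-restore ruleset described above and switch sshd
# to a non-default port. Function names and sample values are assumptions.
set -u

# True if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    { exit 0 }'
}

# True if $1 is a port number in 1-65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Rewrite the Port directive in the sshd_config-style file $1 to port $2
# (a commented "#Port 22", as CentOS ships it, is replaced too); append the
# directive if the file has none. Restart sshd afterwards, as in the post.
set_sshd_port() {
  cfg=$1; port=$2
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
    sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" \
      "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    printf 'Port %s\n' "$port" >> "$cfg"
  fi
}

# Print the iptables-restore ruleset: loopback, ICMP, IPsec, established
# traffic, SSH only from $1 on port $2, SIP/RTP for the PBX, then a
# rate-limited log and drop for everything else.
gen_rules() {
  admin_ip=$1; ssh_port=$2
  valid_ipv4 "$admin_ip" || { echo "bad IPv4 address: $admin_ip" >&2; return 1; }
  valid_port "$ssh_port"  || { echo "bad port: $ssh_port" >&2; return 1; }
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:LOG_DROP - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH: only from the admin host, only on the non-default port
-A RH-Firewall-1-INPUT -s $admin_ip/32 -p tcp -m tcp --dport $ssh_port -j ACCEPT
# VoIP: SIP signalling and the RTP media range
-A RH-Firewall-1-INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# Everything else: log (rate-limited so a scan cannot fill the disk), then drop
-A RH-Firewall-1-INPUT -j LOG_DROP
-A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "DROP: "
-A LOG_DROP -j DROP
COMMIT
EOF
}

# Stand-alone use: sh thisscript.sh demo > /tmp/iptables.new, review it,
# then as root: iptables-restore < /tmp/iptables.new
if [ "${1:-}" = demo ]; then
  gen_rules 203.0.113.10 30003
fi
```

Keep the existing SSH session open while loading the new ruleset; the ESTABLISHED,RELATED rule keeps it alive, and you can still undo a mistake from it if the new port or source address turns out to be wrong.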
#92351
Re:Open port in Elastix firewall 5 Months ago Karma: 0
Hi Yurmetal, I will test it.
Many thanks for your help and quick answer!!

Have a nice day,
Pinkus
Fresh Boarder
Posts: 45
#92541
Re:Open port in Elastix firewall 5 Months ago Karma: 0
Hi Yurmetal, the problem is that the Elastix firewall overwrites whatever you write manually in the iptables file each time you start the firewall. I tried to add a new rule through the Elastix Firewall to open a port, but it did not work.

I will try now using Webmin to set up the firewall, or study the iptables file (a cumbersome process) to add the rules manually. Unfortunately I could not yet find a nice tutorial regarding the format of the iptables file.
Thanks again for your help!
Pinkus
Fresh Boarder
Posts: 45
#92551
Re:Open port in Elastix firewall 5 Months ago Karma: 181
Pinkus,

You are correct, any iptables rules you set are overwritten by the Elastix firewall implementation. Elastix stores all your rules in a database, and during startup (after all the Linux startup scripts) it reads the rules from the database and sets up iptables.

So it is an either/or situation: either the Elastix Firewall or the standard iptables implementation.

If you want to use the Elastix Firewall, the following is needed. Note that at this point I am assuming you have changed SSHD from the default port 22 and placed it on, say, 30003, which is what this is based on...

X.X.X.X being the address you are coming from


1) Define a new port; call it, say, SSHAlt, protocol TCP, and assign a port value of 30003 (no need to fill in the other side). Add a comment, as it is a new port definition.

2) Define a new rule....
Traffic : INPUT
Interface : ANY
Source Address : X.X.X.X/32 (note /32 will restrict it to one address - your remote address)
Destination Address : 0.0.0.0/24

Protocol : TCP
Source Port : ANY
Destination : SSHAlt

Target : ACCEPT

This is functionally the same as the iptables rule

iptables -A INPUT -p tcp -s X.X.X.X --dport 30003 -j ACCEPT


Now the main thing to remember is that this rule needs to be moved up the table. The table works on a top-down approach, and whatever rule matches first is applied.

If you notice, the last three rules on the Elastix Firewall are in and out rules matching all traffic. So naturally, in processing, if it reaches these rules (as there were no previous matches), it is going to deny the traffic (firewall it), which is basically the rule with iptables: deny all unless explicitly set to accept.

So once you have that rule set, it is automatically placed last on the table (as a good security measure), so functionally it is disabled until you move it into place. Use the blue arrows to move it to an appropriate place. If your firewall is simple, you can move it anywhere above the three blanket rules.

That should be activated...

If you want to make sure, you can perform an

iptables -L

and, besides the rest of the rules, I find the following rule

ACCEPT tcp -- 203.160.8.43 anywhere tcp dpt:30003

which is the rule I entered via the Elastix Firewall (I used 203.160.8.43 as the IP address).

Hope this helps....

Regards

Bob
Bob
http://twitter.com/elastixbob
Moderator
Posts: 1670
Last Edit: 2011/12/23 13:56 By Bob.Reason: minor error corrected for clarity
Good Etiquette : if someones helps with a solution - update their Karma - its only a simple click.

Upgrading Elastix? Read this FAQ Now!!
elx.ec/upgfaq

Elastix Docs :
elx.ec/elastixtutorials
www.elastixconnection.com

Elastix Fault Finding Guide
elx.ec/faultfind
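The top-down, first-match evaluation Bob describes, as an added example that is not part of his post or of the Elastix firewall code: a small POSIX shell/awk simulator over a constructed rule table laid out like the GUI's (SIP and RTP accepts, then the three blanket deny rules, then the freshly added SSHAlt rule at the bottom). The table format, the function names (as_added, first_match, promote_last) and the addresses 203.0.113.10 and 198.51.100.7 are assumptions for illustration. promote_last reproduces the blue-arrow move by placing the last rule just above the three blanket rules, which is the fourth position counting from the bottom.

```shell
#!/bin/sh
# Added example, not from the thread or from Elastix: a first-match
# simulator for a rule table laid out as the Elastix Firewall GUI lists it,
# to show why a new ACCEPT rule left at the bottom never fires. The table
# format, rule contents and addresses are constructed for this example.
set -u

# Rule table: one rule per line,
#   <chain> <source|any> <proto|any> <dport|any> <target>
# Source is an exact address (optionally /32) or any; dport may be a range a:b.
# This is the table as the GUI leaves it right after the SSHAlt rule is added:
# below the three blanket rules, so it is effectively disabled.
as_added() {
  cat <<'EOF'
INPUT any udp 5060 ACCEPT
INPUT any udp 10000:20000 ACCEPT
INPUT any any any DROP
FORWARD any any any DROP
OUTPUT any any any DROP
INPUT 203.0.113.10/32 tcp 30003 ACCEPT
EOF
}

# Walk the table top-down and print "<line>:<target>" of the first rule that
# matches the packet; usage:
#   first_match <rules_file> <chain> <src_ip> <proto> <dport>
first_match() {
  awk -v chain="$2" -v sip="$3" -v proto="$4" -v dp="$5" '
    function port_ok(spec, p,   r) {
      if (spec == "any") return 1
      if (index(spec, ":")) { split(spec, r, ":"); return (p+0 >= r[1]+0 && p+0 <= r[2]+0) }
      return spec == p
    }
    $1 != chain { next }
    { src = $2; sub(/\/32$/, "", src) }
    (src == "any" || src == sip) && ($3 == "any" || $3 == proto) && port_ok($4, dp) {
      print NR ":" $5; exit
    }' "$1"
}

# Move the last rule up to sit just above the final <n> blanket rules: what the
# GUI's blue arrows do by hand (n=3 matches the Elastix table discussed above).
#   promote_last <rules_file> <n>
promote_last() {
  awk -v n="$2" '
    { line[NR] = $0 }
    END {
      for (i = 1; i <= NR - n - 1; i++) print line[i]
      print line[NR]
      for (i = NR - n; i <= NR - 1; i++) print line[i]
    }' "$1"
}

# Stand-alone demo: sh thisscript.sh demo
if [ "${1:-}" = demo ]; then
  t=${TMPDIR:-/tmp}/rules.$$
  as_added > "$t"
  echo "as added:  $(first_match "$t" INPUT 203.0.113.10 tcp 30003)"
  promote_last "$t" 3 > "$t.fixed"
  echo "moved up:  $(first_match "$t.fixed" INPUT 203.0.113.10 tcp 30003)"
  rm -f "$t" "$t.fixed"
fi
```

Run with the demo argument to see the same admin packet land on 3:DROP before the move and 3:ACCEPT after it. On the box itself the equivalent check is iptables -L INPUT -n --line-numbers, which shows the rule's position in the chain rather than only its presence, as a plain iptables -L does.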
#92552
Re:Open port in Elastix firewall 5 Months ago Karma: 0
Hi Bob,
It worked like you suggested. The rules that I wrote for the SSH access were OK, but I needed to push them up from the bottom of the table to the 4th position counting from the bottom.
Many thanks for your help and quick answer and wish you merry Christmas and a happy new year!
Pinkus
Fresh Boarder
Posts: 45
#92555
Re:Open port in Elastix firewall 5 Months ago Karma: 181
Pinkus,

Great to hear its working for you.

(The following is a general comment and not one directed at anything you have said.) The Elastix Firewall is nowhere near as flexible as iptables itself, but personally I think it is a great GUI, and honestly, if you want a full firewall, then you use a proper firewall, either commercial or open source. But this firewall is great for users that have a router/firewall with limited firewall features, e.g. one that can't limit traffic by external IP address, so it suits 95% of the users.

It's also good for firewalling the Elastix system internally.

Regards

Bob
Bob
http://twitter.com/elastixbob
Moderator
Posts: 1670
#92557
Re:Open port in Elastix firewall 5 Months ago Karma: 0
Hi Bob, based on your experience with Elastix, does it make sense to use another firewall than the Elastix GUI for iptables? I have tried ConfigServer Security & Firewall (configserver.com/cp/csf.html) but it did not behave well with Elastix. On the plus side, it adds a nice scanning daemon.
Any recommendation?

Many thanks,
Pinkus
Fresh Boarder
Posts: 45
#92560
Re:Open port in Elastix firewall 5 Months ago Karma: 181
Sorry I should have clarified....

I was referring to a separate firewall e.g. operating on the perimeter (where the internet meets your Network).

I use pfSense, which is very mature and robust. If you want to run something on the Elastix box, then the recommendations are iptables (manually configured) or the Elastix Firewall GUI.

I see the firewall option running on the Elastix box as a second level of security, and it should not be your primary one. But as I mentioned, especially for Elastix users with routers that do basic NAT firewalling and no IP address restrictions, the Elastix firewall is really a good move.

Worth a read.....
www.slideshare.net/elastixorg/elastix-se...reventing-monitoring
It's not a definitive guide, and it is one view, not the only one, but it will give you an idea of the concepts...


Regards

Bob
Bob
http://twitter.com/elastixbob
Moderator
Posts: 1670
#92597
Re:Open port in Elastix firewall 4 Months, 4 Weeks ago Karma: 15
If you want a good firewall that has a GUI and don't need to worry about the order of rules, use the CSF firewall with the Webmin GUI add-on.

It is fast to set up and has a lot of features.
To lock Elastix down with CSF, remove inbound TCP and UDP ports when setting up, add the IPs you wish to allow (or a DynDNS name if you have dynamic IPs), and only those IPs will have access to the ports.
Everything else is dropped.
DaveD
Expert Boarder
Posts: 500