Can someone share their Firewall script

Discussion in 'General' started by vaibhavs, Oct 12, 2009.

  1. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    I'm glad it works for you,

    Please use anything that works, it is a network thing not an Elastix thing.
     
  2. RKM

    RKM

    Joined:
    Feb 1, 2010
    Messages:
    36
    Likes Received:
    0
    Unless I'm mistaken, Shorewall is just an interface for creating IPTables rules.

    In other words, I don't really think it can do anything IPTables can't do. And IMHO IPTables is easy-as-pie, so I'm sticking with that alone.

    I think I've got the issue with booting figured out, but waiting to be 100% sure before I post back for others.
     
  3. siptellnet

    Joined:
    Dec 18, 2009
    Messages:
    47
    Likes Received:
    0
    Hello
    Can you help me: how do I install or view the IPTABLES firewall administration?

    Thanks
    :(
     
  4. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    iptables is already installed.


    service iptables status

    will show its status and any rules in place if it is running.


    There is no "firewall administration" other than iptables itself unless you add one to suit. Google is your friend there to find something that matches your needs and experience.
     
  5. siptellnet

    Joined:
    Dec 18, 2009
    Messages:
    47
    Likes Received:
    0
    Thanks

    #service iptables status

    Firewall is stopped

    I tried iptables -h; I found no command to start or enable it....

    Months ago I saw an interface for elastix,
    Any idea??
     
  6. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    service iptables start

    will start it.

    which iptables should tell you where it is.


    I have no idea where you saw "an interface for Elastix".

    Sorry
     
  7. RKM

    RKM

    Joined:
    Feb 1, 2010
    Messages:
    36
    Likes Received:
    0
    @siptelnet - Really it couldn't be any easier than simply creating the rules for an IPTables script file; an Elastix interface wouldn't be much more than a text editor (like they offer for configuration files now) so your learning curve would be the same.

    Here are some really great links that will teach you everything you need to know about creating IPTables scripts. Before you read them, get an idea of what you want to do, specifically.

    Usually that involves a couple of things:

    * Disallow all incoming traffic (by default)
    * Allow all outgoing traffic
    * Allow certain ports of incoming traffic depending on what you use on Elastix (5060, 10000-10500, 80, 9090, etc)
    * Allow a range of IP addresses (the location you're at, to be able to manage the unit)
    * Make sure that either SSH is disabled to the outside world, or that at a minimum, you've changed the SSH port (as this is the most vulnerable exposure).

    Here are the best links I've found on the topic:
    http://www.linuxhomenetworking.com/...HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
    http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-iptables-options.html
    http://wiki.archlinux.org/index.php/Simple_stateful_firewall_HOWTO
    http://networking.ringofsaturn.com/Unix/iptables.php
    http://wiki.centos.org/HowTos/Network/IPTables
    http://www.elastix.org/component/op...d,37827/limit,10/limitstart,10/lang,en/#44793

    HTH, -RKM
     
  8. siptellnet

    Joined:
    Dec 18, 2009
    Messages:
    47
    Likes Received:
    0
  9. RKM

    RKM

    Joined:
    Feb 1, 2010
    Messages:
    36
    Likes Received:
    0
    @siptellnet - I'm not sure what you're saying

    If you have the ability to SSH into your box to do the rpm install of webmin, it would be even easier just to edit the iptables yourself. You've even specified the syntax of iptables in your post.

    I'm just trying to figure out what the question is, so that I can help out.
     
  10. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Although Webmin has nothing to do with Elastix, it can be useful for a newbie.
    It does however suffer from its own insecurity.

    Earlier on in this very same thread I posted:

    http://www.elastix.org/component/option ... ,en/#39408


    an excerpt from it is

    .
    .
    For the CLI challenged there is a firewall module in Webmin that will help you build your iptable rules, but please change 10000/TCP to something else in /etc/webmin/miniserv.conf and do a chkconfig webmin off before using webmin, (start the service manually when you need it).
    .
    .

    Those simple steps will greatly reduce your risk. The biggest risk often is unfortunately the operator. If they don't fully understand iptables and firewalls, the use of a GUI can lead to a false sense of security. It is after all just a pretty way of building your tables and will behave just as well or badly as the design behind it.
     
  11. siptellnet

    Joined:
    Dec 18, 2009
    Messages:
    47
    Likes Received:
    0
    Hi

    With netstat I see a lot of open ports, like this.
    Comcast gave me an SMC router, so I have a public IP "OPEN" to everything, because the router does 1-to-1 NAT and doesn't have a firewall. I wrote the iptables script, but I am not sure about it.

    [root@voip ~]# iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere tcp dpt:imtc-map
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- 192.168.1.0/24 anywhere
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT tcp -- anywhere anywhere tcp dpt:https
    ACCEPT udp -- anywhere anywhere udp dpts:sip:5070
    ACCEPT tcp -- anywhere anywhere tcp dpts:sip:5070
    ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
    ACCEPT udp -- anywhere anywhere udp dpt:5036

    Chain FORWARD (policy DROP)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination


    [root@voip ~]# netstat

     
  12. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Don't you think your rule:

    ACCEPT all -- anywhere anywhere

    might be a little too permissive?

    I have previously mentioned on this thread a guy named Arno:

    http://rocky.eld.leidenuniv.nl/joomla/i ... &Itemid=63

    Try starting there; it's an effective script to start with and serves as a good tutorial. I hope you will learn a lot there.

    You might also find

    man netstat

    followed perhaps by:
    netstat -tanu

    to be more understandable in its output.
     
  13. vaibhavs

    Joined:
    Oct 2, 2009
    Messages:
    95
    Likes Received:
    0
    I want to set up IPTables for selective access to the SIP & SSH ports.

    I tried this:
    Code:
    /sbin/iptables -A INPUT -p udp -m udp -i eth0 -s x.x.x.x --dport 5060 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -m tcp -i eth0 -s x.x.x.x --dport 5060 -j ACCEPT
    /sbin/iptables -A INPUT -p udp -m udp -i eth0 -s x.x.x.x --dport 10000:20000 -j ACCEPT
    
    But this did not work.
    Rather, SIP access was blocked for x.x.x.x; not sure why.
    I have double-checked my source IP by visiting whatismyip.com.

    As soon as I "-D" the above rules and run the 3 lines at the top, I can connect fine.

    What is wrong with my above iptables rules?

    Please advise.

    Thx
    Vai
     
  14. RKM

    RKM

    Joined:
    Feb 1, 2010
    Messages:
    36
    Likes Received:
    0
    #Vai
    Just a quick note -- do you have all of your OUTGOING enabled? (That rule is input only.)

    Also, keep in mind that you probably won't be able to lock-down your RTP traffic (ports 10,000 to 20,000) unless you're using some sort of proxy - here's the reason why...

    Imagine you get a call that goes On-Network in NYC. You get another call that goes On-Network in Miami. Each of these will be from different IP addresses.

    With this in mind, you have to remember that you have a large range of SIP & RTP traffic. For example:
    - EACH of your office phones (one IP for each, unless NAT'ed)
    - VoIP Carriers (SIP authentication)
    - *Many* VoIP Gateways (like the NYC/Miami example above)

    In simplest terms, I'd leave RTP *open* (10000-20000) and make sure you have a *full* inventory of all 5060 communications, and create all of those.
     
  15. vaibhavs

    Joined:
    Oct 2, 2009
    Messages:
    95
    Likes Received:
    0
    @RKM :
    Thx for your inputs. Really vital.

    So my iptables should be:
    Code:
    /sbin/iptables -A INPUT -p udp -m udp -i eth0 --dport 10000:20000 -j ACCEPT
    /sbin/iptables -A INPUT -p udp -m udp -i eth0 -s x.x.x.x --dport 5060 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -m tcp -i eth0 -s x.x.x.x --dport 5060 -j ACCEPT
    
    Do I need to open 5060 TCP?

    Any clue why the -s x.x.x.x is not working as expected?
    I have double-checked the iptables rules and they seem to be correct.

    Thx again
    Vai
     
  16. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
  17. RKM

    RKM

    Joined:
    Feb 1, 2010
    Messages:
    36
    Likes Received:
    0
    @Vai-
    Yes, you've got the RTP side down (by opening it up without limiting it to IP). And yes, you should enable BOTH TCP & UDP on 5060.

    Based on your example, it doesn't look like you're creating the multiple entries for the 5060 (SIP) rule. Also, I can't remember what the "m" parameter is, but you don't need it.

    The point I was making about creating records for your phones, IP carriers, etc -- you'd need multiple 5060 entries for each.

    For example, imagine your VOIP provider's IP address is 10.10.10.15 and you have another VOIP provider (or backup VOIP server from the first provider) at 10.10.10.16 ... And you have phones at 10.10.10.50, 51, 52, 53 (etc).

    In that case, you'd create a set of records like this:

    Code:
    # $IFext is your external interface (e.g. eth0); one rule per SIP source
    /sbin/iptables -A INPUT  -i $IFext -p udp -s 10.10.10.0/24 --dport 5060 -j ACCEPT   # office phones
    /sbin/iptables -A INPUT  -i $IFext -p udp -s 10.10.10.15   --dport 5060 -j ACCEPT   # VoIP provider
    /sbin/iptables -A INPUT  -i $IFext -p udp -s 10.10.10.16   --dport 5060 -j ACCEPT   # backup provider
    
    See what I mean? One for each connection that might require SIP, and also remember that many SIP sessions are set up on alternate ports (e.g. you might be connecting at 5061 for some reason, on your phones, etc.) which can also throw another wrench into the mix.

    @Ramoncio-
    That CSF suite looks really promising!

    The only thing I couldn't really wrap my mind around... It's primarily running all of its *firewall* features as iptables scripts, right? I mean, it's not running some added firewall daemon for the SPI and IDS features (stateful packet inspection, intrusion detection)?

    If you had to summarize what this actually is doing/including, would you say this is a fair explanation:
    * IP Tables scripts (pre-written) with more advanced things like SPI
    * Log checker
    * Web administration tool

    Or is there more to the package that I'm missing?

    Thanks again for sharing this link, it really looks amazing!
     
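    The policy RKM lays out in post 7 (default-deny INPUT, open OUTPUT, management from one subnet, SSH off port 22) and the per-peer 5060 rules from post 17 fit in one script. This is an added example, not a script from anyone in this thread; the interface, subnet, port and peer addresses are constructed placeholders, and IPT defaults to echo so the generated rules can be reviewed before being applied with IPT=/sbin/iptables as root.

```shell
#!/bin/sh
# Added example: build the INPUT chain discussed above for an Elastix box.
# IPT defaults to "echo" (dry run); set IPT=/sbin/iptables to apply for real.
IPT="${IPT:-echo}"
WAN_IF="${WAN_IF:-eth0}"                       # external interface (placeholder)
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"         # where the box is managed from (placeholder)
SSH_PORT="${SSH_PORT:-2222}"                   # SSH moved off 22 (placeholder)
# VoIP providers and the office phone subnet; all constructed placeholder addresses
SIP_PEERS="${SIP_PEERS:-10.10.10.15 10.10.10.16 10.10.10.0/24}"

build_rules() {
    # default-deny inbound and forwarded traffic, allow everything outbound
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to our own outbound connections, and nothing that is malformed
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # management: SSH and the web GUI only from the admin network
    $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$MGMT_NET" --dport "$SSH_PORT" -j ACCEPT
    for port in 80 443; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$MGMT_NET" --dport "$port" -j ACCEPT
    done
    # SIP signalling: one UDP and one TCP rule per known peer, as post 17 describes
    for peer in $SIP_PEERS; do
        for proto in udp tcp; do
            $IPT -A INPUT -i "$WAN_IF" -p "$proto" -s "$peer" --dport 5060 -j ACCEPT
        done
    done
    # RTP media arrives from whichever gateway carries the call, so no per-source filter
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 10000:20000 -j ACCEPT
    # log (rate-limited) what the DROP policy is about to discard
    $IPT -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

# number of SIP signalling rules generated (2 per peer)
count_sip_rules() {
    build_rules | grep -c -- '--dport 5060'
}

build_rules
```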
  18. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
    I have installed csf on a test machine and it seems to work great.
    AFAIK it uses iptables and some perl scripts to get results and check logs.
    It is free, but not GPL, so it can't be included in the Elastix iso, but it can be installed afterwards very easily, in 1 minute.
     
  19. RKM

    RKM

    Joined:
    Feb 1, 2010
    Messages:
    36
    Likes Received:
    0
    Thank you for the info.

    It definitely looks like something that will be worthwhile. I'm going to give it a try next time I'm doing upgrades.

    If you are really interested in offering it as part of Elastix, I know that most of the non-GPL guys will still allow you to incorporate it simply by asking them for permission.
     
  20. vaibhavs

    Joined:
    Oct 2, 2009
    Messages:
    95
    Likes Received:
    0
    Thx RKM, yes I have multiple source IP addresses.

    I have set up a single rule allowing UDP 10000:20000 from everywhere
    AND
    two SIP rules per provider IP: 5060:5062 TCP & 5060:5062 UDP

    I had read somewhere that it's a good idea to open up 5060:5062.
    Since packets are restricted to limited sources, there is minimal security risk anyway.



    But I am now stumped by a unique problem....

    My desktop PCs are on the 192.168.1.X LAN range.

    The desktops' gateway IP is 192.168.1.1.
    192.168.1.1 is a simple CentOS server with 1 NIC and the following 2 lines in rc.local:
    --------
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
    --------

    But I see that the packets reaching my Trixbox show the source IP as 192.168.1.x (the desktop's LAN IP), NOT the WAN IP post-masquerade.

    This is exactly the reason why my firewall rules did not work all this while.

    This rule did not work:
    /sbin/iptables -A INPUT -i eth0 -p udp -s 122.18.101.5 --dport 5060 -j ACCEPT
    But this rule worked:
    /sbin/iptables -A INPUT -i eth0 -p udp -s 192.168.1.0/24 --dport 5060 -j ACCEPT


    This got me thinking as to why the packets are reaching the Trixbox server with a 192 range IP.

    I think the MASQ is not happening correctly.
    Any ideas??

    Thx again
     
