iptables disables my web interface!

Discussion in 'General' started by Mike M, Mar 17, 2011.

  1. Mike M

    Joined:
    Mar 17, 2011
    Messages:
    6
    Likes Received:
    0
    Hi all
    I am a complete newbie when it comes to VOIP - so bear with me if I have missed something obvious.
    We are a small business with 2 offices and want to move to VOIP.
    We have installed Elastix in the main office, and are using trunks supplied by our VSP.
    All has gone fine.
    The Elastix box is behind a firewall using NAT.
    We can make and receive calls from inside the main office and from the remote office.
    We want to use iptables on the Elastix box to limit accepted incoming packets to Elastix to the following source addresses:
    - the main office LAN - 192.168.0.0/24
    - the VSP xx.x.xx.x
    - our remote office yy.y.yy.y

    I've installed Webmin on the Elastix box to manage iptables. I've set rules to limit incoming packets to the above addresses. All other rules (eg forwarded packets, output etc) are set to accept.

    When I activate iptables:
    - phones on the LAN can make and receive calls via the VSP trunks - as expected
    - phones in the remote office can register and make and receive calls via the Elastix box - as expected
    - but when I try and access the Elastix web interface from inside the main office LAN - it doesn't work. (I can get the System tab only, and it shows 0 extensions and 0 trunks - no other tabs respond.)

    The same PC that I use to access the Elastix web interface has no problem registering a soft phone on elastix, and I can use that to make calls.

    As soon as I de-activate iptables, the web interface starts working again.

    Anyone have any ideas why the Elastix web interface is being stopped from working?
     
  2. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Welcome Mike M:

    Strange, please post the output of

    iptables -L (reasonably obfuscating any external IPs)

    and the IP address of your server on the LAN

    Do you web access the box by IP or name?

    Can you still get to Webmin on the port I hope you changed it to run on?

    dicko
     
  3. Mike M

    Joined:
    Mar 17, 2011
    Messages:
    6
    Likes Received:
    0
    Hi Dicko
    Thanks very much for the reply.

    [root@elastix2 ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source                                         destination
    ACCEPT     all  --  192.168.0.0/24                                 anywhere
    ACCEPT     all  --  anywhere                                       anywhere            state ESTABLISHED
    ACCEPT     all  --  sip.[our isp domain].com                       anywhere
    ACCEPT     all  --  pppxx-yyy-yyy-125.static.[our isp domain].com  anywhere
    ACCEPT     all  --  pppxx-xxx-xxx-103.static.[our isp domain].com  anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source                                         destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source                                         destination

    First line obviously is the LAN.
    Second line I added this morning - got to the stage where I'm trying anything.
    Third line is the resolved name of our VSP SIP server.
    Fourth line is the resolved name of the branch office.
    Fifth line is the resolved name of my home (I want an extension there).

    Elastix has its DNS set to our (Windows) domain DNS - 192.168.0.11
    IP address of Elastix is 192.168.0.16
    Web access to Elastix is always by IP address
    Webmin works fine (on the same PC) after I activate iptables

    and - I can register / use a soft phone on the PC after iptables is activated.
    The same behavior occurs on another PC also on the LAN.

    I'm stumped!
     
  4. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    I don't see a real problem with the rules; however, pragmatically, and because for you it is a problem, I suggest you might want to use something like CSF

    http://www.configserver.com/cp/csf.html

    to manage your iptables. It even comes with a Webmin module, and the config file is easy to understand, quite explanatory and does the work for you - just "fill in the blanks".

    IWFM, and good luck, I think if you go that route, you will find it both effective and educational.

    dicko
     
  5. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    I followed dicko's advice and now have CSF on 5 boxes. lastb shows nothing now.

    You might try a service webmin restart at the prompt. At times when I am in demo mode my Web interface becomes unresponsive. When I enable the firewall the problem seems to go away.

    Note, on two boxes I had trouble getting Webmin to take properly.
    webmin-1.530-1.noarch.rpm loaded with wget http://www.configserver.com/free/csf.tgz
    and csfwebmin.tgz was not in /etc/csf. In this scenario Webmin simply would not pull up in a browser.

    I had to uninstall Webmin and CSF and reboot in one scenario for it to work. But it did.

    Look at the CSF post and follow dicko's instruction on changing the port, chkconfig and service webmin stop for security. And change your SSH port and get "green" on your security test. Good luck. I am extremely happy with this package.
     
  6. Mike M

    Joined:
    Mar 17, 2011
    Messages:
    6
    Likes Received:
    0
    Thanks all for helping with this.
    I'll be checking out CSF today.

    In the meantime - the issue appears to be fixed. I went looking for the source of the problem in MySQL permissions, and changed the Linux firewall to also allow traffic from 127.0.0.1 - and the problem immediately ceased.


    Mike
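The fix Mike found is the general lesson of this thread: with `policy DROP` on INPUT, the box also drops its own loopback traffic, and the Elastix/FreePBX web pages depend on local connections (PHP to MySQL and to the Asterisk manager interface on 127.0.0.1), which is why only the System tab rendered while Webmin and the LAN softphone, which need no loopback hop, kept working. Below is an added example, not code from the thread or from Elastix/CSF, that builds the same source whitelist with the loopback and ESTABLISHED,RELATED rules placed first, and a small check that detects the "firewall that denies itself" condition in a saved `iptables -S INPUT` listing. The three external addresses are placeholders from the documentation ranges (the thread obfuscates the real ones); `DRY_RUN=1` prints the commands instead of applying them, so it can be reviewed without root.

```bash
#!/bin/sh
# Added example (not from the thread): INPUT whitelist that does not block the host's
# own loopback traffic. Constructed placeholder addresses; the LAN is the thread's.
LAN_NET="192.168.0.0/24"      # main office LAN (from the thread)
VSP_IP="203.0.113.10"         # placeholder: VSP SIP server
BRANCH_IP="198.51.100.20"     # placeholder: remote office
HOME_IP="192.0.2.30"          # placeholder: home extension

# Wrapper: with DRY_RUN=1 the iptables commands are printed rather than executed.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_input_rules() {
    ipt -F INPUT
    # 1. Loopback first: local services (web UI -> MySQL, web UI -> Asterisk manager)
    #    talk to each other over 127.0.0.1 and traverse INPUT on interface lo.
    ipt -A INPUT -i lo -j ACCEPT
    # 2. Replies to connections this box initiated (DNS to 192.168.0.11, trunk registration).
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. The trusted sources from the thread: LAN, VSP, branch office, home.
    for src in "$LAN_NET" "$VSP_IP" "$BRANCH_IP" "$HOME_IP"; do
        ipt -A INPUT -s "$src" -j ACCEPT
    done
    # 4. Default deny, set last so nothing is cut off while the rules are loading.
    ipt -P INPUT DROP
}

# Check a saved `iptables -S INPUT` listing (passed as one string) for the mistake
# in the thread: policy DROP with no ACCEPT for loopback (by interface or 127.x source).
# Returns 0 if the host can reach itself, 1 if it denies itself.
check_loopback() {
    listing="$1"
    if printf '%s\n' "$listing" | grep -q '^-P INPUT DROP' &&
       ! printf '%s\n' "$listing" | grep -Eq '^-A INPUT (-i lo|-s 127\.[0-9.]+(/[0-9]+)?) .*-j ACCEPT'; then
        return 1
    fi
    return 0
}

# Stand-alone use: review the generated commands without touching the live firewall.
if [ "${DRY_RUN:-0}" = "1" ]; then
    build_input_rules
fi
```

Run it as `DRY_RUN=1 sh firewall.sh` to see the commands, and `check_loopback "$(iptables -S INPUT)"` on a live box to confirm the loopback rule is present. Note that `iptables -L` without `-v` hides the interface column, so a `-i lo` rule shows up there as an anonymous `anywhere -> anywhere` ACCEPT; `iptables -S` (or `-L -v`) is the listing to audit.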
     
  7. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Indeed, a firewall that denies itself is probably overly restrictive; you will rarely hear me say that again when it comes to firewalls. In CSF, just let it handle ONLY your external eth.
     
  8. Mike M

    Joined:
    Mar 17, 2011
    Messages:
    6
    Likes Received:
    0
    My first thought was "how bizarre".
    Then I decided it should give me a level of comfort, which it would if I hadn't wasted so much time ..
     