iptables disables my web interface!

Mike M

#1
Hi all
I am a complete newbie when it comes to VOIP - so bear with me if I have missed something obvious.
We are a small business with 2 offices and want to move to VOIP.
We have installed Elastix in the main office, and are using trunks supplied by our VSP.
All has gone fine.
The Elastix box is behind a firewall using NAT.
We can make and receive calls from inside the main office and from the remote office.
We want to use iptables on the elastix box to limit accepted incoming packets to Elastix to the following source addresses:
- the main office LAN - 192.168.0.0/24
- the VSP xx.x.xx.x
- our remote office yy.y.yy.y

I've installed Webmin on the elastix box to manage iptables. I've set rules to limit incoming packets to the above addresses. All other rules (e.g. forwarded packets, output etc.) are set to accept.

When I activate iptables:
- phones on the LAN can make and receive calls via the VSP trunks - as expected
- phones in the remote office can register and make and receive calls via the elastix box - as expected
- but when I try to access the elastix web interface from inside the main office LAN - it doesn't work. (I can get the system tab only, and it shows 0 extensions and 0 trunks - no other tabs respond.)

The same PC that I use to access the Elastix web interface has no problem registering a soft phone on elastix, and I can use that to make calls.

As soon as I de-activate iptables, the web interface starts working again.

Anyone have any ideas why the elastix web interface is being stopped from working?
 

dicko

#2
Welcome Mike M:

Strange, please post the output of

iptables -L (reasonably obfuscating any external IPs)

and the IP address of your server on the LAN

Do you access the box's web interface by IP or by name?

Can you still get to webmin on the port I hope you changed it to run on?

dicko
 

Mike M

#3
Hi Dicko
Thanks very much for the reply.

[root@elastix2 ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT all -- sip.[our isp domain].com anywhere
ACCEPT all -- pppxx-yyy-yyy-125.static.[our isp domain].com anywhere
ACCEPT all -- pppxx-xxx-xxx-103.static.[our isp domain].com anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

First line obviously is the LAN.
Second line I added this morning - got to the stage where I'm trying anything
Third line is the resolved name of our VSP SIP server
Fourth line is the resolved name of the branch office
Fifth line is the resolved name of my home (I want an extension there)

Elastix has its dns set to our (windows) domain dns - 192.168.0.11
IP address of Elastix is 192.168.0.16
Web access to Elastix is always by ip address
Webmin works fine (on same PC) after I activate iptables

And - I can register / use a soft phone on the PC after iptables is activated.
Same behavior occurs on another PC also on the LAN.

I'm stumped!
 

dicko

#4
I don't see a real problem with the rules. However, pragmatically, and because for you it is a problem, I suggest you might want to use something like CSF

http://www.configserver.com/cp/csf.html

to manage your iptables. It even comes with a webmin module, and the config file is easy to understand, quite explanatory and does the work for you; just "fill in the blanks".

IWFM, and good luck, I think if you go that route, you will find it both effective and educational.

dicko
 

franklin

#5
I followed dicko's advice and now have CSF on 5 boxes. lastb shows nothing now.

You might try a service webmin restart at the prompt. At times when I am in demo mode my Web interface becomes unresponsive. When I enable the firewall the problem seems to go away.

Note, on two boxes I had trouble getting Webmin to take properly.
webmin-1.530-1.noarch.rpm loaded with wget http://www.configserver.com/free/csf.tgz
and csfwebmin.tgz was not in /etc/csf. In this scenario Webmin simply would not pull up in a browser

I had to uninstall Webmin and CSF and reboot in one scenario for it to work. But it did.

Look at the CSF post and follow dicko's instructions on changing the port, chkconfig and service webmin stop for security. And change your SSH port and get "green" on your security test. Good luck. I am extremely happy with this package.
 

Mike M

#6
Thanks all for helping with this.
I'll be checking out CSF today.

In the meantime - issue appears to be fixed. I went looking for the source of the problem in MySQL permissions, and changed the linux firewall to also allow traffic from 127.0.0.1 - and the problem immediately ceased.


Mike
 

dicko

#7
Indeed, a firewall that denies itself is probably overly restrictive; you will rarely hear me say that again when it comes to firewalls. In csf, just let it handle ONLY your external eth.
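The failure mode in this thread, as an added check (not code from the thread, Elastix or CSF): the ruleset Mike posted has an INPUT policy of DROP and no rule for loopback, so the web GUI's own connections to local services (MySQL, the Asterisk manager) on 127.0.0.1 are dropped along with everything else. The script below parses `iptables -S` style output (a constructed sample mirroring Mike's rules, with placeholder addresses for the obfuscated VSP, branch and home hosts) and flags that condition; it treats an `-i lo` rule or a 127.0.0.0/8 source rule as a fix, the interface match being the usual form since no legitimate packet arrives on another interface with a loopback source.

```python
"""Flag an iptables ruleset whose INPUT policy is DROP but never accepts loopback."""
import shlex

# Constructed sample in `iptables -S` form, mirroring the rules posted in this
# thread; the VSP, branch office and home addresses are placeholders.
SAMPLE = """\
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -j ACCEPT
-A INPUT -s 198.51.100.125/32 -j ACCEPT
-A INPUT -s 198.51.100.103/32 -j ACCEPT
"""

LOOPBACK_SOURCES = {"127.0.0.1/32", "127.0.0.1", "127.0.0.0/8"}
LOOPBACK_FIX = "-A INPUT -i lo -j ACCEPT"  # interface match, safer than a source match


def parse_rules(text):
    """Return ({chain: policy}, [rule dicts]) from `iptables -S` output."""
    policies, rules = {}, []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
        elif toks[0] == "-A":
            rule = {"chain": toks[1], "source": None, "in_iface": None, "target": None}
            opts = {"-s": "source", "-i": "in_iface", "-j": "target"}
            for i, tok in enumerate(toks[2:-1], start=2):  # each option's value follows it
                if tok in opts:
                    rule[opts[tok]] = toks[i + 1]
            rules.append(rule)
    return policies, rules


def accepts_loopback(rule):
    """True for an INPUT ACCEPT rule that covers loopback by interface or by source."""
    return (rule["chain"] == "INPUT" and rule["target"] == "ACCEPT"
            and (rule["in_iface"] == "lo" or rule["source"] in LOOPBACK_SOURCES))


def loopback_blocked(text):
    """True when the INPUT default is DROP and no rule lets loopback traffic through."""
    policies, rules = parse_rules(text)
    if policies.get("INPUT", "ACCEPT") != "DROP":
        return False
    return not any(accepts_loopback(r) for r in rules)
```

Run it against `iptables -S` output from the box; if `loopback_blocked` is true, inserting `LOOPBACK_FIX` at the top of INPUT is the interface-based form of the fix Mike applied.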
 

Mike M

#8
My first thought was "how bizarre".
Then I decided it should give me a level of comfort, which it would if I hadn't wasted so much time...
 
