[Spce-user] iptables issue

Raúl Alexis Betancor Santana rabs at dimension-virtual.com
Mon Apr 18 17:28:57 EDT 2016


The proper way to set up the firewalling is to know what you are doing. 

First, doing a -j DROP is nonsense ... better to change the policy of the INPUT chain. 

iptables -P INPUT DROP 

Second ... you MUST know what services are working on the system, so you let them go in and out and flow to the interfaces needed. 

DNS 
SIP 
SIPs 
SIP over TCP 
XMPP 
RTPEngine ports 
Web 
WebServices 
MySQL 
... 

By default, the services are set up to only reply locally, so there is no need to be digging with iptables to protect the system ... no more than a few rules when you want to HARD-DROP scammers. 

> From: "Jonathan Yue" <jonathan.yue at turboitsolutions.com>
> To: spce-user at lists.sipwise.com
> Sent: Monday, 18 April 2016 22:31:59
> Subject: [Spce-user] iptables issue

> Hi, all,
> I customized iptables by allowing some IP addresses in the INPUT chain, and put
> "iptables -A INPUT -j DROP" at the bottom. After that, the execution of
> "iptables -L" is extremely slow; more importantly, phones can't register. Packet
> captures (I can still ssh to the server) show that spce doesn't respond to SIP
> registration. I read the handbook, which mentions RTPENGINE; however, it's there,
> untouched.
> sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 77.72.169.0/24 anywhere
> ACCEPT all -- 46.19.208.0/22 anywhere
> ............ ( a few lines omitted )
> rtpengine all -- anywhere anywhere
> DROP all -- anywhere anywhere
> LOG all -- anywhere anywhere LOG level warning
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> Chain rtpengine (1 references)
> target prot opt source destination
> RTPENGINE udp -- anywhere anywhere RTPENGINE id:0
> After the command "iptables -D INPUT -j DROP", the issue is gone right away. I wonder
> what's the proper way to configure iptables on spce?
> thanks,
> J.

> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> https://lists.sipwise.com/listinfo/spce-user
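The ruleset below is an added example, not code from this thread or from sip:provider CE. It builds the shape Raúl describes: INPUT policy DROP, a conntrack rule so replies to the box's own traffic get back in, then explicit ACCEPTs only for the services the box actually runs. The two networks whitelisted in Jonathan's listing are reused; the port numbers, the admin network, the rtpengine media range and the interface name are assumptions and must be checked against the installation. Without the ESTABLISHED,RELATED rule, a ruleset like Jonathan's drops the answers to the reverse DNS lookups that `iptables -L` performs, which is why the listing crawls (use `iptables -nL` to skip lookups) and why packets from phones outside the whitelisted networks never get an answer.

```shell
#!/bin/sh
# Added example (not from the list post or from sip:provider CE). Builds a
# whitelist-style INPUT chain: policy DROP, then explicit ACCEPTs per service.
# Ports, admin network, RTP range and interface are assumptions; verify them.
# By default it only prints the iptables commands; set APPLY=1 and run as root
# to execute them after the sanity check passes.

TRUSTED_NETS="77.72.169.0/24 46.19.208.0/22"   # the networks whitelisted in the quoted post
ADMIN_NET="192.0.2.0/24"                        # assumption: where SSH and the admin web come from
RTP_PORTS="30000:40000"                         # assumption: rtpengine media port range
PUBLIC_IF="eth0"                                # assumption: interface phones and peers reach

# Print one iptables command per line, in the order they must be applied.
emit_rules() {
  echo "iptables -F INPUT"
  echo "iptables -P INPUT DROP"             # the chain policy, not a trailing '-A INPUT -j DROP'
  echo "iptables -A INPUT -i lo -j ACCEPT"  # MySQL, local resolver etc. stay loopback-only
  # Replies to the box's own outbound traffic (DNS answers, TCP responses) must come
  # back in; without this, reverse lookups time out and 'iptables -L' crawls.
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
  echo "iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"
  for net in $TRUSTED_NETS; do                # trusted networks accepted in full, as in the post
    echo "iptables -A INPUT -s $net -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT"           # SSH, admin net only
  # Services that phones and peers must reach on the public interface
  echo "iptables -A INPUT -i $PUBLIC_IF -p udp --dport 5060 -j ACCEPT"         # SIP over UDP
  echo "iptables -A INPUT -i $PUBLIC_IF -p tcp --dport 5060 -j ACCEPT"         # SIP over TCP
  echo "iptables -A INPUT -i $PUBLIC_IF -p tcp --dport 5061 -j ACCEPT"         # SIPS (TLS)
  echo "iptables -A INPUT -i $PUBLIC_IF -p tcp --dport 5222 -j ACCEPT"         # XMPP clients
  echo "iptables -A INPUT -i $PUBLIC_IF -p udp --dport $RTP_PORTS -j ACCEPT"   # rtpengine media
  echo "iptables -A INPUT -i $PUBLIC_IF -p tcp --dport 443 -j ACCEPT"          # customer web
  echo "iptables -A INPUT -p tcp --dport 1443 -s $ADMIN_NET -j ACCEPT"         # admin web (assumed port)
  # Log what the policy is about to drop, rate-limited so a scanner cannot fill the log.
  echo "iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix 'INPUT-DROP: '"
}

# Sanity check: returns 0 when the generated list has the shape the thread calls for
# (a DROP policy, no blanket '-A INPUT -j DROP', and the conntrack ACCEPT placed
# before the first per-service rule), 1 otherwise.
check_rules() {
  emit_rules | awk '
    /-P INPUT DROP/           { policy = NR }
    /-A INPUT -j DROP$/       { blanket = 1 }
    /ctstate ESTABLISHED/     { est = NR }
    /--dport/ && !first_svc   { first_svc = NR }
    END {
      if (!policy || blanket || !est || !first_svc || est > first_svc) exit 1
      exit 0
    }'
}

if [ "${APPLY:-0}" = "1" ]; then
  check_rules || { echo "ruleset failed sanity check, not applying" >&2; exit 1; }
  emit_rules | while IFS= read -r cmd; do eval "$cmd"; done
else
  emit_rules
fi
```

Run it once without APPLY to read the commands it would issue; `APPLY=1` as root applies them in order. The trusted networks are accepted in full here only because the quoted listing did the same; narrowing them to the ports those peers actually use is the next step.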