[Spce-user] iptables issue
Jonathan Yue
jonathan.yue at turboitsolutions.com
Mon Apr 18 20:08:16 EDT 2016
Thanks for your input, Raúl. Changing the default policy to DROP is a good
catch. It's hard to gather pieces here and there; actually there aren't
so many documents about spce, and the handbook is brief. It'd be nice if
there were detailed instructions under the iptables section of the handbook,
such as what exactly policies are advised to be implemented, no more, no
less, for spce to be used in production.
My lab spce, which uses a public IP, was hacked 2 days ago, so I'm picking
up the task that should have been done at the very beginning; a lot about
iptables & spce to learn. I originally was considering installing
fail2ban, but someone says fail2ban is not enough, it's better to
explicitly allow necessary accesses.
------ Original Message ------
From: "Raúl Alexis Betancor Santana" <rabs at dimension-virtual.com>
To: spce-user at lists.sipwise.com
Sent: 2016-04-18 2:28:57 PM
Subject: Re: [Spce-user] iptables issue
>The proper way to set up the firewalling is to know what you are
>doing.
>
>First, doing a -j DROP is nonsense ... better to change the policy
>of the INPUT chain.
>
>iptables -P INPUT DROP
>
>Second ... you MUST know what services are working on the system, so
>you let them go in and out and flow to the interfaces needed
>
>DNS
>SIP
>SIPs
>SIP over TCP
>XMPP
>RTPEngine ports
>Web
>WebServices
>MySQL
>...
>
>By default, the services are set up to only reply locally, so there is no
>need to be digging with the iptables to protect the system ... no
>more than a few rules when you want to HARD-DROP scammers.
>
>
>--------------------------------------------------------------------------------
>>From: "Jonathan Yue" <jonathan.yue at turboitsolutions.com>
>>To: spce-user at lists.sipwise.com
>>Sent: Monday, 18 April 2016 22:31:59
>>Subject: [Spce-user] iptables issue
>>Hi, all,
>>
>>I customized iptables by allowing some IP addresses in the INPUT chain,
>>and put "iptables -A INPUT -j DROP" at the bottom. After that, the
>>execution of "iptables -L" is extremely slow; more importantly phones
>>can't register. Packet captures (I can still ssh to the server) show that
>>spce doesn't respond to SIP registration. I read the handbook, which
>>mentions RTPENGINE, however it's there, untouched.
>> sudo iptables -L
>>Chain INPUT (policy ACCEPT)
>>target prot opt source destination
>>ACCEPT all -- 77.72.169.0/24 anywhere
>>ACCEPT all -- 46.19.208.0/22 anywhere
>>............ ( a few line omitted )
>>rtpengine all -- anywhere anywhere
>>DROP all -- anywhere anywhere
>>LOG all -- anywhere anywhere LOG level warning
>>
>>Chain FORWARD (policy ACCEPT)
>>target prot opt source destination
>>
>>Chain OUTPUT (policy ACCEPT)
>>target prot opt source destination
>>
>>Chain rtpengine (1 references)
>>target prot opt source destination
>>RTPENGINE udp -- anywhere anywhere
>>RTPENGINE id:0
>>
>>After command "iptables -D INPUT -j DROP", issue is gone right away. I
>>wonder what's the proper way to configure iptables on spce?
>>
>>thanks,
>>
>>J.
>>
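An added example, not code from this thread or from Sipwise, of the whitelist approach Raúl describes: explicit per-service ACCEPT rules in a dedicated chain plus a DROP policy on INPUT, instead of a trailing "-A INPUT -j DROP". The two admin networks are the ones from Jonathan's listing; the service ports, the 30000:40000 RTP range and the 1443 admin-panel port are assumptions to be checked against the installation's own configuration.

```shell
#!/bin/sh
# Whitelist INPUT firewall for an SPCE host. Rules live in their own chain so
# the script can be re-run and does not touch the rtpengine chain that the
# rtpengine daemon installs. Apply with: sudo sh spce-fw.sh apply
# Review without applying: IPT=dry sh spce-fw.sh apply
IPT="${IPT:-iptables}"
dry() { echo "iptables $*"; }          # dry-run backend: print instead of apply

ADMIN_NETS="${ADMIN_NETS:-77.72.169.0/24 46.19.208.0/22}"  # SSH/admin sources (from the thread)
SIP_NETS="${SIP_NETS:-0.0.0.0/0}"     # where phones register from; narrow it if you can
RTP_RANGE="${RTP_RANGE:-30000:40000}" # assumed rtpengine media port range, check config.yml
CHAIN=spce-in

spce_firewall() {
    # Create the chain on first run, empty it on later runs (idempotent).
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    $IPT -A "$CHAIN" -i lo -j ACCEPT
    # Replies to the box's own outbound traffic (DNS answers etc.). Services
    # that listen only on localhost, such as MySQL, need no rule at all.
    $IPT -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A "$CHAIN" -m conntrack --ctstate INVALID -j DROP
    for net in $ADMIN_NETS; do
        $IPT -A "$CHAIN" -s "$net" -p tcp --dport 22 -j ACCEPT    # SSH
        $IPT -A "$CHAIN" -s "$net" -p tcp --dport 1443 -j ACCEPT  # admin panel (assumed port)
    done
    for net in $SIP_NETS; do
        $IPT -A "$CHAIN" -s "$net" -p udp --dport 5060 -j ACCEPT  # SIP over UDP
        $IPT -A "$CHAIN" -s "$net" -p tcp --dport 5060 -j ACCEPT  # SIP over TCP
        $IPT -A "$CHAIN" -s "$net" -p tcp --dport 5061 -j ACCEPT  # SIPS (TLS)
        $IPT -A "$CHAIN" -s "$net" -p tcp --dport 5222 -j ACCEPT  # XMPP
        $IPT -A "$CHAIN" -s "$net" -p udp --dport "$RTP_RANGE" -j ACCEPT  # RTP media
    done
    $IPT -A "$CHAIN" -p tcp --dport 443 -j ACCEPT  # customer web / web services
    # Log (rate limited) what falls through; the packet then returns to INPUT,
    # where the chain policy, not a trailing "-A INPUT -j DROP", discards it.
    $IPT -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "spce-fw drop: "
    # Hook the chain into INPUT exactly once: delete-then-append is idempotent.
    $IPT -D INPUT -j "$CHAIN" 2>/dev/null
    $IPT -A INPUT -j "$CHAIN"
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # Inspect with "iptables -L $CHAIN -n -v": -n skips the reverse DNS lookups
    # that make a plain "iptables -L" crawl.
}

case "${1:-}" in apply) spce_firewall ;; esac
```

Run it in dry mode first and read the printed rules; the ACCEPT list is the complete inventory of what the box will answer from outside, so anything missing there is a service that will silently stop working once the policy flips to DROP.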