[Spce-user] iptables issue

Jonathan Yue jonathan.yue at turboitsolutions.com
Tue Apr 19 00:26:37 EDT 2016


By checking the iptables log, I figured this out: adding "iptables -A INPUT 
-s 127.0.0.1 -d 127.0.0.1 -j ACCEPT" fixes the SIP issue.

Regarding the slow output of "iptables -L", adding "iptables -A INPUT -p 
udp --sport 53 -j ACCEPT" fixes it. Apparently iptables tries to resolve 
the FQDN of the IP addresses in the table, so DNS should be allowed.

------ Original Message ------
From: "Raúl Alexis Betancor Santana" <rabs at dimension-virtual.com>
To: spce-user at lists.sipwise.com
Sent: 2016-04-18 2:28:57 PM
Subject: Re: [Spce-user] iptables issue

>The proper way to set up the firewalling is to know what you are 
>doing.
>
>First, doing a -j DROP is nonsense ... better to change the policy 
>of the INPUT chain.
>
>iptables -P INPUT DROP
>
>Second ... you MUST know what services are running on the system, so 
>you let them go in and out and flow to the interfaces needed:
>
>DNS
>SIP
>SIPs
>SIP over TCP
>XMPP
>RTPEngine ports
>Web
>WebServices
>MySQL
>...
>
>By default, the services are set up to only reply locally, so there is no 
>need to be digging into iptables to protect the system ... no 
>more than a few rules when you want to HARD-DROP scammers.
>
>
>--------------------------------------------------------------------------------
>>From: "Jonathan Yue" <jonathan.yue at turboitsolutions.com>
>>To: spce-user at lists.sipwise.com
>>Sent: Monday, 18 April 2016 22:31:59
>>Subject: [Spce-user] iptables issue
>>Hi, all,
>>
>>I customized iptables by allowing some IP addresses in the INPUT chain, 
>>and put "iptables -A INPUT -j DROP" at the bottom. After that, the 
>>execution of "iptables -L" is extremely slow; more importantly, phones 
>>can't register. Packet captures (I can still ssh to the server) show that 
>>SPCE doesn't respond to SIP registration. I read the handbook, which 
>>mentions RTPENGINE; however, it's there, untouched.
>>  sudo iptables -L
>>Chain INPUT (policy ACCEPT)
>>target     prot opt source               destination
>>ACCEPT     all  --  77.72.169.0/24       anywhere
>>ACCEPT     all  --  46.19.208.0/22       anywhere
>>............ ( a few line omitted )
>>rtpengine  all  --  anywhere             anywhere
>>DROP       all  --  anywhere             anywhere
>>LOG        all  --  anywhere             anywhere             LOG 
>>level warning
>>
>>Chain FORWARD (policy ACCEPT)
>>target     prot opt source               destination
>>
>>Chain OUTPUT (policy ACCEPT)
>>target     prot opt source               destination
>>
>>Chain rtpengine (1 references)
>>target     prot opt source               destination
>>RTPENGINE  udp  --  anywhere             anywhere             RTPENGINE id:0
>>
>>After the command "iptables -D INPUT -j DROP", the issue is gone right away. I 
>>wonder what's the proper way to configure iptables on SPCE?
>>
>>thanks,
>>
>>J.
>>
>>_______________________________________________
>>Spce-user mailing list
>>Spce-user at lists.sipwise.com
>>https://lists.sipwise.com/listinfo/spce-user
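Added example (not code from the thread, from Sipwise, or from the SPCE handbook): a small POSIX sh script that generates the INPUT rule set the replies above call for, prints it as a dry run, and only applies it when invoked as "apply" by root. It keeps SPCE's existing rtpengine chain untouched by appending to INPUT rather than flushing it. Two design points differ from the one-off fixes quoted above and are stated here as this example's choices: loopback is matched on the interface ("-i lo"), which covers all of 127.0.0.0/8 rather than only 127.0.0.1; and DNS answers are admitted through the conntrack ESTABLISHED state, because a rule that accepts any UDP packet with source port 53 also admits anything an attacker chooses to send from source port 53. The port numbers, the trusted networks (taken from the posted listing) and the "spce-fw.sh" name are assumptions for illustration; take the real values from the SPCE configuration.

```shell
#!/bin/sh
# Added example, not from the thread or from Sipwise: an INPUT-chain rule
# set for a SIP host.  Run with no arguments to print the commands (dry run);
# run "./spce-fw.sh apply" as root to execute them.
# The interface and port values below are ASSUMPTIONS for illustration;
# take the real ones from the SPCE configuration.

SIP_PORT=5060             # assumed SIP over UDP/TCP
SIPS_PORT=5061            # assumed SIP over TLS
RTP_RANGE=30000:40000     # assumed rtpengine media port range
SSH_PORT=22
TRUSTED_NETS="77.72.169.0/24 46.19.208.0/22"   # networks from the posted listing

# Print one iptables command per line; nothing is executed here.
fw_rules() {
    # Loopback: matching the interface covers all of 127.0.0.0/8, not just
    # 127.0.0.1, so local traffic between SPCE components passes.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened (DNS answers, HTTP, ...) come
    # back as ESTABLISHED; this replaces a "--sport 53" style rule, which
    # would admit anything sent from source port 53.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    for net in $TRUSTED_NETS; do
        echo "iptables -A INPUT -s $net -j ACCEPT"
    done
    # Services that must be reachable from the outside (assumed ports).
    echo "iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $SIP_PORT -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $SIPS_PORT -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport $RTP_RANGE -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    # Log what falls through, rate limited, BEFORE the policy drops it;
    # a LOG rule placed after a DROP rule is never reached.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: ' --log-level warning"
    # The policy goes last, so the SSH session used to run this already has
    # its ESTABLISHED rule in place when unmatched traffic starts being dropped.
    echo "iptables -P INPUT DROP"
}

# Number of rules that would be appended (the policy line is not a rule).
fw_rule_count() {
    fw_rules | grep -c '^iptables -A '
}

case "${1:-}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        fw_rules | while IFS= read -r cmd; do eval "$cmd"; done
        # -n skips the reverse DNS lookups that make a plain "iptables -L" slow.
        iptables -L INPUT -n -v
        ;;
    *)
        fw_rules
        ;;
esac
```

Keep a console or out-of-band session open the first time this is applied: with the INPUT policy at DROP, any service not listed (the web panel, XMPP, MySQL from another host) is unreachable until a rule for it is added. After applying, "iptables -L INPUT -n -v" should still show the jump to the rtpengine chain from the original listing ahead of the new rules, and the packet counters show which rule SIP REGISTER traffic is actually hitting.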