[Spce-user] iptables issue

Julian Seifert js at dacor.de
Tue Apr 19 06:21:36 EDT 2016


you shouldn't need to apply any firewalling for internal communication.
Apply your firewall rules to your WANside interfaces. (see -i in iptable rules)
Allow everything out & allow established connections to get replies.
Fail2ban is a good idea.

You can implement fail2ban for sip-registrations (But I think there's already
something like that builtin. but maybe that's pro version only, if so there is a sipwise
blog entry regarding the implementation of fail2ban with regards to sip I think)
(this is the article I was thinking of:
https://www.sipwise.org/news/technical/securing-your-ngcp-against-sip-attacks/ )

If your server was hacked you should analyse how that happened.
There might be flaws in the services you are about to open in your firewall
or maybe your passwords are of poor choice etc.

There is plenty of documentation regarding firewalling for linux-systems.
A starting point can be: https://help.ubuntu.com/community/IptablesHowTo
But any other current documentation works as good as this one.

kind regards,

Von: Spce-user [spce-user-bounces at lists.sipwise.com]" im Auftrag von "Jonathan Yue [jonathan.yue at turboitsolutions.com]
Gesendet: Dienstag, 19. April 2016 06:26
An: Raúl Alexis Betancor Santana; spce-user at lists.sipwise.com
Betreff: Re: [Spce-user] iptables issue

be checking iptables log, i figured this out, adding "iptables -A INPUT -s -d -j ACCEPT" fixes the sip issue.

regarding the slow output of "iptables -L", adding "iptables -A INPUT -p udp --sport 53 -j ACCEPT" fixes it. apparently iptables tries to resolve the fqdn of the ip addresses in the table, so DNS should be allowed.

------ Original Message ------
From: "Raúl Alexis Betancor Santana" <rabs at dimension-virtual.com<mailto:rabs at dimension-virtual.com>>
To: spce-user at lists.sipwise.com<mailto:spce-user at lists.sipwise.com>
Sent: 2016-04-18 2:28:57 PM
Subject: Re: [Spce-user] iptables issue

The proper way to setup the firewalling it's to know what you are doing.

First, doing a -J DROP it's a non-sense ... better to change the policy of the INPUT chain.

iptables -P INPUT DROP

Second ... you MUST know what services are working on the system, so you let them go in and out and flow to the interfaces needed

SIP over TCP
RTPEngine ports

By default, the services are setup to only reply local, so there is no need to been digging with the iptables to protect the system ... no more than a few rules when you want to HARD-DROP scammers.

De: "Jonathan Yue" <jonathan.yue at turboitsolutions.com<mailto:jonathan.yue at turboitsolutions.com>>
Para: spce-user at lists.sipwise.com<mailto:spce-user at lists.sipwise.com>
Enviados: Lunes, 18 de Abril 2016 22:31:59
Asunto: [Spce-user] iptables issue
Hi, all,

I customized iptables by allowing some ip addresses in INPUT chain, and put "iptables -A INPUT -j DROP" at the bottom. Aftert that, the execution of "iptables -L" is extremely slow; more importantly phones can't register. packet captures ( i can still ssh to server) show that spce doesn't respond to sip registration. I read handbook, which mentions RTPENGINE, however it's there, untouched.
 sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --       anywhere
ACCEPT     all  --       anywhere
............ ( a few line omitted )
rtpengine  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain rtpengine (1 references)
target     prot opt source               destination
RTPENGINE  udp  --  anywhere             anywhere             RTPENGINE id:0

After command "iptables -D INPUT -j DROP", issue is gone right away. I wonder what's the proper way to configure iptables on spce?



Spce-user mailing list
Spce-user at lists.sipwise.com<mailto:Spce-user at lists.sipwise.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20160419/ad493a28/attachment-0001.html>

More information about the Spce-user mailing list