[Spce-user] iptables issue
Julian Seifert
js at dacor.de
Tue Apr 19 06:21:36 EDT 2016
Hi,
you shouldn't need to apply any firewalling for internal communication.
Apply your firewall rules to your WANside interfaces. (see -i in iptable rules)
Allow everything out & allow established connections to get replies.
Fail2ban is a good idea.
You can implement fail2ban for sip-registrations (But I think there's already
something like that builtin. but maybe that's pro version only, if so there is a sipwise
blog entry regarding the implementation of fail2ban with regards to sip I think)
(this is the article I was thinking of:
https://www.sipwise.org/news/technical/securing-your-ngcp-against-sip-attacks/ )
If your server was hacked you should analyse how that happened.
There might be flaws in the services you are about to open in your firewall
or maybe your passwords are of poor choice etc.
There is plenty of documentation regarding firewalling for linux-systems.
A starting point can be: https://help.ubuntu.com/community/IptablesHowTo
But any other current documentation works as good as this one.
kind regards,
Julian
________________________________
Von: Spce-user [spce-user-bounces at lists.sipwise.com]" im Auftrag von "Jonathan Yue [jonathan.yue at turboitsolutions.com]
Gesendet: Dienstag, 19. April 2016 06:26
An: Raúl Alexis Betancor Santana; spce-user at lists.sipwise.com
Betreff: Re: [Spce-user] iptables issue
be checking iptables log, i figured this out, adding "iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT" fixes the sip issue.
regarding the slow output of "iptables -L", adding "iptables -A INPUT -p udp --sport 53 -j ACCEPT" fixes it. apparently iptables tries to resolve the fqdn of the ip addresses in the table, so DNS should be allowed.
------ Original Message ------
From: "Raúl Alexis Betancor Santana" <rabs at dimension-virtual.com<mailto:rabs at dimension-virtual.com>>
To: spce-user at lists.sipwise.com<mailto:spce-user at lists.sipwise.com>
Sent: 2016-04-18 2:28:57 PM
Subject: Re: [Spce-user] iptables issue
The proper way to setup the firewalling it's to know what you are doing.
First, doing a -J DROP it's a non-sense ... better to change the policy of the INPUT chain.
iptables -P INPUT DROP
Second ... you MUST know what services are working on the system, so you let them go in and out and flow to the interfaces needed
DNS
SIP
SIPs
SIP over TCP
XMPP
RTPEngine ports
Web
WebServices
MySQL
...
By default, the services are setup to only reply local, so there is no need to been digging with the iptables to protect the system ... no more than a few rules when you want to HARD-DROP scammers.
________________________________
De: "Jonathan Yue" <jonathan.yue at turboitsolutions.com<mailto:jonathan.yue at turboitsolutions.com>>
Para: spce-user at lists.sipwise.com<mailto:spce-user at lists.sipwise.com>
Enviados: Lunes, 18 de Abril 2016 22:31:59
Asunto: [Spce-user] iptables issue
Hi, all,
I customized iptables by allowing some ip addresses in INPUT chain, and put "iptables -A INPUT -j DROP" at the bottom. Aftert that, the execution of "iptables -L" is extremely slow; more importantly phones can't register. packet captures ( i can still ssh to server) show that spce doesn't respond to sip registration. I read handbook, which mentions RTPENGINE, however it's there, untouched.
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 77.72.169.0/24 anywhere
ACCEPT all -- 46.19.208.0/22 anywhere
............ ( a few line omitted )
rtpengine all -- anywhere anywhere
DROP all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain rtpengine (1 references)
target prot opt source destination
RTPENGINE udp -- anywhere anywhere RTPENGINE id:0
After command "iptables -D INPUT -j DROP", issue is gone right away. I wonder what's the proper way to configure iptables on spce?
thanks,
J.
_______________________________________________
Spce-user mailing list
Spce-user at lists.sipwise.com<mailto:Spce-user at lists.sipwise.com>
https://lists.sipwise.com/listinfo/spce-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20160419/ad493a28/attachment-0001.html>
More information about the Spce-user
mailing list