steve wrote:
Looks like your nmap only scanned for TCP connections. Try the -u switch.
netstat shows that udp 5060 is accepting connections.
Your iptables ruleset gives me a headache to look at and is quite
redundant. Wouldn't it be better to just disallow all packets at the
beginning and then open the ports that you want? I noticed you started
to do this and then repeated it again later in the ruleset, i.e.
/sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP
/sbin/iptables -A INPUT -p udp --dport 137 -j DROP
/sbin/iptables -A INPUT -p udp --dport 138 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 445 -j DROP
/sbin/iptables -A INPUT -p udp --dport 1194 -j DROP
Also, it would be much easier to allow your localhost to have access
regardless at the beginning of the ruleset, thus avoiding having to add
these rules:
/sbin/iptables -A INPUT -p tcp --dport 5432 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP
or
/sbin/iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP
or
/sbin/iptables -A INPUT -p tcp --dport 106 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 106 -j DROP
I'll have to give you an "A" for effort though. In the world of
netfilter less is more and, to be honest, it probably took me close to
six months before I was able to really understand what was happening.
Obviously you are one of those hardheads like I am and prefer the
'do-it-yourself' method. I've never been fond of GUI-based firewall
programs, so may I recommend that you give the firewall script generator
called 'quicktables' a try. It's available at http://qtables.radom.org/
I've been using it for years and it should do just what you need.
Regards,
Steve Cayona
p.s. Why are you wanting to mangle packets?
The best iptables rulesets go like this:
1) Accept traffic on your "trusted" interfaces (one could argue there is
no such thing)
2) Accept traffic that matches an existing state
3) Accept traffic per your requirements
4) Deny EVERYTHING
The astfw script is a good example:
http://www.krisk.org/files/astlinux-i586/usr/sbin/astfw
--
Kristian Kielhofner
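As an added example (not from either poster, and not the astfw script), here is a small POSIX shell script that lays out an INPUT chain in the four-step order Kristian describes, and also shows Steve's point that one early loopback ACCEPT replaces the per-port 127.0.0.1 rules for 5432, 3306 and 106. The interface name eth0, the SIP/RTP/SSH ports and the RTP range are assumptions for an Asterisk box, not values from the thread. The script prints the rules instead of running them so the ordering can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: an INPUT ruleset in the order
#   1) trusted interface  2) existing state  3) requirements  4) deny everything
# Assumptions (not from the thread): eth0 faces the untrusted network, the host
# runs Asterisk (SIP udp/5060, RTP udp/10000-20000) and sshd on tcp/22.

IPT=/sbin/iptables   # same path the thread uses

# build_rules prints the commands instead of executing them, so the order can
# be reviewed; pipe the output to sh (as root) to apply it.
build_rules() {
    ipt="$1"
    cat <<EOF
# start from a clean chain whose default policy is DROP
$ipt -F INPUT
$ipt -P INPUT DROP
# 1) trusted interface: loopback. One rule here makes the per-port
#    "-s 127.0.0.1 ACCEPT" lines for 5432, 3306 and 106 unnecessary.
$ipt -A INPUT -i lo -j ACCEPT
# 2) traffic that matches an existing state (replies to our own connections)
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -m state --state INVALID -j DROP
# 3) traffic per requirements, only NEW connections from the outside interface
$ipt -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
$ipt -A INPUT -i eth0 -p udp --dport 5060 -j ACCEPT
$ipt -A INPUT -i eth0 -p udp --dport 10000:20000 -j ACCEPT
# 4) deny EVERYTHING else; log a trickle of it so misconfigurations show up
$ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
$ipt -A INPUT -j DROP
EOF
}

# rule_lines strips the comments, leaving only the commands that would run
rule_lines() {
    build_rules "$1" | grep -v '^#'
}

# first_rule / last_rule return the first and last command, for a quick check
# that loopback is accepted before anything else and the chain ends in DROP
first_rule() {
    rule_lines "$1" | sed -n '3p'      # line 3: after the flush and policy
}
last_rule() {
    rule_lines "$1" | tail -n 1
}

# Usage: review, then apply with  build_rules "$IPT" | sh
build_rules "$IPT"
```

Because the default policy is already DROP, the final explicit DROP only exists to sit behind the LOG rule; without the logging line it could be left out, which is the "less is more" Steve mentions.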