Lonnie & Gene,

Below is the output you both requested. Since having the problem, I have modified the rules to replace the hostnames with static IP addresses and added my internal LAN to the adaptive ban whitelist. Also, although the Soekris box has multiple interfaces, I am only using the external interface since I am forced to use my current ISP's router, i.e., I no longer have networks connected to the internal interfaces of astlinux.
pbx ~ # iptables -nL | grep ACCEPT
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED tcp dpts:1024:65535
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state RELATED udp dpts:1024:65535
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED tcp dpts:1024:65535
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state RELATED udp dpts:1024:65535
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 20/sec burst 100
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 20/sec burst 100
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0            udp dpts:10000:10100
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0            udp dpt:4569
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0            udp dpt:5060
ACCEPT     udp  --  66.241.96.96         0.0.0.0/0            udp dpts:10000:10100
ACCEPT     udp  --  66.241.96.96         0.0.0.0/0            udp dpt:5060
ACCEPT     udp  --  xxx.xxx.xxx.xxx      0.0.0.0/0            udp dpt:4569
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 20/sec burst 100
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 20/sec burst 100
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 20/sec burst 100
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
pbx ~ #
pbx ~ # arno-iptables-firewall restart
Arno's Iptables Firewall Script v2.0.0a
-------------------------------------------------------------------------------
Stopping (user) plugins...
SIP-VOIP plugin v0.3BETA
SSH Brute-Force Protection plugin v1.1a
Traffic-Shaper plugin v1.2.06-astlinux
Adaptive Ban plugin v1.01 BETA
Adaptive Ban - Stopping...
Stopped.
Checking/probing Iptables modules:
Loaded kernel module ip_tables.
Loaded kernel module nf_conntrack.
Loaded kernel module nf_conntrack_ftp.
Loaded kernel module xt_conntrack.
Loaded kernel module xt_limit.
Loaded kernel module xt_state.
Loaded kernel module xt_multiport.
Loaded kernel module iptable_filter.
Loaded kernel module iptable_mangle.
Loaded kernel module ipt_REJECT.
Loaded kernel module ipt_LOG.
Loaded kernel module xt_TCPMSS.
Loaded kernel module nf_nat_ftp.
Loaded kernel module iptable_nat.
Loaded kernel module ipt_MASQUERADE.
Module check done...
Configuring general kernel parameters:
Setting the max. amount of simultaneous connections to 16384
net.nf_conntrack_max = 16384
net.netfilter.nf_conntrack_acct = 1
Configuring kernel parameters:
Disabling send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth3.send_redirects = 0
net.ipv4.conf.br0.send_redirects = 0
Enabling protection against source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.eth3.accept_source_route = 0
net.ipv4.conf.br0.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
Enabling packet forwarding
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth3.forwarding = 1
net.ipv4.conf.br0.forwarding = 1
Setting some kernel performance options
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_low_latency = 0
Enabling reduction of the DoS'ing ability
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_rfc1337 = 1
net.ipv4.ip_local_port_range = 32768 61000
Enabling anti-spoof with rp_filter
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth3.rp_filter = 1
net.ipv4.conf.br0.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 0
Enabling SYN-flood protection via SYN-cookies
net.ipv4.tcp_syncookies = 1
Disabling the logging of martians
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0
net.ipv4.conf.eth3.log_martians = 0
net.ipv4.conf.br0.log_martians = 0
Disabling the acception of ICMP-redirect messages
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth3.accept_redirects = 0
net.ipv4.conf.br0.accept_redirects = 0
Setting default TTL=64
net.ipv4.ip_default_ttl = 64
Disabling ECN (Explicit Congestion Notification)
net.ipv4.tcp_ecn = 0
Enabling kernel support for dynamic IPs
net.ipv4.ip_dynaddr = 1
Enabling PMTU discovery
net.ipv4.ip_no_pmtu_disc = 0
Flushing route table
net.ipv4.route.flush = 1
Kernel setup done...
Reinitializing firewall chains
Setting all default policies to DROP while "setting up firewall rules"
IPv4 mode selected, no IPv6 available
Using loglevel "info" for syslogd
Setting up firewall rules:
-------------------------------------------------------------------------------
Enabling setting the maximum packet size via MSS
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID TCP packets disabled
Logging of INVALID UDP packets disabled
Logging of INVALID ICMP packets disabled
Logging of fragmented packets enabled
Logging of access from reserved addresses disabled
Setting up antispoof for INTERNAL net(s): 192.168.168.0/24
Setting up antispoof for DMZ net(s): 192.168.169.0/24
Reading custom rules from /etc/arno-iptables-firewall/custom-rules
Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
SIP-VOIP plugin v0.3BETA
Loaded kernel module ip_nat.
Using SIP UDP for 0/0 (INET) to port(s): 5060
Loaded kernel module ip_conntrack_sip.
Loaded kernel module ip_nat_sip.
SSH Brute-Force Protection plugin v1.1a
Loaded kernel module ipt_recent.
Protecting TCP port(s): 22
Traffic-Shaper plugin v1.2.06-astlinux
Loaded kernel module ip_nat.
Shaping as 30000/5000 kb/s using 'htb' for interface: eth0
Adaptive Ban plugin v1.01 BETA
Adaptive Ban - Whitelisting INTERNAL net(s): 192.168.168.0/24
Adaptive Ban - Whitelisting host(s): 192.168.1.0/24
File=/var/log/messages Time=10 Count=6 Types=sshd asterisk
Loaded 4 plugin(s)...
Setting up external(INET) INPUT policy
Logging of ICMP flooding enabled
Enabling support for DHCP-assigned-IP (DHCP client)
Logging of explicitly blocked hosts disabled
Logging of denied local output connections enabled
Allowing 0/0 for TCP port(s): 22
Allowing 0/0 for TCP port(s): 443
Allowing 192.168.1.0/24 for UDP port(s): 10000:10100
Allowing 192.168.1.0/24 for UDP port(s): 4569
Allowing 192.168.1.0/24 for UDP port(s): 5060
Allowing 66.241.96.96 for UDP port(s): 10000:10100
Allowing 66.241.96.96 for UDP port(s): 5060
Allowing xxx.xxx.xxx.xxx for UDP port(s): 4569
Packets will NOT be checked for private source addresses
Allowing ANYHOST to send IPv4 ICMP-requests (ping)
Logging of possible stealth scans enabled
Logging of (other) packets to PRIVILEGED TCP ports enabled
Logging of (other) packets to PRIVILEGED UDP ports enabled
Logging of (other) packets to UNPRIVILEGED TCP ports enabled
Logging of (other) packets to UNPRIVILEGED UDP ports enabled
Logging of IPv4 IGMP packets disabled
Enabling support for NAT local redirect
Logging of dropped ICMP-request(ping) packets disabled
Logging of dropped other ICMP packets enabled
Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets disabled
Setting up external(INET) OUTPUT policy
Applying external(INET) policy to interface: eth0 (EXTERNAL_NET=192.168.1.201/24)
Setting up internal(LAN) INPUT policy
Allowing ICMP-requests(ping)
Allowing all (other) ports/protocols
Applying internal(LAN) policy to interface: br0
Setting up DMZ INPUT policy
Allowing ICMP-requests(ping)
Applying DMZ policy to interface: eth3
Setting up DMZ FORWARD policy
Logging of denied DMZ (forward) output connections enabled
Logging of denied DMZ (forward) input connections enabled
Setting up INET->DMZ policy
Denying all other INET->DMZ packets
Setting up DMZ->INET policy
Allowing ICMP-requests(ping)
Allowing all (other) TCP ports
Allowing all (other) UDP ports
Allowing all (other) protocols
Setting up DMZ->LAN policy
Applying DMZ FORWARD policy to interface: eth3
Setting up internal(LAN) FORWARD policy
Logging of denied LAN->INET FORWARD connections enabled
Setting up LAN->INET policy
Allowing ICMP-requests(ping)
Allowing all (other) TCP ports
Allowing all (other) UDP ports
Allowing all (other) protocols
Applying internal(LAN) FORWARD policy to interface: br0
Enabling masquerading(NAT) via external interface(s): eth0
Adding (internal) host(s): 192.168.168.0/24 192.168.169.0/24
Security is ENFORCED for external interface(s) in the FORWARD chain
Logging of dropped FORWARD packets disabled
Mar 14 23:40:27 All firewall rules applied.
pbx ~ #

-----Original Message-----
From: Tom Mazzotta
Sent: Monday, March 14, 2011 10:26 PM
To: AstLinux Users Mailing List
Subject: Arno firewall problem

I am running astlinux-0.7.7 (Asterisk 1.4.40) on a Soekris box behind my ISP's cable router on my LAN. I am forwarding all SIP & RTP packets from this router to the external interface of astlinux. All of my phones connect to astlinux through the external interface of the Soekris box as well. Using Arno, I setup rules to allow inbound SIP/RTP from my LAN clients and my SIP provider. In the rules for the SIP provider, I used the hostname of their server as opposed to an IP address. While my system was booting, I saw the following messages displayed on the console:

------------------------------
Allowing 0/0 for TCP port(s): 22
Allowing 0/0 for TCP port(s): 443
Allowing 192.168.1.0/24 for UDP port(s): 10000:10100
Allowing 192.168.1.0/24 for UDP port(s): 4569
Allowing 192.168.1.0/24 for UDP port(s): 5060
Allowing inbound23.vitelity.net for UDP port(s): 10000:10100
/usr/sbin/iptables -A EXT_INPUT_CHAIN -i + -s inbound23.vitelity.net -d 0/0 -p udp --dport 10000:10100 -j ACCEPT
ERROR (2): iptables v1.4.9: host/network `inbound23.vitelity.net' not found
Try `iptables -h' or 'iptables --help' for more information.
Allowing inbound23.vitelity.net for UDP port(s): 5060
/usr/sbin/iptables -A EXT_INPUT_CHAIN -i + -s inbound23.vitelity.net -d 0/0 -p udp --dport 5060 -j ACCEPT
ERROR (2): iptables v1.4.9: host/network `inbound23.vitelity.net' not found
Try `iptables -h' or 'iptables --help' for more information.
[cut]
Mar 14 19:57:22 WARNING: Not all firewall rules are applied.
------------------------------

There seems to be a problem using hostnames in the rules. Since then I have substituted the IP addresses in my rules to resolve the errors (although I would really prefer to use hostnames). However, it looks like Arno permitted SIP connections from ANY host, because the adaptive ban plugin logged the following messages to /var/log:

pbx log # cat messages
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"604"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"605"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"606"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"607"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"608"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"609"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"610"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"611"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"612"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"613"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"614"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"615"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
...

Apparently, my box was under attack by a system at 173.192.216.91. So if hostnames are not supported in the Arno rules and those rules failed to execute, I would have thought that all SIP connections outside of my LAN would have been blocked; however, it seems that wasn't the case. Is this the expected behavior of the system or have I misconfigured something?

-tm

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
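Editor's note on the listing in the reply: alongside the per-source accepts for 192.168.1.0/24 and 66.241.96.96 it contains an unrestricted `ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060`, and the restart output shows the SIP-VOIP plugin "Using SIP UDP for 0/0 (INET) to port(s): 5060". A narrower per-source rule does not close a port that a wider rule in the same chain already opens, so the question of what reaches Asterisk from outside the LAN is best answered by checking the listing mechanically for ports accepted from any source. The following is an added example, the editor's own code and not from the post, AstLinux or arno-iptables-firewall: it parses an `iptables -nL` listing and reports which ACCEPT rules admit a given protocol/port from anywhere, and which sources have their own narrower accepts. The embedded listing is a trimmed copy of the reply's output, headed by the column line iptables prints above each chain.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Trimmed copy of the `iptables -nL | grep ACCEPT` listing from the reply, headed by
# the column line iptables prints above each chain.
SAMPLE_LISTING = """\
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state RELATED udp dpts:1024:65535
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 20/sec burst 100
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0            udp dpts:10000:10100
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0            udp dpt:4569
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0            udp dpt:5060
ACCEPT     udp  --  66.241.96.96         0.0.0.0/0            udp dpts:10000:10100
ACCEPT     udp  --  66.241.96.96         0.0.0.0/0            udp dpt:5060
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0
"""

ANY = "0.0.0.0/0"
PORT_RE = re.compile(r"\bdpts?:(\d+)(?::(\d+))?")
STATE_RE = re.compile(r"\b(?:state|ctstate)\b")


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str
    source: str
    dest: str
    extra: str  # match options printed after the destination column ("" if none)

    def dport_range(self) -> Optional[Tuple[int, int]]:
        """Destination ports this rule matches, or None when it matches every port."""
        m = PORT_RE.search(self.extra)
        if not m:
            return None
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        return lo, hi

    def stateful_only(self) -> bool:
        """ESTABLISHED/RELATED/ctstate rules admit replies or already-NATed flows, not new sessions."""
        return STATE_RE.search(self.extra) is not None

    def matches(self, proto: str, port: int) -> bool:
        if self.proto not in (proto, "all"):
            return False
        rng = self.dport_range()
        return rng is None or rng[0] <= port <= rng[1]


def parse_listing(text: str) -> List[Rule]:
    """Parse rule lines of an `iptables -nL` listing; chain and column headers are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        # rule lines carry "--" in the opt column; "Chain ..." and "target prot ..." lines do not
        if len(parts) < 5 or parts[2] != "--":
            continue
        extra = parts[5].strip() if len(parts) == 6 else ""
        rules.append(Rule(parts[0], parts[1], parts[3], parts[4], extra))
    return rules


def world_open(rules: List[Rule], proto: str, port: int) -> Tuple[List[Rule], List[Rule]]:
    """ACCEPT rules admitting new proto/port traffic from any source, as (explicit, unqualified).
    Explicit rules name the port. Unqualified rules show no port match at all; in a -nL
    listing that is usually an interface-bound rule (e.g. -i lo) whose interface the
    listing does not print, so confirm those with -nvL instead of guessing."""
    explicit, unqualified = [], []
    for r in rules:
        if r.target != "ACCEPT" or r.source != ANY or r.stateful_only():
            continue
        if not r.matches(proto, port):
            continue
        (unqualified if r.dport_range() is None else explicit).append(r)
    return explicit, unqualified


def restricted_sources(rules: List[Rule], proto: str, port: int) -> List[str]:
    """Sources with their own per-source ACCEPT naming proto/port. They only limit access
    if no wider rule for the same port sits earlier in the same chain."""
    return sorted({r.source for r in rules
                   if r.target == "ACCEPT" and r.source != ANY
                   and not r.stateful_only() and r.dport_range() is not None
                   and r.matches(proto, port)})


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    for proto, port in (("udp", 5060), ("udp", 4569), ("udp", 10000), ("tcp", 22)):
        explicit, unqualified = world_open(rules, proto, port)
        print(f"{proto}/{port}: open to any source by {len(explicit)} explicit rule(s) "
              f"({', '.join(r.extra for r in explicit) or 'none'}), {len(unqualified)} unqualified; "
              f"per-source allows: {', '.join(restricted_sources(rules, proto, port)) or 'none'}")
```

Two caveats when reading output like the reply's: `iptables -nL` omits the input interface, so a bare `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0` may well be an `-i lo` or `-i br0` rule, and piping through `grep ACCEPT` also drops the `Chain` headers, so rule order within a chain is lost. Audit from `iptables -nvL --line-numbers`, chain by chain, before concluding that a port is open to the world.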
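Editor's note on the Adaptive Ban plugin: the restart output shows its parameters (File=/var/log/messages Time=10 Count=6 Types=sshd asterisk) and the whitelist now covering 192.168.168.0/24 and 192.168.1.0/24. The following is an added example, the editor's own code rather than the plugin's, showing the sliding-window logic such a ban works by: it counts failures per source address over the post's own Asterisk lines plus constructed lines, bans an address after Count failures within Time minutes unless it is whitelisted, and emits a generic iptables drop rule. The Asterisk pattern generalises the post's "No matching peer found" line to any registration-failure reason; the sshd pattern is the standard "Failed password" line; the addresses 192.168.1.77 and 203.0.113.9, the "Wrong password" lines and the sshd lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Plugin parameters and whitelist as printed in the restart output:
#   File=/var/log/messages Time=10 Count=6 Types=sshd asterisk
WINDOW_MINUTES = 10
COUNT = 6
WHITELIST = [ipaddress.ip_network(n) for n in ("192.168.168.0/24", "192.168.1.0/24")]

# "Mar  8 06:58:47 pbx local0.notice asterisk[2957]: <msg>" -> ts, prog, msg
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+\S+\s+\S+\s+(?P<prog>\w+)\[\d+\]:\s*(?P<msg>.*)$")

# Per-program patterns capturing the failing client's address.
FAIL_PATTERNS = {
    # generalises the post's "No matching peer found" line to any registration-failure reason
    "asterisk": re.compile(r"Registration from '.*' failed for '(?P<ip>\d+(?:\.\d+){3})(?::\d+)?' - .+$"),
    # standard sshd failure line
    "sshd": re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+(?:\.\d+){3}) port \d+"),
}

_AST = ("Mar  8 {t} pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in "
        "handle_request_register: Registration from '\"{ext}\"<sip:{uri}>' failed for '{ip}' - {why}")
_SSH = "Mar  8 {t} pbx auth.info sshd[3120]: Failed password for invalid user admin from {ip} port {port} ssh2"

SAMPLE_LOG = "\n".join(
    # the post's burst from 173.192.216.91: extensions 604-609, all in the same second
    [_AST.format(t="06:58:47", ext=e, uri="6...@192.168.1.xxx", ip="173.192.216.91",
                 why="No matching peer found") for e in range(604, 610)]
    # constructed: a LAN phone with a bad secret, six failures but inside the whitelist
    + [_AST.format(t=f"07:05:{s:02d}", ext=620, uri="620@192.168.1.201", ip="192.168.1.77",
                   why="Wrong password") for s in range(0, 60, 10)]
    # constructed: sshd guesses from 203.0.113.9, five within 15 s and a sixth 11 minutes later
    + [_SSH.format(t=t, ip="203.0.113.9", port=51800 + i)
       for i, t in enumerate(("07:02:10", "07:02:12", "07:02:15", "07:02:19", "07:02:24", "07:13:00"))]
)


@dataclass
class Ban:
    ip: str
    at: datetime   # event that crossed the threshold (syslog has no year; strptime fills 1900)
    hits: int      # failures inside the window at that moment


@dataclass
class ScanResult:
    bans: List[Ban] = field(default_factory=list)
    whitelisted: Set[str] = field(default_factory=set)                       # offenders the whitelist spared
    counts: Dict[str, int] = field(default_factory=lambda: defaultdict(int))  # all failures per address


def parse_ts(text: str) -> datetime:
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def is_whitelisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def scan(log_text: str, window_minutes: int = WINDOW_MINUTES, count: int = COUNT) -> ScanResult:
    """Sliding window per source: `count` failures within `window_minutes` bans the address
    once, unless whitelisted. Failures older than the window fall out, so a guesser that
    stays under the rate is not banned."""
    window = timedelta(minutes=window_minutes)
    result = ScanResult()
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Set[str] = set()
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] not in FAIL_PATTERNS:
            continue
        f = FAIL_PATTERNS[m["prog"]].search(m["msg"])
        if not f:
            continue
        ip, ts = f["ip"], parse_ts(m["ts"])
        result.counts[ip] += 1
        if is_whitelisted(ip):
            result.whitelisted.add(ip)
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # q is never empty here: ts itself was just appended
            q.popleft()
        if len(q) >= count and ip not in banned:
            banned.add(ip)
            result.bans.append(Ban(ip, ts, len(q)))
    return result


def ban_command(ip: str) -> str:
    """Plain iptables drop for a banned address. arno's plugin manages its own chain;
    a direct INPUT insert is used here so the example stands alone."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for ban in result.bans:
        print(f"{ban.at.strftime('%b %d %H:%M:%S')} ban {ban.ip} after {ban.hits} failures: {ban_command(ban.ip)}")
    print("whitelisted offenders:", sorted(result.whitelisted))
```

Note what the whitelist does to the post's setup: with 192.168.1.0/24 whitelisted and every phone arriving through eth0 on that network, a compromised or misconfigured LAN device can fail registration indefinitely without being banned; the whitelist trades that for not locking out the phones. A ban also only helps after Count failures have already reached Asterisk, so it complements rather than replaces a source restriction on UDP 5060.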
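Editor's note on the hostname error in the original message: iptables resolves a name only once, when the rule is inserted, and the console output shows the script reporting the failure and continuing ("Not all firewall rules are applied"), which is a fail-open outcome for that peer's rules. A common reason for such a failure early in boot is that DNS is not reachable yet, though the post does not say. The following is an added example (the editor's code, not arno's) that resolves names itself before building the rule lines, expands a name with several A records into one rule per address, and reports unresolved names instead of skipping them, so a rule load can be aborted or retried. The rule table reuses the post's sources, ports and chain name; `dns_resolver` is a live lookup, and the injectable resolver lets the same function run offline against a stand-in mapping.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple

# Inbound allow rules in the form the original message used: (source host or network,
# protocol, port or port range). The name is the one that failed at boot in the post;
# the network and ports are the ones listed there.
INBOUND_RULES = [
    ("192.168.1.0/24", "udp", "5060"),
    ("192.168.1.0/24", "udp", "10000:10100"),
    ("inbound23.vitelity.net", "udp", "5060"),
    ("inbound23.vitelity.net", "udp", "10000:10100"),
]

Resolver = Callable[[str], List[str]]


def dns_resolver(name: str) -> List[str]:
    """Live lookup returning every IPv4 address behind a name (a provider's SIP hostname
    may have several); empty list when resolution fails."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_DGRAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_address(src: str) -> bool:
    """True for an IP literal or CIDR network, which needs no resolution."""
    try:
        ipaddress.ip_network(src, strict=False)
        return True
    except ValueError:
        return False


def build_rules(rules, resolver: Resolver, chain: str = "EXT_INPUT_CHAIN") -> Tuple[List[str], List[str]]:
    """Return (iptables command lines, unresolved names). A name that does not resolve
    yields no ACCEPT and is reported, so the caller can abort or retry the load instead
    of ending up with a partially applied rule set. The command mirrors the post's."""
    commands, unresolved = [], []
    for src, proto, ports in rules:
        addrs = [src] if is_address(src) else resolver(src)
        if not addrs:
            if src not in unresolved:
                unresolved.append(src)
            continue
        for addr in addrs:
            commands.append(
                f"/usr/sbin/iptables -A {chain} -i + -s {addr} -d 0/0 -p {proto} --dport {ports} -j ACCEPT")
    return commands, unresolved


if __name__ == "__main__":
    commands, unresolved = build_rules(INBOUND_RULES, dns_resolver)
    for cmd in commands:
        print(cmd)
    if unresolved:
        # fail closed: report rather than apply a rule set that is missing a peer
        raise SystemExit(f"unresolved: {', '.join(unresolved)}; not applying rules")
```

A name-based rule only ever holds the addresses current at insertion time, so if the provider renumbers, the rule silently stops matching; re-running the resolution on a timer and reloading when the address set changes is the price of using hostnames, and static addresses, as the reply settled on, avoid both that and the boot-time resolution failure.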