Re: [asterisk-users] iptables for Asterisk - Any good guides out there?
On Sat, May 14, 2011 at 05:40:52PM -0700, Steve Edwards wrote:
> On Sun, 15 May 2011, Hans Witvliet wrote:
>
>> It's a bit more complicated
>>
>> after the last rules, it is handy to put:
>> $IPT -A INPUT -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; INC "
>> $IPT -A OUTPUT -o $EXTERNAL_DEV -j LOG --log-prefix " EXT; OUT "
>> $IPT -A FORWARD -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; FWD "
>> So you can see in the syslog what you are missing ;-)
>
> Adding a couple of lines to root's crontab like:
>
> # Min hour DOM month DOW command
> # --
> # */5 * * * * /etc/init.d/iptables stop
>
> make it easy to enable an 'iptables failsafe' (by un-commenting the last
> line) while you're fiddling about.

Alternatively:

echo /etc/init.d/iptables stop | at now + 5 minutes

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir

--
Bandwidth and Colocation Provided by http://www.api-digital.com
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
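Steve's crontab line and Tzafrir's `at` one-liner both get you back in by stopping the firewall, which leaves the PBX with no filtering at all until someone notices. Below is an added example with the same safety net but a different fallback: it reverts to the ruleset that was live before the change. This is the editor's code, not anything posted in the thread. fw_try snapshots the current rules with iptables-save, loads the new ones with iptables-restore and starts a timer; fw_confirm, run from a fresh ssh session once you know you can still get in, cancels the revert. Assumed, because the thread does not say: the new rules are in iptables-save format, the script runs as root, and STATE_DIR is writable. FAILSAFE_SECS, STATE_DIR, fw_save and fw_restore are this example's own names.

```shell
#!/bin/sh
# Added example, not from the thread: a timed revert for firewall changes.
# fw_try NEWRULES loads NEWRULES and arms a timer; unless fw_confirm runs
# before it fires, the previously live ruleset is put back.
#
# Assumptions (not from the thread): root, iptables-save/iptables-restore
# available, STATE_DIR writable. The names below are the example's own.
FAILSAFE_SECS="${FAILSAFE_SECS:-300}"           # same five minutes as the crontab trick
STATE_DIR="${STATE_DIR:-/var/run/fw-failsafe}"

# Thin wrappers so the mechanism can be exercised without touching a live kernel.
fw_save()    { iptables-save; }
fw_restore() { iptables-restore; }

# Snapshot the live rules, load the new file, and start the revert timer.
fw_try() {
    mkdir -p "$STATE_DIR" || return 1
    rm -f "$STATE_DIR/confirmed"
    fw_save > "$STATE_DIR/previous.rules" || return 1
    # iptables-restore replaces the table atomically: either all of NEWRULES
    # is in place or none of it, so a syntax error leaves the old rules live.
    fw_restore < "$1" || return 1
    (
        sleep "$FAILSAFE_SECS"
        # The marker file, not the kill in fw_confirm, decides whether to
        # revert. If the kill misses (timer fires as you confirm) the worst
        # case is that the old rules come back, never a half-applied set.
        [ -e "$STATE_DIR/confirmed" ] || fw_restore < "$STATE_DIR/previous.rules"
    ) &
    echo $! > "$STATE_DIR/timer.pid"
}

# You still have a shell, so keep the new rules and disarm the timer.
fw_confirm() {
    [ -f "$STATE_DIR/timer.pid" ] || return 1
    : > "$STATE_DIR/confirmed"
    kill "$(cat "$STATE_DIR/timer.pid")" 2>/dev/null || true
    rm -f "$STATE_DIR/timer.pid"
}

# Usage, as root:
#   fw_try /etc/sysconfig/iptables.new
#   (open a new ssh session; if it works:)
#   fw_confirm
```

If the new rules drop your session, do nothing: after FAILSAFE_SECS the old rules are back and you can log in and read the log rules to see what you forgot. Run fw_confirm from a new session rather than the one you applied the rules from, since an existing connection may survive rules that would refuse a new one.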
Re: [asterisk-users] iptables for Asterisk - Any good guides out there?
On 17/05/11 1:36 PM, Steve Edwards wrote:
>> On 15/05/11 12:40 PM, Steve Edwards wrote:
>>> Adding a couple of lines to root's crontab like:
>>>
>>> # Min hour DOM month DOW command
>>> # --
>>> # */5 * * * * /etc/init.d/iptables stop
>>>
>>> make it easy to enable an 'iptables failsafe' (by un-commenting the last
>>> line) while you're fiddling about.
>
> On Tue, 17 May 2011, Matt Riddell wrote:
>> What a great idea! I've never thought of doing that!
>
> I wish I could take credit for it :)
>
> I had a similar 'gee, how obvious' epiphany after having locked myself out
> of way too many hosts.

Yeah exactly - hence my excitement at the idea :-)

--
Cheers,

Matt Riddell
___
http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/exchange.php (Full ITSP Solution)
http://www.venturevoip.com/cc.php (Call Centre Solutions)
Re: [asterisk-users] iptables for Asterisk - Any good guides out there?
> On 15/05/11 12:40 PM, Steve Edwards wrote:
>> Adding a couple of lines to root's crontab like:
>>
>> # Min hour DOM month DOW command
>> # --
>> # */5 * * * * /etc/init.d/iptables stop
>>
>> make it easy to enable an 'iptables failsafe' (by un-commenting the last
>> line) while you're fiddling about.

On Tue, 17 May 2011, Matt Riddell wrote:

> What a great idea! I've never thought of doing that!

I wish I could take credit for it :)

I had a similar 'gee, how obvious' epiphany after having locked myself out
of way too many hosts.

--
Thanks in advance,
-
Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
Re: [asterisk-users] iptables for Asterisk - Any good guides out there?
On 15/05/11 12:40 PM, Steve Edwards wrote:
> Adding a couple of lines to root's crontab like:
>
> # Min hour DOM month DOW command
> # --
> # */5 * * * * /etc/init.d/iptables stop
>
> make it easy to enable an 'iptables failsafe' (by un-commenting the last
> line) while you're fiddling about.

What a great idea! I've never thought of doing that!

--
Cheers,

Matt Riddell
___
http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/exchange.php (Full ITSP Solution)
http://www.venturevoip.com/cc.php (Call Centre Solutions)
Re: [asterisk-users] iptables for Asterisk - Any good guides out there?
On Sat, May 14, 2011 at 7:51 PM, Bruce B wrote:
> Hi everyone,
>
> I want to issue the command:
>
> iptables -F
>
> and then rebuild everything from the beginning with a very limited scope
> and then without locking myself block all other traffic. Can you suggest
> what I should put in the shell that would get me this:
>
> Allow traffic from subnet 172.16.0.0/24 (my VPN tunnels) - All
> traffic including those of Asterisk and HTTP - I trust this network
> Allow traffic from subnet 192.168.1.0/24 (other side of VPN network) -
> All traffic including those of Asterisk and HTTP - I trust this network
> Allow traffic from single IP of DID provider - 5060 TCP/UDP and
> 1-10200 UDP
> Allow VPN access on port 1194 UDP --- I have that figured out to be
> (*iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT*) works for this.
>
> *BLOCK all other traffic <- Important most of all*
>
> Please note that from the subnets I want to allow every single port
> possible and all traffic. I especially have problems with getting a whole
> subnet be able to access everything.
>
> Thanks

This question is probably better for a security or general Linux forum as it
has very little to do with Asterisk.

You have the port numbers correct. You could try "man iptables"

This link should also answer all of your questions, I like the second link
with fail2ban.

Please be sure to be a good community member and come back to post your
results when you are done!

Thanks,
Steve Totaro
Re: [asterisk-users] iptables for Asterisk - Any good guides out there?
Thanks Jeremy. But unfortunately no time to go over all this in detail.
Maybe in future. Also, because, as I repeatedly said, I have OpenVPN set up
and so trust the VPN network, there is no need for all this complication.
Simply allowing all traffic out and only allowing VPN traffic in from tun0
would do for me.

Thanks

On Sat, May 14, 2011 at 9:46 PM, Jeremy Kister wrote:
> On 5/14/2011 9:45 PM, Jeremy Kister wrote:
>> http://jeremy.kister.net/code/asterisk/iptables.init
>
> oops, that's:
> http://jeremy.kister.net/code/iptables/iptables.init
>
> --
> Jeremy Kister
> http://jeremy.kister.net./
Re: [asterisk-users] iptables for Asterisk - Any good guides out there?
Shorewall is a useful way of setting up iptables
http://www.shorewall.net/

Cheers
Duncan

On 15/05/2011, at 1:46 PM, Jeremy Kister wrote:
> On 5/14/2011 9:45 PM, Jeremy Kister wrote:
>> http://jeremy.kister.net/code/asterisk/iptables.init
>
> oops, that's:
> http://jeremy.kister.net/code/iptables/iptables.init
>
> --
> Jeremy Kister
> http://jeremy.kister.net./
Re: [asterisk-users] iptables for Asterisk - Any good guides out there?
On 5/14/2011 9:45 PM, Jeremy Kister wrote:
> http://jeremy.kister.net/code/asterisk/iptables.init

oops, that's:
http://jeremy.kister.net/code/iptables/iptables.init

--
Jeremy Kister
http://jeremy.kister.net./
Re: [asterisk-users] iptables for Asterisk - Any good guides out there?
On 5/14/2011 7:51 PM, Bruce B wrote:
> and then rebuild everything from the beginning with a very limited scope
> and then without locking myself block all other traffic. Can you suggest
> what I should put in the shell that would get me this:

you may want to start with:
http://jeremy.kister.net/code/asterisk/iptables.init

modify RTPRANGE and the trusted array at the top, add in your DID providers
to the siprtp array at the top, that should get you near there.

--
Jeremy Kister
http://jeremy.kister.net./
Re: [asterisk-users] iptables for Asterisk - Any good guides out there?
Thanks Hans. So basically run the following commands:

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
service iptables save
iptables -F

Is that all right so far? I am not sure on these:

iptables -A INPUT -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; INC "
iptables -A OUTPUT -o $EXTERNAL_DEV -j LOG --log-prefix " EXT; OUT "
iptables -A FORWARD -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; FWD "

And yes, of course I will need DHCP and all other necessary services to run
the server. I am wondering why iptables is so complex. Is there a standard
template that I can use to replace /etc/sysconfig/iptables with it and let it
accept all traffic from one subnet on my tun0 which is my VPN and block all
other traffic?

Thanks again

On Sat, May 14, 2011 at 8:14 PM, Hans Witvliet wrote:
> On Sat, 2011-05-14 at 19:51 -0400, Bruce B wrote:
>> Hi everyone,
>>
>> I want to issue the command:
>>
>> iptables -F
>>
>> and then rebuild everything from the beginning with a very limited
>> scope and then without locking myself block all other traffic. Can you
>> suggest what I should put in the shell that would get me this:
>>
>> Allow traffic from subnet 172.16.0.0/24 (my VPN tunnels) - All
>> traffic including those of Asterisk and HTTP - I trust this network
>> Allow traffic from subnet 192.168.1.0/24 (other side of VPN
>> network) - All traffic including those of Asterisk and HTTP - I trust
>> this network
>> Allow traffic from single IP of DID provider - 5060 TCP/UDP and
>> 1-10200 UDP
>> Allow VPN access on port 1194 UDP --- I have that figured out to be
>> (iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT) works for
>> this.
>>
>> BLOCK all other traffic <- Important most of all
>>
>> Please note that from the subnets I want to allow every single port
>> possible and all traffic. I especially have problems with getting a
>> whole subnet be able to access everything.
>>
>> Thanks
>
> It's a bit more complicated
>
> Firstly you have to set the default rules FIRST
> $IPT -P INPUT DROP
> $IPT -P OUTPUT ACCEPT
> $IPT -P FORWARD ACCEPT
> And then do the flushing, not the other way round
> After that you can add rules to accept traffic
>
> after the last rules, it is handy to put:
> $IPT -A INPUT -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; INC "
> $IPT -A OUTPUT -o $EXTERNAL_DEV -j LOG --log-prefix " EXT; OUT "
> $IPT -A FORWARD -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; FWD "
> So you can see in the syslog what you are missing ;-)
>
> I'll guess you would also like to accept ntp, dhcp, domain-dns from
> your isp-provider.
>
> Perhaps also http, https, pop, pops, imap, imaps.
> And probably some more, depending on your need
> So you'll see them soon enough in your logfiles
>
> hw
Re: [asterisk-users] iptables for Asterisk - Any good guides out there?
On Sun, 15 May 2011, Hans Witvliet wrote:

> It's a bit more complicated
>
> after the last rules, it is handy to put:
> $IPT -A INPUT -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; INC "
> $IPT -A OUTPUT -o $EXTERNAL_DEV -j LOG --log-prefix " EXT; OUT "
> $IPT -A FORWARD -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; FWD "
> So you can see in the syslog what you are missing ;-)

Adding a couple of lines to root's crontab like:

# Min hour DOM month DOW command
# --
# */5 * * * * /etc/init.d/iptables stop

make it easy to enable an 'iptables failsafe' (by un-commenting the last
line) while you're fiddling about.

--
Thanks in advance,
-
Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
Re: [asterisk-users] iptables for Asterisk - Any good guides out there?
On Sat, 2011-05-14 at 19:51 -0400, Bruce B wrote:
> Hi everyone,
>
> I want to issue the command:
>
> iptables -F
>
> and then rebuild everything from the beginning with a very limited
> scope and then without locking myself block all other traffic. Can you
> suggest what I should put in the shell that would get me this:
>
> Allow traffic from subnet 172.16.0.0/24 (my VPN tunnels) - All
> traffic including those of Asterisk and HTTP - I trust this network
> Allow traffic from subnet 192.168.1.0/24 (other side of VPN
> network) - All traffic including those of Asterisk and HTTP - I trust
> this network
> Allow traffic from single IP of DID provider - 5060 TCP/UDP and
> 1-10200 UDP
> Allow VPN access on port 1194 UDP --- I have that figured out to be
> (iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT) works for
> this.
>
> BLOCK all other traffic <- Important most of all
>
> Please note that from the subnets I want to allow every single port
> possible and all traffic. I especially have problems with getting a
> whole subnet be able to access everything.
>
> Thanks

It's a bit more complicated

Firstly you have to set the default rules FIRST
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
And then do the flushing, not the other way round
After that you can add rules to accept traffic

after the last rules, it is handy to put:
$IPT -A INPUT -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; INC "
$IPT -A OUTPUT -o $EXTERNAL_DEV -j LOG --log-prefix " EXT; OUT "
$IPT -A FORWARD -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; FWD "
So you can see in the syslog what you are missing ;-)

I'll guess you would also like to accept ntp, dhcp, domain-dns from
your isp-provider.

Perhaps also http, https, pop, pops, imap, imaps.
And probably some more, depending on your need
So you'll see them soon enough in your logfiles

hw
[asterisk-users] iptables for Asterisk - Any good guides out there?
Hi everyone,

I want to issue the command:

iptables -F

and then rebuild everything from the beginning with a very limited scope and
then without locking myself block all other traffic. Can you suggest what I
should put in the shell that would get me this:

Allow traffic from subnet 172.16.0.0/24 (my VPN tunnels) - All traffic
including those of Asterisk and HTTP - I trust this network
Allow traffic from subnet 192.168.1.0/24 (other side of VPN network) - All
traffic including those of Asterisk and HTTP - I trust this network
Allow traffic from single IP of DID provider - 5060 TCP/UDP and 1-10200 UDP
Allow VPN access on port 1194 UDP --- I have that figured out to be
(*iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT*) works for this.

*BLOCK all other traffic <- Important most of all*

Please note that from the subnets I want to allow every single port possible
and all traffic. I especially have problems with getting a whole subnet be
able to access everything.

Thanks
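The requirement list in the original post, the ordering Hans gives in his reply (policies first, then flush, then accept rules, then the log rules last), and the /etc/sysconfig/iptables template Bruce asked Hans for, pulled together as one added example. This is the editor's code, not anything posted in the thread or taken from Jeremy's script. It emits the ruleset in iptables-save format, which is what /etc/sysconfig/iptables holds, so it can be loaded with iptables-restore; that replaces the whole filter table in one step, so there is no moment where the box is either wide open or has a DROP policy with no rules behind it, which is exactly how one gets locked out of an ssh session while "rebuilding from the beginning". Assumed, because the thread does not say: eth0 is the Internet-facing interface, tun0 is the OpenVPN interface, 203.0.113.10 (a documentation address) stands in for the DID provider, and RTP_RANGE defaults to Asterisk's stock rtp.conf range of 10000-20000. Set RTP_RANGE to whatever your rtp.conf says; the original post's 1-10200 would be `1:10200`. The two trusted subnets and the OpenVPN port come from the post itself.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): a complete ruleset for
# an Asterisk host reachable only over OpenVPN plus one DID provider, written
# in the iptables-save format that /etc/sysconfig/iptables uses.
#
# Assumed values; override them in the environment. Only the two trusted
# subnets and the OpenVPN port come from the thread.
EXT_IF="${EXT_IF:-eth0}"                       # Internet-facing interface
VPN_IF="${VPN_IF:-tun0}"                       # OpenVPN tunnel interface
TRUSTED_NETS="${TRUSTED_NETS:-172.16.0.0/24 192.168.1.0/24}"
DID_PROVIDER="${DID_PROVIDER:-203.0.113.10}"   # documentation address; use the real one
RTP_RANGE="${RTP_RANGE:-10000:20000}"          # must match rtpstart/rtpend in rtp.conf
FORWARD_POLICY="${FORWARD_POLICY:-ACCEPT}"     # Hans's choice; DROP if this host never routes

gen_rules() {
    # Policies first, as Hans says. Loaded through iptables-restore the whole
    # table is swapped at once, so there is no window with an empty open chain.
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ":FORWARD $FORWARD_POLICY [0:0]"
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback, and replies to traffic this host started (DNS, NTP, outbound
    # SIP registration). This is also the rule that keeps the ssh session you
    # apply the rules from alive under a DROP policy.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # OpenVPN itself has to be reachable from the Internet.
    printf '%s\n' "-A INPUT -i $EXT_IF -p udp --dport 1194 -j ACCEPT"
    # Trusted subnets get every port, but only when they arrive through the
    # tunnel. A packet claiming a 172.16.0.0/24 source on eth0 is spoofed and
    # falls through to the log rule and the DROP policy.
    for net in $TRUSTED_NETS; do
        printf '%s\n' "-A INPUT -i $VPN_IF -s $net -j ACCEPT"
    done
    # The DID provider: SIP signalling over UDP and TCP, RTP media over UDP.
    printf '%s\n' "-A INPUT -i $EXT_IF -s $DID_PROVIDER -p udp --dport 5060 -j ACCEPT"
    printf '%s\n' "-A INPUT -i $EXT_IF -s $DID_PROVIDER -p tcp --dport 5060 -j ACCEPT"
    printf '%s\n' "-A INPUT -i $EXT_IF -s $DID_PROVIDER -p udp --dport $RTP_RANGE -j ACCEPT"
    # Hans's catch-all log rules go last so they only see what nothing above
    # accepted. Rate-limited so a SIP scanner cannot fill /var/log.
    printf '%s\n' "-A INPUT -i $EXT_IF -m limit --limit 5/min -j LOG --log-prefix \"EXT; INC \""
    printf '%s\n' "-A FORWARD -i $EXT_IF -m limit --limit 5/min -j LOG --log-prefix \"EXT; FWD \""
    printf '%s\n' 'COMMIT'
}

# Usage, as root:
#   gen_rules > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
```

The log lines then show up in syslog prefixed with "EXT; INC ", and anything you forgot (NTP from the ISP, a second SIP trunk) appears there as a dropped packet with its source and destination port, which is the "see what you are missing" loop Hans describes. There is no OUTPUT log rule because the OUTPUT policy is ACCEPT, so nothing outbound is ever missing.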