Solved

iptables syntax usage

Posted on 2011-03-14
13
865 Views
Last Modified: 2013-11-16
I did have a question on this but it didn't end up getting answered :-(

I'm attempting to secure an Asterisk VoIP box on our LAN. I would like to have it sitting on a DMZ, and as a result it needs to be well-secured using iptables.

I have changed the SSH port to 999 (For this question's sake, anyway... ;-)

- SIP/5060 needs to be open, but ONLY to a specific IP address of my SIP host (e.g. 12.34.56.78)
- HTTP needs to be open to anyone (on the usual port 80)

I did attempt this before but unfortunately ended up locking myself out of the machine every time I enabled iptables, and got angry and abandoned the idea. Now the box is due to go live soon and I'd appreciate some assistance!!

Thanks in advance.
0
Question by:UncleVirus
13 Comments
 
LVL 16

Accepted Solution

by:
Blaz earned 500 total points
ID: 35126598
It would be nice to see what you have tried, but nevertheless - a general iptables rule set looks like:

iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 999 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 12.34.56.78 -p tcp --dport 5060 -j ACCEPT
iptables -A INPUT -j DROP

If you have multiple network interfaces you can add that in the rules (-i eth0). I like to have default policy ACCEPT for INPUT and add the last rule to DROP every packet. If you make a mistake typing the rules in the file you won't get locked out.
0
 
LVL 1

Author Comment

by:UncleVirus
ID: 35126634
eth0 is the only interface in use in this machine.

I will give that a go and let you know. Thank you muchly for your quick response Blaz!
0
 
LVL 7

Expert Comment

by:mchkorg
ID: 35135584
I'd suggest you use shorewall (packaged on every Linux distribution) to ease your firewall management.
It's just a text tool with easier syntax, let's say.
It uses iptables, of course.

You can write rules like:
ACCEPT net $FW tcp 80

to enable tcp/80 from the internet to your firewall.
You just have a few files to create (some models are available, from 1/2/3-network card configuration, and more) just to let the tool know which ethX is your internet card, which one is your LAN, DMZ, wifi and so on...

You should give it a try.
If you want a detailed conf example, just ask.

With this tool, you shouldn't lock a system, provided your SSH rule is OK :)

Regards
0
 
LVL 1

Author Comment

by:UncleVirus
ID: 35178570
Blaz: What would be the best way to apply iptables rules? Are they implemented by means of a .conf file and then included?
0
 
LVL 16

Expert Comment

by:Blaz
ID: 35178603
It somewhat depends on the distribution used. RedHat/Fedora/CentOS have the configuration file /etc/sysconfig/iptables, for example. Some other distributions have no such file - rules can always be added to /etc/rc.local or a similar file that runs on power up.

The startup script can have the command line rules line by line, or you can use the iptables-save and iptables-restore commands (and store the rules in a separate file).
0
 
LVL 1

Author Comment

by:UncleVirus
ID: 35178685
Just for future reference, I've successfully written a full iptables script. Before I close the question, here's my example:
# Defaults
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT


# Accept packets belonging to existing connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow anyone to login to the box via local SSH no matter *what*
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.5 -p tcp --dport 6654 -j ACCEPT

# Allow SIP Provider to communicate on port 5060 (SIP trunk)
# Note: SIP signalling and RTP media are usually carried over UDP; if the trunk uses UDP, matching -p udp rules are needed
iptables -A INPUT -s voip.provider.IPADDRESS -d 192.168.0.5 -p tcp --dport 5060 -j ACCEPT
# SIP Provider RTSP Rule - Ports: 30000:65000
iptables -A INPUT -s voip.provider.IPADDRESS -d 192.168.0.5 -p tcp --dport 30000:65000 -j ACCEPT

# Allow SSH externally on different port
iptables -A INPUT -p tcp --dport 999 -j ACCEPT


# Finally, the iptables DROP rule to DROP any other traffic that does not fit this scenario
iptables -A INPUT -j DROP

0
 
LVL 1

Author Comment

by:UncleVirus
ID: 35178720
Strange, but I used 'iptables-save' - rebooted, and it didn't store the files... so I've got a trixbox-iptables.sh script file that launches on reboot. Problem solved and the machine is now showing 0 open ports to the internets :-)
0
 
LVL 1

Author Comment

by:UncleVirus
ID: 35179170
Another weird problem.. After applying all the firewall rules, trixbox (the GUI front-end for asterisk) takes an AGE to load.. and when it does, some of the options are greyed out. Any idea why?

See attached screenshot:
trixbox.jpg
0
 
LVL 16

Assisted Solution

by:Blaz
Blaz earned 500 total points
ID: 35179685
First you should add a new rule (at the beginning) - accept all local loopback traffic
iptables -A INPUT -i lo -j ACCEPT

If you want to access the SSH server from remote you should open port 22 as well (for everybody?)
0
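As an added example, not code from the thread or from Blaz, the script below combines the three points made above: Blaz's rule set with the loopback rule added first, the iptables-save/iptables-restore persistence approach, and a way to load the rules without the lockout the question describes (iptables-restore parse-checks and applies the whole table atomically, and a background guard reopens INPUT after a grace period unless you confirm from a still-working session). RULES_FILE, GRACE and the /tmp/fw-guard.pid file are assumed names; the address and ports are the thread's placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread): the thread's rule set in
# iptables-restore format, checked, then loaded with a timed fallback.
SIP_PEER="12.34.56.78"   # SIP provider address (placeholder from the question)
SSH_PORT="999"           # non-default SSH port from the question
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"   # assumed path
GRACE=120                # seconds before the guard reopens the firewall

# Order matters: loopback and ESTABLISHED first, catch-all DROP last.
gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
# SIP signalling from the provider only (thread uses TCP; UDP trunks need a -p udp twin)
-A INPUT -s ${SIP_PEER} -p tcp --dport 5060 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Loopback accept must precede the final DROP, and DROP must be the last rule.
check_rules() {
    r=$(gen_rules)
    lo=$(printf '%s\n' "$r" | grep -n -- '-A INPUT -i lo -j ACCEPT' | cut -d: -f1)
    dr=$(printf '%s\n' "$r" | grep -n -- '-A INPUT -j DROP' | cut -d: -f1)
    last=$(printf '%s\n' "$r" | grep -- '^-A INPUT' | tail -n 1)
    [ -n "$lo" ] && [ -n "$dr" ] && [ "$lo" -lt "$dr" ] && [ "$last" = "-A INPUT -j DROP" ]
}

# Parse-check, then load atomically. A background guard flushes INPUT back to
# ACCEPT after $GRACE seconds unless "confirm" is run from a still-working session.
apply_rules() {
    check_rules || { echo "rule set failed sanity check" >&2; return 1; }
    gen_rules > "$RULES_FILE"
    iptables-restore --test < "$RULES_FILE" || return 1
    ( sleep "$GRACE" && iptables -F INPUT && iptables -P INPUT ACCEPT ) &
    echo $! > /tmp/fw-guard.pid
    iptables-restore < "$RULES_FILE"
    echo "loaded; run '$0 confirm' within ${GRACE}s or INPUT is reopened"
}

# Cancel the guard. To persist, put "iptables-restore < $RULES_FILE" in /etc/rc.local.
confirm_rules() { kill "$(cat /tmp/fw-guard.pid)" 2>/dev/null; rm -f /tmp/fw-guard.pid; }
case "${1:-}" in apply) apply_rules ;; confirm) confirm_rules ;; esac
```

Run it as root with `apply`, open a second SSH session to verify you still get in, then run `confirm` from that session; if the second session fails, the guard reopens INPUT on its own.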
 
LVL 1

Author Comment

by:UncleVirus
ID: 35179733
I run my SSH port on a different one other than the default (I used 999 in this example). ICMP is also blocked at my router, so NMAP looks nice and boring :-)

I'll add your rule and reload. Thanks Blaz.
0
 
LVL 1

Author Comment

by:UncleVirus
ID: 35179740
You sir, are an absolute blooming legend! :-D
0
 
LVL 16

Expert Comment

by:Blaz
ID: 35340338
If I understand correctly you have this working now. If so you should close this question. Thanks.
0
 
LVL 1

Author Closing Comment

by:UncleVirus
ID: 35340352
Spot-on. That last comment sorted it out properly (allow local loopback traffic).
0
