Solved

iptables syntax usage

Posted on 2011-03-14
861 Views
Last Modified: 2013-11-16
I did have a question on this but it didn't end up getting answered :-(

I'm attempting to secure an asterisk VoIP box on our LAN. I would like to have it sat on a DMZ, and as a result it needs to be well-secured using iptables.

I have changed the SSH port to 999 (For this question's sake, anyway... ;-)

- SIP/ 5060 needs to be open, but ONLY to a specific IP address of my SIP host (E.g 12.34.56.78)
- HTTP needs to be open to anyone (On the usual port 80)

I did attempt this before but unfortunately ended up locking myself out of the machine every time I enabled iptables, and got angry so abandoned the idea. Now the box is due to go live soon and I'd appreciate some assistance!!

Thanks in advance.
Question by:UncleVirus

13 Comments
 
LVL 16

Accepted Solution

by:
Blaz earned 500 total points
ID: 35126598
It would be nice to see what you have tried, but nevertheless, a general iptables ruleset looks like:

iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 999 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 12.34.56.78 -p tcp --dport 5060 -j ACCEPT
iptables -A INPUT -j DROP

If you have multiple network interfaces you can add that in the rules (-i eth0). I like to have default policy ACCEPT for INPUT and add the last rule to DROP every packet. If you make a mistake typing the rules in the file you won't get locked out.
 
LVL 1

Author Comment

by:UncleVirus
ID: 35126634
eth0 is the only interface in use in this machine.

I will give that a go and let you know. Thank you muchly for your quick response Blaz!
 
LVL 7

Expert Comment

by:mchkorg
ID: 35135584
I'd suggest you use shorewall (packaged on every Linux distribution) to ease your firewall management.
It's just a text-based tool with an easier syntax, let's say.
It uses iptables, of course.

You can write rules like:
ACCEPT net $FW tcp 80


to enable tcp/80 from the internet to your FireWall.
You just have a few files to create (some models are available, from 1/2/3-network card configuration, and more) just to let the tool know which ethX is your internet card, which one is your lan, dmz, wifi and so on...

You should give it a try.
If you want a detailed conf example, just ask.

With this tool, you shouldn't lock a system, provided your ssh rule is OK :)

Regards
 
LVL 1

Author Comment

by:UncleVirus
ID: 35178570
Blaz: What would be the best way to apply iptables rules? Are they implemented by means of a .conf file and then included?
 
LVL 16

Expert Comment

by:Blaz
ID: 35178603
It somewhat depends on the distribution used. RedHat/Fedora/CentOS have the configuration file /etc/sysconfig/iptables, for example. Some other distributions have no such file; rules can always be added to /etc/rc.local or a similar file that runs at power-up.

The startup script can have the command-line rules line by line, or you can use the iptables-save and iptables-restore commands (and store the rules in a separate file).
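An added example, not code from the thread or from either poster, that pulls together the accepted ruleset, the loopback rule Blaz adds later in the thread, and the iptables-save/iptables-restore persistence advice above into one script. It writes the rules in iptables-restore format, so the same file can be loaded from rc.local or dropped into /etc/sysconfig/iptables on RedHat-style systems, and it wraps the apply step in a rollback timer against the lock-out problem the question describes. The provider address, LAN range, SSH port and RTP range are constructed placeholders taken from environment variables; the functions build_rules, check_rules and apply_with_rollback are hypothetical names of mine. The media rule uses UDP because RTP is carried over UDP, and SIP signalling is allowed over both UDP and TCP, but only from the provider address.

```shell
#!/bin/sh
# Added example (not from the thread): generates, self-checks and applies an
# iptables ruleset for the "SIP from one provider, HTTP to all, SSH" scenario.
# Every address and port below is a constructed placeholder.
SSH_PORT="${SSH_PORT:-999}"
SIP_PROVIDER="${SIP_PROVIDER:-12.34.56.78}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
RTP_RANGE="${RTP_RANGE:-30000:65000}"

# Emit the ruleset in iptables-save format. Order matters: loopback and
# already-established traffic first, then the narrow allows, then the
# catch-all DROP. The chain policy stays ACCEPT so a typo in the file cannot
# lock you out before the rules are loaded.
build_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${LAN_NET} -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -s ${SIP_PROVIDER} -p udp --dport 5060 -j ACCEPT
-A INPUT -s ${SIP_PROVIDER} -p tcp --dport 5060 -j ACCEPT
-A INPUT -s ${SIP_PROVIDER} -p udp --dport ${RTP_RANGE} -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Sanity-check the generated text without touching the kernel: the last
# INPUT rule must be the DROP, the state rule must be spelled correctly
# (a space after the comma breaks it), and no 5060 rule may be open to all.
check_rules() {
    rules="$(build_rules)"
    last=$(printf '%s\n' "$rules" | grep '^-A INPUT' | tail -n 1)
    [ "$last" = "-A INPUT -j DROP" ] || return 1
    printf '%s\n' "$rules" | grep -qF 'ESTABLISHED,RELATED' || return 1
    printf '%s\n' "$rules" | grep 'dport 5060' \
        | grep -qvF -- "-s ${SIP_PROVIDER}" && return 1
    return 0
}

# Apply with a safety net: the running ruleset is saved first and restored
# automatically after 120 s unless you cancel the timer from a working SSH
# session. /etc/iptables.rules is then the file to load at boot.
apply_with_rollback() {
    iptables-save > /root/iptables.rollback
    build_rules > /etc/iptables.rules
    ( sleep 120 && iptables-restore < /root/iptables.rollback ) &
    ROLLBACK_PID=$!
    iptables-restore < /etc/iptables.rules
    echo "Rules applied; run 'kill ${ROLLBACK_PID}' once SSH is confirmed working."
}

if [ "$1" = "apply" ]; then
    check_rules || { echo "ruleset failed self-check" >&2; exit 1; }
    apply_with_rollback
fi
```

Run it as `sh firewall.sh apply` from an SSH session, confirm a second SSH login still works, then kill the rollback timer. For boot-time loading, add `iptables-restore < /etc/iptables.rules` to /etc/rc.local, or on a RedHat-style system copy the generated file to /etc/sysconfig/iptables.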
 
LVL 1

Author Comment

by:UncleVirus
ID: 35178685
Just for future reference, I've successfully written a full iptables script. Before I close the question, here's my example:
# Defaults
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT


# Accept traffic belonging to existing connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow anyone on the LAN to log in to the box via local SSH no matter *what*
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.5 -p tcp --dport 6654 -j ACCEPT

# Allow SIP provider to communicate on port 5060 (SIP trunk)
iptables -A INPUT -s voip.provider.IPADDRESS -d 192.168.0.5 -p tcp --dport 5060 -j ACCEPT
# SIP provider RTP media rule - Ports: 30000:65000 (RTP is carried over UDP, not TCP)
iptables -A INPUT -s voip.provider.IPADDRESS -d 192.168.0.5 -p udp --dport 30000:65000 -j ACCEPT

# Allow SSH externally on a different port
iptables -A INPUT -p tcp --dport 999 -j ACCEPT


# Finally, the DROP rule to drop any other traffic that does not fit this scenario
iptables -A INPUT -j DROP


 
LVL 1

Author Comment

by:UncleVirus
ID: 35178720
Strange, but I used 'iptables-save', rebooted, and it didn't store the rules... so I've got a trixbox-iptables.sh script file that launches on reboot. Problem solved and the machine is now showing 0 open ports to the internets :-)
 
LVL 1

Author Comment

by:UncleVirus
ID: 35179170
Another weird problem.. After applying all the firewall rules, trixbox (the GUI front-end for asterisk) takes an AGE to load.. and when it does, some of the options are greyed out. Any idea why?

See attached screenshot:
trixbox.jpg
 
LVL 16

Assisted Solution

by:Blaz
Blaz earned 500 total points
ID: 35179685
First you should add a new rule (at the beginning) to accept all local loopback traffic:
iptables -A INPUT -i lo -j ACCEPT

If you want to access the SSH server from remote you should open port 22 as well (for everybody?)
 
LVL 1

Author Comment

by:UncleVirus
ID: 35179733
I run my SSH port on a different one other than the default (I used 999 in this example). ICMP is also blocked at my router, so NMAP looks nice and boring :-)

I'll add your rule and reload. Thanks Blaz.
 
LVL 1

Author Comment

by:UncleVirus
ID: 35179740
You sir, are an absolute blooming legend! :-D
 
LVL 16

Expert Comment

by:Blaz
ID: 35340338
If I understand correctly you have this working now. If so you should close this question. Thanks.
 
LVL 1

Author Closing Comment

by:UncleVirus
ID: 35340352
Spot-on. That last comment sorted it out properly (allow local loopback traffic).
