* Help tweaking asterisk rules
@ 2011-01-21 2:05 Max DiOrio
2012-03-04 4:39 ` Kerin Millar
0 siblings, 1 reply; 4+ messages in thread
From: Max DiOrio @ 2011-01-21 2:05 UTC (permalink / raw)
To: netfilter
Hi Everyone...
I have a new PBXIAF setup that I'm trying to get secure. I used
firewall builder to get what I think is a decent configuration, but I'm
having a tad bit of trouble with one set of rules.
The firewall is exposed directly to the internet and the same box hosts
our asterisk server that runs TFTP and DHCP.
I'm restricting the firewall inbound to specific IP addresses, namely my
SIP Trunk provider and my offices.
All traffic from the firewall (Asterisk) and any connection on the
protected side of the firewall should be allowed in both directions.
The firewall builder rules I created worked to allow traffic in/out from
the WAN to the FW, and from the FW to the WAN, however everything on the
LAN side was blocked both to the firewall and the WAN. I had to change
RULE_6 to Allow instead of Drop. I was hoping someone can help me clean
this up to accomplish what I want.
I was also hoping someone can provide some guidance on leaving the RTP
ports UDP 10000:20000 open to all IP's on the WAN. What type of
security issue will this raise? Should I install Fail2Ban in this
setup? The only issue I have with Fail2Ban was that it blocked my
access from the LAN within 15 seconds of it coming online.
Thanks for all your help on this.
Max
# Generated by iptables-save v1.3.5 on Thu Jan 20 00:00:16 2011
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:RULE_6 - [0:0]
:RULE_1 - [0:0]
:Cid3823X8440.0 - [0:0]
:RULE_8 - [0:0]
:FORWARD DROP [0:0]
:In_RULE_0 - [0:0]
:Cid3823X8440.1 - [0:0]
:RULE_2 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.10.2 -i eth0 -j In_RULE_0
-A INPUT -s 64.xx.xx.105 -i eth0 -j In_RULE_0
-A INPUT -s 10.10.10.0/255.255.255.0 -i eth0 -j In_RULE_0
-A INPUT -m state -s 10.10.10.2 --state NEW -j RULE_1
-A INPUT -m state -s 64.xx.xx.105 --state NEW -j RULE_1
-A INPUT -m state -s 64.xx.xx.219 --state NEW -j RULE_2
-A INPUT -m state -s 67.xxx.xx.39 --state NEW -j RULE_2
-A INPUT -m state -s 72.xx.xx.82 --state NEW -j RULE_2
-A INPUT -m state -s 72.xx.xx.83 --state NEW -j RULE_2
-A INPUT -m state -s 72.xx.xx.84 --state NEW -j RULE_2
-A INPUT -m state -s 72.xx.xx.85 --state NEW -j RULE_2
-A INPUT -m state -s 204.xx.xxx.47 --state NEW -j RULE_2
-A INPUT -m state -s 208.xx.xxx.47 --state NEW -j RULE_2
-A INPUT -m state -s 208.xxx.xxx.161 --state NEW -j RULE_2
-A INPUT -m state -s 208.xxx.xxx.162 --state NEW -j RULE_2
-A INPUT -m state -s 208.xxx.xxx.163 --state NEW -j RULE_2
-A INPUT -m state -s 208.xxx.xx.10 --state NEW -j RULE_2
-A INPUT -m state -i lo --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state -s 10.10.10.0/255.255.255.0 --dport 22 --state NEW -j ACCEPT
-A INPUT -p udp -m udp -m state -s 10.10.10.0/255.255.255.0 --dport 69 --state NEW -j ACCEPT
-A INPUT -p udp -m udp -m multiport -m state --state NEW -j Cid3823X8440.0 --dports 68,67
-A INPUT -p udp -m udp -m multiport -m state -d 255.255.255.255 --state NEW -j Cid3823X8440.1 --dports 68,67
-A INPUT -j RULE_6
-A INPUT -m state -s 10.10.10.0/255.255.255.0 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m udp -i eth0 --sport 10000:20000 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.10.2 -i eth0 -j In_RULE_0
-A FORWARD -s 64.xx.xx.105 -i eth0 -j In_RULE_0
-A FORWARD -s 10.10.10.0/255.255.255.0 -i eth0 -j In_RULE_0
-A FORWARD -m state -s 10.10.10.0/255.255.255.0 --state NEW -j ACCEPT
-A FORWARD -j RULE_8
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW -j RULE_1
-A OUTPUT -m state -o lo --state NEW -j ACCEPT
-A OUTPUT -d 10.10.10.2 -j RULE_6
-A OUTPUT -d 64.xx.xx.105 -j RULE_6
-A OUTPUT -m state -s 10.10.10.0/255.255.255.0 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j RULE_8
-A Cid3823X8440.0 -s 0.0.0.0 -j ACCEPT
-A Cid3823X8440.0 -s 10.10.10.0/255.255.255.0 -j ACCEPT
-A Cid3823X8440.1 -s 0.0.0.0 -j ACCEPT
-A Cid3823X8440.1 -s 10.10.10.0/255.255.255.0 -j ACCEPT
-A In_RULE_0 -j LOG --log-prefix "RULE 0 -- DENY " --log-level 6
-A In_RULE_0 -j DROP
-A RULE_1 -j LOG --log-prefix "RULE 1 -- ACCEPT " --log-level 6
-A RULE_1 -j ACCEPT
-A RULE_2 -j LOG --log-prefix "RULE 2 -- ACCEPT " --log-level 6
-A RULE_2 -j ACCEPT
-A RULE_6 -j LOG --log-prefix "RULE 6 -- DENY " --log-level 6
-A RULE_6 -j ACCEPT
-A RULE_8 -j LOG --log-prefix "RULE 8 -- DENY " --log-level 6
-A RULE_8 -j DROP
-A INPUT -j RULE_8
COMMIT
# Completed on Thu Jan 20 00:00:16 2011
# Generated by iptables-save v1.3.5 on Thu Jan 20 00:00:16 2011
*mangle
:PREROUTING ACCEPT [4084:871026]
:INPUT ACCEPT [3282:364086]
:FORWARD ACCEPT [802:506940]
:OUTPUT ACCEPT [3182:440072]
:POSTROUTING ACCEPT [3978:946060]
COMMIT
# Completed on Thu Jan 20 00:00:16 2011
# Generated by iptables-save v1.3.5 on Thu Jan 20 00:00:16 2011
*nat
:PREROUTING ACCEPT [27:1668]
:POSTROUTING ACCEPT [148:9568]
:OUTPUT ACCEPT [148:9568]
-A POSTROUTING -s 10.10.10.0/255.255.255.0 -o eth0 -j SNAT --to-source 64.xx.xx.105
COMMIT
# Completed on Thu Jan 20 00:00:16 2011
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Help tweaking asterisk rules
2011-01-21 2:05 Help tweaking asterisk rules Max DiOrio
@ 2012-03-04 4:39 ` Kerin Millar
2012-03-04 7:10 ` Jan Engelhardt
0 siblings, 1 reply; 4+ messages in thread
From: Kerin Millar @ 2012-03-04 4:39 UTC (permalink / raw)
To: netfilter
On 21/01/2011 02:05, Max DiOrio wrote:
> I was also hoping someone can provide some guidance on leaving the RTP
> ports UDP 10000:20000 open to all IP's on the WAN. What type of
> security issue will this raise? Should I install Fail2Ban in this
> setup? The only issue I have with Fail2Ban was that it blocked my
> access from the LAN within 15 seconds of it coming online.
They needn't be open at all. Instead, load the ip_conntrack_sip
module and ensure that your iptables policy is stateful.
http://www.iptel.org/sipalg/
Using fail2ban carelessly might pave the way for remotely exploitable
DoS attacks. Though it has its uses, I wouldn't generally recommend it.
http://www.ossec.net/main/attacking-log-analysis-tools
Cheers,
--Kerin
* Re: Help tweaking asterisk rules
2012-03-04 4:39 ` Kerin Millar
@ 2012-03-04 7:10 ` Jan Engelhardt
2012-03-04 7:25 ` Kerin Millar
0 siblings, 1 reply; 4+ messages in thread
From: Jan Engelhardt @ 2012-03-04 7:10 UTC (permalink / raw)
To: Kerin Millar; +Cc: netfilter
On Sunday 2012-03-04 05:39, Kerin Millar wrote:
> On 21/01/2011 02:05, Max DiOrio wrote:
>> I was also hoping someone can provide some guidance on leaving the RTP
>> ports UDP 10000:20000 open to all IP's on the WAN. What type of
>> security issue will this raise? Should I install Fail2Ban in this
>> setup? The only issue I have with Fail2Ban was that it blocked my
>> access from the LAN within 15 seconds of it coming online.
>
> They needn't be open at all. Instead, load the ip_conntrack_sip module and
> ensure that your iptables policy is stateful.
>
> http://www.iptel.org/sipalg/
This is all outdated material. It's nf_conntrack_sip and has been long
merged into the kernel already.
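Putting Kerin's advice and Jan's module-name correction together, and fixing the ordering problem Max hit (the RULE_6 catch-all sat ahead of the LAN accept), here is an added example; it is not code from anyone in the thread. It assumes eth0 and 10.10.10.0/24 from the posted ruleset, while TRUNK_IP, the check functions and the explicit CT --helper binding (which recent kernels need because automatic helper assignment is off by default) are my own additions.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful INPUT policy that lets
# the nf_conntrack_sip helper admit RTP legs as RELATED/ESTABLISHED, so
# UDP 10000:20000 is never opened statically to the whole WAN.
# Assumptions: WAN interface eth0 and LAN 10.10.10.0/24 as in the posted
# ruleset; TRUNK_IP is a placeholder for the SIP trunk provider's address.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.10.10.0/24}"
TRUNK_IP="${TRUNK_IP:-192.0.2.10}"   # placeholder (TEST-NET-1), replace it

# Emit an iptables-restore fragment (raw + filter tables).
gen_sip_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
# Where net.netfilter.nf_conntrack_helper is 0 (the default on recent
# kernels) helpers are not attached automatically, so bind sip explicitly.
-A PREROUTING -i $WAN_IF -p udp -s $TRUNK_IP --dport 5060 -j CT --helper sip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# RTP flows announced in SDP are expected by the helper: RELATED on the
# first packet, ESTABLISHED afterwards. No static port range is needed.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $WAN_IF -p udp -s $TRUNK_IP --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
# Admit the LAN before the final logging drop; in the posted ruleset the
# RULE_6 catch-all came first, which is why LAN traffic was blocked.
-A INPUT ! -i $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP " --log-level 6
COMMIT
EOF
}

# The generated policy must not open the RTP range to every WAN address.
check_no_static_rtp() {
    ! gen_sip_rules | grep -q -- '10000:20000'
}

# The LAN accept must precede the logging drop (the ordering bug above).
check_lan_before_logdrop() {
    lan=$(gen_sip_rules | grep -n -- "-s $LAN_NET" | cut -d: -f1)
    drop=$(gen_sip_rules | grep -n -- '-j LOG' | cut -d: -f1)
    [ -n "$lan" ] && [ -n "$drop" ] && [ "$lan" -lt "$drop" ]
}
# Load as root: modprobe nf_conntrack_sip && gen_sip_rules | iptables-restore -n
```

The policy is emitted rather than applied so it can be reviewed (or diffed against iptables-save output) before it touches a live box.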
* Re: Help tweaking asterisk rules
2012-03-04 7:10 ` Jan Engelhardt
@ 2012-03-04 7:25 ` Kerin Millar
0 siblings, 0 replies; 4+ messages in thread
From: Kerin Millar @ 2012-03-04 7:25 UTC (permalink / raw)
To: netfilter
On 04/03/2012 07:10, Jan Engelhardt wrote:
> On Sunday 2012-03-04 05:39, Kerin Millar wrote:
>
>> On 21/01/2011 02:05, Max DiOrio wrote:
>>> I was also hoping someone can provide some guidance on leaving the RTP
>>> ports UDP 10000:20000 open to all IP's on the WAN. What type of
>>> security issue will this raise? Should I install Fail2Ban in this
>>> setup? The only issue I have with Fail2Ban was that it blocked my
>>> access from the LAN within 15 seconds of it coming online.
>>
>> They needn't be open at all. Instead, load the ip_conntrack_sip module and
>> ensure that your iptables policy is stateful.
>>
>> http://www.iptel.org/sipalg/
>
> This is all outdated material. It's nf_conntrack_sip and has been long
> merged into the kernel already.
I am aware that it exists in the mainline kernel. Thank you for pointing
out that I got the name wrong. I managed asterisk in my prior job and
did actually use nf_conntrack_sip so I should have recalled the
distinction. Nevertheless, I think that the page still serves as a
useful intro to those unfamiliar with the sip connection tracking
module. At least, it did for me when I was facing the same issue as how
to gracefully handle SIP.
Cheers,
--Kerin