TIPS fail2ban and iptable

centoasa (Member, joined May 31, 2009)
Fresh new installation of the green version into VirtualBox.
The whole installation went well. Everything works fine!
Fail2ban and iptables work fine.
After installing Incrediblepbx following these steps: http://nerdvittles.com/?p=9214 , fail2ban and iptables stop working.
Every time I reboot VirtualBox, iptables shows me an error (see image).
Any suggestion is appreciated.
 

Attachments: pbx1.jpg, pbx2.jpg, pbx3.jpg

howardsl2 (Guru, joined Aug 5, 2013)
Edit /etc/sysconfig/iptables:

Correct the error on line 42, and fix the FQDN typo(s) on lines 50, 51, etc. Reboot.

By the way, your fail2ban is also offline.
 

centoasa (Member, joined May 31, 2009)
Sorry, this is my iptables file:
Code:
# Generated by iptables-save v1.4.7 on Fri Mar  2 10:36:08 2012
*nat
:PREROUTING ACCEPT [7:608]
:POSTROUTING ACCEPT [36:2319]
:OUTPUT ACCEPT [36:2319]
COMMIT
# Completed on Fri Mar  2 10:36:08 2012
# Generated by iptables-save v1.4.7 on Fri Mar  2 10:36:08 2012
*mangle
:PREROUTING ACCEPT [1103:1400664]
:INPUT ACCEPT [1102:1400632]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [656:59330]
:POSTROUTING ACCEPT [656:59330]
COMMIT
# Completed on Fri Mar  2 10:36:08 2012
# Generated by iptables-save v1.3.5 on Tue Apr  1 11:35:49 2014
*filter
:INPUT DROP [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-BadBots - [0:0]
:fail2ban-VSFTPD - [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ASTERISK - [0:0]
:FORWARD ACCEPT [0:0]
:fail2ban-APACHE - [0:0]
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-VSFTPD
-A INPUT -p tcp -m multiport -j fail2ban-BadBots --dports 80,443
-A INPUT -p tcp -j fail2ban-APACHE
-A INPUT -j fail2ban-ASTERISK
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp -s --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp -s --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 83 -j ACCEPT
-A INPUT -p tcp -m tcp -s --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp -s --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp -s --dport 9001 -j ACCEPT
-A INPUT -p tcp -m tcp -s --dport 9080 -j ACCEPT
-A INPUT -p udp -m udp -s --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp -s --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32976 -j ACCEPT
-A INPUT -p tcp -m tcp -s --dport 4445 -j ACCEPT
-A INPUT -p tcp -m tcp -s --dport 5038 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
# Google Voice requires the next two port openings
-A INPUT -p udp -m udp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
# End of Trusted Provider Section
-A INPUT -p udp -m udp -s --dport 69 -j ACCEPT
-A INPUT -p tcp -m tcp -s --dport 9022 -j ACCEPT
-A INPUT -p udp -m udp -s --dport 5353 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j ACCEPT
# -A INPUT -s 172.16.0.0/12 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A fail2ban-APACHE -j RETURN
-A fail2ban-ASTERISK -j RETURN
-A fail2ban-BadBots -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-VSFTPD -j RETURN
COMMIT
# Generated by iptables-save v1.3.5 on Tue Apr  1 11:35:49 2014
Where/how can I add/edit it?
 

howardsl2 (Guru, joined Aug 5, 2013)
Replace every "-m tcp -s" with "-m tcp", and replace every "-m udp -s" with "-m udp". There are 13 of them in total. Reboot.

Please note that this will allow connections from all IPs to the ports in question. If you have a single IP to whitelist, you can instead put that IP after "-s".
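An added example (not from the thread or from Incredible PBX) of howardsl2's fix as a POSIX shell helper: it strips or fills the bare "-s" fields, counts how many remain, and parse-checks the result with iptables-restore --test, which is assumed to be supported by the installed version. The demo rules and the 192.168.1.0/24 range are constructed placeholders, not the poster's file.

```shell
#!/bin/sh
# Added example, not code from the thread or from Incredible PBX.
# iptables-save only writes "-s <addr>" when a source address is set, so a bare
# "-s" directly followed by "--dport" (13 such lines in the posted file) is a
# rule with a lost address; iptables-restore rejects the file at that line and
# none of the ACCEPT rules behind the INPUT DROP policy are loaded.
#
# fix_dangling_source <rules-file> [whitelist-ip-or-cidr]
#   no IP given : drop the empty "-s" (rule then matches every source)
#   IP given    : fill it in (rule then matches only that source)
# Repaired rules go to stdout; review them before saving over the original.
fix_dangling_source() {
    _file=$1
    _ip=${2:-}
    if [ -n "$_ip" ]; then
        sed -E "s| -s --dport | -s ${_ip} --dport |" "$_file"
    else
        sed -E 's| -s --dport | --dport |' "$_file"
    fi
}

# Number of rules that still carry an empty source match (0 when clean).
count_dangling_source() {
    grep -c -E ' -s --dport ' "$1" || true
}

# Parse-check a candidate file without touching the live tables.
# Assumes the installed iptables-restore supports --test (-t); needs root.
# Exit 0 = loads, 1 = rejected, 2 = iptables-restore not available here.
check_rules_load() {
    command -v iptables-restore >/dev/null 2>&1 || return 2
    iptables-restore --test < "$1" >/dev/null 2>&1
}

# Demo on a constructed three-rule fragment (not the poster's full file).
demo_rules=$(mktemp)
printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
    '-A INPUT -p tcp -m tcp -s --dport 22 -j ACCEPT' \
    '-A INPUT -p udp -m udp -s --dport 4569 -j ACCEPT' \
    '-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT' 'COMMIT' > "$demo_rules"
echo "dangling before: $(count_dangling_source "$demo_rules")"
fix_dangling_source "$demo_rules" 192.168.1.0/24 > "$demo_rules.fixed"
echo "dangling after:  $(count_dangling_source "$demo_rules.fixed")"
cat "$demo_rules.fixed"
rm -f "$demo_rules" "$demo_rules.fixed"
```

Run check_rules_load on the repaired copy before rebooting; a non-zero exit means the file would still fail to load at boot.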
 

centoasa (Member, joined May 31, 2009)
Nobody from outside can connect to my PBX; I use the PBX for internal calls and have only an IP trunk on my PBX.
What IP must I include in the whitelist? The internal LAN IP address, or the external one (my IP provider)?
How can I enable fail2ban?
 

howardsl2 (Guru, joined Aug 5, 2013)
Nobody from outside can connect to my PBX; I use the PBX for internal calls and have only an IP trunk on my PBX.
What IP must I include in the whitelist? The internal LAN IP address, or the external one (my IP provider)?
How can I enable fail2ban?
Some of the internal LAN addresses such as 10.0.0.0/8 and 192.168.0.0/16 are already included in your IPTables rules.

Generally speaking, if your IP trunk provider requires registration and you have configured the corresponding trunks correctly, then the IPTables ESTABLISHED/RELATED rules (which you already have) should be sufficient.

Regarding Fail2ban please check /var/log/fail2ban.log for errors, and try "service fail2ban restart" and look for errors. Then search this forum for hints. You may also refer to the example jail.local file from the Asterisk security article in my signature.
 
