Incredible PBX iptables File

ppmax

Guru
Joined
Oct 18, 2007
Messages
79
Reaction score
5
Hello--

Can someone using the Incredible PBX install post their:
/etc/sysconfig/iptables

I'm debugging mine and should have made a backup.

thx!
pp
 

amygrant

Guru
Joined
Apr 4, 2010
Messages
132
Reaction score
3
I don't have a hole in my firewall for outside access fyi

Code:
# Generated by iptables-save v1.2.11 on Tue Jul 18 22:20:07 2006
*nat
:PREROUTING ACCEPT [8:408]
:POSTROUTING ACCEPT [2:129]
:OUTPUT ACCEPT [2:129]
COMMIT
# Completed on Tue Jul 18 22:20:07 2006
# Generated by iptables-save v1.2.11 on Tue Jul 18 22:20:07 2006
*mangle
:PREROUTING ACCEPT [287:33378]
:INPUT ACCEPT [287:33378]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [288:38355]
:POSTROUTING ACCEPT [288:38355]
COMMIT
# Completed on Tue Jul 18 22:20:07 2006
# Generated by iptables-save v1.2.11 on Tue Jul 18 22:20:07 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems  
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow connections to our WEB server
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow connections to our Secure Web server
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# Allow connections to our FTP server
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
# Allow connections to our Webmin server
-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
# Allow connections to our Alternative Web server
#-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# Allow IAX connections from IPkall and PIAFUSA
-A INPUT -p udp -m udp -s 64.27.1.153 --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp -s 66.54.140.46 --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp -s 66.54.140.47 --dport 4569 -j ACCEPT
# Allow connections to our IAX server
-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT
# Allow connections to our SIP server
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# Allow connections to our SIP-RTP server   
-A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
# Allow connections to our FOP server
-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
# Allow connections to xTide web server 
-A INPUT -p tcp -m tcp --dport 88 -j ACCEPT  
# Allow connections to NTP time server
-A INPUT -p udp -m udp --dport 123 -j ACCEPT  
# Allow connections to our Alternative Web server
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
# Allow connections to our Webmin server
-A INPUT -p tcp -m tcp --dport 9022 -j ACCEPT
COMMIT
# Completed on Tue Jul 18 22:20:07 2006
 

blanchae

Guru
Joined
Mar 12, 2008
Messages
1,910
Reaction score
9
Have you used Webmin's gui interface to iptables called the Linux Firewall? Makes things a little bit easier..
 

ppmax

Guru
Joined
Oct 18, 2007
Messages
79
Reaction score
5
Thanks for the iptables and the replies. Is that iptables file from an Incredible PBX install?

Have you used Webmin's gui interface to iptables called the Linux Firewall?

Webmin is great and I use it for a whole bunch of stuff, but in this case I'm trying to figure out why my original iptables file is/was essentially empty. I have a relatively old install of PIAF and have never used iptables (I use a firewall/router with some port mapping instead) and recently decided to poke some holes open. This is what is in my iptables file:

Code:
# Generated by iptables-save v1.3.5 on Fri Jun 11 22:12:21 2010
*nat
:PREROUTING ACCEPT [29:3113]
:POSTROUTING ACCEPT [72:7617]
:OUTPUT ACCEPT [72:7617]
COMMIT
# Completed on Fri Jun 11 22:12:21 2010
# Generated by iptables-save v1.3.5 on Fri Jun 11 22:12:21 2010
*mangle
:PREROUTING ACCEPT [450:52426]
:INPUT ACCEPT [450:52426]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [419:80179]
:POSTROUTING ACCEPT [419:80179]
COMMIT
# Completed on Fri Jun 11 22:12:21 2010
# Generated by iptables-save v1.3.5 on Fri Jun 11 22:12:21 2010
*filter
:INPUT ACCEPT [74621:13286100]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66199:13654135]
:fail2ban-APACHE - [0:0]
:fail2ban-ASTERISK - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-VSFTPD - [0:0]
-A INPUT -j fail2ban-ASTERISK 
-A INPUT -p tcp -j fail2ban-APACHE 
-A fail2ban-APACHE -j RETURN 
-A fail2ban-ASTERISK -j RETURN 
-A fail2ban-SSH -j RETURN 
-A fail2ban-VSFTPD -j RETURN 
COMMIT
# Completed on Fri Jun 11 22:12:21 2010

You'll see that iptables-save was run recently...but as far as I can tell I never modified anything. Maybe the older version of PIAF I'm running never had any default rules? Anyone know if this is so? I know I ran a yum-update a while ago...

thx again
pp
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,209
Reaction score
5,238
ppmax: Your iptables file was generated by someone or some app outside of the Incredible PBX and PBX in a Flash distros. One of the issues with using outside tools (even WebMin) is you don't actually know what's being generated behind the scenes... unless you actually go look. :crazy: Unless you really know what you're doing, leave iptables alone, or you may jeopardize the security of your system.
 

ppmax

Guru
Joined
Oct 18, 2007
Messages
79
Reaction score
5
Thanks Ward--

I'm trying to track down what modified my iptables. Because my PIAF server has always been behind a router/firewall I've never used this service (though I may have enabled/disabled them way back when for some reason).

The reason I'm mucking with them is to lock down connections on port 5060 which I need to port forward to PIAF at my firewall/router so that I can get incoming calls from Vitelity.

If I have to leave 5060 open, I want to restrict to connections from 64.2.142.29 which is Vitelity's outbound (inbound for me) SIP server traffic.

FWIW: where's the default script that generates the PIAF iptables config? A runonce?

pp
 

ppmax

Guru
Joined
Oct 18, 2007
Messages
79
Reaction score
5
FYI Ward: going through the iptables posted by amygrant, you'll see a few mistakes in the comments...where the comments become out of sync with the commands. Do you and Tom maintain this code? Where is the source?

Here are a few lines to show what I mean:
Code:
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow connections to our WEB server
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow connections to our Secure Web server
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# Allow connections to our FTP server
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
# Allow connections to our Webmin server

Note the comment and code showing service and port are mixed up...there are a dozen or so mismatches between code and comments in this iptables file.
 

ppmax

Guru
Joined
Oct 18, 2007
Messages
79
Reaction score
5
For anyone that's interested, here's my iptables file. This is a cleaned up version of what was posted above by amygrant. I commented out stuff I don't use/need...I also added subnet access for samba, and the java VNC server.

Code:
# Generated by iptables-save v1.3.5 on Fri Jun 11 22:12:21 2010
*nat
:PREROUTING ACCEPT [8:408]
:POSTROUTING ACCEPT [2:129]
:OUTPUT ACCEPT [2:129]
COMMIT
# Completed on Fri Jun 11 22:12:21 2010
# Generated by iptables-save v1.3.5 on Fri Jun 11 22:12:21 2010
*mangle
:PREROUTING ACCEPT [287:33378]
:INPUT ACCEPT [287:33378]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [288:38355]
:POSTROUTING ACCEPT [288:38355]
COMMIT
# Completed on Fri Jun 11 22:12:21 2010
# Generated by iptables-save v1.3.5 on Fri Jun 11 22:12:21 2010
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems  
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT

# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT

# Allow connections to our FTP server
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

# Allow connections to our WEB server
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow connections to NTP time server
-A INPUT -p udp -m udp --dport 123 -j ACCEPT  
# Allow connections to our Secure Web server
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow connections to our Webmin server
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT

# Allow connections to our Alternative Web server
# -A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT

# Allow connections to our IAX server
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# Allow IAX connections from IPkall and PIAFUSA
# -A INPUT -p udp -m udp -s 64.27.1.153 --dport 4569 -j ACCEPT
# -A INPUT -p udp -m udp -s 66.54.140.46 --dport 4569 -j ACCEPT
# -A INPUT -p udp -m udp -s 66.54.140.47 --dport 4569 -j ACCEPT

# Allow connections to our SIP server
# -A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp -s outbound.vitelity.net --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 5000:5082 -j ACCEPT

# Allow connections to our SIP-RTP server   
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

# Allow connections to our FOP server
# -A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
# -A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT

# Allow connections to xTide web server 
# -A INPUT -p tcp -m tcp --dport 88 -j ACCEPT  

# Allow connections to our Alternative Web server
# -A INPUT -p udp -m udp --dport 69 -j ACCEPT
# Allow connections to our Webmin server
# -A INPUT -p tcp -m tcp --dport 9022 -j ACCEPT

# Allow connections to our VNC server
-A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 5801 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 5901 -j ACCEPT

# Allow connections to our Samba server
-A INPUT -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 137 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/255.255.255.0 --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/255.255.255.0 --dport 445 -j ACCEPT

COMMIT
# Generated by iptables-save v1.3.5 on Fri Jun 11 22:12:21 2010
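The files in this thread show two things worth checking mechanically: comments that drift out of sync with the port a rule actually opens, and ACCEPT rules that carry no -s restriction and so expose a port to any source. The following audit script is an added example, not code from this thread or from the PIAF/Incredible PBX project; it parses an iptables-save style file, and the port-to-service map and the sample rules are constructed assumptions for the demonstration.

```python
import re

# Constructed sample in iptables-save format, modelled on the files posted in this thread
# (it deliberately carries one comment/port mismatch like the ones ppmax pointed out).
SAMPLE = """*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow connections to our SIP server
-A INPUT -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 5000:5082 -j ACCEPT
# Allow connections to our SIP-RTP server
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
COMMIT
"""

# Assumed mapping from the ports opened in this thread's files to a word the matching
# comment should contain (an assumption for the check, not something iptables knows).
PORT_SERVICE = {"ssh": "ssh", "22": "ssh", "80": "web", "443": "secure", "21": "ftp",
                "9001": "webmin", "4569": "iax", "5000:5082": "sip",
                "10000:20000": "rtp", "4445": "fop", "5038": "management", "123": "ntp"}

ACCEPT_RE = re.compile(r"^-A INPUT\b(?P<body>.*)-j ACCEPT\s*$")
DPORT_RE = re.compile(r"--dport (\S+)")
SRC_RE = re.compile(r"(?:^|\s)-s (\S+)")


def audit(text=SAMPLE):
    """Return one (dport, comment, source, issues) tuple per INPUT ACCEPT rule with a --dport."""
    findings, comment = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):            # remember the comment preceding the next rule
            comment = line.lstrip("# ").strip()
            continue
        rule = ACCEPT_RE.match(line)
        dport = DPORT_RE.search(rule.group("body")) if rule else None
        if not dport:                       # chain policies, state rules, COMMIT: nothing to audit
            comment = ""
            continue
        src = SRC_RE.search(rule.group("body"))
        issues = []
        if src is None:                     # no -s: the port is reachable from any source address
            issues.append("open to any source")
        expected = PORT_SERVICE.get(dport.group(1))
        if expected and expected not in comment.lower():
            issues.append(f"comment does not mention {expected}")
        findings.append((dport.group(1), comment, src.group(1) if src else None, issues))
        comment = ""
    return findings


if __name__ == "__main__":
    for dport, comment, src, issues in audit():
        print(f"{dport:12} from {src or 'anywhere':26} # {comment}  {'; '.join(issues)}")
```

Run it against a real /etc/sysconfig/iptables by passing the file contents to audit(); any port listed as "open to any source" that only a known provider or the LAN should reach is a candidate for an -s restriction like the Vitelity and 192.168.0.0/24 rules above.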
 

blanchae

Guru
Joined
Mar 12, 2008
Messages
1,910
Reaction score
9
Corrected comments default PiaF 1.6 iptables

Here is my default install iptables for PiaF 1.6 with the comments corrected:

# Completed on Tue Jul 18 22:20:07 2006
# Generated by iptables-save v1.2.11 on Tue Jul 18 22:20:07 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept responses to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Allow connections to our Web server
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow connections to our Secure WEB server
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow connections to our ftp server
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# Allow connections to our Webmin server
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
# Allow connections to our Alternative Webmin server
-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
# Allow connections to our IAX server
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# Allow connections to our SIP/RTP server
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# Allow connections to our SIP server
-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT
# Allow connections to our FOP2 server
-A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
# Allow connections to our Asterisk Management Interface
-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
# Allow connections to NTP time server
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
# Allow connections to our t*f*t*p server
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
# Allow connections to our alternative SSH server
-A INPUT -p tcp -m tcp --dport 9022 -j ACCEPT

Here's what it looks like viewing Webmin - Networking - Linux Firewall:

iptables-default-config.jpg
 
