QUESTION: What iptables rules are a must?

turalo (Member, joined Oct 10, 2013)
Hi guys, after a long round of configuring, testing, and preparing my new VM server based on ESXi 5.5, I have started my new PIAF images. Now I'm planning to close all ports that do not need external access.

So the question is: which of these can I drop? I have used Google, but could not find a definite answer.

Accept If protocol is ICMP and ICMP type is 0
Accept If protocol is ICMP and ICMP type is 3
Accept If protocol is ICMP and ICMP type is 4
Accept If protocol is ICMP and ICMP type is 11
Accept If protocol is ICMP and ICMP type is 12

I know what ICMP is in general; my point is to block info leakage. For example, with the default setup, when we use a VoIP scanner, I can get this info:

root@KALI:~# svmap xx.xx.xx.xx
| SIP Device       | User Agent           | Fingerprint |
-----------------------------------------------------------
| xx.xx.xx.xx:5060 | FPBX-2.9.0(1.4.21.2) | disabled    |

or
root@KALI:~# svmap xx.xx.xx.xx
| SIP Device       | User Agent           | Fingerprint |
-----------------------------------------------------------
| xx.xx.xx.xx:5060 | FPBX-2.11.0(11.12.0) | disabled    |

So with this, a criminal can easily see that the target is a VoIP server. I want to make sure that they can never get info about the server.


Right now I have done this:

Jump to chain fail2ban-BadBots If protocol is TCP and destination ports are 80,443
Jump to chain fail2ban-VSFTPD If protocol is TCP and destination port is 21
Jump to chain fail2ban-APACHE If protocol is TCP
Jump to chain fail2ban-ASTERISK Always
Jump to chain fail2ban-SSH If protocol is TCP and destination port is 22
Accept If input interface is lo
Accept If protocol is TCP and TCP flags ACK (of ACK) are set
Accept If state of connection is ESTABLISHED
Accept If state of connection is RELATED
Accept If protocol is UDP and destination port is 1024:65535 and source port is 53
Accept If protocol is ICMP and ICMP type is 0
Accept If protocol is ICMP and ICMP type is 3
Accept If protocol is ICMP and ICMP type is 4
Accept If protocol is ICMP and ICMP type is 11
Accept If protocol is ICMP and ICMP type is 12
Drop If protocol is TCP and destination port is 22
Accept If protocol is TCP and destination port is 113
Drop If protocol is TCP and destination port is 80
Drop If protocol is TCP and destination port is 443
Drop If protocol is TCP and destination port is 21
Accept If protocol is TCP and destination port is 9001 (will be dropped when I finish)
Accept If protocol is TCP and destination port is 9080 (will be dropped when I finish)
Drop If protocol is UDP and destination port is 4569
Accept If protocol is UDP and destination port is 5000:5082
Accept If protocol is UDP and destination port is 10000:20000
Drop If protocol is TCP and destination port is 4445
Drop If protocol is TCP and destination port is 5038
Drop If protocol is UDP and destination port is 123
Drop If protocol is UDP and destination port is 69
Accept If protocol is TCP and destination port is 9022
Accept If protocol is UDP and destination port is 5353
Accept If protocol is TCP and input interface is eth0 and destination port is 1723
Accept Always


Basically, what I want to do (and am doing now) is block all ports from outside, all but VoIP.
Then for any access I will use a VPN (I installed and configured pptpd).

This way, the server will only be available for VoIP traffic, and a strong password policy is applied, so there will be little to no chance of a hack.
All other things I will do locally on the server: I will connect by VPN, get a local 192. IP, and then just manage the things I need.

Help / advice much appreciated.

thanks in advance
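The policy the post describes (default deny, only VoIP reachable from the internet, everything else over the PPTP tunnel), written out as an added example that is not part of the original post and not PIAF/FreePBX code: a POSIX shell script that emits an iptables-restore ruleset instead of applying it, so it can be reviewed first. The WAN interface name (eth0), the ppp+ name for pptpd tunnels, the SIP range 5000:5082, the RTP range 10000:20000 and the list of management ports are assumptions taken from the rule list above. Three points a practitioner checks against the posted list are built in: the chain ends in a DROP policy rather than "Accept Always", so a port is closed unless it is listed; the "accept if ACK is set" rule is gone, because it lets ACK scans reach the kernel regardless of connection state, and the ESTABLISHED,RELATED rule already admits legitimate replies (including DNS answers and ICMP errors, which conntrack marks RELATED); and PPTP gets GRE (IP protocol 47) as well as TCP 1723, since the tunnel does not come up with the control port alone.

```shell
#!/bin/sh
# Added example, not from the thread: print an iptables-restore ruleset for a
# "SIP/RTP from the internet, everything else over the VPN" PBX host.
# All interface names and port ranges below are assumptions (see the lead-in).

WAN_IF="${WAN_IF:-eth0}"            # internet-facing interface (assumed)
VPN_IF="${VPN_IF:-ppp+}"            # pptpd creates ppp0, ppp1, ... (assumed)
SIP_UDP="${SIP_UDP:-5000:5082}"     # SIP range as listed in the post
RTP_UDP="${RTP_UDP:-10000:20000}"   # RTP media range as listed in the post
MGMT_TCP="${MGMT_TCP:-22,80,443}"   # SSH and the web GUI, VPN-only (assumed)

gen_input_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and packets belonging to connections this host already tracks.
# Conntrack also flags ICMP errors (types 3, 4, 11, 12) and UDP replies such
# as DNS answers as RELATED/ESTABLISHED, so they need no separate rules.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that match no tracked connection (stray ACKs, ACK scans) are dropped
# here instead of being accepted by a "TCP flags ACK" rule.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# VoIP: SIP signalling and the RTP media range, from the internet.
-A INPUT -i ${WAN_IF} -p udp --dport ${SIP_UDP} -j ACCEPT
-A INPUT -i ${WAN_IF} -p udp --dport ${RTP_UDP} -j ACCEPT
# PPTP: the TCP control channel plus GRE (protocol 47) for the tunnel itself.
-A INPUT -i ${WAN_IF} -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${WAN_IF} -p gre -j ACCEPT
# Management only from inside the VPN tunnel.
-A INPUT -i ${VPN_IF} -p tcp -m multiport --dports ${MGMT_TCP} -j ACCEPT
# Answer pings, rate-limited; every other ICMP type is either RELATED (above)
# or falls through to the DROP policy.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
COMMIT
EOF
}

# Count the rules that admit NEW traffic from the WAN interface; this is the
# externally reachable surface and should stay as short as the policy allows.
wan_open_rule_count() {
    gen_input_rules | grep -c -- "-i ${WAN_IF} .* -j ACCEPT"
}

gen_input_rules
```

Review the output, then load it with `gen_input_rules | iptables-restore` (use `iptables-restore --test` first to have it parsed without committing). One caveat on the svmap result: the firewall cannot hide the `FPBX-...` User-Agent string, because 5060 has to stay open for the phones and the scanner simply sends a SIP OPTIONS request to it; that string is set by Asterisk's `useragent` option in the `[general]` section of sip.conf, so changing the banner is a PBX-side change, and fail2ban-ASTERISK is what limits how often a scanner can probe it.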
 
