[Asterisk-Users] re: asterisk and iptables
Kristian Kielhofner
kris at krisk.org
Wed Mar 15 16:31:38 MST 2006
steve wrote:
> looks like your nmap only scanned for tcp connections. Try the -u switch.
> netstat shows that udp 5060 is accepting connections.
> Your iptables ruleset gives me a headache to look at and is quite
> redundant. Wouldn't it be better to just disallow all packets at the
> beginning and
> then open the ports tht you want. I noticed you started to do this and
> then repeated it again later in the ruleset, i.e.
>
> /sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
> /sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP
>
> /sbin/iptables -A INPUT -p udp --dport 137 -j DROP
> /sbin/iptables -A INPUT -p udp --dport 138 -j DROP
> /sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
> /sbin/iptables -A INPUT -p tcp --dport 445 -j DROP
>
> /sbin/iptables -A INPUT -p udp --dport 1194 -j DROP
>
> also it would be much easier to allow your localhost to have access
> regardless at the beginning of the ruleset,
> thus having to avoid adding these rules.
>
> /sbin/iptables -A INPUT -p tcp --dport 5432 -s 127.0.0.1 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP
>
> or
>
> /sbin/iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP
>
> or
>
> /sbin/iptables -A INPUT -p tcp --dport 106 -s 127.0.0.1 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 106 -j DROP
>
> I'll have to give you an "A" for effort thought. In the world of
> netfilter less is more and to be honest it probably
> took me close to six months before I was able to really understand what
> was happening. Obviously you are one of those hardheads like I am and
> prefer the 'do-it-yourself' method. I've never been fond of GUI-based
> firewall programs so
> may I recomend that you give the firewall script generator called
> 'quicktables' a try. Its available at http://qtables.radom.org/ I've
> been using it for years and it should do just what you need.
>
> Regards,
> Steve Cayona
>
> p.s. whay are you wanting to mangle packets?
The best iptables rulesets go like this:
1) Accept traffic on your "trusted" interfaces (one could argue there is
no such thing)
2) Accept traffic that matches an existing state
3) Accept traffic per your requirements
4) Deny EVERYTHING
The astfw script is a good example:
http://www.krisk.org/files/astlinux-i586/usr/sbin/astfw
--
Kristian Kielhofner
More information about the asterisk-users
mailing list