Asterisk security


Asterisk security

Post by kimpak » Thu Apr 11, 2019 7:45 pm

Hello,

After blocking their IPs, and others, my CLI is flooded by this warning, so I can't debug or see the log in the CLI normally, because this warning comes every millisecond.

[2019-04-12 03:40:14] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x39b9590 (len 560) to 102.165.52.231:65045 returned -1: Operation not permitted
[2019-04-12 03:40:14] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x3989d90 (len 610) to 212.83.140.139:26463 returned -1: Operation not permitted
[2019-04-12 03:40:14] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x3989d90 (len 610) to 212.83.140.139:26442 returned -1: Operation not permitted
[2019-04-12 03:40:14] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x39b9590 (len 560) to 102.165.52.231:65045 returned -1: Operation not permitted
[2019-04-12 03:40:14] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x3989d90 (len 610) to 212.83.140.139:26472 returned -1: Operation not permitted
[2019-04-12 03:40:15] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x3989d90 (len 610) to 212.83.140.139:26701 returned -1: Operation not permitted
[2019-04-12 03:40:15] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x3904610 (len 563) to 102.165.52.231:54135 returned -1: Operation not permitted
[2019-04-12 03:40:15] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x39b9590 (len 560) to 102.165.52.231:65045 returned -1: Operation not permitted
[2019-04-12 03:40:16] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x3989d90 (len 606) to 212.83.140.139:26656 returned -1: Operation not permitted
[2019-04-12 03:40:16] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x390f470 (len 610) to 212.83.140.139:26455 returned -1: Operation not permitted
[2019-04-12 03:40:17] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x39b9590 (len 560) to 102.165.52.231:65045 returned -1: Operation not permitted
[2019-04-12 03:40:17] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x39b9b40 (len 610) to 212.83.140.139:26676 returned -1: Operation not permitted
[2019-04-12 03:40:18] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x390f470 (len 610) to 212.83.140.139:26463 returned -1: Operation not permitted
[2019-04-12 03:40:18] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x39b9b40 (len 610) to 212.83.140.139:26442 returned -1: Operation not permitted
[2019-04-12 03:40:19] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x390f470 (len 610) to 212.83.140.139:26472 returned -1: Operation not permitted

What can I do about this?

Thanks
kimpak
 
Posts: 5
Joined: Sun Apr 07, 2019 6:03 pm
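The warning flood above has a structure worth reading before touching the firewall: every line names the peer Asterisk is trying to answer, the port it is sending to, and the strerror() text from sendto(). "Operation not permitted" is EPERM, which the kernel returns when a netfilter OUTPUT rule drops a locally generated packet, so Asterisk has already accepted the inbound request and is retransmitting a reply the firewall refuses to let out. The script below is an added example, not part of the post or of Asterisk: it parses that format, aggregates per peer, maps the errno text to a cause, and emits stopgap `iptables -I INPUT 1` blocks (a hypothetical emergency measure, inserted at the top of INPUT so nothing earlier can ACCEPT the peer). The log lines inside it are constructed on the pattern of the post, with TEST-NET addresses.

```python
"""Triage a flood of chan_sip __sip_xmit warnings by peer and errno.

Added example, not part of the original post or of Asterisk. SAMPLE_LOG is
constructed on the pattern of the posted lines, using TEST-NET addresses.
"""
import re
from collections import Counter, defaultdict

# The warning format printed by chan_sip.c in Asterisk 1.8, as shown in the post.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WARNING\[\d+\]: chan_sip\.c:\d+ __sip_xmit: "
    r"sip_xmit of 0x[0-9a-fA-F]+ \(len (?P<len>\d+)\) to "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) returned -1: (?P<err>.+)$"
)

# strerror() texts that sendto() hands back, and what each means for a SIP server.
ERRNO_HINTS = {
    "Operation not permitted":
        "EPERM: a netfilter OUTPUT rule dropped the outbound datagram. Asterisk already "
        "accepted the inbound request and keeps retransmitting its reply; block the peer "
        "in INPUT, before Asterisk ever sees the request.",
    "Network is unreachable":
        "ENETUNREACH: no route to the peer; look at routing, not at the firewall.",
}

# Constructed sample: two scanners, one unrelated line that must be ignored.
SAMPLE_LOG = """\
[2019-04-12 03:40:14] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x39b9590 (len 560) to 203.0.113.10:65045 returned -1: Operation not permitted
[2019-04-12 03:40:14] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x3989d90 (len 610) to 198.51.100.77:26463 returned -1: Operation not permitted
[2019-04-12 03:40:14] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x3989d90 (len 610) to 198.51.100.77:26442 returned -1: Operation not permitted
[2019-04-12 03:40:15] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x39b9590 (len 560) to 203.0.113.10:65045 returned -1: Operation not permitted
[2019-04-12 03:40:15] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x3904610 (len 563) to 203.0.113.10:54135 returned -1: Operation not permitted
[2019-04-12 03:40:16] WARNING[3306]: chan_sip.c:3714 __sip_xmit: sip_xmit of 0x3989d90 (len 606) to 198.51.100.77:26656 returned -1: Network is unreachable
[2019-04-12 03:40:16] NOTICE[3306]: chan_sip.c:3714 some unrelated notice that the parser must skip
"""


def parse_warnings(lines):
    """Yield one dict per __sip_xmit warning; lines in any other format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["len"], rec["port"] = int(rec["len"]), int(rec["port"])
            yield rec


def summarize(lines):
    """Per-peer view: volume, source-port spread (scanners use many), errno mix, peak rate."""
    peers = defaultdict(lambda: {"count": 0, "ports": set(), "errors": Counter(), "per_sec": Counter()})
    for rec in parse_warnings(lines):
        p = peers[rec["ip"]]
        p["count"] += 1
        p["ports"].add(rec["port"])
        p["errors"][rec["err"]] += 1
        p["per_sec"][rec["ts"]] += 1          # timestamps carry one-second resolution
    return {
        ip: {
            "count": p["count"],
            "distinct_ports": len(p["ports"]),
            "errors": dict(p["errors"]),
            "top_error": p["errors"].most_common(1)[0][0],
            "peak_per_sec": max(p["per_sec"].values()),
        }
        for ip, p in peers.items()
    }


def diagnose(summary):
    """Map each peer's dominant errno text to an actionable cause."""
    return {ip: ERRNO_HINTS.get(s["top_error"], "unrecognised errno text: " + s["top_error"])
            for ip, s in summary.items()}


def stopgap_rules(summary):
    """Emergency blocks at position 1 of INPUT, so no earlier ACCEPT can let the peer through."""
    return [f"iptables -I INPUT 1 -s {ip} -j DROP" for ip in sorted(summary)]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for ip, s in summary.items():
        print(f"{ip}: {s['count']} warnings, {s['distinct_ports']} ports, "
              f"peak {s['peak_per_sec']}/s, top: {s['top_error']}")
        print("   ", diagnose(summary)[ip])
    print("\n".join(stopgap_rules(summary)))
```

On a live box the same functions run over the real log (`summarize(open("/var/log/asterisk/messages").readlines())`, the default Asterisk messages log; adjust the path to your logger.conf). The per-peer port spread is the tell: one legitimate peer retransmitting uses one source port, a scanner walks through many.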

Re: Asterisk security

Post by williamconley » Thu Apr 11, 2019 8:21 pm

1) Welcome to the Party! 8-)

2) As you are obviously new here, I have some suggestions to help us all help you:

When you post, please post your entire configuration including (but not limited to) your installation method (7.X.X?) and vicidial version with build (VERSION: 2.X-XXXx ... BUILD: #####-####).

This IS a requirement for posting along with reading the stickies (at the top of each forum) and the manager's manual (available on EFLO.net, both free and paid versions)

You should also post: Asterisk version, telephony hardware (model number is helpful here), cluster information if you have one, and whether any other software is installed in the box. If your installation method is "manual/from scratch" you must post your operating system with version (and the .iso version from which you installed your original operating system) plus a link to the installation instructions you used. If your installation is "Hosted" list the site name of the host.

If this is a "Cloud" or "Virtual" server, please note the technology involved along with the version of that technology (ie: VMware Server Version 2.0.2). If it is not, merely stating the Motherboard model # and CPU would be helpful.

Similar to This:

Vicibox X.X from .iso | Vicidial X.X.X-XXX Build XXXXXX-XXXX | Asterisk X.X.X | Single Server | No Digium/Sangoma Hardware | No Extra Software After Installation | Intel DG35EC | Core2Quad Q6600

3) Whitelist lockdown your server. That's not "block IPs"; that's block ALL IPs and then unblock only the carrier's IP addresses and anyone else who needs to access the system. Then reboot if some have already made connections (a proper firewall will leave anyone who has already connected without bothering to check them again ... so if you block someone after they have a connection you haven't really blocked them completely).

4) Dynamic Good Guys is a free whitelisting configuration. It also has instructions for full whitelist before installing (DGG itself is merely a web page that can make it easy to whitelist new IPs).

5) Later Vicibox (8.1.2 for instance) has a new firewall management system which can be whitelisted as well, read the instructions.

6) If you want to block individual IPs or ranges: You have to block them at the beginning of the INPUT chain to be certain they are blocked and can not get a packet through to Asterisk unless you are using the new built-in firewall or DGG. Any other location than the top of the INPUT chain requires reading the path all the way to your block point to be sure you aren't accidentally allowing some traffic from that IP (like specific open ports or port ranges or protocols or conditions).

Happy Hunting! 8-)
Vicidial Installation and Repair, plus Hosting and Colocation
SugarCRM integration - Customization and Add-ons - We Bring It All Together.
http://www.PoundTeam.com # 352-269-0000 # +44 (203) 769-2294 # +506 4001-8914
williamconley
 
Posts: 18305
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Asterisk security

Post by kimpak » Thu Apr 11, 2019 10:06 pm

Sorry, this is my configuration:
GoAutoDial: 3.3-1406088000
Vicidial: VERSION: 2.9-441a BUILD: 140612-1628
Asterisk: 1.8.23.0-1_centos5.go
Dell 850, Core2duo
kimpak
 
Posts: 5
Joined: Sun Apr 07, 2019 6:03 pm

Re: Asterisk security

Post by kimpak » Thu Apr 11, 2019 10:10 pm

This is my iptables; I think I already added INPUT DROP at the beginning:
# Generated by iptables-save v1.3.5 on Fri Apr 12 05:39:30 2019
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24845:10318165]
:RH-Firewall-1-INPUT - [0:0]
:fail2ban-ASTERISK - [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -j fail2ban-ASTERISK
-A INPUT -s 212.83.140.139 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 212.83.140.139 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 77.247.109.142 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 77.247.109.142 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 102.165.52.231 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 102.165.52.231 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 195.154.194.32 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 195.154.194.32 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 89.187.178.140 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 89.187.178.140 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 185.53.88.158 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 185.53.88.158 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 139.99.119.241 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 139.99.119.241 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 139.99.199.241 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 139.99.199.241 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -j fail2ban-ASTERISK
-A INPUT -s 185.53.88.155 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 185.53.88.155 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 77.247.109.225 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 77.247.109.225 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 5.11.46.238 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 5.11.46.238 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 46.166.151.152 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 46.166.151.152 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 77.247.109.210 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 77.247.109.210 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -j fail2ban-ASTERISK
-A INPUT -s 46.166.151.152 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 46.166.151.152 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 194.63.140.172 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 194.63.140.172 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 185.40.4.23 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 185.40.4.23 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 212.60.5.5 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 212.60.5.5 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 188.161.67.73 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 188.161.67.73 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 83.244.49.245 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 83.244.49.245 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 77.247.109.92 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 77.247.109.92 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 77.247.109.56 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 77.247.109.56 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 77.247.109.72 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 77.247.109.72 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 82.205.0.111 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 82.205.0.111 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 185.53.88.2 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 185.53.88.2 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 77.247.109.115 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 77.247.109.115 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 37.8.80.178 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 37.8.80.178 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 46.166.151.152 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 46.166.151.152 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 185.40.4.23 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 185.40.4.23 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 83.244.49.245 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 83.244.49.245 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 77.247.109.92 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 77.247.109.92 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 82.205.0.111 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 82.205.0.111 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 185.53.88.2 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 185.53.88.2 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 77.247.109.115 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 77.247.109.115 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 163.172.224.41 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 163.172.224.41 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 194.63.140.172 -p tcp -m tcp --sport 10:60000 -j DROP
-A INPUT -s 212.60.5.5 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 212.60.5.5 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 194.63.140.172 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 194.63.140.172 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 188.161.67.73 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 188.161.67.73 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 77.247.109.56 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 77.247.109.56 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 77.247.109.72 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 77.247.109.72 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 185.153.88.131 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 185.153.88.131 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 37.8.80.178 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 37.8.80.178 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -s 37.8.80.178 -p tcp -m tcp --sport 10000:20000 -j DROP
-A INPUT -s 37.8.80.178 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -j fail2ban-ASTERISK
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j fail2ban-ASTERISK
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 195.154.242.52 -j DROP
-A INPUT -s 37.8.80.178 -j DROP
-A INPUT -s 37.8.80.178 -j DROP
-A INPUT -s 37.8.80.178 -j DROP
-A INPUT -s 77.247.109.93 -j DROP
-A INPUT -s 37.8.80.178 -j DROP
-A INPUT -s 185.153.88.131 -j DROP
-A INPUT -s 77.247.109.72 -j DROP
-A INPUT -s 77.247.109.56 -j DROP
-A INPUT -s 188.161.67.73 -j DROP
-A INPUT -s 194.63.140.172 -j DROP
-A INPUT -s 212.60.5.5 -j DROP
-A INPUT -s 163.172.224.41 -j DROP
-A INPUT -s 77.247.109.115 -j DROP
-A INPUT -s 185.53.88.2 -j DROP
-A INPUT -s 82.205.0.111 -j DROP
-A INPUT -s 77.247.109.92 -j DROP
-A INPUT -s 83.244.49.245 -j DROP
-A INPUT -s 185.40.4.23 -j DROP
-A INPUT -s 46.166.151.152 -j DROP
-A INPUT -s 37.8.80.178 -j DROP
-A INPUT -s 77.247.109.115 -j DROP
-A INPUT -s 185.53.88.2 -j DROP
-A INPUT -s 82.205.0.111 -j DROP
-A INPUT -s 77.247.109.72 -j DROP
-A INPUT -s 77.247.109.56 -j DROP
-A INPUT -s 77.247.109.92 -j DROP
-A INPUT -s 83.244.49.245 -j DROP
-A INPUT -s 188.161.67.73 -j DROP
-A INPUT -s 212.60.5.5 -j DROP
-A INPUT -s 185.40.4.23 -j DROP
-A INPUT -s 194.63.140.172 -j DROP
-A INPUT -s 46.166.151.152 -j DROP
-A INPUT -s 77.247.109.210 -j DROP
-A INPUT -s 46.166.151.152 -j DROP
-A INPUT -s 5.11.46.238 -j DROP
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 5036 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 2727 -j ACCEPT
-A INPUT -s 77.247.109.225 -j DROP
-A INPUT -p udp -m udp --dport 5036 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 2727 -j ACCEPT
-A INPUT -s 185.53.88.155 -j DROP
-A INPUT -s 139.99.199.241 -j DROP
-A INPUT -s 139.99.119.241 -j DROP
-A INPUT -s 185.53.88.158 -j DROP
-A INPUT -s 89.187.178.140 -j DROP
-A INPUT -s 195.154.194.32 -j DROP
-A INPUT -s 102.165.52.231 -j DROP
-A INPUT -s 77.247.109.142 -j DROP
-A INPUT -s 212.83.140.139 -j DROP
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -d 195.154.242.52 -j DROP
-A OUTPUT -d 37.8.80.178 -j DROP
-A OUTPUT -d 37.8.80.178 -j DROP
-A OUTPUT -d 37.8.80.178 -j DROP
-A OUTPUT -d 77.247.109.93 -j DROP
-A OUTPUT -d 37.8.80.178 -j DROP
-A OUTPUT -d 185.153.88.131 -j DROP
-A OUTPUT -d 77.247.109.72 -j DROP
-A OUTPUT -d 77.247.109.56 -j DROP
-A OUTPUT -d 188.161.67.73 -j DROP
-A OUTPUT -d 194.63.140.172 -j DROP
-A OUTPUT -d 212.60.5.5 -j DROP
-A OUTPUT -d 163.172.224.41 -j DROP
-A OUTPUT -d 77.247.109.115 -j DROP
-A OUTPUT -d 185.53.88.2 -j DROP
-A OUTPUT -d 82.205.0.111 -j DROP
-A OUTPUT -d 77.247.109.92 -j DROP
-A OUTPUT -d 83.244.49.245 -j DROP
-A OUTPUT -d 185.40.4.23 -j DROP
-A OUTPUT -d 46.166.151.152 -j DROP
-A OUTPUT -d 37.8.80.178 -j DROP
-A OUTPUT -d 77.247.109.115 -j DROP
-A OUTPUT -d 185.53.88.2 -j DROP
-A OUTPUT -d 82.205.0.111 -j DROP
-A OUTPUT -d 77.247.109.72 -j DROP
-A OUTPUT -d 77.247.109.56 -j DROP
-A OUTPUT -d 77.247.109.92 -j DROP
-A OUTPUT -d 83.244.49.245 -j DROP
-A OUTPUT -d 188.161.67.73 -j DROP
-A OUTPUT -d 212.60.5.5 -j DROP
-A OUTPUT -d 185.40.4.23 -j DROP
-A OUTPUT -d 194.63.140.172 -j DROP
-A OUTPUT -d 46.166.151.152 -j DROP
-A OUTPUT -d 77.247.109.210 -j DROP
-A OUTPUT -d 46.166.151.152 -j DROP
-A OUTPUT -d 5.11.46.238 -j DROP
-A OUTPUT -d 77.247.109.225 -j DROP
-A OUTPUT -p udp -m udp --sport 4569 -j ACCEPT
-A OUTPUT -d 185.53.88.155 -j DROP
-A OUTPUT -d 139.99.199.241 -j DROP
-A OUTPUT -d 139.99.119.241 -j DROP
-A OUTPUT -d 185.53.88.158 -j DROP
-A OUTPUT -d 89.187.178.140 -j DROP
-A OUTPUT -d 195.154.194.32 -j DROP
-A OUTPUT -d 102.165.52.231 -j DROP
-A OUTPUT -d 77.247.109.142 -j DROP
-A OUTPUT -d 212.83.140.139 -j DROP
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 222 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 10000:65000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A fail2ban-ASTERISK -j RETURN
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Fri Apr 12 05:39:30 2019
kimpak
 
Posts: 5
Joined: Sun Apr 07, 2019 6:03 pm

Re: Asterisk security

Post by williamconley » Thu Apr 11, 2019 10:20 pm

1) Input drop "at the beginning" doesn't do anything. It's a default action taken if the packet gets to the end of the chain without jumping.

2) You have several accepts based on things other than IP address. Like ports 80 and 22. Bad idea.

3) Please do not post that much detail. You could have listed two or three of each type instead of a 200-line book.

4) The ENTIRE point of whitelisting is that ONLY the approved IPs would be listed. That completely removes the need to list any DROP IPs or ranges. Much shorter list. And it's actually secure.

5) Try something more like this:
Code:
# Generated by iptables-save v1.4.8 on Thu Apr 11 23:15:11 2019
*raw
:PREROUTING ACCEPT [600991:223126214]
:OUTPUT ACCEPT [510332:57259203]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Thu Apr 11 23:15:11 2019
# Generated by iptables-save v1.4.8 on Thu Apr 11 23:15:11 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:80]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -s 71.122.99.99/32 -j ACCEPT
-A INPUT -s 71.122.99.155/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -j input_ext
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -m recent --rcheck --name GOOD --rsource -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Apr 11 23:15:11 2019


in this example, eth0 is a local subnet (unprotected) and eth1 is a public network (protected). There's also a GOOD option used by DGG, but you need to check for use of the "recent" module in iptables to understand it.

All your Trusted IP addresses go right at the top of the INPUT chain (two left as placeholders to demonstrate). This configuration allows the server to reach out (and get responses such as DNS) without being impeded, but nobody can reach IN unless their IP is authorized.

8-)
williamconley
 
Posts: 18305
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
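The quickest way to see why the posted rules do not stop the flood, and why the suggested layout does, is to walk the INPUT chain for one scanner packet exactly as netfilter does. Three things fall out: the per-IP DROPs in the posted dump are TCP-only and keyed on the attacker's source port, while SIP scanners send UDP from arbitrary source ports (the warnings show 65045, 26463, ...); the jump into RH-Firewall-1-INPUT ACCEPTs UDP 5060 from anyone and ends in REJECT, so every `-s ... -j DROP` appended after that jump is never reached; and the `OUTPUT -d ... -j DROP` rules then refuse Asterisk's reply, which is the EPERM ("Operation not permitted") in the warnings. The evaluator below is an added example, not code from the post, ViciDial or DGG: it parses iptables-save text for the handful of matches used in this thread (-s/-d with optional CIDR, -p, -i/-o, --sport/--dport, --state, -j to ACCEPT/DROP/REJECT/RETURN or a user chain, chain policies), raises on anything else rather than silently ignoring a match, and walks chains with policy and RETURN semantics. POSTED_STYLE and WHITELIST are constructed, cut-down rulesets with TEST-NET addresses that keep the shape of the posted dump and of the suggested lockdown.

```python
"""Walk an iptables-save *filter ruleset for one packet the way netfilter does.
Added example, not code from the post or from ViciDial/DGG; rulesets and addresses are constructed."""
import ipaddress
import shlex
from collections import namedtuple

# proto: "tcp" | "udp" | "icmp"; state: conntrack view (NEW | ESTABLISHED | RELATED);
# iface: interface the packet enters (INPUT) or leaves (OUTPUT).
Packet = namedtuple("Packet", "src dst proto sport dport state iface", defaults=(0, 0, "NEW", "eth1"))


def _ports(spec):        # "5060" -> (5060, 5060); "10000:20000" -> (10000, 20000)
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_ruleset(text):
    """Return (policies, chains): name -> policy ("-" for user chains), name -> [rule dict]."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line[0] == ":":                                  # ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            raise ValueError("only -A rules are supported: " + line)
        rule, i = {}, 2
        while i < len(toks):
            opt, arg = toks[i], toks[i + 1]
            if opt in ("-s", "-d"):
                rule[opt] = ipaddress.ip_network(arg, strict=False)   # bare IP -> /32
            elif opt in ("-p", "-i", "-o", "-j"):
                rule[opt] = arg
            elif opt in ("--sport", "--dport"):
                rule[opt] = _ports(arg)
            elif opt == "--state":
                rule[opt] = set(arg.split(","))
            elif opt not in ("-m", "--reject-with"):        # those two carry no match semantics
                raise ValueError(f"unsupported option {opt} in: {line}")   # never skip a match silently
            i += 2
        chains.setdefault(toks[1], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    """Every option present on the rule must match; an absent option matches anything."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    checks = {"-s": lambda v: src in v, "-d": lambda v: dst in v, "-p": lambda v: v == pkt.proto,
              "-i": lambda v: v == pkt.iface, "-o": lambda v: v == pkt.iface,
              "--sport": lambda v: v[0] <= pkt.sport <= v[1],
              "--dport": lambda v: v[0] <= pkt.dport <= v[1], "--state": lambda v: pkt.state in v}
    return all(checks[opt](val) for opt, val in rule.items() if opt != "-j")


def evaluate(policies, chains, chain, pkt, trace=None):
    """First terminating target wins; a user chain with no verdict RETURNs to its caller and a
    built-in chain reaches its policy only at its very end. trace collects the rules that fired."""
    for idx, rule in enumerate(chains.get(chain, [])):
        if not matches(rule, pkt):
            continue
        target = rule.get("-j")
        if trace is not None:
            trace.append(f"{chain}[{idx}] -> {target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target in chains:                                # user chain: carry on if it RETURNs
            verdict = evaluate(policies, chains, target, pkt, trace)
            if verdict != "RETURN":
                return verdict
            continue
        raise ValueError(f"unsupported target {target}")
    policy = policies.get(chain, "-")                       # "-" on user chains: back to the caller
    if trace is not None and policy != "-":
        trace.append(f"{chain} policy -> {policy}")
    return "RETURN" if policy == "-" else policy


# Constructed: TCP source-port DROP, SSH ACCEPT for anyone, jump into RH-Firewall-1-INPUT that
# ACCEPTs UDP 5060 from anyone and REJECTs at its end, per-IP DROP after the jump, OUTPUT DROP.
POSTED_STYLE = """
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s 203.0.113.10 -p tcp -m tcp --sport 5060 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -s 203.0.113.10 -j DROP
-A OUTPUT -d 203.0.113.10 -j DROP
-A RH-Firewall-1-INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed lockdown: trusted IPs first, then lo and ESTABLISHED, then DROP everything else.
WHITELIST = """
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.50/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
"""
SCANNER = Packet("203.0.113.10", "198.51.100.5", "udp", sport=65045, dport=5060)  # inbound INVITE
REPLY = Packet("198.51.100.5", "203.0.113.10", "udp", sport=5060, dport=65045, state="ESTABLISHED")

if __name__ == "__main__":
    for name, text in (("posted-style", POSTED_STYLE), ("whitelist", WHITELIST)):
        policies, chains = parse_ruleset(text)
        for chain, pkt in (("INPUT", SCANNER), ("OUTPUT", REPLY)):
            trace = []
            print(f"{name:13}{chain:7}{evaluate(policies, chains, chain, pkt, trace):7}", " ; ".join(trace))
```

Against POSTED_STYLE the scanner's UDP INVITE is ACCEPTed inside RH-Firewall-1-INPUT and the reply is DROPped in OUTPUT, which is the retransmit-and-EPERM loop in the log; against WHITELIST the same packet hits the final DROP and the reply never exists. Feed the evaluator your real `iptables-save` output and it will raise on matches it does not model (`-m recent`, `-m limit`, `LOG`), which is deliberate: extend it per match rather than let an unmodelled rule silently pass.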

