Hi Everyone... I have a new PBXIAF setup that I'm trying to get secure. I used Firewall Builder to get what I think is a decent configuration, but I'm having a tad bit of trouble with one set of rules. The firewall is exposed directly to the internet and the same box hosts our Asterisk server that runs TFTP and DHCP. I'm restricting the firewall inbound to specific IP addresses, namely my SIP trunk provider and my offices. All traffic from the firewall (Asterisk) and any connection on the protected side of the firewall should be allowed in both directions. The Firewall Builder rules I created worked to allow traffic in/out from the WAN to the FW, and from the FW to the WAN; however, everything on the LAN side was blocked both to the firewall and the WAN. I had to change RULE_6 to Allow instead of Drop. I was hoping someone can help me clean this up to accomplish what I want.

I was also hoping someone can provide some guidance on leaving the RTP ports UDP 10000:20000 open to all IPs on the WAN. What type of security issue will this raise? Should I install Fail2Ban in this setup? The only issue I have with Fail2Ban was that it blocked my access from the LAN within 15 seconds of it coming online. Thanks for all your help on this.
Max

# Generated by iptables-save v1.3.5 on Thu Jan 20 00:00:16 2011
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:RULE_6 - [0:0]
:RULE_1 - [0:0]
:Cid3823X8440.0 - [0:0]
:RULE_8 - [0:0]
:FORWARD DROP [0:0]
:In_RULE_0 - [0:0]
:Cid3823X8440.1 - [0:0]
:RULE_2 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.10.2 -i eth0 -j In_RULE_0
-A INPUT -s 64.xx.xx.105 -i eth0 -j In_RULE_0
-A INPUT -s 10.10.10.0/255.255.255.0 -i eth0 -j In_RULE_0
-A INPUT -m state -s 10.10.10.2 --state NEW -j RULE_1
-A INPUT -m state -s 64.xx.xx.105 --state NEW -j RULE_1
-A INPUT -m state -s 64.xx.xx.219 --state NEW -j RULE_2
-A INPUT -m state -s 67.xxx.xx.39 --state NEW -j RULE_2
-A INPUT -m state -s 72.xx.xx.82 --state NEW -j RULE_2
-A INPUT -m state -s 72.xx.xx.83 --state NEW -j RULE_2
-A INPUT -m state -s 72.xx.xx.84 --state NEW -j RULE_2
-A INPUT -m state -s 72.xx.xx.85 --state NEW -j RULE_2
-A INPUT -m state -s 204.xx.xxx.47 --state NEW -j RULE_2
-A INPUT -m state -s 208.xx.xxx.47 --state NEW -j RULE_2
-A INPUT -m state -s 208.xxx.xxx.161 --state NEW -j RULE_2
-A INPUT -m state -s 208.xxx.xxx.162 --state NEW -j RULE_2
-A INPUT -m state -s 208.xxx.xxx.163 --state NEW -j RULE_2
-A INPUT -m state -s 208.xxx.xx.10 --state NEW -j RULE_2
-A INPUT -m state -i lo --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state -s 10.10.10.0/255.255.255.0 --dport 22 --state NEW -j ACCEPT
-A INPUT -p udp -m udp -m state -s 10.10.10.0/255.255.255.0 --dport 69 --state NEW -j ACCEPT
-A INPUT -p udp -m udp -m multiport -m state --state NEW -j Cid3823X8440.0 --dports 68,67
-A INPUT -p udp -m udp -m multiport -m state -d 255.255.255.255 --state NEW -j Cid3823X8440.1 --dports 68,67
-A INPUT -j RULE_6
-A INPUT -m state -s 10.10.10.0/255.255.255.0 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m udp -i eth0 --sport 10000:20000 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.10.2 -i eth0 -j In_RULE_0
-A FORWARD -s 64.xx.xx.105 -i eth0 -j In_RULE_0
-A FORWARD -s 10.10.10.0/255.255.255.0 -i eth0 -j In_RULE_0
-A FORWARD -m state -s 10.10.10.0/255.255.255.0 --state NEW -j ACCEPT
-A FORWARD -j RULE_8
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW -j RULE_1
-A OUTPUT -m state -o lo --state NEW -j ACCEPT
-A OUTPUT -d 10.10.10.2 -j RULE_6
-A OUTPUT -d 64.xx.xx.105 -j RULE_6
-A OUTPUT -m state -s 10.10.10.0/255.255.255.0 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j RULE_8
-A Cid3823X8440.0 -s 0.0.0.0 -j ACCEPT
-A Cid3823X8440.0 -s 10.10.10.0/255.255.255.0 -j ACCEPT
-A Cid3823X8440.1 -s 0.0.0.0 -j ACCEPT
-A Cid3823X8440.1 -s 10.10.10.0/255.255.255.0 -j ACCEPT
-A In_RULE_0 -j LOG --log-prefix "RULE 0 -- DENY " --log-level 6
-A In_RULE_0 -j DROP
-A RULE_1 -j LOG --log-prefix "RULE 1 -- ACCEPT " --log-level 6
-A RULE_1 -j ACCEPT
-A RULE_2 -j LOG --log-prefix "RULE 2 -- ACCEPT " --log-level 6
-A RULE_2 -j ACCEPT
-A RULE_6 -j LOG --log-prefix "RULE 6 -- DENY " --log-level 6
-A RULE_6 -j ACCEPT
-A RULE_8 -j LOG --log-prefix "RULE 8 -- DENY " --log-level 6
-A RULE_8 -j DROP
-A INPUT -j RULE_8
COMMIT
# Completed on Thu Jan 20 00:00:16 2011
# Generated by iptables-save v1.3.5 on Thu Jan 20 00:00:16 2011
*mangle
:PREROUTING ACCEPT [4084:871026]
:INPUT ACCEPT [3282:364086]
:FORWARD ACCEPT [802:506940]
:OUTPUT ACCEPT [3182:440072]
:POSTROUTING ACCEPT [3978:946060]
COMMIT
# Completed on Thu Jan 20 00:00:16 2011
# Generated by iptables-save v1.3.5 on Thu Jan 20 00:00:16 2011
*nat
:PREROUTING ACCEPT [27:1668]
:POSTROUTING ACCEPT [148:9568]
:OUTPUT ACCEPT [148:9568]
-A POSTROUTING -s 10.10.10.0/255.255.255.0 -o eth0 -j SNAT --to-source 64.xx.xx.105
COMMIT
# Completed on Thu Jan 20 00:00:16 2011