Securing Vicibox Cluster
Posted:
Mon Nov 12, 2012 5:15 pm
by ryano
VERSION: 2.6-380a
BUILD: 121029-0109
I am new to Vicibox. I just installed the OS on two machines, one with MySQL, Apache and archive and the other just a telephony server. I used the preloaded 64-bit OS. I plan on building a second telephony server, but I want to secure the first two before I move on. I would like to only allow certain IP addresses into our machines. I entered the following commands: "iptables -A INPUT -s 192.168.0.4 -j ACCEPT", "iptables -A INPUT -s 192.168.0.5 -j ACCEPT", "iptables -A INPUT -s 10.10.20.0/255.255.255.0 -j ACCEPT" and "iptables -P INPUT DROP". I don't have too much experience working with iptables. I know I am doing something wrong; I just don't know what it is.
Re: Securing Vicibox Cluster
Posted:
Mon Nov 12, 2012 7:32 pm
by williamconley
yast firewall
allowed services: remove all of them
allowed services ADVANCED: remove all of them
custom rules: add your "allowed ips" here as both TCP and UDP (two for each IP address).
Note: you can also add IP Ranges (so for instance if your local network is 192.168.0.X you could use 192.168.0.0/24 instead of just an IP and it would allow the entire subnet).
It is also a good idea to use two network cards: one for the internal network and one for the external network. Then:
yast firewall => Interfaces
Assign the Internet one to "external" and the local one to "internal", and avoid checking "Protect firewall from internal zone". This will speed up local operations on the local internet, which is then assumed to have only safe traffic on it.
Please post your installer with version (usually the name of the iso from which you installed will provide this, and it is also generally in the welcome splash for ssh).
Any iptables entries at the command line will be forgotten upon reboot.
We also recommend you turn off ping and anything else that appears with a port scan of your system.
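As an added example (not from this thread, and not ViciBox's own tooling), the following POSIX shell script builds the source allow-list the reply describes, in iptables-restore format so it can be reloaded at boot instead of being lost like the ad-hoc commands in the first post. It also adds the two rules those commands were missing, loopback and ESTABLISHED/RELATED, without which a DROP policy cuts off the server's own outbound sessions; if you manage the firewall through yast as advised above, treat this as a reference for what the custom rules should express. Function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the thread's own commands: emit an iptables-restore
# ruleset that accepts TCP and UDP only from an allow-list of sources and
# drops everything else (no ICMP rule, so ping is dropped too). Two rules
# the first post's commands lack are included: loopback, and replies to
# connections the server itself opens (without them a DROP policy breaks
# "zypper up" and the dialer's own MySQL client traffic).
# All function names are hypothetical.

# Convert a dotted netmask such as 255.255.255.0 into a prefix length (24).
mask_to_prefix() {
    bits=0
    for oct in $(echo "$1" | tr '.' ' '); do
        case $oct in
            255) bits=$((bits+8));; 254) bits=$((bits+7));; 252) bits=$((bits+6));;
            248) bits=$((bits+5));; 240) bits=$((bits+4));; 224) bits=$((bits+3));;
            192) bits=$((bits+2));; 128) bits=$((bits+1));; 0) ;;
            *) return 1;;
        esac
    done
    echo "$bits"
}

# Syntactic check only: a.b.c.d or a.b.c.d/nn with nn in 0..32.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Usage: build_allowlist_rules 192.168.0.4 192.168.0.5 10.10.20.0/255.255.255.0
# Output is meant for: iptables-restore < rules.v4  (plus a boot-time reload).
build_allowlist_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for src in "$@"; do
        case $src in
            */*.*) pfx=$(mask_to_prefix "${src#*/}") || { echo "bad mask: $src" >&2; return 1; }
                   src="${src%/*}/$pfx" ;;
        esac
        valid_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
        # One rule each for TCP and UDP, as the reply above recommends.
        printf '%s\n' "-A INPUT -s $src -p tcp -j ACCEPT" "-A INPUT -s $src -p udp -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}
```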
Re: Securing Vicibox Cluster
Posted:
Thu Nov 15, 2012 9:44 am
by ryano
I installed the ViciBox.x86_64-4.0.1.iso. After I installed the OS I ran the commands "zypper refresh" and "zypper up". I removed all the services, advanced services, turned off ping and added our IP addresses under the custom rules. I'm not sure how to block or hide the ports. If I did the previous, would I have to worry about a port scan? My last question is: to utilize both dialers for dial balancing, I would have to make a phone 108a and 108b with the same login as 108x and same password. Then if dialer1 is not able to put up with the load, dialer2 can help? Is my understanding correct?
Re: Securing Vicibox Cluster
Posted:
Thu Nov 15, 2012 5:50 pm
by williamconley
When you removed the services and entries from advanced services, you were blocking the ports. Those entries represented ports being opened ... so removing them means they are no longer open.
If you are not sure about a port scan ... scan your system! Wireshark or any other generic port scanner (but don't use online services, as there is always the possibility that you've handed a hacker your IP address and permission to port scan your system ...).
Now for load balancing and your phone aliases ... you'll need to read the manual for phone alias creation and use and ask again. Better yet, test it and see. Tends to improve retention.