iptables


iptables

Postby mac123 » Tue Oct 15, 2013 4:09 am

Hi sir,

I have two NICs: one is for public, the other is for local. I want to prevent my Vicidial from being accessed from the public. Below is my iptables, but it's not working.


# Provider (xxx) to public IP (yyy), and the reply direction: allowed
iptables -A INPUT -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -j ACCEPT
iptables -A OUTPUT -s yyy.yyy.yyy.yyy -d xxx.xxx.xxx.xxx -j ACCEPT
# Anything at all addressed to the public IP: allowed
iptables -A INPUT -d yyy.yyy.yyy.yyy -j ACCEPT
# Everything else: also allowed, so no packet is ever dropped
iptables -A INPUT -j ACCEPT

x is for the VoIP provider
y is for the public IP

thank you :)


ViciBox Redux v.5.0.2-130821|Asterisk 1.8.23.0|vicidial VERSION: 2.8-415a|single server| no updates has been made
mac123
 
Posts: 31
Joined: Fri Feb 22, 2013 4:29 pm

Re: iptables

Postby retloc » Tue Oct 15, 2013 5:44 pm

I block everything, then allow certain IPs.

#CLEAR ALL IPTABLE RULES
iptables -F
iptables -X

# DROP ALL INCOMING TRAFFIC
iptables -P INPUT DROP

# DROP ALL FORWARDING TRAFFIC
iptables -P FORWARD DROP

# ALLOW OUTBOUND TRAFFIC
iptables -P OUTPUT ACCEPT

# ALLOW SYSTEM TRAFFIC
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ALLOW CERTAIN INBOUND TRAFFIC
iptables -A INPUT -s xxx.xxx.xxx.0/24 -j ACCEPT
iptables -A INPUT -s xxx.xxx.xxx.xxx -j ACCEPT
retloc
 
Posts: 46
Joined: Wed Jan 13, 2010 3:09 pm
Location: United States

Re: iptables

Postby mac123 » Tue Oct 15, 2013 7:21 pm

My server won't allow "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"; instead it uses conntrack --ctstate.

Re: iptables

Postby retloc » Tue Oct 15, 2013 7:58 pm

That should be fine.

Re: iptables

Postby mac123 » Thu Oct 17, 2013 10:39 am

Thanks, man :) But my problem now is that you need to flush the iptables first every time I reboot the server. I think this is an issue with SuSEfirewall2. I tried to put it in boot.local, but it's not working. Is there any way, and where should I put it, to run the script every time I reboot the server? Thanks, man... :)

Re: iptables

Postby retloc » Thu Oct 17, 2013 11:01 am

Yup. I have to do the same thing.

CREATE A FILE IN '/etc/init.d/' CALLED 'rclocal'

PASTE AND SAVE THE FOLLOWING INTO THE NEW FILE

-------------------------------------------------



#!/bin/sh
### BEGIN INIT INFO
# Provides: rc.local
# Required-Start: $network $syslog
# Required-Stop: $network $syslog
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: whatever
### END INIT INFO


#CLEAR ALL IPTABLE RULES
iptables -F
iptables -X

# DROP ALL INCOMING TRAFFIC
iptables -P INPUT DROP

# DROP ALL FORWARDING TRAFFIC
iptables -P FORWARD DROP

# ALLOW OUTBOUND TRAFFIC
iptables -P OUTPUT ACCEPT

# ALLOW SYSTEM TRAFFIC
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ALLOW CERTAIN INBOUND TRAFFIC
iptables -A INPUT -s xxx.xxx.xxx.0/24 -j ACCEPT
iptables -A INPUT -s xxx.xxx.xxx.xxx -j ACCEPT


-------------------------------------------------------


SSH INTO SERVER AND RUN THE FOLLOWING COMMANDS


cd /etc/init.d

chmod 755 /etc/init.d/rclocal

chkconfig --add rclocal


----------------------------------------
reboot system to save

Re: iptables

Postby mac123 » Thu Oct 17, 2013 8:12 pm

Thanks, man, but it's still the same.

Here's how I did it:

vi /etc/init.d/rclocal
then paste this code:
#!/bin/sh
### BEGIN INIT INFO
# Provides: rc.local
# Required-Start: $network $syslog
# Required-Stop: $network $syslog
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: whatever
### END INIT INFO


#CLEAR ALL IPTABLE RULES
iptables -F
iptables -X

# DROP ALL INCOMING TRAFFIC
iptables -P INPUT DROP

# DROP ALL FORWARDING TRAFFIC
iptables -P FORWARD DROP

# ALLOW OUTBOUND TRAFFIC
iptables -P OUTPUT ACCEPT

# ALLOW SYSTEM TRAFFIC
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# ALLOW CERTAIN INBOUND TRAFFIC
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A INPUT -s <voip ip> -j ACCEPT

cd /etc/init.d

chmod 755 /etc/init.d/rclocal

chkconfig --add rclocal

and followed your steps; it still can't load the script.

Re: iptables

Postby retloc » Thu Oct 17, 2013 8:23 pm

Remove the last 3 lines and run them. That should add the script to chkconfig at boot.


cd /etc/init.d

chmod 755 /etc/init.d/rclocal

chkconfig --add rclocal

Re: iptables

Postby mac123 » Fri Oct 18, 2013 11:39 am

Sorry, I over-quoted the script. Yes, my rclocal doesn't include the last 3 lines. I ran the script below:

cd /etc/init.d

chmod 755 /etc/init.d/rclocal

chkconfig --add rclocal



and I got this message:

Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.

rclocal 0:off 1:off 2:off 3:on 4:off 5:on 6:off


And it's still the same problem: after I reboot, I can still access my public IP.

Re: iptables

Postby mac123 » Tue Oct 22, 2013 10:26 am

Thanks for helping, man. Done by doing these steps:

edit the file below
/etc/sysconfig/SuSEfirewall2


find and Change

#FW_CUSTOMRULES=""
to this
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"


then edit the file below
/etc/sysconfig/scripts/SuSEfirewall2-custom


then find


fw_custom_before_port_handling() {
# these rules will be loaded after the anti-spoofing and icmp handling
# and after the input has been redirected to the input_XXX and
# forward_XXX chains and some basic chain-specific anti-circumvention
# rules have been set,
# but before any IP protocol or TCP/UDP port allow/protection rules
# will be set.
# You can use this hook to allow/deny certain IP protocols or TCP/UDP
# ports before the SuSEfirewall2 generated rules are hit.

# Flush and delete every chain in the filter table, including the ones
# SuSEfirewall2 has created up to this point
iptables -F
iptables -X

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Redundant with the -i lo rule above, but harmless
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A INPUT -s <voip ip> -j ACCEPT
true
}



then

reboot. Done :)
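Both persistence approaches in this thread (retloc's /etc/init.d/rclocal script and the FW_CUSTOMRULES hook that finally worked) apply rules one iptables call at a time, with a moment after `iptables -F` and `-P INPUT DROP` in which only the default policy is loaded. The script below is an added example, not code from the thread or from ViciBox or SuSEfirewall2. It renders the same default-deny design in iptables-restore format so the whole filter table is swapped in with one commit, binds the LAN range and the VoIP provider to the NIC they should arrive on (the first post's rules never looked at the interface), and includes a small lint check that refuses the catch-all `-A INPUT -j ACCEPT` from the first post. The interface names (eth0 public, eth1 LAN), the 192.168.0.0/16 LAN range and the 203.0.113.10 provider address are assumptions for illustration; override them through the environment. Wherever it is called from, it is still subject to the thread's finding that a firewall service starting later in boot replaces whatever a plain boot script set, which is why hooking into the firewall's own custom-rules file was what survived a reboot.

```shell
#!/bin/sh
# Added example, not code from the thread or from ViciBox/SuSEfirewall2.
# Renders a default-deny filter table for a two-NIC Vicidial host in
# iptables-restore format, so the whole table is swapped in atomically.
# Interface names, the LAN range and the provider address are ASSUMPTIONS;
# override them via the environment, e.g.  PUB_IF=eth2 VOIP_IP=198.51.100.7 ./fw.sh apply
set -u

PUB_IF="${PUB_IF:-eth0}"               # NIC carrying the public IP (the thread's yyy.yyy.yyy.yyy)
LAN_IF="${LAN_IF:-eth1}"               # NIC facing the agents' LAN
LAN_NET="${LAN_NET:-192.168.0.0/16}"   # LAN range allowed to reach Vicidial, as in the thread
VOIP_IP="${VOIP_IP:-203.0.113.10}"     # VoIP provider; 203.0.113.0/24 is an RFC 5737 documentation range

# Print the complete filter table. Order matters: conntrack and anti-spoof
# rules first, then the per-interface allows, then a rate-limited log line
# before the DROP policy catches everything else. '#' lines are ignored by
# iptables-restore.
render_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened (outbound SIP registration, updates)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# anti-spoof: LAN source addresses never legitimately arrive on the public NIC
-A INPUT -i $PUB_IF -s $LAN_NET -j DROP
# agents reach the web UI and SIP only through the LAN NIC
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# the provider is the only source admitted on the public NIC
-A INPUT -i $PUB_IF -s $VOIP_IP -j ACCEPT
# anything else on the public NIC is logged (rate-limited) and falls to the DROP policy
-A INPUT -i $PUB_IF -m limit --limit 5/min -j LOG --log-prefix "PUB-DROP: "
COMMIT
EOF
}

# Refuse a ruleset that repeats the first post's mistake (an unconditional
# ACCEPT on INPUT) or that does not end in a DROP policy.
lint_ruleset() {
  rules="$1"
  if printf '%s\n' "$rules" | grep -Eq '^-A INPUT -j ACCEPT$'; then
    echo "lint: unconditional '-A INPUT -j ACCEPT' leaves the public NIC wide open" >&2
    return 1
  fi
  if ! printf '%s\n' "$rules" | grep -q '^:INPUT DROP'; then
    echo "lint: INPUT policy is not DROP" >&2
    return 1
  fi
  return 0
}

# Load the table in one commit: no window between a flush and the
# RELATED,ESTABLISHED rule, and nothing changes if the ruleset fails to parse.
# Needs root; the nat and mangle tables are left untouched.
apply_ruleset() {
  rules="$(render_ruleset)"
  lint_ruleset "$rules" || return 1
  printf '%s\n' "$rules" | iptables-restore
}

case "${1:-}" in
  apply) apply_ruleset ;;
  *)     render_ruleset ;;   # default: print, e.g. to diff against iptables-save
esac
```

Run it with no argument to print the table and compare it against `iptables-save` after a reboot; that comparison is the quickest way to tell whether another service replaced the rules, which is what this thread ran into. Run it with `apply` as root to load the table. Because the VoIP and LAN allows carry `-i`, a request to the public IP from the LAN NIC or from anywhere but the provider hits the DROP policy, which is the behaviour the first post was after.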

