vicidial.org

[KeithHBW]

I have been reading up on iptables to secure our servers. However, I cant seem to find a walkthrough on what I would have to do to start from nothing.

First, is iptables enabled by default, regardless of installation method? I have a database server I had to build from the scratch install. If not, how would I make iptables start on boot up?

Second, I want to build a config file that starts before the NIC is configured. I read I need to put a file in /etc/init.d that opens a file. What would be the process for this?

Third, and lastly, I want to block all ip address for incoming and forwarding (I dont think I need to block outbound) and only allow communication with other known servers (ie dialer1, dialer2...etc). I will be editing this file externally via a website to add future white-listed computers.

Thanks in advanced for any help. I think I got the crontab stuff fixed from my last question (havent been able to test yet =/)
Keith

[williamconley]

you don't need to start from "nothing". start from standard Vicibox and then (via "yast firewall") turn OFF all the allowed services and open ports. then you have a "nobody allowed in" system and can add allowed ips under "custom" (tcp and udp for all agent ip locations, tcp only for admin screens, udp only for "just phones"). You do still have to turn off ping, though. It's in a config file but may also be configured somewhere in yast. Never looked for it (we just hit the config file directly).

I've posted a walk-through a couple times in the past on here. If you can't find it I can post it again. If, on the other hand, you are NOT using Vicibox ... I can post the iptables-save data which can be used as iptables-restore data on your system (but you'll have to modify it by hand to make it work unless you use something like Webmin to create the same system). I will say that the OpenSuSE invokation of iptables is quite clean and thought out. It allows for the server to "reach out" and anyone reponding gets through automatically. It also allows for "once authenticated, allow at full speed", which is nice.

We also usually add in the ability to have a "text file" for easy adding of new good ips with a script using any language that can put text in a file from the command line, so it's possible to store good ips in a table, for instance, and spill them into that "good" file each time a change is made.

[KeithHBW]

Thanks for your post william, I will look into your previous postings.

I did have to start from "scratch" in that i couldnt use the standard vicibox install because some of my server components were too new, so I had to use opensuse 12.1.

I would like to do the text file method. Basically I would just like to block all incoming traffic except for from designated IPs. I would like to do it this way incase we need to add IPs later. So basically, what I am researching is this: How do I make IP tables load this text file on startup. And what would that text file look like? For example:
# Drop all chains
iptables -F
# Set the default target to DROP of all chains involved here.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Always accept things going over the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Setup whitelist
iptables -A INPUT -j whitelist
iptables -A whitelist -s 192.168.0.0/24 -j ACCEPT

Any info would be greatly appreciated. Thanks william

[williamconley]

Full version for text installation. This will mimic the "fully-thought-out" OpenSuSE installation, but must be manually edited for addition of new whitelist IPs.

There are two classes of whitelist: "Allow all traffic" up near the top (simple accept from that IP) and "Allow TCP and/or UDP" near the bottom (total of four lines with logging and TCP/UDP allowed separately). Allow all traffic is meant for administration/management personnel via SSH (ie: the OFFICE where your manager will access the system from). TCP/UDP is meant for Web Browser/SIP Phone access (ie: Agents).

These categories stem from the control mechanism is OpenSuse (how easy it is to add someone to one or the other ... and how difficult it is to remove them as well!). Also of note is that Phones do not need TCP access and Web Browsers do not need UDP access. So a location that will only be accessing the real time screen does not need UDP access and a network with phones routed through it needs no TCP access.

There are obviously many more methods of determining who has access to which ports and when.

This method, however, also takes into account "reach out" requests and "already allowed before, so stop checking" connections. Kinda handy. Seems to work well even on very large systems.

Use this with "iptables-restore" or replace your existing iptables commit file with this one after editing the IP addresses accordingly.

Code: Select all

# Generated by iptables-save v1.4.8 on Tue Jul  3 17:20:37 2012
*raw
:PREROUTING ACCEPT [8046733:1548595422]
:OUTPUT ACCEPT [7610092:1472710042]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Tue Jul  3 17:20:37 2012
# Generated by iptables-save v1.4.8 on Tue Jul  3 17:20:37 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -s 108.108.108.109/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A INPUT -i eth1 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -m recent --rcheck --name GOOD --rsource -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 4 -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j DROP
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j DROP
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Tue Jul  3 17:20:37 2012


IF you are doing this remotely, you may want to change port 22 to ACCEPT until you've verified that you still have access on the other ports after enabling this firewall. That way you'll still have ssh access even if you have no other access so you can "fix it".
Notice there is also the option of dual network cards (eth0 and eth1 may be managed separately ...) to allow "full access, uninterrupted" on a local eth connection by changing the connection in question to "-j ACCEPT" just like "lo" already is.

[KeithHBW]

Thanks William, that is slightly harder to read/understand than I thought (ala my example =P). My question would be, what/where is my existing iptables commit file?

[williamconley]

Depends on your OS.

try this:

Code: Select all

cd /etc
grep PREROUTING * -R -n

That's why I like OpenSuSE (a la "Vicibox" ...), because it has a built-in mechanism for iptables that is flexible and secure when setting up a whitelist scenario. Thanks Kumba.

[KeithHBW]

I am using OpenSuSE 12.1

vpnc/vpnc-script:27:# * Linux: iptables -t mangle -I PREROUTING <conditions> -j ROUTE --oif $TUNDEV

Am I looking for a filename that that file is referencing? Or am I putting your code inside this file?

[williamconley]

if you are in opensuse, your system has yast. yast handles iptables quite well, but requires that you manually modify the configuration file to turn off Ping (which is a dead giveaway if you don't turn it off!).

use yast to manage your iptables. turn off ALL services. then add individual IPs via "yast firewall => custom rules". Add one entry for each agent/manager web as "TCP" and one entry for each phone as "UDP". Remember that the IP addresses you'll be adding are for the IP address as seen by the server. If there is a firewall between the server and the client, the outside IP of the firewall is the one to add (which will cover all agents/managers on the other side of the firewall)

[KeithHBW]

I am using yast as you mentioned. I have turned off all services, turned on the firewall and added the custom rules.

I would still rather do the text file option that loads a text file on startup. However, that is low priority atm as we have no remote agents anyway. So I will do more researching on that later.

Thanks for your patience and help william!

[williamconley]

Do be careful with the text file version, as this requires a human to correctly modify a file, then save and restart the firewall. Failure could be ... catastrophic.

The custom section allows yast to validate entered IPs and place them appropriately. A wrong IP will fail to allow that person in, but won't kill the firewall! LOL

There are several options for file editor version:

1) XT_Recent module allows the adding of individual ips to a text file (but must be activated through a custom configuration addition). This file is "dumped" at reboot and must be reloaded. Its advantage, however, is that there is NO need to restart the firewall when adding IPs using this method. It's a live file.

2) Custom configuration files can be activated and then edited. This is inherent in the yast implementation, we use it to "hard-code" administrative access. (And to turn off ping!)

3) The yast system stores the resulting file in /etc/sysconfig ... it can be edited, but I do not recommend it.

[KeithHBW]

Okay so here is my dilemma... I setup iptables, I was using the yast to do it but then I had to add so many ips. And then I found out that the yast method doesnt exactly mesh with manually adding to iptables via the terminal. So I went to do it full terminal (I setup a bash file). However, I am unable to hear the customer from the agent side. So I am thinking UDP is not being passed through? I can tell via asterisk cli that the call is being processed correctly. It shows the call as answered when it gets answered.

Here is what it looks like, I am unable to block ping though. I feel really close to having something I can work with.

#!/bin/bash

/sbin/SuSEfirewall2 off

iptables -N localserv
iptables -N sipprovider

iptables -A localserv -s 192.168.0.0/24 -j ACCEPT
iptables -A localserv -s 50.X.X.X -j ACCEPT
iptables -A localserv -s 50.X.X.X -j ACCEPT

iptables -A sipprovider -s 38.102.250.50 -j ACCEPT
iptables -A sipprovider -s 38.102.250.60 -j ACCEPT

iptables -A INPUT -j localserv
iptables -A INPUT -j sipprovider
iptables -A FORWARD -j localserv
iptables -A FORWARD -j sipprovider

iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

I am almost there. Im unsure as to why the audio from the customer is not making it to the agent. If I turn off the firewall then the audio makes it through.

[williamconley]

Reinventing the wheel is rarely a good idea. What about DNS requests? NTP? And I note that your chains do not end in "DROP", they just end.

"manually adding to iptables via the terminal" this is handled with the XT_Recent module. It allows adding individual IPs to text files via the command line. That text file can then be referenced as "GOOD" or "BAD" or for any other purpose (ie: if an ip is in this file, it can be accepted, dropped, or anything else the logic system in iptables can muster).

[KeithHBW]

I do not know how to check if it handles DNS/NTP requests. I am able to remote into it after allowing my ip in the iptables. My xlite is also able to register. The only issue is that agents cant hear the customer (UDP traffic? But as you can see Im allowing all traffic from SIP provider).

EDIT: When I was referring to customer I meant myself, in that I was calling my cell phone. I still cannot hear audio from my cell phone through my headset. I do not know what the problem is here. However, I was able to call other numbers and hear audio just fine. So, while troubling, workable for now.

I am using the following method:
yast -> firewall -> customer rules
Add ip address for tcp/udp
iptables-save > /root/tmpWhitelist.fw

Now I have a text file that I can replicate on the other servers. I will also be using a script that uses iptables-restore in /etc/init.d
With this method I think I can add customer IPs in real time as needed.

Still not sure if this is the best way to do it. But so far Ive been able to figure it out. Still not sure how to turn ping off =P

[williamconley]

! Ping is easy. LOL

nano +730 /etc/sysconfig/SuSEfirewall2

FW_ALLOW_PING_FW="no"

[KeithHBW]

Thanks. My issue now is that I cannot get it to run iptables-restore < filename on startup

I even tried putting that line into files I know are running at start up.
I tried creating a new file in /etc/init.d
#!/bin/bash
iptables-restore < filename

Didnt work. I tried a file called rc.local in /etc, was empty, didnt work.

[williamconley]

to run a script on startup

crontab -e

@reboot /usr/bin/XXX /root/XXXX.XX >/dev/null 2>&1

replace the X's with appropriate content.

Highly advisable to test with a "sleep" command to delay execution at least a few seconds to allow other functions to finish. Otherwise you could have a collision with other starting software.

Still say you're reinventing the wheel and will likely regret it. But to each his own.

[KeithHBW]

Well its like I said. This is probably not the best solution. In that I attempted to add an ip to the safelist after loading the file via iptables-restore and it didnt seem to work.

All I know is I dont want to manually add all these IPs via yast for each server. For the primary reason that I dont know how I would add safe IPs on the fly later. I guess I just dont understand the other possibilities enough to test them.

I think this is the one I was going for ideally. And thats what I thought the ip-save created, custom configuration file.
2) Custom configuration files can be activated and then edited. This is inherent in the yast implementation, we use it to "hard-code" administrative access.

I added the ip-save file to add the rest of my ips. Then I just needed to add those ips everytime the system starts. Because apparently I am actually doing option 1 with the XT_Recent

[rrb555]

Hey, why not create bash file that contains your IPTABLES script? that works flawlessly to me.

now it depends what are your iptables inputs.

and also, automating it via cron job is a lot cooler

Cheers!!

[KeithHBW]

Well rrb555, ideally that is what I was going for. Have a bash file that runs on startup to safelist all the ips I wanted safelisted.

I feel that is about what I have now, however I use ipstables-restore instead of a bash file. The only negative about it, is my script file is huge for the amount of ips I have to safelist. But Im fine with that as long as it all works. I will be try attempting to setup with william said there a few posts above. Although I am still slightly confused about the crontab addition:
@reboot /usr/bin/XXX /root/XXXX.XX >/dev/null 2>&1
What is in /usr/bin?
/root/xxxx.xx is my whitelist file Im guessing
What is /dev/null 2>&1?

[williamconley]

usr bin is generally the location of the executable of the scripting language (for instance: BASH or SH or PERL).

Then the script is in /root/xxxx.xx (if a perl script, it would likely be xxxx.pl for instance)

If you are using iptables-restore and an iptables script you would use the /path/to/iptables-restore followed by /path/to/iptables.file (just like you would on the command line, only with full path to both the executable and the iptables data file). Remember that this is "cron" and you should always be explicit and use full path on everything to ensure proper operation.

I would say, of course, that your lack of knowledge in this area makes me a bit nervous when it comes to having you create your own firewall system. Please be careful.

[KeithHBW]

I found my problem. I had the firewall enabled on startup in yast. Which seemed to be overwriting it