
Problem with IPTABLES settings

Help
2004-05-10
2004-05-11
  • Nobody/Anonymous

    Hi,

    I've been getting on very well with siproxd and it seems to do exactly what it says on the tin without fuss.

    I've been having some problems with my IPTABLES settings, however. If I use "clean" IPTABLES settings (i.e. with no firewall features, and MASQUERADE activated) everything works fine.

    However, I've tried to install more secure firewall settings and then I get a problem. I'm able to log into the proxy, but not able to make any calls (I've only been able to test internal calls, i.e. within the local network but via the proxy).

    From looking at the debug, siproxd receives my INVITE and sends a reply, but my UA log shows no reply received.

    Here is my firewall setup:

    # Generated by iptables-save v1.2.9 on Thu May  6 12:29:16 2004
    *filter
    :INPUT DROP [1:28]
    :FORWARD DROP [47:2140]
    :OUTPUT DROP [1:58]
    :ok - [0:0]
    -A INPUT -s 192.168.100.0/255.255.255.0 -i eth1 -j ACCEPT
    -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
    -A INPUT -s 192.168.100.1 -i lo -j ACCEPT
    -A INPUT -d 192.168.100.255 -i eth1 -j ACCEPT
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ok
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ok
    -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ok
    -A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ok
    -A INPUT -i eth0 -p udp -m udp --dport 21 -j ok
    -A INPUT -i eth0 -p udp -m udp --dport 22 -j ok
    -A INPUT -i eth0 -p udp -m udp --dport 80 -j ok
    -A INPUT -i eth0 -p udp -m udp --dport 5060 -j ok
    -A INPUT -i eth0 -p udp -m udp --dport 7070:7080 -j ok
    -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A FORWARD -i eth1 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -s 127.0.0.1 -j ACCEPT
    -A OUTPUT -s 192.168.100.1 -j ACCEPT
    -A OUTPUT -s 192.168.100.255 -j ACCEPT
    -A OUTPUT -j ACCEPT
    -A ok -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A ok -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A ok -p udp -j ACCEPT
    COMMIT
    # Completed on Thu May  6 12:29:16 2004
    # Generated by iptables-save v1.2.9 on Thu May  6 12:29:16 2004
    *nat
    :PREROUTING ACCEPT [65:5211]
    :POSTROUTING ACCEPT [10:672]
    :OUTPUT ACCEPT [13:864]
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT

    Can anyone see anything wrong?

    Thanks,

    Simon

    • Thomas Ries

      Thomas Ries - 2004-05-10

      Right now, I cannot see anything obviously wrong in your iptables rules. You should consider putting an additional rule at the end of each of INPUT, OUTPUT and FORWARD that does a "--log", so you have a chance to see what packets are dropped.

      /Thomas

    • Nobody/Anonymous

      Thanks Thomas,

      I spotted the problem straight away with the logging:

      IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=195.168.145.126 DST=195.168.145.126 LEN=791 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=771

      I had only allowed IP addresses 127.0.0.1 and 192.168.100.1 as my public IP address is not static.
      I've fixed it by adding the following line:

      -A INPUT -i lo -p udp -j ACCEPT

      I'm too much of a newbie to know whether this is a security risk though - I can't see why it would be.

      My new iptables is shown below. Note that because of the non-static public IP address I also had to add the line:

      -A OUTPUT -j ACCEPT

      which could potentially allow spoofing on my public port, but I can't see any way around that.

      Simon

      * New secure IPTABLES
      *filter
      :INPUT DROP [2:56]
      :FORWARD DROP [0:0]
      :OUTPUT DROP [0:0]
      :ok - [0:0]
      -A INPUT -s 192.168.100.0/255.255.255.0 -i eth1 -j ACCEPT
      -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
      -A INPUT -s 192.168.100.1 -i lo -j ACCEPT
      -A INPUT -i lo -p udp -j ACCEPT
      -A INPUT -d 192.168.100.255 -i eth1 -j ACCEPT
      -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ok
      -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ok
      -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ok
      -A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ok
      -A INPUT -i eth0 -p udp -m udp --dport 21 -j ok
      -A INPUT -i eth0 -p udp -m udp --dport 22 -j ok
      -A INPUT -i eth0 -p udp -m udp --dport 80 -j ok
      -A INPUT -i eth0 -p udp -m udp --dport 5060 -j ok
      -A INPUT -i eth0 -p udp -m udp --dport 7070:7080 -j ok
      -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
      -A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
      -A FORWARD -i eth1 -j ACCEPT
      -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A OUTPUT -s 127.0.0.1 -j ACCEPT
      -A OUTPUT -s 192.168.100.1 -j ACCEPT
      -A OUTPUT -s 192.168.100.255 -j ACCEPT
      -A OUTPUT -j ACCEPT
      -A ok -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
      -A ok -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A ok -p tcp -j DROP
      COMMIT
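An added example (not code from the thread or from siproxd) that puts the two pieces of this discussion together: the trailing LOG rules Thomas suggests, and a parser for the resulting kernel log record that checks the logged packet against a hypothetical, simplified model of the loopback-related INPUT rules before and after Simon's fix. The rule model and the `NF-DROP` prefix are assumptions made for illustration; the sample log record is the one quoted above, rejoined onto one line.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the kernel LOG record quoted in the thread, rejoined on one line.
SAMPLE_LOG = ("IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 "
              "SRC=195.168.145.126 DST=195.168.145.126 LEN=791 TOS=0x00 PREC=0x00 "
              "TTL=64 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=771")

def log_tail_rules(prefix="NF-DROP"):
    """iptables-save lines that log what a DROP policy is about to discard.
    Appended last in each chain, so only packets no earlier rule accepted reach them."""
    return ['-A %s -j LOG --log-prefix "%s %s: "' % (chain, prefix, chain)
            for chain in ("INPUT", "FORWARD", "OUTPUT")]

def parse_log_line(line):
    """Split a netfilter LOG record into a dict. Bare flags (DF, SYN) become True.
    LEN occurs twice (IP header, then UDP/TCP); the second copy is stored as LEN_L4."""
    pkt = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if key in pkt:
            key += "_L4"
        pkt[key] = value if sep else True
    return pkt

# Hypothetical model of the loopback-relevant INPUT rules in the thread's first ruleset:
# each entry is a match predicate and its target; the chain policy is DROP.
ORIGINAL_INPUT = [
    (lambda p: p["IN"] == "eth1" and ip_address(p["SRC"]) in ip_network("192.168.100.0/24"), "ACCEPT"),
    (lambda p: p["IN"] == "lo" and p["SRC"] == "127.0.0.1", "ACCEPT"),
    (lambda p: p["IN"] == "lo" and p["SRC"] == "192.168.100.1", "ACCEPT"),
]
# Simon's fix: any UDP arriving on lo, whatever the (non-static public) source address.
FIXED_INPUT = ORIGINAL_INPUT + [(lambda p: p["IN"] == "lo" and p["PROTO"] == "UDP", "ACCEPT")]

def input_verdict(pkt, rules):
    """First-match evaluation, like an iptables chain; policy DROP if nothing matches."""
    for matches, target in rules:
        if matches(pkt):
            return target
    return "DROP"

if __name__ == "__main__":
    pkt = parse_log_line(SAMPLE_LOG)
    print("\n".join(log_tail_rules()))
    print("original:", input_verdict(pkt, ORIGINAL_INPUT), " fixed:", input_verdict(pkt, FIXED_INPUT))
```

In practice pair the LOG rules with `-m limit` so a flood of dropped packets cannot fill the kernel log.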

