  1. #1  Just Joined! (Join Date: Jun 2009, Location: Mid-Michigan, Posts: 7)

    Assistance with iptables


    I have a Linux Box running CentOS 5.3 Final, installed with the AsteriskNow install CD. I'm (obviously) running Asterisk on it. I have it interfaced to my Cisco Call Manager over our VPN. This will allow me to use 4-digit dialing from IP phones using the Asterisk system at our tent sale to our building as well as the reverse. There are two network cards in the Asterisk box, and I need to provide data connections to our store and the internet as well. Everything is working on our LAN right now (forcing things to tunnel through the VPN), however I'm very uneasy about the security of the system.

    The reason for this is that this machine will be directly exposed to the internet and basically EVERYTHING is accepted by iptables. I know how to use pf in BSD and love the simplicity and elegance of it, but I haven't used iptables for the past five or more years. Quite honestly, I don't remember much about it, other than it was a royal pain to get it to act like I wanted.



    Basically, I need the firewall to do the following:


    Provide a trusted NAT segment with static IPs on eth1.

    Allow all connections from eth1 and forward them out either eth0 or the VPN tunnel as appropriate. (Which packets get sent out the VPN and which go directly out to the internet appears to be handled transparently by the Cisco VPN client software. I have everything forwarded out eth0 and it appears to allow me to access the store via the VPN.)

    Allow traffic coming in on eth0 related to connections established by boxes on eth1 through.

    Allow connections on specific ports/port ranges using specific protocols on the VPN interface from specific IPs/IP ranges. (This is to allow the VOIP to work correctly from the store to the tent sale/Asterisk box.) All of these connections will be coming from the virtual VPN interface created by the Cisco VPN client.

    Drop everything else coming in on eth0 or the virtual VPN interface.



    I know I must be making this harder than it is. BSD's pf will do exactly what I want in about 20 lines. So far, I've got about 4 pages of iptables rules and all it really does is forward everything from eth1 out eth0. Doing port scans from elsewhere on my LAN to eth0 shows there to be no security on it at a firewall level. I've read documentation on iptables and it's given me a massive headache, but I don't see where it can be made simpler; I'll need several more pages of rules to accomplish what I want and even then I'm not 100% sure that it'll work the way I want it to. I would like to stick with iptables if I could, just for simplicity's sake.

    I did find reference to a port of pf to Linux via Google (can't link yet; it's at lolsson.com/pf4lin.html), but it appears the project is abandoned, as the page was last updated in 2004 and the name of the machine where the code resides cannot be resolved.



    Could somebody please help me with the rule-set I need to accomplish the above goal? I need to set up for our tent sale on this coming Tuesday and would rather not put the box on the public internet as unprotected as it is.

  2. #2  Lazydog, Linux Guru (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,672)
    PM me what you already have so that I have something to work off of; it will give me a better idea of what you already have. No need to rebuild the wheel.

    Regards
    Robert


  3. #3  Just Joined! (Join Date: Jun 2009, Location: Mid-Michigan, Posts: 7)
    Since my first attempt was such a mess, I junked it and started over. Working with an example I found online as a base, I was able to get some security on the connection, but broke the ability to call the phones on the Asterisk side from the Cisco phones; I believe these two events to be related. I can surf the internet successfully. I'm able to ping and browse to some machines over the VPN, but not to all of them.

    Here's the script the way it is now with a few things changed/masked out in the variable section (IPs and a name):

    Code:
    #!/bin/bash
    
    IF_INET="eth0"
    IF_TENT="eth2"
    IF_CVPN="cipsec0"
    
    IP_INET=""
    IP_TENT=""
    IP_CVPN="111.111.111.111"
    
    VOIP_UDP="5060,6000:6050"   # multiport syntax: comma-separated, no spaces
    VOIP_IPS="123.123.123.123 234.234.234.234"
    
    DEBUG="YES"
    
    IPTABLES="/sbin/iptables"
    
    #############################################################################
    ############################### End of Variables ############################
    #############################################################################
    ############### If you change anything below this line, #####################
    ################ make sure you know what you're doing! ######################
    #############################################################################
    #### THIS MEANS THAT IF YOU BREAK IT, DON'T EXPECT ME TO FIX IT FOR YOU! ####
    ## If you were smart enough to break it, you can be smart enough to fix it. #
    ################## (Yes, this even includes you -----.) #####################
    #############################################################################
    
    if [ "$IP_INET" = "" ]; then
      IP_INET=`ifconfig |grep -A1 "$IF_INET" |grep "inet addr:" |cut -c 21- |cut -d" " -f1`
    fi
    if [ "$IP_TENT" = "" ]; then
      IP_TENT=`ifconfig |grep -A1 "$IF_TENT" |grep "inet addr:" |cut -c 21- |cut -d" " -f1`
    fi
    if [ "$IP_CVPN" = "" ]; then
      IP_CVPN=`ifconfig |grep -A1 "$IF_CVPN" |grep "inet addr:" |cut -c 21- |cut -d" " -f1`
    fi
    
    if [ "$DEBUG" = "YES" ]; then
      echo "Public->$IP_INET<-"
      echo "Private->$IP_TENT<-"
      echo "VPN->$IP_CVPN<-"
    fi
    
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -t nat -F
    $IPTABLES -t nat -X
    
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i $IF_TENT -j ACCEPT
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i $IF_TENT -j ACCEPT
    
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o $IF_INET -j MASQUERADE

    I feel that I'm going to need the two variables I defined for VOIP, but don't know how to continue. I don't want to accept everything from the IF_CVPN, only traffic from the 2 VOIP_IPS on the VOIP_UDP ports with the UDP protocol.


    I really appreciate your reply and help with this.
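The following is an added example, not the poster's script and not from anyone in this thread. It covers the five requirements listed in post #1 (trusted NAT segment, forwarding out eth0 or the VPN, replies back in, a narrow VoIP allowance on the VPN interface, drop everything else) and answers the question in post #3 about using VOIP_IPS and VOIP_UDP. Interface names and the VOIP_UDP / VOIP_IPS values are taken from the post #3 script (IF_TENT is eth2 there, eth1 in post #1); the run()/ipt() dry-run wrapper and the IPT-DROP-* log prefixes are assumptions of my own. With DRY_RUN=yes (the default) it only prints the iptables commands it would run, so the rule set can be reviewed before it is applied as root with DRY_RUN=no.

```bash
#!/bin/bash
# Added example (not from the thread): a compact ruleset for the five
# requirements in post #1 plus the VPN/VoIP restriction asked for in post #3.
# DRY_RUN=yes (default) prints the iptables commands; DRY_RUN=no applies them.

IF_INET="eth0"        # public side (DHCP from the modem)
IF_TENT="eth2"        # trusted tent-sale LAN with static IPs
IF_CVPN="cipsec0"     # virtual interface created by the Cisco VPN client
VOIP_UDP="5060,6000:6050"                    # SIP + RTP range, multiport syntax (no spaces)
VOIP_IPS="123.123.123.123 234.234.234.234"   # hosts allowed to reach the VoIP ports over the VPN
DRY_RUN="${DRY_RUN:-yes}"

# run: print the command in dry-run mode, otherwise execute it (assumed helper).
run() {
  if [ "$DRY_RUN" = "yes" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

ipt() { run /sbin/iptables "$@"; }

# Start from a clean slate with deny-by-default policies for inbound and forwarded traffic.
reset_tables() {
  ipt -F; ipt -X; ipt -t nat -F; ipt -t nat -X
  ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
}

# Requirements 1-3: NAT the tent LAN out either uplink and let replies come back.
nat_and_forward_rules() {
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -i "$IF_TENT" -o "$IF_INET" -j ACCEPT
  ipt -A FORWARD -i "$IF_TENT" -o "$IF_CVPN" -j ACCEPT
  ipt -t nat -A POSTROUTING -o "$IF_INET" -j MASQUERADE
  ipt -t nat -A POSTROUTING -o "$IF_CVPN" -j MASQUERADE
}

# Requirement 4: only the listed hosts, only UDP, only the VoIP ports, only on the
# VPN interface. Anything else arriving on cipsec0 falls through to the DROP policy.
voip_input_rules() {
  local ip
  for ip in $VOIP_IPS; do
    ipt -A INPUT -i "$IF_CVPN" -p udp -s "$ip" -m multiport --dports "$VOIP_UDP" -j ACCEPT
  done
}

# Host-side rules: loopback, replies to the box's own connections, the trusted LAN,
# the VoIP allowance, then requirement 5: log (rate-limited) what the policy drops.
input_rules() {
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -i "$IF_TENT" -j ACCEPT
  voip_input_rules
  ipt -A INPUT -i "$IF_INET" -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP-INET: "
  ipt -A INPUT -i "$IF_CVPN" -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP-CVPN: "
}

main() {
  [ "$DRY_RUN" = "yes" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
  reset_tables
  nat_and_forward_rules
  input_rules
}

main
```

Rules are evaluated in order, so the ESTABLISHED,RELATED rule comes first, the VoIP ACCEPT comes before the LOG rules, and whatever reaches the end of INPUT on eth0 or cipsec0 is logged and then dropped by the chain policy. The multiport match wants a comma-separated list with no spaces (ranges use a colon, at most 15 entries), which is why VOIP_UDP is written without the space the post #3 script had. Note that this allows only the SIP and RTP UDP ports in from the two Call Manager-side hosts; if the Cisco phones need anything else (TFTP, SCCP, ICMP for troubleshooting), it has to be added explicitly, which is the point of the deny-by-default layout.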

  4. #4  Just Joined! (Join Date: Jun 2009, Location: Mid-Michigan, Posts: 7)
    BTW, the warning block in there was put in not in reference to anybody here, but directed at one particular person in our organization who does not understand much, but thinks that he does. He likes to change random settings because "that way makes more sense", but of course he doesn't document what he does or when he does it and cannot remember what was changed when asked. His nickname is 'teflon man' because nothing ever seems to stick to him. Since I started putting warnings like this in what I do, he tends to screw with them less than other people's.

  5. #5  Just Joined! (Join Date: Jun 2009, Location: Mid-Michigan, Posts: 7)
    I've been playing with this for most of the day and have it semi-working. I start the machine, get a DHCP address from my modem, start up the VPN and let it connect, then run the firewall script I have. The windoze computer hanging off eth2 is able to ping the internet and surf. However, I'm unable to connect to anything over our VPN from this machine.


    My firewall script as it stands now:
    Code:
    #!/bin/bash
    
    # Shell variable assignments take no leading "$"; it is only used when expanding them.
    IPTABLES="/sbin/iptables"
    
    IF_INET="eth0"
    IF_TENT="eth2"
    IF_CVPN="cipsec0"
    
    #############################################################################
    ############################### End of Variables ############################
    #############################################################################
    ############### If you change anything below this line, #####################
    ################ make sure you know what you're doing! ######################
    #############################################################################
    #### THIS MEANS THAT IF YOU BREAK IT, DON'T EXPECT ME TO FIX IT FOR YOU! ####
    ## If you were smart enough to break it, you can be smart enough to fix it. #
    ################## (Yes, this even includes you -----.) #####################
    #############################################################################
    
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP
    
    $IPTABLES -A INPUT -i lo -p all -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -p all -j ACCEPT
    
    $IPTABLES -A INPUT -i $IF_INET -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i $IF_TENT -j ACCEPT
    $IPTABLES -A INPUT -i $IF_CVPN -j ACCEPT
    
    $IPTABLES -t nat -A POSTROUTING -o $IF_INET -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $IF_CVPN -j MASQUERADE
    
    $IPTABLES -A FORWARD -i $IF_TENT -o $IF_INET -j ACCEPT
    $IPTABLES -A FORWARD -i $IF_TENT -o $IF_CVPN -j ACCEPT

    There are two interesting behaviors I observed about this:

    If I run tcpdump -a -i eth2 on the console, nothing at all appears when I try to ping a machine over the VPN from my laptop. If I ping a box out on the internet, the ping and reply appear.

    I can ping both the internet and corporate network from the console.



    Any ideas on this? My tent sale starts Tuesday and I'd really like to have it up and running if possible. I've played with the script so much that I don't really know what else to try.

  6. #6  Just Joined! (Join Date: Jun 2009, Location: Mid-Michigan, Posts: 7)
    Here's something else interesting that just hit me: the firewall script from my old RedHat 7.3 box that I've been using as a gateway does not work on this new machine. It handled only data, but did so perfectly and I was able to access both machines over the VPN and on the internet. (It's very old and underpowered, so I don't think it'd handle running Asterisk.)

    The differences between these machines that would have an impact on this issue that I can see are:

    2.4 kernel vs 2.6
    Different version of iptables
    4.0 Cisco VPN client software vs 4.9 (4.0 does not work with 2.6 kernels)

    I don't remember a cipsec interface being created by the cisco client on the redhat box, so this probably explains why that firewall doesn't work with one that does.

    I'm still at a loss to explain why what I have above doesn't work though.

  7. #7  Just Joined! (Join Date: Jun 2009, Location: Mid-Michigan, Posts: 7)
    Important correction to my last post. The old gateway machine runs Slackware 10.1, NOT RedHat 7.3. (Got my old machines I hardly ever use confused.) It's got kernel 2.4.29 and Cisco VPN Client software version 4.0 installed.

  8. #8  Just Joined! (Join Date: Jun 2009, Location: Mid-Michigan, Posts: 7)
    OK, I managed to get things working. Don't ask me how, because I'm not exactly 100% sure. I do know that there was a problem somewhere in the VPN concentrator, though I really didn't do anything other than change some settings, save, change them all back the way they were, and re-save. (Gotta love overly complex designs...)

    Anyways, with the below firewall script I have everything working. (Sorry about the typos in the last one; didn't copy the file, but retyped it because I couldn't find my flash drive and I was very, very, very tired. The one below is pasted from the file.) I can ping and make connections to the internet and to machines over the VPN. I then tested my IP phones and the SIP trunk to the Cisco Call Manager from Asterisk is working perfectly.

    Code:
    #!/bin/bash
    
    IPTABLES="/sbin/iptables"
    IF_INET="eth0"
    IF_TENT="eth2"
    IF_CVPN="cipsec0"
    
    #############################################################################
    ############################### End of Variables ############################
    #############################################################################
    ############### If you change anything below this line, #####################
    ################ make sure you know what you're doing! ######################
    #############################################################################
    #### THIS MEANS THAT IF YOU BREAK IT, DON'T EXPECT ME TO FIX IT FOR YOU! ####
    ## If you were smart enough to break it, you can be smart enough to fix it. #
    ################## (Yes, this even includes you -----.) #####################
    #############################################################################
    
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP
    
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    $IPTABLES -A INPUT -i lo -p all -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -p all -j ACCEPT
    
    $IPTABLES -t nat -A POSTROUTING -o $IF_INET -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $IF_CVPN -j MASQUERADE
    
    $IPTABLES -A FORWARD -i $IF_TENT -o $IF_INET -j ACCEPT
    $IPTABLES -A FORWARD -i $IF_TENT -o $IF_CVPN -j ACCEPT
    $IPTABLES -A FORWARD -i $IF_INET -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $IF_CVPN -o $IF_TENT -j ACCEPT
    
    $IPTABLES -A INPUT -i $IF_TENT -j ACCEPT
    $IPTABLES -A INPUT -i $IF_CVPN -j ACCEPT
    $IPTABLES -A INPUT -i $IF_INET -m state --state ESTABLISHED,RELATED -j ACCEPT

    I did a bunch of port scans from different sources. The only problem that I can see is that I am able to connect from the internet using various UDP ports. For example, I can connect to port 5060 (sip) from the internet to the public IP of eth0 and can see the packets being accepted by tcpdump running on the console as I hit enter in netcat. I tried adding the following to the firewall:

    Code:
    $IPTABLES -A INPUT -i $IF_INET -p udp -j DROP

    This had no effect, other than REALLY slowing down tcpdump. (Literally, 45-60 seconds for any packets to show up, even though they did, and couldn't break out for a minute or more. I repeated this, so I'm confident that it's not a fluke.) nmap with a UDP scan on eth0 reports that all the ports I scanned are in status open|filtered, while the same UDP port scan on the IP assigned to the VPN client indicates that only select ones are open.

    How would I go about effectively blocking new UDP connections from being accepted when originating from the internet on eth0? Should I even be concerned about this type of connection? (My gut feeling is yes.)
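An added example, not from anyone in this thread, for checking what the firewall in post #8 actually does with inbound UDP on eth0. Two facts drive the design: tcpdump captures a packet off the interface before the INPUT chain sees it, so a packet appearing in tcpdump says nothing about whether iptables accepted it; and nmap reports a UDP port as open|filtered precisely when no reply came back, which is what a DROP policy produces. So the extra `-p udp -j DROP` rule was redundant rather than ineffective. The way to see drops is to count them: either `iptables -nvL INPUT` packet counters, or a LOG rule just ahead of the policy drop. The script below assumes a rule of the form `iptables -A INPUT -i eth0 -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP-INET: "` is the last rule in INPUT (my assumption, not the poster's rule), and parses the lines the kernel LOG target writes to /var/log/messages. The sample log lines are constructed, in the LOG target's real format, with documentation-range addresses.

```bash
#!/bin/bash
# Added example (not from the thread): summarise kernel LOG-target lines to see
# which inbound packets on eth0 the INPUT chain's DROP policy is discarding.
# Assumes the logging rule carries the prefix "IPT-DROP-INET: " and sits just
# before the policy drop, so each logged line is one dropped packet.

# Constructed sample of /var/log/messages content; four drops and one unrelated line.
SAMPLE_LOG="$(cat <<'EOF'
Jun 20 10:15:01 asterisk kernel: IPT-DROP-INET: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=40000 DPT=5060 LEN=28
Jun 20 10:15:03 asterisk kernel: IPT-DROP-INET: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=40001 DPT=5060 LEN=28
Jun 20 10:15:09 asterisk kernel: IPT-DROP-INET: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=31337 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 20 10:15:12 asterisk kernel: IPT-DROP-INET: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=40002 DPT=6010 LEN=28
Jun 20 10:15:20 asterisk sshd[2210]: Accepted publickey for root from 10.0.0.5 port 40122 ssh2
EOF
)"

# dropped_by_port PREFIX: read log lines on stdin, keep those carrying PREFIX,
# and print "PROTO DPT count" per destination port, most frequent first.
dropped_by_port() {
  awk -v prefix="$1" '
    index($0, prefix) == 0 { next }          # not one of our LOG lines
    {
      proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {            # LOG fields are KEY=VALUE tokens
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      if (proto != "" && dpt != "") n[proto " " dpt]++
    }
    END { for (k in n) print k, n[k] }' | sort -k3,3nr -k1,1
}

# udp_drops_to_port PORT: how many dropped UDP datagrams in the sample were aimed at PORT.
udp_drops_to_port() {
  printf '%s\n' "$SAMPLE_LOG" | dropped_by_port "IPT-DROP-INET:" \
    | awk -v p="$1" '$1 == "UDP" && $2 == p { print $3; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone run: print the per-port drop summary for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | dropped_by_port "IPT-DROP-INET:"
```

On a live box the same function reads the real log (`dropped_by_port "IPT-DROP-INET:" < /var/log/messages`), and a rising count for UDP 5060 from the public side is the confirmation that the policy is doing its job, which is the answer to whether to be concerned: the exposure to worry about is not the dropped probes on eth0 but the INPUT rule that accepts everything on cipsec0, since SIP registration and INVITE floods would arrive on that interface unfiltered. If tcpdump itself stalls, rerun it with `-n`; without it every address is reverse-resolved and those lookups go out through the same firewall.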
