Tom,

Disable the SIP-VOIP plugin; that is the problem...
--
Using SIP UDP for 0/0 (INET) to port(s): 5060
--
or configure it with SIP_VOIP_REMOTE_HOSTS="66.241.96.96" in the plugin.

Lonnie
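As an added illustration, not code from this thread or from AstLinux/Arno's firewall: an audit check that parses `iptables -nL` output and flags the situation Tom hit, a rule (here the SIP-VOIP plugin's) that accepts UDP 5060 from 0.0.0.0/0 while the administrator's own rules restrict that port to named hosts. The sample rule lines are constructed from the quoted listing, and the restricted-port table is an assumed policy.

```python
import re

# Constructed sample of `iptables -nL | grep ACCEPT` output, modelled on the
# quoted listing: host-restricted SIP/RTP/IAX rules plus the rule the SIP-VOIP
# plugin added for 0/0 on UDP 5060 (the one Lonnie points at).
SAMPLE_RULES = """\
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5060
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0           udp dpts:10000:10100
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0           udp dpt:4569
ACCEPT     udp  --  66.241.96.96         0.0.0.0/0           udp dpt:5060
"""

# Assumed policy: ports the admin meant to restrict to named hosts, as (proto, low, high).
RESTRICTED_PORTS = {("udp", 5060, 5060), ("udp", 10000, 10100), ("udp", 4569, 4569)}

RULE_RE = re.compile(r"^ACCEPT\s+(?P<proto>\S+)\s+--\s+(?P<src>\S+)\s+\S+\s*(?P<extra>.*)$")
PORT_RE = re.compile(r"\bdpts?:(?P<lo>\d+)(?::(?P<hi>\d+))?")


def parse_rule(line):
    """Return (proto, src, lo, hi) for an ACCEPT rule carrying a destination port.

    Rules without a port match (state ESTABLISHED, loopback, chain jumps) return
    None: `iptables -nL` hides the interface column, so they cannot be judged here.
    """
    m = RULE_RE.match(line)
    p = PORT_RE.search(m.group("extra")) if m else None
    if not p:
        return None
    lo = int(p.group("lo"))
    return m.group("proto"), m.group("src"), lo, int(p.group("hi") or lo)


def overlaps(lo1, hi1, lo2, hi2):
    """True if the port ranges [lo1, hi1] and [lo2, hi2] share at least one port."""
    return lo1 <= hi2 and lo2 <= hi1


def find_world_open(listing, restricted=RESTRICTED_PORTS):
    """Return restricted (proto, lo, hi) entries that some rule accepts from 0.0.0.0/0."""
    hits = []
    for line in listing.splitlines():
        parsed = parse_rule(line)
        if parsed is None or parsed[1] not in ("0.0.0.0/0", "anywhere"):
            continue
        proto, _src, lo, hi = parsed
        for entry in sorted(restricted):
            r_proto, r_lo, r_hi = entry
            if r_proto == proto and overlaps(lo, hi, r_lo, r_hi) and entry not in hits:
                hits.append(entry)
    return hits


if __name__ == "__main__":
    for proto, lo, hi in find_world_open(SAMPLE_RULES):
        print(f"WARNING: {proto} {lo}:{hi} accepted from any source; intended hosts only")
```

Run it against `iptables -nL` on the box after each firewall restart; a hit on UDP 5060 means a plugin or custom rule has widened what the host-specific rules were meant to limit.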


On Mar 14, 2011, at 10:56 PM, Tom Mazzotta wrote:

> Lonnie & Gene,
> 
> Below is the output you both requested. Since having the problem, I have 
> modified the rules to replace the hostnames with static IP addresses and 
> added my internal LAN to the adaptive ban whitelist. Also, although the 
> Soekris box has multiple interfaces, I am only using the external interface 
> since I am forced to use my current ISP's router, i.e., I no longer have 
> networks connected to the internal interfaces of astlinux.
> 
> pbx ~ # iptables -nL |grep ACCEPT
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED tcp dpts:1024:65535
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED udp dpts:1024:65535
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED tcp dpts:1024:65535
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED udp dpts:1024:65535
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 20/sec burst 100
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 20/sec burst 100
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5060
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
> ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0           udp dpts:10000:10100
> ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0           udp dpt:4569
> ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0           udp dpt:5060
> ACCEPT     udp  --  66.241.96.96         0.0.0.0/0           udp dpts:10000:10100
> ACCEPT     udp  --  66.241.96.96         0.0.0.0/0           udp dpt:5060
> ACCEPT     udp  --  xxx.xxx.xxx.xxx       0.0.0.0/0           udp dpt:4569
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 20/sec burst 100
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           ctstate DNAT
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 20/sec burst 100
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 20/sec burst 100
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> pbx ~ #
> 
> pbx ~ # arno-iptables-firewall restart
> Arno's Iptables Firewall Script v2.0.0a
> -------------------------------------------------------------------------------
> Stopping (user) plugins...
> SIP-VOIP plugin v0.3BETA
> SSH Brute-Force Protection plugin v1.1a
> Traffic-Shaper plugin v1.2.06-astlinux
> Adaptive Ban plugin v1.01 BETA
>  Adaptive Ban - Stopping... Stopped.
> Checking/probing Iptables modules:
> Loaded kernel module ip_tables.
> Loaded kernel module nf_conntrack.
> Loaded kernel module nf_conntrack_ftp.
> Loaded kernel module xt_conntrack.
> Loaded kernel module xt_limit.
> Loaded kernel module xt_state.
> Loaded kernel module xt_multiport.
> Loaded kernel module iptable_filter.
> Loaded kernel module iptable_mangle.
> Loaded kernel module ipt_REJECT.
> Loaded kernel module ipt_LOG.
> Loaded kernel module xt_TCPMSS.
> Loaded kernel module nf_nat_ftp.
> Loaded kernel module iptable_nat.
> Loaded kernel module ipt_MASQUERADE.
> Module check done...
> Configuring general kernel parameters:
> Setting the max. amount of simultaneous connections to 16384
>  net.nf_conntrack_max = 16384
>  net.netfilter.nf_conntrack_acct = 1
> Configuring kernel parameters:
> Disabling send redirects
>  net.ipv4.conf.all.send_redirects = 0
>  net.ipv4.conf.default.send_redirects = 0
>  net.ipv4.conf.lo.send_redirects = 0
>  net.ipv4.conf.eth0.send_redirects = 0
>  net.ipv4.conf.eth3.send_redirects = 0
>  net.ipv4.conf.br0.send_redirects = 0
> Enabling protection against source routed packets
>  net.ipv4.conf.all.accept_source_route = 0
>  net.ipv4.conf.default.accept_source_route = 0
>  net.ipv4.conf.lo.accept_source_route = 0
>  net.ipv4.conf.eth0.accept_source_route = 0
>  net.ipv4.conf.eth3.accept_source_route = 0
>  net.ipv4.conf.br0.accept_source_route = 0
>  net.ipv4.icmp_echo_ignore_broadcasts = 1
>  net.ipv4.icmp_ignore_bogus_error_responses = 1
> Enabling packet forwarding
>  net.ipv4.conf.all.forwarding = 1
>  net.ipv4.conf.default.forwarding = 1
>  net.ipv4.conf.lo.forwarding = 1
>  net.ipv4.conf.eth0.forwarding = 1
>  net.ipv4.conf.eth3.forwarding = 1
>  net.ipv4.conf.br0.forwarding = 1
> Setting some kernel performance options
>  net.ipv4.tcp_window_scaling = 1
>  net.ipv4.tcp_timestamps = 1
>  net.ipv4.tcp_sack = 1
>  net.ipv4.tcp_dsack = 1
>  net.ipv4.tcp_fack = 1
>  net.ipv4.tcp_low_latency = 0
> Enabling reduction of the DoS'ing ability
>  net.ipv4.tcp_fin_timeout = 30
>  net.ipv4.tcp_keepalive_time = 1800
>  net.ipv4.tcp_syn_retries = 3
>  net.ipv4.tcp_synack_retries = 2
>  net.ipv4.tcp_rfc1337 = 1
>  net.ipv4.ip_local_port_range = 32768 61000
> Enabling anti-spoof with rp_filter
>  net.ipv4.conf.all.rp_filter = 1
>  net.ipv4.conf.default.rp_filter = 1
>  net.ipv4.conf.lo.rp_filter = 1
>  net.ipv4.conf.eth0.rp_filter = 1
>  net.ipv4.conf.eth3.rp_filter = 1
>  net.ipv4.conf.br0.rp_filter = 1
>  net.ipv4.icmp_echo_ignore_all = 0
> Enabling SYN-flood protection via SYN-cookies
>  net.ipv4.tcp_syncookies = 1
> Disabling the logging of martians
>  net.ipv4.conf.all.log_martians = 0
>  net.ipv4.conf.default.log_martians = 0
>  net.ipv4.conf.lo.log_martians = 0
>  net.ipv4.conf.eth0.log_martians = 0
>  net.ipv4.conf.eth3.log_martians = 0
>  net.ipv4.conf.br0.log_martians = 0
> Disabling the acception of ICMP-redirect messages
>  net.ipv4.conf.all.accept_redirects = 0
>  net.ipv4.conf.default.accept_redirects = 0
>  net.ipv4.conf.lo.accept_redirects = 0
>  net.ipv4.conf.eth0.accept_redirects = 0
>  net.ipv4.conf.eth3.accept_redirects = 0
>  net.ipv4.conf.br0.accept_redirects = 0
> Setting default TTL=64
>  net.ipv4.ip_default_ttl = 64
> Disabling ECN (Explicit Congestion Notification)
>  net.ipv4.tcp_ecn = 0
> Enabling kernel support for dynamic IPs
>  net.ipv4.ip_dynaddr = 1
> Enabling PMTU discovery
>  net.ipv4.ip_no_pmtu_disc = 0
> Flushing route table
>  net.ipv4.route.flush = 1
> Kernel setup done...
> Reinitializing firewall chains
> Setting all default policies to DROP while "setting up firewall rules"
> IPv4 mode selected, no IPv6 available
> Using loglevel "info" for syslogd
> 
> Setting up firewall rules:
> -------------------------------------------------------------------------------
> Enabling setting the maximum packet size via MSS
> Logging of stealth scans (nmap probes etc.) enabled
> Logging of packets with bad TCP-flags enabled
> Logging of INVALID TCP packets disabled
> Logging of INVALID UDP packets disabled
> Logging of INVALID ICMP packets disabled
> Logging of fragmented packets enabled
> Logging of access from reserved addresses disabled
> Setting up antispoof for INTERNAL net(s): 192.168.168.0/24
> Setting up antispoof for DMZ net(s): 192.168.169.0/24
> Reading custom rules from /etc/arno-iptables-firewall/custom-rules
> Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
> SIP-VOIP plugin v0.3BETA
>  Loaded kernel module ip_nat.
>  Using SIP UDP for 0/0 (INET) to port(s): 5060
>  Loaded kernel module ip_conntrack_sip.
>  Loaded kernel module ip_nat_sip.
> SSH Brute-Force Protection plugin v1.1a
>  Loaded kernel module ipt_recent.
>  Protecting TCP port(s): 22
> Traffic-Shaper plugin v1.2.06-astlinux
>  Loaded kernel module ip_nat.
>  Shaping as 30000/5000 kb/s using 'htb' for interface: eth0
> Adaptive Ban plugin v1.01 BETA
>  Adaptive Ban - Whitelisting INTERNAL net(s): 192.168.168.0/24
>  Adaptive Ban - Whitelisting host(s): 192.168.1.0/24
>  File=/var/log/messages Time=10 Count=6 Types=sshd asterisk
> Loaded 4 plugin(s)...
> Setting up external(INET) INPUT policy
> Logging of ICMP flooding enabled
> Enabling support for DHCP-assigned-IP (DHCP client)
> Logging of explicitly blocked hosts disabled
> Logging of denied local output connections enabled
> Allowing 0/0 for TCP port(s): 22
> Allowing 0/0 for TCP port(s): 443
> Allowing 192.168.1.0/24 for UDP port(s): 10000:10100
> Allowing 192.168.1.0/24 for UDP port(s): 4569
> Allowing 192.168.1.0/24 for UDP port(s): 5060
> Allowing 66.241.96.96 for UDP port(s): 10000:10100
> Allowing 66.241.96.96 for UDP port(s): 5060
> Allowing xxx.xxx.xxx.xxx for UDP port(s): 4569
> Packets will NOT be checked for private source addresses
> Allowing ANYHOST to send IPv4 ICMP-requests (ping)
> Logging of possible stealth scans enabled
> Logging of (other) packets to PRIVILEGED TCP ports enabled
> Logging of (other) packets to PRIVILEGED UDP ports enabled
> Logging of (other) packets to UNPRIVILEGED TCP ports enabled
> Logging of (other) packets to UNPRIVILEGED UDP ports enabled
> Logging of IPv4 IGMP packets disabled
> Enabling support for NAT local redirect
> Logging of dropped ICMP-request(ping) packets disabled
> Logging of dropped other ICMP packets enabled
> Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets disabled
> Setting up external(INET) OUTPUT policy
> Applying external(INET) policy to interface: eth0 (EXTERNAL_NET=192.168.1.201/24)
> Setting up internal(LAN) INPUT policy
> Allowing ICMP-requests(ping)
> Allowing all (other) ports/protocols
> Applying internal(LAN) policy to interface: br0
> Setting up DMZ INPUT policy
> Allowing ICMP-requests(ping)
> Applying DMZ policy to interface: eth3
> Setting up DMZ FORWARD policy
> Logging of denied DMZ (forward) output connections enabled
> Logging of denied DMZ (forward) input connections enabled
> Setting up INET->DMZ policy
>  Denying all other INET->DMZ packets
> Setting up DMZ->INET policy
>  Allowing ICMP-requests(ping)
>  Allowing all (other) TCP ports
>  Allowing all (other) UDP ports
>  Allowing all (other) protocols
> Setting up DMZ->LAN policy
> Applying DMZ FORWARD policy to interface: eth3
> Setting up internal(LAN) FORWARD policy
> Logging of denied LAN->INET FORWARD connections enabled
> Setting up LAN->INET policy
>  Allowing ICMP-requests(ping)
>  Allowing all (other) TCP ports
>  Allowing all (other) UDP ports
>  Allowing all (other) protocols
> Applying internal(LAN) FORWARD policy to interface: br0
> Enabling masquerading(NAT) via external interface(s): eth0
> Adding (internal) host(s): 192.168.168.0/24 192.168.169.0/24
> Security is ENFORCED for external interface(s) in the FORWARD chain
> Logging of dropped FORWARD packets disabled
> 
> Mar 14 23:40:27 All firewall rules applied.
> pbx ~ #
> 
> -----Original Message-----
> From: Tom Mazzotta
> Sent: Monday, March 14, 2011 10:26 PM
> To: AstLinux Users Mailing List
> Subject: Arno firewall problem
> 
> I am running astlinux-0.7.7 (Asterisk 1.4.40) on a Soekris box behind my 
> ISP's cable router on my LAN. I am forwarding all SIP & RTP packets from this 
> router to the external interface of astlinux. All of my phones connect to 
> astlinux through the external interface of the Soekris box as well. Using 
> Arno, I setup rules to allow inbound SIP/RTP from my LAN clients and my SIP 
> provider. In the rules for the SIP provider, I used the hostname of their 
> server as opposed to an IP address. While my system was booting, I saw the 
> following messages displayed on the console:
> 
> ------------------------------
> Allowing 0/0 for TCP port(s): 22
> Allowing 0/0 for TCP port(s): 443
> Allowing 192.168.1.0/24 for UDP port(s): 10000:10100
> Allowing 192.168.1.0/24 for UDP port(s): 4569
> Allowing 192.168.1.0/24 for UDP port(s): 5060
> Allowing inbound23.vitelity.net for UDP port(s): 10000:10100
> /usr/sbin/iptables -A EXT_INPUT_CHAIN -i + -s inbound23.vitelity.net -d 0/0 -p udp --dport 10000:10100 -j ACCEPT
> ERROR (2): iptables v1.4.9: host/network `inbound23.vitelity.net' not found
> Try `iptables -h' or 'iptables --help' for more information.
> Allowing inbound23.vitelity.net for UDP port(s): 5060
> /usr/sbin/iptables -A EXT_INPUT_CHAIN -i + -s inbound23.vitelity.net -d 0/0 -p udp --dport 5060 -j ACCEPT
> ERROR (2): iptables v1.4.9: host/network `inbound23.vitelity.net' not found
> Try `iptables -h' or 'iptables --help' for more information.
> 
> [cut]
> 
> Mar 14 19:57:22 WARNING: Not all firewall rules are applied.
> ------------------------------
> 
> There seems to be a problem using hostnames in the rules. Since then I have 
> substituted the IP addresses in my rules to resolve the errors (although I 
> would really prefer to use hostnames). However, it looks like Arno permitted 
> SIP connections from ANY host, because the adaptive ban plugin logged the 
> following messages to /var/log:
> 
> pbx log # cat messages
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"604"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"605"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"606"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"607"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"608"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"609"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"610"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"611"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"612"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"613"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"614"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"615"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> ...
> 
> Apparently, my box was under attack by a system at 173.192.216.91.
> 
> So if hostnames are not supported in the Arno rules and those rules failed to 
> execute, I would have thought that all SIP connections outside of my LAN 
> would have been blocked; however, it seems that wasn't the case. Is this the 
> expected behavior of the system, or have I misconfigured something?
> 
> 
> -tm
> 
> ------------------------------------------------------------------------------
> Colocation vs. Managed Hosting
> A question and answer guide to determining the best fit
> for your organization - today and in the future.
> http://p.sf.net/sfu/internap-sfd2d
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to 
> pay...@krisk.org.
> 
> 

