1 post / 0 new
rmrg
rmrg's picture
Joined: 2010/02/06
Points: 0

I have an Thirdlane MTE with PBX Manager 6.1.1.7
When I first installed Thirdlane it came with an iptables configuration by default, listed below.
There are several ports that are open in this configuration, and I would like to know if I can close them. For example I dont use port 69 (UDP-TCP) for tftp.

I would like to change it to something more secure, and create a whitelist chain in order to accept connections only from IPs that belong to my country. I have installed also fail2ban, and its working fine, but almost everyday I receive email notifications that IPs from China, Palestine, Russia, India, Africa are banned by fail2ban, because they are scanning and trying to register to our server. Please check proposed configuration below.
Thank you.

IPtables default configuration that came with Thirdlane:
# Generated by iptables-save v1.3.5 on Mon Jun 9 11:01:52 2008
*nat
:PREROUTING ACCEPT [1:60]
:POSTROUTING ACCEPT [4:466]
:OUTPUT ACCEPT [4:466]
COMMIT
# Completed on Mon Jun 9 11:01:52 2008
# Generated by iptables-save v1.3.5 on Mon Jun 9 11:01:52 2008
*mangle
:PREROUTING ACCEPT [26:2130]
:INPUT ACCEPT [26:2130]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:3174]
:POSTROUTING ACCEPT [26:3174]
COMMIT
# Completed on Mon Jun 9 11:01:52 2008
# Generated by iptables-save v1.3.5 on Mon Jun 9 11:01:52 2008
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from lo
-A INPUT -i lo -j ACCEPT
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Allow connections to our FLASHPOLICY server
-A INPUT -p tcp -m tcp --dport 843 -j ACCEPT
# Allow connections to SIP and IAX signalling ports
-A INPUT -p udp -m udp -m multiport -j ACCEPT --dports 5060,4569
# Allow connections to RTP ports
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# Allow connections to UDPTL ports
-A INPUT -p udp -m udp --dport 4000:4999 -j ACCEPT
# Allow connections to TFTP ports
-A INPUT -p tcp -m tcp --dport 69 -j ACCEPT
# Allow connections to TFTP ports
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
# Allow connections to SYSLOG ports
-A INPUT -p udp -m udp --dport 514 -j ACCEPT
# Allow connections to WWW ports
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 80,8080
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Protect our NFS server
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
# Protect our X11 display server
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
# Protect our X font server
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
# Protect our MySQL server
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
# Allow connections to unprivileged ports
-A INPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT
# Accept snmp connections
-A INPUT -p udp -m udp --dport 161:162 -j ACCEPT

Proposed configuration
#=========#
# Firewall Start#
#=========#

# Interfase to protect
EXIF="eth0"

# Flush earlier configuration
iptables -F

#==========#
# Whitelist-Start#
#==========#
iptables -N whitelist
#
# ips LAN
#iptables -A whitelist -s 192.168.1.0/24 -j ACCEPT
#
#
# Ip addresses from Peru
iptables -A whitelist -s 46.36.194.201/32 -j ACCEPT
iptables -A whitelist -s 46.36.194.202/31 -j ACCEPT
iptables -A whitelist -s 46.36.194.204/30 -j ACCEPT
iptables -A whitelist -s 46.36.194.208/31 -j ACCEPT
iptables -A whitelist -s 46.36.194.210/32 -j ACCEPT
iptables -A whitelist -s 63.109.70.0/24 -j ACCEPT
......
.....
#===========#
# Whitelist-Finish #
#===========#

# syn-flood protection
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# drop fragmented paquets
iptables -A INPUT -f -j DROP

# drop malformed paquets XMAS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# drop null paquets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Open SIP ports
iptables -A INPUT -p udp -m udp -i $EXIF --dport 5060:5065 -j whitelist

# Open IAX ports
#iptables -A INPUT -p udp -m udp -i $EXIF --dport 4569 -j whitelist

# Open RTP ports
iptables -A INPUT -p udp -m udp -i $EXIF --dport 10000:20000 -j whitelist

# Open snmp ports
iptables -A INPUT -p udp -m udp -i $EXIF --dport 161:162 -j whitelist

# Open ssh port
iptables -A INPUT -p tcp -i $EXIF --dport 22 -j whitelist

# Open HTTPS port
iptables -A INPUT -p tcp -i $EXIF --dport 443 -j whitelist

# Open HTTP port
iptables -A INPUT -p tcp -i $EXIF --dport 80 -j whitelist

# Open webmin port
iptables -A INPUT -p tcp -i $EXIF --dport 10000 -j whitelist

# Open ICMP port
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j whitelist

# Accept asociated traffic with stablished connections or related
iptables -A INPUT -i $EXIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# DROP all the rest
iptables -A INPUT -p all -i $EXIF -j DROP

#=========#
# Firewall-End #
#=========#