Koozali.org: home of the SME Server

Firewalls & SME Servers Public Access

kirkf

Re: SME FireWalls
« Reply #15 on: April 11, 2005, 07:35:37 AM »
Quote from: "Skydiver"
Would it have been much easier if SME had firewall opens in all modes, not just port forwarding in Gateway mode.
 :-D


I've had the same thought.  Server-only installs seem pretty open to me.  As a simpler solution to your immediate situation, why not just add some iptables rules on each server to allow the traffic you want and drop everything else?

Kirk

Skydiver

SME FireWalls
« Reply #16 on: April 11, 2005, 08:12:16 AM »
I don't think the developers know how to implement it, and if they can't, I am sure I will not be able to..
They have RPMs available for older releases, but it has never been placed as a permanent part of the platform.

Makes more sense to have firewall options in all modes, with the server manager for configuration.

Checking the iptables, they are not the same as in the older versions. 6.5 is new and so is 7.0; way over my head.

The above comments are not made to flame or upset any of the developers, just a wish-we-had item to make life easy.

 :-D  :-D

kirkf

Re: SME FireWalls
« Reply #17 on: April 11, 2005, 09:13:28 AM »
Quote from: "Skydiver"
I don't think the developers know how to implement it, and if they can't, I am sure I will not be able to..


Don't know how?  :-)  Don't view this as a priority, perhaps.

Quote
Checking the iptables, they are not the same as in the older versions. 6.5 is new and so is 7.0; way over my head.

Not very different since 6.0.1:

[root@buffy root]# /sbin/e-smith/db configuration getprop sysconfig ReleaseVersion
6.0.1-01

[root@buffy root]# iptables -V
iptables v1.2.5

--------------------------

[root@slim root]# /sbin/e-smith/db configuration getprop sysconfig ReleaseVersion
7.0alpha3

[root@slim root]# iptables -V
iptables v1.2.8

You can just create your own iptables rules to allow what you like.  Try them at the prompt until they work right, and then save them to survive a reboot.  You can put them in /etc/rc.d/rc.local, although I suspect that there is a more proper way to accomplish this.

Before you start with iptables, you could disable services that you don't need to have running.

Using iptables, permit what you want, port by port.  Use nmap or some equivalent port scanner from a separate machine to determine which ports are open as you go along.

Permit traffic from anywhere to a certain port:

/sbin/iptables -A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p tcp --dport 80 -i eth0 -j ACCEPT

Drop traffic to other ports:

/sbin/iptables -A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p tcp --dport 110 -i eth0 -j DROP

Limit access to a single host or range of hosts, port by port:

/sbin/iptables -A INPUT -s x.x.x.x/255.255.255.255 -d 0.0.0.0/0.0.0.0 -p tcp --dport xxx -i eth0 -j ACCEPT


Using a combination of service control and iptables rules, you should be able to fine tune each server to listen only on the ports you want, and run only the minimum services required pretty quickly.

Kirk

arne
Firewalls & SME Servers Public Access
« Reply #18 on: April 11, 2005, 09:20:29 AM »
To clear out the existing firewall on an SME or any other modern Linux should be easy enough. This should require only one or two commands:

"iptables -F" (This should clear out the input chain)
"iptables -t nat -F" (And this should clear out the nat forwarding chain.)

I hope that you will post some info about how traffic analysis via a bridge will work, and also more specifics about your findings.

Can try to help with a firewall script that could do reasonable things according to the monitored traffic.

Best reg Arne.
......
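The flush-then-allow procedure from Kirk's post (#17) and the flush commands in Arne's post (#18), as an added shell example; this is not code from either poster or from the SME project. It assumes eth0 as the public interface, a constructed admin range 192.0.2.0/24, and example port lists; with DRY_RUN=1 (the default) it prints the iptables commands instead of running them, so the rule order can be reviewed before applying them as root or appending them to /etc/rc.d/rc.local.

```shell
#!/bin/sh
# Added example, not from the thread: build a default-deny INPUT policy for a
# server-only SME box in the style Kirk describes: flush, allow loopback and
# already-established traffic, allow listed ports, then drop the rest on the
# public interface. All values below are assumptions for illustration.

IFACE="${IFACE:-eth0}"                          # assumed public interface
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 443}"  # reachable from anywhere
PUBLIC_UDP_PORTS="${PUBLIC_UDP_PORTS:-}"        # e.g. "5060" for SIP; empty by default
ADMIN_TCP_PORTS="${ADMIN_TCP_PORTS:-22}"        # reachable from ADMIN_NET only
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"          # constructed example range
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print commands, 0 = apply

# ipt: run iptables, or echo the full command line when DRY_RUN=1
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "/sbin/iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# build_input_rules: emit the whole INPUT ruleset, in order. Order matters:
# the trailing DROP only sees packets no earlier ACCEPT rule matched.
build_input_rules() {
    # Start from an empty INPUT chain (Arne's "iptables -F", scoped to INPUT)
    ipt -F INPUT
    # Local traffic and replies to the server's own outbound connections
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # TCP ports open to the world, one rule per port
    for p in $PUBLIC_TCP_PORTS; do
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$p" -j ACCEPT
    done
    # UDP ports open to the world (SIP/RTP style services), if any were listed
    for p in $PUBLIC_UDP_PORTS; do
        ipt -A INPUT -i "$IFACE" -p udp --dport "$p" -j ACCEPT
    done
    # Ports open only to the admin network
    for p in $ADMIN_TCP_PORTS; do
        ipt -A INPUT -i "$IFACE" -s "$ADMIN_NET" -p tcp --dport "$p" -j ACCEPT
    done
    # Everything else arriving on the public interface is dropped
    ipt -A INPUT -i "$IFACE" -j DROP
}

# rule_count: number of iptables commands the policy produces (sanity check
# before applying; always evaluated in dry-run mode)
rule_count() {
    ( DRY_RUN=1; build_input_rules ) | wc -l | tr -d ' '
}

# Print (or apply, with DRY_RUN=0) the ruleset when run as a script
build_input_rules
```

Review the printed rules first, then run with DRY_RUN=0 to apply them and re-check from a separate machine with nmap as Kirk suggests. The loopback and ESTABLISHED,RELATED lines sit before the per-port rules so that replies to the server's own connections keep working; only ports listed explicitly are reachable from outside, and the admin-only ports are further limited to ADMIN_NET.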

arne
Firewalls & SME Servers Public Access
« Reply #19 on: April 13, 2005, 03:39:45 AM »
Any further development? Just curious.. Rather interesting project  :hammer:
......

Skydiver

SME Firewalls
« Reply #20 on: April 13, 2005, 03:48:46 AM »
Hi
Arne

I have prepped a system for the firewall bridge; it boots and I have completed the config as I feel it will work best. Will not place it live until I have the new connection. This will be later this week, Monday at the latest, so the ISP has informed me.

The balance of the project is near completion, a few minor bugs and rates to be compiled, but it seems all go. Oh, still one big issue: I need to upgrade MySQL from 3 to 4 because it has UNION; this is only minor.

Missed calls are not displayed in the user account yet but once the upgrade is completed all is good for this feature.

Care to do the upgrade for me? I tried and broke the SME server manager; format and reload fixed that, but I really would like to complete this before we place the servers in live test mode.

Cheers

Skydiver

Update
« Reply #21 on: April 27, 2005, 09:30:20 PM »
Hi

For those interested in my results.

The firewall bridge works a treat. One item I noted was that registration to the VOIP services failed from the internet but succeeded from the local network.
"service iptables stop" on the servers in server-only mode allowed connections to register.

So I still needed to make some changes to the iptables, allowing connections from the internet. The firewall bridge works and I am testing security over the next few days.

Port scans only show the ports I have set to allow pass-through, and the firewall bridge seems invisible.

All on SME and all open source
I have a H323 gatekeeper working as it should.
I have a SIP Proxy server operational
I have Asterisk as a bridge between H323 & SIP end points and connection to my PSTN with billing (PSTN is in test mode)
I have mediaproxy and RTPproxy and stun operational on a SME box now.

I have completed my website for user provisioning and user account sections.
I have completed revamping an open source Dialer that will now connect to either the H323 or the SIP servers
with video support text messages and Phone book.

Next I need to make all the applications on the servers start automatically on reboot, plus minor bug repairs in this testing phase.

If you can help with the testing or auto-starting applications, please let me know. I struggle with testing the services by calling myself all day.

I also need direction in setting up the backup system on SME 7.0 alpha 5 and SME 6.5 as part of the disaster recovery plan.

Iptables on the SME 7.0 alpha 5 needs addressing.

Thanks to those that have helped so far.

jazbokes

Firewalls & SME Servers Public Access
« Reply #22 on: April 29, 2005, 04:27:59 AM »
Is it possible to provide a detailed howto of the SME firewall bridge, and is it based on sme6, sme6.5 or sme7? And also, what open source applications are you using for the voip setup? I am interested in having a similar setup..

Thanks in advance
john

Skydiver

Reply to John
« Reply #23 on: April 29, 2005, 05:14:25 AM »
Quote from: "jazbokes"
Is it possible to provide a detailed howto of the SME firewall bridge, and is it based on sme6, sme6.5 or sme7? And also, what open source applications are you using for the voip setup? I am interested in having a similar setup..

Thanks in advance
john


Hi John, here is the link provided by arne

Firewall bridge
http://www.zelow.no/floppyfw/index.html

Project source applications
Gnugk - Gatekeeper - H323
Asterisk - Protocol Bridging and PSTN
SER Express Router - SIP
SerWeb
Mediaproxy
RTPproxy
STUN
SME 7.0 alpha 5
SME 6.5
MyPhone
GKGui
ISPBS
PHPbb

Same project but different topic but still on SME
DialupAdmin - ISP Related not VOIP
FreeRadius - ISP Related not VOIP

All of the above on the SME platform; I may have missed an item or two, but not on purpose.

With billing in MySQL and the rate engine working from the Asterisk end, I was able to implement auth & billing using MySQL from both the Gnugk and SER to one database. SERWEB for user provisioning and account information via the one MySQL database for SER and Gnugk.


Using Asterisk allowed a prepaid and postpaid setup to work for both ends of the network. If you try to use prepaid from SER, you will need to do things like polling and use Sipack to send BYE messages.

It has been a very interesting project, with many issues that needed to be resolved from the base source code provided.

Check it out at altcall dot com
I need some testers for the final testing phase; there will be some freebies for those that help out with testing.

The completely revised MyPhone client is not listed for download, as I am instructed to keep it to testers only until the soft release day. So let me know if you want a copy to help with testing.

jazbokes

Firewalls & SME Servers Public Access
« Reply #24 on: April 29, 2005, 01:13:12 PM »
Appreciated for your prompt response & info.. count me in.. as your tester..
john