Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: stiperstones on February 20, 2006, 01:18:50 PM
-
I need to open multiple ports on the server (6881-6889); I don't want port forwarding to internal machines.
Reading the documentation, I can see how to do it with this command:
config set myservice service TCPPort xxxx access public status enabled
signal-event remoteaccess-update
but I would like to do all these ports 6881-6889 in one hit; would this do that?
config set myservice service TCPPort 6881-6889 access public status enabled
signal-event remoteaccess-update
Thanks in advance.
This is associated with this post:
http://forums.contribs.org/index.php?topic=30787.0
-
I need to open multiple ports on the server (6881-6889); I don't want port forwarding to internal machines.
Reading the documentation, I can see how to do it with this command:
config set myservice service TCPPort xxxx access public status enabled
signal-event remoteaccess-update
but I would like to do all these ports 6881-6889 in one hit; would this do that?
config set myservice service TCPPort 6881-6889 access public status enabled
Try '6881:6889'.
-
Thanks, CharlieBrady.
-
config set myservice service TCPPort 6881:6889 access public status enabled
Thanks Charlie.
Does this also work for UDP?
-
Chris,
Unfortunately the method that Charlie mentioned does not work. See bug 1000 and bug 56.
The ability to open a range of ports using colon-separated values has been punted to SME 7.1, along with the ability to open multiple comma-separated ports, e.g.
UDPPorts 5060,4569
See bug 989.
I must admit I find this a bit frustrating, as it means that having any real control over the firewall involves writing custom firewall rules or opening multiple ports individually (not an option when you need to open 10000 UDP ports).
Jon
-
"I must admit I find this a bit frustrating, as it means that having any real control over the firewall involves writing custom firewall rules or opening multiple ports individually (not an option when you need to open 10000 UDP ports)"
JohnB, many thanks for the clarification. Now I know where I stand as regards Asterisk on a gateway... I've been trying Charlie's recipe for a while now, no joy. Custom firewall rules are outside the scope of what I can do at the moment (new at all of this...). So Asterisk will have to go back on a dedicated server + port forwarding from my gateway. Small price to pay, just another box until 7.1 comes along.
-
Chris,
If you want to open a range of UDP ports for RTP, I have a custom rule already written and working on my server. Let me know and I will post it.
Jon
-
"If you want to open a range of UDP ports for RTP, I have a custom rule already written and working on my server. Let me know and I will post it."
Jon, your offer is gratefully accepted. I am sure others will also benefit from your post. Many thanks. (Phew, you mean this one is finally getting sorted out?) Regards, Chris.
-
Here it is anyway:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
pico 90InboundUDP20rtp_udp
and add the following:
# RTP: UDPPort 10000:20000, AllowHosts: 0.0.0.0/0, DenyHosts:
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
--destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
--destination $OUTERNET --jump denylog
Save, and then run
signal-event remoteaccess-update
You can check with iptables -L.
Jon
-
Thank you Jon. chris.
-
John, I would like to allow access to UDP ports ONLY to certain IP addresses or domains. I am a bit worried about opening my box to all and sundry. Is this justified?
To make my life easy, I have combined all ports of interest in your patch; please refer below.
a) How do I modify your code to allow access to only a couple of IP addresses or domains, i.e. sip03.astrasip.com.au and gw3.austechpartnerships.com - 220.233.127.10?
b) How do I modify your code to enable logging for these events?
pico 90InboundUDP20rtp_udp:
# RTP: UDPPort 10000:20000, AllowHosts: 0.0.0.0/0, DenyHosts:
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
--destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
--destination $OUTERNET --jump denylog
# IAX2: UDPPort 4569, AllowHosts: 0.0.0.0/0, DenyHosts:
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 4569 \
--destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 4569 \
--destination $OUTERNET --jump denylog
# SIP: UDPPort 5060, AllowHosts: 0.0.0.0/0, DenyHosts:
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 5060 \
--destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 5060 \
--destination $OUTERNET --jump denylog
-
Chris,
You would add the allowed addresses as comma-separated values, e.g.
# RTP: UDPPort 10000:20000, AllowHosts: 220.233.127.10,210.8.40.188, DenyHosts:
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
--destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
--destination $OUTERNET --jump denylog
Watch the line wrap.
As for logging, all unauthorised access will be logged.
Jon
-
Thanks John,
Why do you have # in front of the first line, i.e.
# RTP: UDPPort 10000:20000, AllowHosts: 220.233.127.10,210.8.40.188, DenyHosts:
I do not understand this...
-
oops :oops:
It should be:
# RTP: UDPPort 10000:20000, AllowHosts: 220.233.127.10,210.8.40.188, DenyHosts:
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
--destination $OUTERNET --src 220.233.127.10 --jump ACCEPT
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
--destination $OUTERNET --src 210.8.40.188 --jump ACCEPT
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
--destination $OUTERNET --jump denylog
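As an added example (not from the thread or from SME Server itself): a small POSIX shell helper that builds a fragment in the same shape as Jon's rule above from the AllowHosts list in the comment line, one ACCEPT per allowed source followed by the denylog catch-all, and a check that flags the earlier 0.0.0.0/0 version, where the ACCEPT matches every source and the denylog rule after it can never fire. The function names are invented for this example; $NEW_InboundUDP and $OUTERNET are the masq script's own variables as used in the thread and are written out literally so the masq script expands them at runtime.

```shell
#!/bin/sh
# Added example: generate an SME Server masq template fragment
# (e.g. templates-custom/etc/rc.d/init.d/masq/90InboundUDP20rtp_udp)
# from an AllowHosts list. Function names are hypothetical.

# Usage: gen_udp_fragment LABEL PORTSPEC ALLOWHOSTS
#   LABEL      text for the comment line, e.g. RTP
#   PORTSPEC   iptables --dport spec, e.g. 10000:20000 or 4569
#   ALLOWHOSTS comma-separated IPs/CIDRs; empty means deny everyone
gen_udp_fragment() {
    label=$1; ports=$2; hosts=$3
    printf '# %s: UDPPort %s, AllowHosts: %s, DenyHosts:\n' "$label" "$ports" "$hosts"
    # Split the host list on commas (POSIX sh safe).
    oldifs=$IFS; IFS=,
    for h in $hosts; do
        [ -z "$h" ] && continue
        # One ACCEPT per allowed source; $NEW_InboundUDP/$OUTERNET are
        # left unexpanded on purpose for the masq script to fill in.
        printf '/sbin/iptables -A $NEW_InboundUDP --proto udp --dport %s \\\n' "$ports"
        printf '    --destination $OUTERNET --src %s --jump ACCEPT\n' "$h"
    done
    IFS=$oldifs
    # Catch-all last: log and drop anything not matched above.
    printf '/sbin/iptables -A $NEW_InboundUDP --proto udp --dport %s \\\n' "$ports"
    printf '    --destination $OUTERNET --jump denylog\n'
}

# count_accept_rules FRAGMENT: number of ACCEPT rules in the generated text.
count_accept_rules() {
    printf '%s\n' "$1" | grep -c -- '--jump ACCEPT'
}

# fragment_is_restricted FRAGMENT: returns 0 if every ACCEPT names a
# specific source, 1 if an ACCEPT for 0.0.0.0/0 makes denylog unreachable.
fragment_is_restricted() {
    if printf '%s\n' "$1" | grep -q -- '--src 0.0.0.0/0 --jump ACCEPT'; then
        return 1
    fi
    return 0
}

# Demo: emit the RTP fragment for the two hosts used in the thread.
if [ "${1:-}" = "--demo" ]; then
    gen_udp_fragment RTP 10000:20000 '220.233.127.10,210.8.40.188'
fi
```

Run with --demo to print the fragment, then paste it into the template file and signal-event remoteaccess-update as in the thread.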
-
Hi
Thanks, JonB, for the fix.
Asterisk was working perfectly (SME7) in the LAN but was not reachable from the WAN. I tried several ways to open the ports but they didn't work out; yours did.
Thanks a lot! :)
Now a small question: where did you find out about the variables $NEW_InboundUDP and $OUTERNET???
Is there any place I can learn about them? Some things look so obscure; I would really love to be able to understand it :)
Thanks a lot,
lightman