What is the correct way to save added IPTables rules to the FreePBX 12 Distro? I’ve added them in working mode, iptables-save doesn’t live through a reboot and service iptables save gets me duplicate rules after a reboot (2 copies of the default rules plus the rules I’ve added)
Gonna bump this to the top, has to be a simple answer.
Maybe just getting rid of the default distro rules that re-apply themselves every boot. I don’t know where those live.
Hi,
You can use your own BASH script to force your rules to the iptables firewall.
to verify what are the current rules you can use this command:
iptables -nL
If you want to wipe all of your rules, use this command:
iptables -F
if the rules are good enough for you and you want to save them, use this command:
iptables-save > /etc/sysconfig/iptables
Just another precaution:
If you are not sure at your commands, make sure that you can login to your server via the Linux console.
Thank you,
Daniel Friedman
Trixton LTD.
I’m not having any problem creating or saving the rules, I have them just the way I want.
My problem is that when I use:
iptables-save > /etc/sysconfig/iptables
There is something specific to the FreePBX Distro that I get a duplicate copy of the default rules. It appears there is some bash script that runs on startup that add the FreePBX Distro rules.
So what happens is I get:
Default rules
Some of my rules
The default rules again (because they are included in my file)
If I just remove the default from my list then they aren’t in the right order. If I could remove the default rules from applying on boot I would be where I want to be.
Hi,
What is your Freepbx version? 12 or 13?
Can you paste your iptables rules here (iptables -nL) here?
Thank you,
Daniel Friedman
Trixton LTD.
The file /etc/sysconfig/iptables:
*filter
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-BadBots
-N fail2ban-FTP
-N fail2ban-SIP
-N fail2ban-SSH
-N fail2ban-apache-auth
-N fail2ban-recidive
-N IPSPF
-A INPUT -s 192.168.56.0/24 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -j IPSPF
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A INPUT -p udp -m udp --dport 5060:5082 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5082 -m string --string vm1.addisonburnside.com --algo bm -j ACCEPT
-A INPUT -p udp --dport 5060:5082 -m limit --limit 5/min -j LOG --log-prefix "SIP - No domain match: " --log-level 4
-A INPUT -p udp --dport 5060:5082 -j DROP
-A INPUT -p udp --dport 10000:19000 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -m string --string vm1.addisonburnside.com --algo bm -j ACCEPT
-A INPUT -p udp --dport 4569 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 194 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p udp --dport 123 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
-A IPSPF -s 10.8.8.0/24 -i tun0 -j RETURN
-A IPSPF -s 192.168.10.0/24 -i eth0 -j RETURN
-A IPSPF -s 192.168.0.0/23 -i eth0 -j RETURN
-A IPSPF -s 10.0.0.0/8 -j DROP
-A IPSPF -s 172.16.0.0/12 -j DROP
-A IPSPF -s 192.168.0.0/16 -j DROP
-A IPSPF -s 0.0.0.0/8 -j DROP
-A IPSPF -s 100.64.0.0/10 -j DROP
-A IPSPF -s 127.0.0.0/8 -j DROP
-A IPSPF -s 169.254.0.0/16 -j DROP
-A IPSPF -s 192.0.0.0/24 -j DROP
-A IPSPF -s 192.0.2.0/24 -j DROP
-A IPSPF -s 198.18.0.0/15 -j DROP
-A IPSPF -s 198.51.100.0/24 -j DROP
-A IPSPF -s 203.0.113.0/24 -j DROP
-A IPSPF -s 224.0.0.0/4 -j DROP
-A IPSPF -s 240.0.0.0/4 -j DROP
-A IPSPF -s 255.255.255.255 -j DROP
-A IPSPF -d 0.0.0.0/8 -j DROP
-A IPSPF -d 127.0.0.0/8 -j DROP
-A IPSPF -d 224.0.0.0/4 -j DROP
-A IPSPF -d 255.255.255.255 -j DROP
-A IPSPF -p tcp --tcp-flags ALL NONE -j DROP
-A IPSPF -p tcp --tcp-flags ALL ALL -j DROP
-A IPSPF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A IPSPF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A IPSPF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A IPSPF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A IPSPF -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A IPSPF -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A IPSPF -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A IPSPF -p udp -m length --length 0:28 -j DROP
-A IPSPF -p tcp --syn -m recent --update --name INSYN --seconds 1 --hitcount 11 -j DROP
-A IPSPF -p tcp --syn -m recent --set --name INSYN -j RETURN
-A IPSPF -j RETURN
COMMIT
This is FreePBX 12
The output of iptables -nL after a reboot:
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-FTP tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 21
fail2ban-apache-auth tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 80
fail2ban-SIP all – 0.0.0.0/0 0.0.0.0/0
fail2ban-SIP all – 0.0.0.0/0 0.0.0.0/0
fail2ban-SSH tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-recidive all – 0.0.0.0/0 0.0.0.0/0
ACCEPT all – 192.168.56.0/24 0.0.0.0/0
ACCEPT all – 192.168.10.0/24 0.0.0.0/0
ACCEPT all – 0.0.0.0/0 0.0.0.0/0
ACCEPT all – 0.0.0.0/0 0.0.0.0/0
IPSPF all – 0.0.0.0/0 0.0.0.0/0
DROP all – 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
ACCEPT all – 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
fail2ban-FTP tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 21
fail2ban-apache-auth tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 80
fail2ban-SIP all – 0.0.0.0/0 0.0.0.0/0
fail2ban-SIP all – 0.0.0.0/0 0.0.0.0/0
fail2ban-SSH tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-recidive all – 0.0.0.0/0 0.0.0.0/0
ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5082 state RELATED,ESTABLISHED
ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5082 STRING match “vm1.addisonburnside.com” ALGO name bm TO 65535
LOG udp – 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5082 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `SIP - No domain match: '
DROP udp – 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5082
ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:19000
ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:4569 state RELATED,ESTABLISHED
ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:4569 STRING match “vm1.addisonburnside.com” ALGO name bm TO 65535
DROP udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:4569
ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:194
ACCEPT udp – 192.168.10.0/24 0.0.0.0/0 udp dpt:123
DROP all – 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain IPSPF (1 references)
target prot opt source destination
RETURN all – 10.8.8.0/24 0.0.0.0/0
RETURN all – 192.168.10.0/24 0.0.0.0/0
RETURN all – 192.168.0.0/23 0.0.0.0/0
DROP all – 10.0.0.0/8 0.0.0.0/0
DROP all – 172.16.0.0/12 0.0.0.0/0
DROP all – 192.168.0.0/16 0.0.0.0/0
DROP all – 0.0.0.0/8 0.0.0.0/0
DROP all – 100.64.0.0/10 0.0.0.0/0
DROP all – 127.0.0.0/8 0.0.0.0/0
DROP all – 169.254.0.0/16 0.0.0.0/0
DROP all – 192.0.0.0/24 0.0.0.0/0
DROP all – 192.0.2.0/24 0.0.0.0/0
DROP all – 198.18.0.0/15 0.0.0.0/0
DROP all – 198.51.100.0/24 0.0.0.0/0
DROP all – 203.0.113.0/24 0.0.0.0/0
DROP all – 224.0.0.0/4 0.0.0.0/0
DROP all – 240.0.0.0/4 0.0.0.0/0
DROP all – 255.255.255.255 0.0.0.0/0
DROP all – 0.0.0.0/0 0.0.0.0/8
DROP all – 0.0.0.0/0 127.0.0.0/8
DROP all – 0.0.0.0/0 224.0.0.0/4
DROP all – 0.0.0.0/0 255.255.255.255
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
REJECT tcp – 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 ctstate NEW reject-with tcp-reset
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 ctstate NEW
DROP udp – 0.0.0.0/0 0.0.0.0/0 length 0:28
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 recent: UPDATE seconds: 1 hit_count: 11 name: INSYN side: source
RETURN tcp – 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 recent: SET name: INSYN side: source
RETURN all – 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-BadBots (0 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-FTP (2 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SIP (4 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0
RETURN all – 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SSH (2 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-auth (2 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-recidive (2 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0
This is the block that is duplicated twice:
fail2ban-FTP tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 21
fail2ban-apache-auth tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 80
fail2ban-SIP all – 0.0.0.0/0 0.0.0.0/0
fail2ban-SIP all – 0.0.0.0/0 0.0.0.0/0
fail2ban-SSH tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-recidive all – 0.0.0.0/0 0.0.0.0/0
Hi,
All the rules that contains fail2ban are generated from the fail2ban server. This is ok.
Can you paste your rules without your personal rules?
Thank you,
Daniel Friedman
Trixton LTD.