Setting Up Firewall

  • paul.kelly
  • 04/05/09
  • Offline
Posted: Thu, 2011-08-18 05:34

I am setting up a firewall to give some additional protection to a remote asterisk server, but want a little help, as, at this level (server), I want to get it right first time!!

1 - I have chosen the option to allow all webmin related activity through, to get the basics going.

2 - I have added in all relevant IP addresses i.e. for my VoIP providers (for the trunk connection) and for the users/extensions, to allow if Source

3 - The providers have static IP addresses, however some extensions are on connections that are dynamic. I have added in the dynamic address e.g. 1.1.1.1. Assuming that the ADSL provider works within an address range, what is the correct way to assign a range? Is it 1.1.1.0/24 or 1.1.0.0/24 for a wider pool?

4 - Once I have sorted the ranges, I want to lock the server down, only allowing approved IP addresses and services to have access. a - Do I do this by dropping/rejecting Source 0.0.0.0/24 b - if this is right, should this be at the top of the list, so it is the first action c - what are the implications of choosing drop/reject. The wiki http://doxfer.webmin.com/Webmin/LinuxFirewall comments on dropping, but not rejecting!

Thanks in advance for your comments.


I have added in the dynamic

  • andreychek
  • 01/04/09
  • Offline
  • Thu, 2011-08-18 07:16

I have added in the dynamic address e.g. 1.1.1.1. Assuming that the ADSL provider works within an address range, what is the correct way to assign a range?

I believe this is all passed directly to iptables... that means when adding an IP to "Source address or network" or "Destination address or network", it could use an IP address, or a network address with a /mask, as you described above. Your "1.1.1.0/24" example would allow "1.1.1.*" to connect.

Once I have sorted the ranges, I want to lock the server down, only allowing aproved IP addresses and services to have access

It sounds like you're saying you plan to add specific IP addresses, and you want to deny everything else.

If that's the case, you can do that by setting the default action to "DROP".

There's a dropdown list on the firewall page for setting the default action.

Just be careful when setting that up for the first time, I'd make sure someone has console access to the server, as it's easy to lock oneself out :-)

-Eric


Eric, thanks for the quick

  • paul.kelly
  • 04/05/09
  • Offline
  • Thu, 2011-08-18 07:43

Eric,

thanks for the quick response.

If I set the default action to DROP, I assume that I would have to enter all of the Webmin related settings as well. Do I take it that drop 0.0.0.0/24 as the first setting is not advisable/workable?

Paul


Hmm, I may not understand how

  • andreychek
  • 01/04/09
  • Offline
  • Thu, 2011-08-18 07:58

Hmm, I may not understand how you're looking to use 0.0.0.0 (no need to add /24 to that).

Can you describe how you were thinking of adding that?

It initially sounded like you were thinking of adding a rule that said to drop requests from "0.0.0.0" after all of your allow rules... which would have the same effect as using a default DROP rule.

But, perhaps I'm just not following what it is you're planning there :-)

-Eric


I am working from the premise

  • paul.kelly
  • 04/05/09
  • Offline
  • Thu, 2011-08-18 08:08

I am working from the premise that first you block everything, then let what you want through.

Using the Webmin settings allows relevant 'services' through, but, it does not seem to want to restrict anything. This appears to be no better than switching the firewall off, but, that might be my lack of knowledge in these matters!

So, basically, I (think I) want to only allow core webmin services through and everything relating to the relevant IP addresses (so I do not have to start splitting ports out) to make my Asterisk server work i.e. VoIP providers and extensions.


Aha, those firewall rules

  • andreychek
  • 01/04/09
  • Offline
  • Thu, 2011-08-18 08:15

Aha, those firewall rules work the other way around.

With firewall rules -- the first rule that matches is what's used.

So, if your first rule is to block everything -- everything will be blocked :-) It won't work its way down to the next rule.

As far as the Webmin defaults go -- Webmin doesn't actually setup a firewall. During Virtualmin installation, a few allow rules are added, just in case you happen to have a firewall already setup... but Webmin doesn't attempt to setup a firewall for you, or to block anything.

If you're interested in blocking things, you'd need to set that up (as you're doing now).

The way to do that would be to setup a series of rules of what should be allowed, followed by what should be blocked.

-Eric


your help is really

  • paul.kelly
  • 04/05/09
  • Offline
  • Thu, 2011-08-18 08:18

your help is really appreciated.

Is there a rule that says 'block everything else??????????' I can stick on the end of the table?

That may be a bit 'tongue in cheek'!


You could make the last rule

  • andreychek
  • 01/04/09
  • Offline
  • Thu, 2011-08-18 08:25

You could make the last rule a rule that says to block anything coming from "0.0.0.0".

But at that point, you might just want to set the default action to be "DROP". The default action is what happens if no other rules are matched.

-Eric
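
The three questions settled above (whether 1.1.0.0/24 is a wider pool than 1.1.1.0/24, why a block-everything rule at the top stops anything below it from being reached, and a final catch-all rule versus a default DROP policy) can be tried out without touching a live server. The script below is an added example, not code from the thread or from Webmin: a small bash model of how iptables walks the INPUT chain, first match wins, chain policy if nothing matches. The rule tables, the addresses (RFC 5737 documentation ranges standing in for an admin network and a SIP provider) and the names in_cidr and evaluate are all constructed for this example. One iptables detail it also shows: a source given without a mask is read as /32, so 0.0.0.0 on its own matches only packets claiming that exact address, while 0.0.0.0/0 is the form that matches everything.

```shell
#!/bin/bash
# Added example, not code from the thread or from Webmin: a small model of how
# iptables walks a chain, to try out rule orderings before touching a live box.

# ip_to_int A.B.C.D -> the address as a 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET[/PREFIX] -> true if ADDR lies inside NET. A bare address is
# treated as /32, exactly as iptables does with "-s".
in_cidr() {
    local addr=$1 net=${2%/*} prefix=32 mask
    [ "$2" != "${2#*/}" ] && prefix=${2#*/}
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip_to_int "$addr") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# evaluate SRC DPORT RULES [POLICY]: the first matching rule wins; if none
# matches, the chain policy applies, which on a fresh iptables is ACCEPT.
# RULES is one rule per line: SOURCE DPORT ACTION, with "any" matching all ports.
evaluate() {
    local src=$1 dport=$2 rules=$3 policy=${4:-ACCEPT} rsrc rport raction
    while read -r rsrc rport raction; do
        [ -z "$rsrc" ] && continue
        in_cidr "$src" "$rsrc" || continue
        [ "$rport" = any ] || [ "$rport" = "$dport" ] || continue
        echo "$raction"
        return 0
    done <<EOF
$rules
EOF
    echo "$policy"
}

# Constructed rule tables using RFC 5737 documentation addresses:
# 198.51.100.0/24 stands in for the admin network, 203.0.113.0/24 for a provider.
ALLOW_THEN_BLOCK='
198.51.100.0/24 10000 ACCEPT
203.0.113.0/24  5060  ACCEPT
0.0.0.0/0       any   DROP
'
# The same allows with the catch-all first: nothing below it is ever reached.
BLOCK_FIRST='
0.0.0.0/0       any   DROP
198.51.100.0/24 10000 ACCEPT
203.0.113.0/24  5060  ACCEPT
'
# Allows only; what happens to everyone else depends on the chain policy.
ALLOW_ONLY='
198.51.100.0/24 10000 ACCEPT
203.0.113.0/24  5060  ACCEPT
'
# Bare 0.0.0.0 is 0.0.0.0/32: it matches only packets claiming that address.
BARE_ZERO='
0.0.0.0         any   DROP
'

echo "1.1.1.77 in 1.1.1.0/24: $(in_cidr 1.1.1.77 1.1.1.0/24 && echo yes || echo no)"
echo "1.1.1.77 in 1.1.0.0/24: $(in_cidr 1.1.1.77 1.1.0.0/24 && echo yes || echo no)"
echo "1.1.1.77 in 1.1.0.0/16: $(in_cidr 1.1.1.77 1.1.0.0/16 && echo yes || echo no)"
echo "provider SIP, allow-then-block:       $(evaluate 203.0.113.9 5060 "$ALLOW_THEN_BLOCK")"
echo "provider SIP, block-first:            $(evaluate 203.0.113.9 5060 "$BLOCK_FIRST")"
echo "stranger, allows only, policy ACCEPT: $(evaluate 192.0.2.1 5060 "$ALLOW_ONLY")"
echo "stranger, allows only, policy DROP:   $(evaluate 192.0.2.1 5060 "$ALLOW_ONLY" DROP)"
echo "stranger, bare 0.0.0.0 drop rule:     $(evaluate 192.0.2.1 22 "$BARE_ZERO")"
```

Two things fall out of running it. 1.1.0.0/24 only covers 1.1.0.0 to 1.1.0.255, so it is not a wider pool than 1.1.1.0/24; the wider pool is 1.1.0.0/16. And a table of allow rules with the chain policy left at ACCEPT lets a stranger straight through, which is the "no better than switching the firewall off" state described earlier in the thread; the same table with policy DROP, or with a 0.0.0.0/0 DROP rule at the very end, gives the lock-down being asked for.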


Understood! Thanks.

  • paul.kelly
  • 04/05/09
  • Offline
  • Thu, 2011-08-18 08:36

Understood!

Thanks.


BTW, whilst 'playing with the

  • paul.kelly
  • 04/05/09
  • Offline
  • Thu, 2011-08-18 08:45

BTW, whilst 'playing with the settings', to ensure I do not lock myself out, I have set 'activate at boot' to no, which seems the sensible option (when I am happy, I will change to yes).

I assume this does what it indicates, so, if I do screw up, I just reboot and the firewall does not start?


Yup, that seems like a good

  • andreychek
  • 01/04/09
  • Offline
  • Thu, 2011-08-18 08:50

Yup, that seems like a good idea, to not have that activated at boot time.

Alternatively, I think all Webmin does is tweak the default CentOS iptables settings -- if that's the case, you could run a command like this as root from the console to stop the firewall:

/etc/init.d/iptables stop
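
The plan worked out in this thread (allow rules for the admin network, the providers and the extension pools, then a default DROP, applied carefully enough that nobody gets locked out) as a script. This is an added example, not Webmin's configuration or anything posted above. The networks, ports, the RTP range and the 300-second window are placeholders to be replaced with your own; the function names gen_rules and apply_with_rollback are chosen here. Besides leaving "activate at boot" off, the usual safety net is a watchdog that reopens the firewall after a fixed time unless you kill it, which is what apply_with_rollback does.

```shell
#!/bin/bash
# Added example, not from the thread or Webmin: a default-deny INPUT chain for
# a remote Asterisk host, applied behind a timed rollback so a mistake in the
# rules cannot lock the admin out. All addresses and ports are placeholders.

ADMIN_NET="198.51.100.0/24"      # where SSH and Webmin sessions come from
PROVIDER_NETS="203.0.113.0/24"   # SIP trunk providers (static addresses)
EXT_NETS="192.0.2.0/24"          # ISP pool(s) the dynamic extensions sit in
SSH_PORT=22
WEBMIN_PORT=10000
SIP_PORT=5060
RTP_PORTS="10000:20000"          # must match rtpstart/rtpend in rtp.conf

# Emit the ruleset as iptables commands: allows first, policy last.
gen_rules() {
    local net
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -s $ADMIN_NET -p tcp --dport $SSH_PORT -j ACCEPT"
    echo "iptables -A INPUT -s $ADMIN_NET -p tcp --dport $WEBMIN_PORT -j ACCEPT"
    for net in $PROVIDER_NETS; do
        echo "iptables -A INPUT -s $net -p udp --dport $SIP_PORT -j ACCEPT"
        echo "iptables -A INPUT -s $net -p udp --dport $RTP_PORTS -j ACCEPT"
    done
    # Extensions on dynamic addresses: the whole ISP pool on all ports, as the
    # thread does; tighten to SIP and RTP once the pool is known to work.
    for net in $EXT_NETS; do
        echo "iptables -A INPUT -s $net -j ACCEPT"
    done
    # Policy last. Flushing and then setting DROP before the ESTABLISHED rule
    # exists would cut off the very SSH session doing the work.
    echo "iptables -P INPUT DROP"
}

# Apply the rules behind a watchdog: unless it is killed within $1 seconds,
# the chain is reopened, so a lock-out lasts at most that long.
apply_with_rollback() {
    local secs=$1 watchdog
    ( sleep "$secs" && iptables -P INPUT ACCEPT && iptables -F INPUT ) &
    watchdog=$!
    echo "rollback watchdog pid $watchdog fires in ${secs}s; kill it to keep the rules" >&2
    gen_rules | sh -e
}

if [ "${1:-}" = "--apply" ]; then
    apply_with_rollback 300
else
    gen_rules    # dry run: print the commands without touching the firewall
fi
```

Run it without arguments to review the commands, then as root with --apply. Once SSH, Webmin and a test call still work from the allowed addresses, kill the watchdog PID it printed. On CentOS, `service iptables save` writes the running rules to /etc/sysconfig/iptables, which is the file the /etc/init.d/iptables script mentioned above loads at boot; until that is done and the service is enabled, a reboot brings the box back up with no firewall, which is exactly the fallback being relied on in the thread.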