
I have an Ubuntu server where my SIP proxy server is currently running. I've configured iptables on my proxy server according to the following statements:

```
*filter

# Allows all loopback traffic and drop all traffic to 127/8 that doesn't use lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -p icmp --icmp-type 8 -s 0/0 -d 1.2.3.4 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth2 -d 1.2.3.4 -p udp -m multiport --dports 5060,5061 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -d 1.2.3.4 -p tcp -m multiport --dports 5060,5061 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -j REJECT

# Reject all other inbound from public (eth2) - default deny unless explicitly allowed policy
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j REJECT

# Outbound traffic
-A OUTPUT -j ACCEPT

# Log
-I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

COMMIT
```

And by executing `iptables -L -v -n` I can see that the packets that I have sent from my Jitsi (an audio/video and chat communicator that supports protocols such as SIP, XMPP/Jabber etc.) to my proxy server to authenticate are being ACCEPTED:

```
pkts    bytes   target     prot opt in     out     source               destination
14      7881    ACCEPT     udp  --  eth2   *       0.0.0.0/0            1.2.3.4      multiport dports 5060,5061 state NEW,ESTABLISHED
0       0       ACCEPT     tcp  --  eth2   *       0.0.0.0/0            1.2.3.4      multiport dports 5060,5061 state NEW,ESTABLISHED
0       0       REJECT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0    reject-with icmp-port-unreachable
```

But iptables reports that these packets are being dropped!

```
Feb  5 16:55:25 sip kernel: [  788.538025] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=4.3.2.1 DST=1.2.3.4 LEN=566 TOS=0x00 PREC=0x00 TTL=127 ID=5381 PROTO=UDP SPT=2119 DPT=5060 LEN=546
Feb  5 16:55:26 sip kernel: [  789.041576] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=4.3.2.1 DST=1.2.3.4 LEN=566 TOS=0x00 PREC=0x00 TTL=127 ID=5387 PROTO=UDP SPT=2119 DPT=5060 LEN=546
Feb  5 16:55:27 sip kernel: [  790.041679] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=4.3.2.1 DST=1.2.3.4 LEN=566 TOS=0x00 PREC=0x00 TTL=127 ID=5388 PROTO=UDP SPT=2119 DPT=5060 LEN=546
Feb  5 16:55:29 sip kernel: [  792.041974] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=4.3.2.1 DST=1.2.3.4 LEN=566 TOS=0x00 PREC=0x00 TTL=127 ID=5390 PROTO=UDP SPT=2119 DPT=5060 LEN=546
Feb  5 16:55:33 sip kernel: [  796.042401] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=4.3.2.1 DST=1.2.3.4 LEN=566 TOS=0x00 PREC=0x00 TTL=127 ID=5391 PROTO=UDP SPT=2119 DPT=5060 LEN=546
Feb  5 16:55:41 sip kernel: [  804.043009] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=4.3.2.1 DST=1.2.3.4 LEN=566 TOS=0x00 PREC=0x00 TTL=127 ID=5393 PROTO=UDP SPT=2119 DPT=5060 LEN=546
Feb  5 16:55:53 sip kernel: [  816.043858] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=4.3.2.1 DST=1.2.3.4 LEN=566 TOS=0x00 PREC=0x00 TTL=127 ID=5410 PROTO=UDP SPT=2119 DPT=5060 LEN=546
Feb  5 16:58:18 sip kernel: [  961.394041] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=4.3.2.1 DST=1.2.3.4 LEN=566 TOS=0x00 PREC=0x00 TTL=127 ID=5785 PROTO=UDP SPT=1254 DPT=5060 LEN=546
Feb  5 16:58:18 sip kernel: [  961.894736] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=4.3.2.1 DST=1.2.3.4 LEN=566 TOS=0x00 PREC=0x00 TTL=127 ID=5786 PROTO=UDP SPT=1254 DPT=5060 LEN=546
Feb  5 16:58:19 sip kernel: [  962.894533] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=4.3.2.1 DST=1.2.3.4 LEN=566 TOS=0x00 PREC=0x00 TTL=127 ID=5787 PROTO=UDP SPT=1254 DPT=5060 LEN=546
Feb  5 16:58:21 sip kernel: [  964.894617] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=4.3.2.1 DST=1.2.3.4 LEN=566 TOS=0x00 PREC=0x00 TTL=127 ID=5788 PROTO=UDP SPT=1254 DPT=5060 LEN=546
Feb  5 16:58:25 sip kernel: [  968.894651] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=4.3.2.1 DST=1.2.3.4 LEN=566 TOS=0x00 PREC=0x00 TTL=127 ID=5789 PROTO=UDP SPT=1254 DPT=5060 LEN=546
Feb  5 16:58:32 sip kernel: [  975.544611] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=4.3.2.1 DST=1.2.3.4 LEN=614 TOS=0x00 PREC=0x00 TTL=127 ID=5793 PROTO=UDP SPT=1254 DPT=5060 LEN=594
Feb  5 16:58:44 sip kernel: [  987.045243] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=4.3.2.1 DST=1.2.3.4 LEN=614 TOS=0x00 PREC=0x00 TTL=127 ID=5808 PROTO=UDP SPT=1254 DPT=5060 LEN=594
```

Why are my packets being dropped when they are being ACCEPTED by the rule `-A INPUT -i eth2 -d 1.2.3.4 -p udp -m multiport --dports 5060,5061 -m state --state NEW,ESTABLISHED -j ACCEPT`?

ClydeFrog
  • The first interesting thing you show us is that **none** of the lines of iptables you post is a LOG line. That leads me to believe you have more rules in place, and with iptables, order matters. Could you post the entire output of `iptables -L -n -v` in your – MadHatter Feb 06 '13 at 09:32
  • @MadHatter, added entire iptables configuration – ClydeFrog Feb 06 '13 at 09:36
  • Thanks, but the full contents of the firewall config file isn't what I asked for: for a start, it doesn't have any policies in place, which makes it **very** unclear if those lines which are logging do in fact reflect denies, or are simply misinformative. – MadHatter Feb 06 '13 at 09:37
  • correct me if I'm wrong, but I don't think that there's a security issue by using `iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` and restricting the `OUTPUT` chain with which hosts/on which ports it may or may not communicate – fuero Feb 06 '13 at 09:51

1 Answer

You are accepting packets with state NEW or ESTABLISHED, but not RELATED. The RELATED state may be assigned to packets which are starting a new connection (or whatever conntrack considers a “connection” for UDP), but are related with another existing connection. This state is used for protocols that use more than a single connection, like FTP or SIP, and for ICMP error replies.

In your case the xt_conntrack_sip module might intercept the SIP control connection and add conntrack entries to mark the associated UDP packets for audio/video streams as RELATED; your rules should accept such packets.

Also you probably need to accept all ESTABLISHED and RELATED packets without checking port numbers — otherwise connections initiated by your machine will not work, because such connections usually use an ephemeral (not fixed) port number on your end. This should be safe, because packets with these states either belong to connections initiated by your machine, or are associated with other already permitted connections for protocols which need more than a single connection.


But in your case the first problem is that your logging rule is in fact inserted at the start of the INPUT chain, and logs everything as “denied”! Just use -A instead of -I to put it at the end of the chain (this assumes that -P INPUT DROP is set, and therefore packets which are not explicitly allowed will be dropped).

(Yes, in this case the iptables howto on the Ubuntu wiki suggests using a wrong command.)

Sergey Vlasov
  • Good point Sergey! I changed the chain and it seems to be working now. I also traced the traffic on the proxy server and it responds to incoming traffic. The packets are being dropped somewhere else. Thanks for your help! – ClydeFrog Feb 06 '13 at 10:25
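To make the rule-ordering point concrete, here is a small INPUT-chain simulator, added as an example; it is not code from the question, the answer, or any iptables tool. It replays the asker's INPUT rules exactly as posted (including `-I INPUT 5`) and an assumed corrected ruleset written along the answer's lines (a `:INPUT DROP` policy, one early `ESTABLISHED,RELATED` accept with no port check, the catch-all eth2 REJECT removed so the policy does the dropping, and the LOG rule appended with `-A`), then walks three constructed packets through each chain: the SIP REGISTER from the posted log lines, an RTP packet that the kernel's SIP conntrack helper would have marked RELATED, and an unsolicited tcp/22 attempt from outside. The RTP port, the tcp/22 packet and the corrected ruleset are assumptions for the example.

```python
"""Added example: walk a packet through an iptables INPUT chain (first terminating match wins,
LOG is non-terminating, the chain policy applies when nothing matched). Not code from the thread."""
import ipaddress
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
SKIP = {"-m", "--limit", "--log-prefix", "--log-level"}   # consumed with their argument, not evaluated

def _net(spec):
    addr, _, plen = spec.partition("/")             # iptables accepts "0/0"; ipaddress wants four octets
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)

SETTERS = {  # option -> (rule key, converter); every matcher is stored as a set or a network
    "-s": ("src", _net), "-d": ("dst", _net), "-j": ("target", str),
    "-p": ("proto", lambda a: {a}), "--icmp-type": ("icmp_type", lambda a: {int(a)}),
    "--dports": ("dports", lambda a: {int(x) for x in a.split(",")}),
    "--state": ("states", lambda a: set(a.split(","))), "--ctstate": ("states", lambda a: set(a.split(","))),
}

def parse_rule(tok):
    """Tokens after the chain name -> dict of matchers plus 'target'."""
    r, i, neg = {"target": "", "iface": None, "negate": False}, 0, False
    while i < len(tok):
        opt = tok[i]
        if opt == "!":
            neg, i = True, i + 1
            continue
        if opt == "-i":
            r["iface"], r["negate"] = tok[i + 1], neg
        elif opt in SETTERS:
            r[SETTERS[opt][0]] = SETTERS[opt][1](tok[i + 1])
        elif opt not in SKIP:
            raise ValueError(f"unsupported option {opt!r}")
        i, neg = i + 2, False
    return r

def build_input_chain(cfg):
    """Replay INPUT lines in file order; -I CHAIN [pos] inserts at pos (default 1)."""
    chain, policy = [], "ACCEPT"                    # no policy line: built-in chains accept by default
    for tok in map(shlex.split, cfg.splitlines()):
        if tok[:1] == [":INPUT"]:                   # ":INPUT DROP [0:0]" policy line
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            chain.append(parse_rule(tok[2:]))
        elif tok[:2] == ["-I", "INPUT"]:
            pos, rest = (int(tok[2]), tok[3:]) if tok[2].isdigit() else (1, tok[2:])
            chain.insert(pos - 1, parse_rule(rest))
    return chain, policy

def matches(r, p):
    """True when every matcher present in the rule agrees with the packet."""
    if r["iface"] is not None and (p["iface"] == r["iface"]) == r["negate"]:
        return False
    if any(k in r and ipaddress.ip_address(p[k]) not in r[k] for k in ("src", "dst")):
        return False
    fields = (("proto", p["proto"]), ("dports", p["dport"]), ("states", p["state"]), ("icmp_type", p["icmp_type"]))
    return all(k not in r or v in r[k] for k, v in fields)

def walk(cfg, p):
    """Return (verdict, [(rule number, target), ...]) for every rule the packet hit, in order."""
    chain, policy = build_input_chain(cfg)
    hits = []
    for n, r in enumerate(chain, 1):
        if matches(r, p):
            hits.append((n, r["target"]))
            if r["target"] in TERMINATING:
                return r["target"], hits
    return policy, hits

def packet(iface, src, dst, proto, dport=None, state="NEW", icmp_type=None):
    return dict(iface=iface, src=src, dst=dst, proto=proto, dport=dport, state=state, icmp_type=icmp_type)

# The asker's INPUT rules as posted; "-I INPUT 5" is the line the answer objects to.
BEFORE = """
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -p icmp --icmp-type 8 -s 0/0 -d 1.2.3.4 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth2 -d 1.2.3.4 -p udp -m multiport --dports 5060,5061 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -j REJECT
-I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
"""
# Assumed rewrite along the answer's lines: DROP policy, early ESTABLISHED,RELATED accept, LOG appended last.
AFTER = """
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -d 1.2.3.4 -p udp -m multiport --dports 5060,5061 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
"""
# Constructed packets: the posted SIP REGISTER, an RTP packet the SIP helper marked RELATED, unsolicited tcp/22.
SIP_REGISTER = packet("eth2", "4.3.2.1", "1.2.3.4", "udp", 5060)
RTP_RELATED = packet("eth2", "4.3.2.1", "1.2.3.4", "udp", 10000, "RELATED")
UNSOLICITED = packet("eth2", "4.3.2.1", "1.2.3.4", "tcp", 22)

if __name__ == "__main__":
    print({n: (walk(BEFORE, p), walk(AFTER, p)) for n, p in [("sip", SIP_REGISTER), ("rtp", RTP_RELATED), ("tcp22", UNSOLICITED)]})
```

With the posted rules the REGISTER hits rule 5 (LOG, which never ends the walk) and then rule 7 (ACCEPT), which is exactly the combination the question reports: a packet counter on the ACCEPT rule and a "denied" log line for the same packet. The RELATED RTP packet fares worse: it is logged and then rejected by the eth2 catch-all, which is the answer's RELATED point. In the corrected set the REGISTER is accepted without a log entry, the RTP packet is accepted by the state rule, and only the unsolicited tcp/22 packet reaches the LOG rule before falling through to the DROP policy. The simulator deliberately ignores `-m limit`, so it cannot show rate-limited log suppression, and it assumes the SIP helper is what produced the RELATED state.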