Koozali.org: home of the SME Server

Opening ports on server

Offline stiperstones

Opening ports on server
« on: February 20, 2006, 01:18:50 PM »
I need to open multiple ports on the server, 6881-6889. I don't want port forwarding to internal machines.
Reading the documentation, I can see how to do it with this command:
Quote
config set myservice service TCPPort xxxx access public status enabled
signal-event remoteaccess-update

but I would like to do all these ports 6881-6889 in one hit; would this way do that?
Code:
config set myservice service TCPPort 6881-6889 access public status enabled
signal-event remoteaccess-update

thanks in advance

this is associated with this post
http://forums.contribs.org/index.php?topic=30787.0
Stiperstones

http://wiki.contribs.org/Koozali_Foundation
Try the Wiki, some great how-tos there

"My Licence".........

Don't report security issues here - Contact security at contribs dot org
Don't report problems here - Please report bugs @ http://bugs.contribs.org/
Don't ask the same question twice - Please search the forums, your question may have been asked before - Thank You.

Offline CharlieBrady

Re: Opening ports on server
« Reply #1 on: February 20, 2006, 05:18:29 PM »
Quote from: "stiperstones"
I need to open multiple ports on the server, 6881-6889. I don't want port forwarding to internal machines.
Reading the documentation, I can see how to do it with this command:
Quote
config set myservice service TCPPort xxxx access public status enabled
signal-event remoteaccess-update

but I would like to do all these ports 6881-6889 in one hit; would this way do that?
Code:
config set myservice service TCPPort 6881-6889 access public status enabled


Try '6881:6889'.

Offline stiperstones

Opening ports on server
« Reply #2 on: February 20, 2006, 05:22:37 PM »
Thanks CharlieBrady

Offline chris burnat

Opening ports on server
« Reply #3 on: March 28, 2006, 02:33:09 PM »
Code:
config set myservice service TCPPort 6881:6889 access public status enabled
Thanks Charlie.
Does this also work for UDP?
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

Offline JonB

Opening ports on server
« Reply #4 on: March 28, 2006, 04:07:50 PM »
Chris,

Unfortunately the method that Charlie mentioned does not work. See bug 1000 and bug 56.

The ability to open a range of ports using colon-separated values has been punted to SME 7.1, along with the ability to open multiple comma-separated ports, e.g.

UDPPorts 5060,4569

see bug 989

I must admit I find this a bit frustrating, as it means that having any real control over the firewall involves writing custom firewall rules or opening multiple ports individually (not an option when you need to open 10000 UDP ports).

Jon
...

Offline chris burnat

Opening ports on server
« Reply #5 on: March 28, 2006, 04:25:21 PM »
"I must admit I find this a bit frustrating as it means that to have any real control over the firewall involves having to write custom firewall rules or open multiple ports individually (not an option when you need to open 10000 udp ports)"

JohnB, many thanks for the clarification. Now I know where I stand as regards Asterisk on a Gateway... Been trying Charlie's recipe for a while now, no joy. Custom firewall rules are outside the scope of what I can do at the moment (new at all of this...). So Asterisk will have to go back on a dedicated server + port forwarding from my gateway. Small price to pay, just another box until 7.1 comes along.
- chris

Offline JonB

Opening ports on server
« Reply #6 on: March 28, 2006, 04:29:19 PM »
Chris,

If you are wanting to open a range of UDP ports for RTP, I have a custom rule already written and working on my server. Let me know and I will post it.

Jon

Offline chris burnat

Opening ports on server
« Reply #7 on: March 28, 2006, 04:37:22 PM »
"If you are wanting to open a range of UDP ports for RTP I have a custom rule already written and working on my server. let me know and I will post it. "

Jon, your offer is gratefully accepted. I am sure others will also benefit from your post. Many thanks. (Phew, you mean this one is finally getting sorted out?) Regards, chris.
- chris

Offline JonB

Opening ports on server
« Reply #8 on: March 28, 2006, 04:42:46 PM »
Here it is anyway

Code:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
pico 90InboundUDP20rtp_udp


and add the following

Code:
# RTP: UDPPort 10000:20000, AllowHosts: 0.0.0.0/0, DenyHosts:
  /sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
  --destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
  /sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
  --destination $OUTERNET --jump denylog


save and

Code:
signal-event remoteaccess-update

You can check with iptables -L

Jon

Offline chris burnat

Opening ports on server
« Reply #9 on: March 28, 2006, 04:51:37 PM »
Thank you Jon. chris.
- chris

Offline chris burnat

Opening ports on server
« Reply #10 on: April 01, 2006, 11:09:03 AM »
John, I would like to allow access to UDP ports ONLY to certain IP addresses or domains. I am a bit worried to open my box to all and sundry. Is this justified?

To make my life easy, I have combined all ports of interest in your patch; please refer below.

a) How do I modify your code to allow access to a couple of IP addresses or domains only, i.e. sip03.astrasip.com.au and gw3.austechpartnerships.com - 220.233.127.10

b) How do I modify your code to enable logging for these events?

pico 90InboundUDP20rtp_udp:
# RTP: UDPPort 10000:20000, AllowHosts: 0.0.0.0/0, DenyHosts:
  /sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
    --destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
  /sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
    --destination $OUTERNET --jump denylog

# IAX2: UDPPort 4569, AllowHosts: 0.0.0.0/0, DenyHosts:
  /sbin/iptables -A $NEW_InboundUDP --proto udp --dport 4569 \
    --destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
  /sbin/iptables -A $NEW_InboundUDP --proto udp --dport 4569 \
    --destination $OUTERNET --jump denylog

# SIP: UDPPort 5060, AllowHosts: 0.0.0.0/0, DenyHosts:
  /sbin/iptables -A $NEW_InboundUDP --proto udp --dport 5060 \
    --destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
  /sbin/iptables -A $NEW_InboundUDP --proto udp --dport 5060 \
    --destination $OUTERNET --jump denylog
- chris

Offline JonB

Opening ports on server
« Reply #11 on: April 01, 2006, 12:00:27 PM »
Chris,

You would add the allowed addresses as comma-separated values, e.g.

Code:
# RTP: UDPPort 10000:20000, AllowHosts: 220.233.127.10,210.8.40.188, DenyHosts:
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
--destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
--destination $OUTERNET --jump denylog


Watch the line wrap

As for logging, all unauthorised access will be logged.

Jon

Offline chris burnat

Opening ports on server
« Reply #12 on: April 01, 2006, 03:18:59 PM »
Thanks John,
Why do you have # in front of the first line, i.e.

# RTP: UDPPort 10000:20000, AllowHosts: 220.233.127.10,210.8.40.188, DenyHosts:
I do not understand this...
- chris

Offline JonB

Opening ports on server
« Reply #13 on: April 01, 2006, 04:41:50 PM »
oops

It should be

Code:
# RTP: UDPPort 10000:20000, AllowHosts: 220.233.127.10,210.8.40.188, DenyHosts:
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
--destination $OUTERNET --src 220.233.127.10 --jump ACCEPT
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
--destination $OUTERNET --src 210.8.40.188 --jump ACCEPT  
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 10000:20000 \
--destination $OUTERNET --jump denylog
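As an added example (not JonB's template and not SME Server's own code) generalising the fragments in Reply #8 and Reply #13: a POSIX shell generator that, given a UDP port or range and a comma-separated allow list, emits one ACCEPT rule per source followed by the denylog catch-all, so the AllowHosts comment and the rules cannot drift apart as they did in Reply #11. It assumes, as the posted fragments do, that $NEW_InboundUDP and $OUTERNET are defined by the enclosing masq script; the names gen_udp_fragment and count_accept_rules are mine.

```shell
#!/bin/sh
# Emits a masq template fragment in the shape used in this thread:
# one ACCEPT rule per allowed source, then a denylog rule for everything else.
# $NEW_InboundUDP and $OUTERNET are written out literally because the
# enclosing masq script is assumed to define them (assumption, see lead-in).

# gen_udp_fragment NAME PORTS ALLOWHOSTS
#   NAME       label for the comment line, e.g. RTP
#   PORTS      a single port or an iptables range, e.g. 10000:20000
#   ALLOWHOSTS comma-separated sources, e.g. 220.233.127.10,210.8.40.188
#              (0.0.0.0/0 allows any host, which is what Reply #8 does)
# Note: iptables resolves a hostname once, when the rule is loaded, so
# IP addresses are more predictable than DNS names in the allow list.
gen_udp_fragment() {
    name=$1; ports=$2; hosts=$3
    printf '# %s: UDPPort %s, AllowHosts: %s, DenyHosts:\n' "$name" "$ports" "$hosts"
    # split the allow list on commas; IFS is restored afterwards
    oldifs=$IFS; IFS=,
    for src in $hosts; do
        printf '  /sbin/iptables -A $NEW_InboundUDP --proto udp --dport %s \\\n' "$ports"
        printf '    --destination $OUTERNET --src %s --jump ACCEPT\n' "$src"
    done
    IFS=$oldifs
    # anything not matched above is handed to the denylog chain (dropped and logged)
    printf '  /sbin/iptables -A $NEW_InboundUDP --proto udp --dport %s \\\n' "$ports"
    printf '    --destination $OUTERNET --jump denylog\n'
}

# count_accept_rules NAME PORTS ALLOWHOSTS: number of ACCEPT rules generated,
# a quick check that every allowed source got its own rule
count_accept_rules() {
    gen_udp_fragment "$@" | grep -c -- '--jump ACCEPT'
}

# usage: write the fragment into the custom template directory from Reply #8
# gen_udp_fragment RTP 10000:20000 220.233.127.10,210.8.40.188 \
#   > /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90InboundUDP20rtp_udp
```

After writing the fragment, the thread's own `signal-event remoteaccess-update` rebuilds the masq script and `iptables -L` shows the resulting rules.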

Offline lightman

Opening ports on server
« Reply #14 on: October 28, 2006, 05:19:25 AM »
Hi
Thanks JonB for the Fix.

Asterisk was working perfectly (SME7) in the LAN but was not reachable from the WAN. I tried several ways to open ports but they didn't work out; yours did.

Thanks a lot! :)

Now a small question: where did you find out about the variables $NEW_InboundUDP and $OUTERNET?

Is there any place I can learn about them? Some things look so obscure, I'd really love to be able to understand it :)

thanks a lot
lightman