Webmin/Shorewall Help / Setup Guide
Hi all,
I am setting up Trixbox for a friend and would like to protect it using Shorewall firewall. I have successfully used Webmin in the past to protect other systems that I have created. For some reason, I am unable to properly configure Shorewall on this system. I basically used my working system as a guide to setting up this system that I am having issues with (taking note that eth0 is my public "net" connection, and there is no local network adapter). My working system has 2 ethernet ports (eth0 - local, eth1 - net).
Here is the problem:
When Shorewall is running, audio doesn't pass through the system, however, Asterisk sees the call come in. If I stop Shorewall, the same problem exists. If I stop Shorewall AND IPTables (service stop iptables), everything works fine.
I have configured Shorewall to allow all addresses and accept all connections when stopped. I have the following firewall policies:
$FW net ACCEPT
all all DROP
I have the following firewall rules:
ACCEPT net $FW tcp 22
ACCEPT net:216.82.225.202,216.82.224.202,4.79.212.236 all all
DROP net $FW tcp 80
ACCEPT net $FW tcp 10000
ACCEPT net $FW udp 5060:5082
ACCEPT net $FW udp 10000:20000
I have the following rule in Route Stopped:
eth0 - routeback,source,dest,critical
I feel like I'm just making a simple error or mistake...and I'm just blind to seeing it! Any help would be GREATLY appreciated. Please let me know if you need any additional information.
Thank you in advance!
-Michael
Did you ever resolve this? Any info would be appreciated - I am having the exact same problem: one NIC, simple rules, all ports (both TCP and UDP), and the server does not see the calls/phones at all. The other services defined in shorewall (ssh, etc.) work as expected.
Has anyone figured out how to use shorewall on the same machine as trixbox?
Thanks
I did resolve it. In Webmin under Networking, go to Linux Firewall. Go all the way down, select 'Yes' for activate on Boot, and click the Activate on Boot button. You can now restart your server or click Apply Configuration and it will work.
I'm not sure why I had to do this, but it solved my problem :-)
Good Luck!
-Michael
Thanks, enabling the Linux Firewall (which is just basic iptables) halfway worked...
We use a combination of Xlite soft-phones and Cisco 79X0 hard-phones. With shorewall OFF all is good, with shorewall ON and the linux firewall OFF (before reading your post) nothing would connect/call....
NOW with the shorewall ON and the linux firewall OFF -- soft-phones work perfectly --- but the Cisco phones cannot make calls or receive/send audio, they do appear to register with asterisk, but their LCD shows disconnected, they do ring when called and are able to accept the call, but as mentioned no audio is passed.
I have turned on verbose logging in shorewall and I do not see any packets being rejected! This is driving me crazy. A basic shorewall setup like this one will be perfect for trixbox and in my opinion should be recommended ---- if we can get this kink out.
Do you or does anyone else have some insight. I would think it has something with the ports used to send audio. I have pasted the rule I use below:
ACCEPT Zone NET Firewall UDP Any 5060:5082,10000:20000,4569,2727,69,123
THANKS
Do you have nat=yes set for your Cisco phones? XLite uses STUN to avoid NAT problems, so this may be why they are working and your Cisco phones aren't.
Guys, where I can find a guide on how to protect trixbox using webmin?
Thanks, good suggestion - I do not have NAT set -- BUT -- All Cisco phones either have true public IP addresses, or have private IPs on the same network as the Trixbox. So they are really not NATed. Same goes for the XLite softphones. However, the trixbox server is NATed in respect to the external phones.
Is the NAT setting referring to the phones or the server? I will try the setting regardless and post the results if it works.
FYI - I setup the exact same rule set in the 'Linux Firewall', turned off Shorewall, and it works perfectly!!! I am fine with using the Webmin's 'Linux Firewall' tool for future one NIC installs, works great -- but if the machine has more than one NIC, Shorewall is needed to alleviate complexity.
There is not one that I know of...
Do a search for how to install Webmin using Yum. Webmin runs on port 10000 by default - Trixbox uses port 10000 for RTP - so it's good practice to first set Webmin to run on another port - I use TCP port 9990. If you only have one network card, I would recommend the Networking > Linux Firewall tool inside Webmin.
If you have multiple NICs or have a more complicated setup, Shorewall may prove to be a much more powerful tool - but mastering it is a task in itself. I am still having issues with it on a Trixbox, but I am sure they will be resolved in time. There are numerous example configuration guides for Shorewall on the internet.
Here are the basic rules that I would use for either one:
Accept If protocol is ICMP and source is [Mgmt Nets]
Accept If protocol is TCP and source is [Mgmt Nets] and destination ports are 22,9990,443,4445
Accept If protocol is UDP and source is [Phone Nets] and destination port is 5060:5082
Accept If protocol is UDP and source is [Phone Nets] and destination port is 10000:20000
Accept If protocol is UDP and source is [Phone Nets] and destination ports are 80,69,123,4569,2727
Deny everything else by Default.
Hope this helps!
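As an added example (not from Michael's post, and not code shipped by Trixbox or Webmin): the "basic rules" list above written out as a plain iptables script for the single-NIC case, which is what Webmin's Linux Firewall module generates behind the scenes. The interface name, the MGMT_NETS and PHONE_NETS lists (placeholder RFC 5737 ranges) and Webmin on TCP 9990 are assumptions; put your termination provider's signalling and media addresses into PHONE_NETS. TCP and UDP rules match independently, so a Webmin rule for tcp/10000 would not collide with the udp/10000:20000 RTP range either way; the script still uses 9990 to follow the post. Run it as `sh trixbox-fw.sh show` to print the commands, or as root with `apply` to load them.

```shell
#!/bin/sh
# Added example: single-NIC Trixbox INPUT ruleset built directly with iptables.
# Assumptions (not in the original post): interface eth0, the address lists
# below, Webmin moved to TCP 9990. DRY_RUN=1 prints commands instead of running them.
: "${IFACE:=eth0}"
: "${MGMT_NETS:=203.0.113.10/32 198.51.100.0/24}"   # placeholder management ranges
: "${PHONE_NETS:=192.168.10.0/24 203.0.113.0/24}"   # placeholder phone/provider ranges
: "${DRY_RUN:=0}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP          # "deny everything else by default"
    ipt -P FORWARD DROP        # single NIC: nothing is routed through this box
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # replies to connections the PBX opened itself (DNS, NTP, outbound SIP registrations)
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    for net in $MGMT_NETS; do
        ipt -A INPUT -i "$IFACE" -s "$net" -p icmp -j ACCEPT
        ipt -A INPUT -i "$IFACE" -s "$net" -p tcp -m multiport --dports 22,9990,443,4445 -j ACCEPT
    done
    for net in $PHONE_NETS; do
        ipt -A INPUT -i "$IFACE" -s "$net" -p udp --dport 5060:5082 -j ACCEPT    # SIP signalling
        ipt -A INPUT -i "$IFACE" -s "$net" -p udp --dport 10000:20000 -j ACCEPT  # RTP media
        ipt -A INPUT -i "$IFACE" -s "$net" -p udp -m multiport --dports 80,69,123,4569,2727 -j ACCEPT
    done
    # log what falls through to the DROP policy, rate-limited so a scan cannot flood syslog
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "TRIXBOX-DROP: "
}

# number of INPUT rules the script would install (useful before touching a remote box)
rule_count() {
    ( DRY_RUN=1; build_rules ) | grep -c -- '-A INPUT'
}

case "${1:-}" in
    apply) build_rules ;;
    show)  DRY_RUN=1; build_rules ;;
esac
```

Order matters: the ESTABLISHED,RELATED rule sits above the per-network rules so that return traffic for calls the PBX originates (outbound trunks) is accepted without opening the whole RTP range to the world, and the LOG rule sits last so it only sees what the DROP policy is about to take.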
I decided to use my crappy guide making skills to write out how I set up Shorewall. If anyone has anything else to add, please do so, so we can make this as useful as possible. Hopefully it helps you guys out. **For some reason, my formatting doesn't get posted in here, so you're probably better off copying and pasting this into a word processor.
My Setup:
• 2 NICs - 1 Internal (private IP, eth0) and 1 External (public IP, eth1)
o NOTE: Make sure to make your eth0 INTERNAL and your eth1 EXTERNAL. When Linux is booting up, it will configure eth0 first, and eth1 second. Since eth1 was the second eth to be configured by the system, when Trixbox needs to access the internet, it will access it through eth1.
Configuring Shorewall using Webmin:
1. Go to the "Network Zones" section
a. Add new zone: Zone ID: loc (leave all other settings default/blank)
b. Add new zone: Zone ID: net (leave all other settings default/blank)
c. Return to list of tables
2. Go to "Network Interface"
a. Add New Network Interface
i. Interface: eth0, Zone Name: loc (leave all other settings untouched)
ii. Click on Create
b. Add New Network Interface
i. Interface: eth1, Zone Name: net
ii. Check off the following: Enable anti-spoofing route filtering, Reject packets on blacklist, Check for illegal TCP flags
iii. Click on Create
c. Return to list of tables
3. Go to Default Policies and create the 3 following rules
a. Rule 1:
i. Source Zone: Any
ii. Destination Zone: Any
iii. Policy: DROP
iv. Syslog level: Logging disabled
v. Traffic Limit: None
b. Rule 2:
i. Source Zone: loc
ii. Destination Zone: net
iii. Policy: ACCEPT
iv. Syslog Level: Logging Disabled
v. Traffic Limit: None
c. Rule 3:
i. Source Zone:
ii. Destination Zone: net
iii. Policy: ACCEPT
iv. Syslog Level: Logging Disabled
v. Traffic Limit: None
4. Go to Firewall Rules and create the following rules at your discretion
a. Allowing SIP traffic
i. Action: ACCEPT
ii. Source Zone: net
iii. Destination zone or port:
iv. Protocol: UDP
v. Source Ports: Any
vi. Destination Ports: 5060:5082
vii. All fields that were omitted, leave as default
b. Accepting RTP traffic
i. Action: Accept
ii. Source Zone: net
iii. Destination zone or port:
iv. Protocol: UDP
v. Source Ports: Any
vi. Destination Ports: 10000:20000
vii. All fields that were omitted, leave as default
c. Allowing access to Webmin from external internet
i. Action: ACCEPT
ii. Source Zone: net
iii. Destination zone or port:
iv. Protocol: TCP
v. Source Ports: Any
vi. Destination Ports: 10000
vii. All fields that were omitted, leave as default
d. Accepting SSH
i. Action: ACCEPT
ii. Source Zone: net
iii. Destination zone or port:
iv. Protocol: TCP
v. Source Ports: Any
vi. Destination Ports: 22
vii. All fields that were omitted, leave as default
e. Disallowing access to Trixbox web interface from external internet
i. Action: DROP
ii. Source Zone: net
iii. Destination zone or port:
iv. Protocol: TCP
v. Source Ports: Any
vi. Destination Ports: 80
vii. All fields that were omitted, leave as default
f. Accepting traffic from a specific IP Address (this is useful if you want to allow yourself to access to Trixbox web interface without allowing everyone access)
i. Action: ACCEPT
ii. Source Zone: net
1. Check off “Only hosts in zone with addresses” and put your IP address in the box. Multiple IP addresses can be entered by putting a space between each IP address. Entering an IP address in this field will allow complete access to the box from that specific IP address.
iii. Destination zone or port: Any
iv. All fields that were omitted, leave as default
5. Go to “When Stopped”
a. In my instance, I wanted the firewall to completely allow everything in the event the firewall is stopped. Furthermore, if you make a mistake in your configuration, and Shorewall shuts down, you will not want to be locked out of your box.
b. Add a new stopped address
i. Interface: eth1
ii. Accessible addresses: All addresses
iii. Route Options (Check off the following): Accept traffic back to host, Allow from host to any destination, Allow to host from any source, Always allow traffic between firewall
iv. Click Create
c. Add a new stopped address
i. Interface: eth0
ii. Accessible addresses: All addresses
iii. Route Options (Check off the following): Accept traffic back to host, Allow from host to any destination, Allow to host from any source, Always allow traffic between firewall
iv. Click Create
6. Go to Master Configuration file
a. Check to see if “STARTUP_ENABLED” is set to Yes. By default, it is set to No, so you must change it.
7. From the list of tables, click on Check Firewall to make sure your settings don’t have conflicts.
8. Click Apply Configuration when you’re ready to start up your firewall and cross your fingers everything works ok!
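As an added example (not part of Zion800's guide, and not files generated by Webmin): the same two-NIC setup expressed as the plain text files under /etc/shorewall that Webmin edits for you, plus two sanity checks. Shorewall matches policy entries top to bottom, so the specific ACCEPT policies must come before the catch-all; putting "all all DROP" first shadows them, which is why the "Check Firewall" step complains about that ordering. Assumptions: eth0 is loc and eth1 is net as in the guide, Webmin stays on TCP 10000, and SSH, Webmin and the Trixbox web GUI are opened from the net zone only to an ADMIN_HOSTS list (placeholder RFC 5737 addresses) rather than to everyone, which is the restriction step 4.f above hints at. Run as `sh shorewall-files.sh write /etc/shorewall` (as root), then `shorewall check` before `shorewall restart`.

```shell
#!/bin/sh
# Added example: write the Shorewall 4.0 config files for a two-NIC Trixbox
# (eth0 = loc, eth1 = net). ADMIN_HOSTS is an assumption, not from the guide.
: "${ADMIN_HOSTS:=203.0.113.10,198.51.100.5}"

write_shorewall_config() {
    dir=$1
    mkdir -p "$dir"

    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

    # routefilter/blacklist/tcpflags are the three checkboxes from step 2.b
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      routefilter,blacklist,tcpflags
loc     eth0        detect
EOF

    # first match wins: specific ACCEPTs first, catch-all last, net traffic logged
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    cat > "$dir/rules" <<EOF
#ACTION SOURCE                  DEST    PROTO   DEST PORT(S)
# SIP signalling and RTP media from the Internet
ACCEPT  net                     \$FW    udp     5060:5082
ACCEPT  net                     \$FW    udp     10000:20000
# SSH and Webmin only from the admin hosts, never from the whole net zone
ACCEPT  net:$ADMIN_HOSTS        \$FW    tcp     22,10000
# Trixbox web GUI: admin hosts only; everyone else falls through to the DROP policy
ACCEPT  net:$ADMIN_HOSTS        \$FW    tcp     80,443
# the LAN may reach the PBX freely
ACCEPT  loc                     \$FW    all
EOF

    # keep management reachable while Shorewall is stopped or failed to start (step 5)
    cat > "$dir/routestopped" <<'EOF'
#INTERFACE  HOST(S)     OPTIONS
eth1        -           routeback,source,dest,critical
eth0        -           routeback,source,dest,critical
EOF
}

# true when the catch-all "all all" policy is the last entry, as Shorewall expects
policy_order_ok() {
    last=$(grep -v '^#' "$1/policy" | awk 'NF' | tail -1 | awk '{print $1, $2}')
    [ "$last" = "all all" ]
}

# true when some ACCEPT rule lets the unrestricted net zone reach Webmin on tcp/10000
webmin_exposed_to_everyone() {
    grep -E '^ACCEPT[[:space:]]+net[[:space:]]+\$FW[[:space:]]+tcp[[:space:]]+' "$1/rules" \
        | grep -E '(^|[[:space:],])10000([[:space:],]|$)' >/dev/null
}

case "${1:-}" in
    write) write_shorewall_config "${2:-/etc/shorewall}" ;;
esac
```

The two check functions encode the mistakes a reviewer would look for in the Webmin-built version: a catch-all policy that is not last, and step 4.c's "Webmin from the external internet" rule, which puts the management interface of the whole box one password guess away from anyone on the Internet.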
Do a search for how to install Webmin using Yum. Webmin runs on port 10000 by default - Trixbox uses port 10000 for RTP - so it's good practice to first set Webmin to run on another port
Webmin uses https which is a TCP protocol. RTP is UDP. They do not conflict.
Changing the port seems to add a bit of complexity.
Scott
Other 'guides' I have seen on this forum suggest to modify rtp.conf so the server will operate on ports 10001 to 20000... in my experience this should be avoided because termination providers do not allow you to change the ports that they operate on - that is why I suggested.
You are correct, leaving it as is should not cause a problem.. thanks.
in my experience this should be avoided because termination providers do not allow you to change the ports that they operate on -
Well, a lot of things are said here; that does not mean they are right.
What you said is absolutely correct. You can set your rtp.conf to whatever you like and calls originating from your voip carrier will use whatever ports the carrier designates.
This is exactly why people have problems with one way audio on inbound calls and other oddities.
What any of this has to do with sharing a tcp application (https) on port 10000 and a udp application (rtp) on port 10000 eludes me.
One of my pet peeves is the absolute laziness exhibited by "network techs" when using the term port. I used to teach Cisco Academy at our local community college and I never would let the students get away with it.
A very quick Skyking refresher course:
There are many protocols underneath the banner of IP or internet protocol (notice the small i, an upper case I refers to the public Internet a lower case i to any network using IP).
The two we are concerned with are TCP and UDP
TCP = Transport Control Protocol - A stateful protocol that encapsulates data in "packets" and uses sockets for service differentiation.
UDP - User Datagram Protocol - A stateless protocol that encapsulates data in "datagrams" and uses ports for service differentiation.
Zion800, thanks for the detailed list. Not too crappy! I just loaded up Shorewall 4.0.12 and only ran into one issue. The Default Policies does not pass the Check Firewall stage. Assuming that the policies are executed in order, it appears they should be reversed. Any-Any-DROP is going to match and stop everything! Even if reversed, the Check Firewall still complains, as loc-net-ACCEPT is already allowed by Any-net-ACCEPT. Is this version 4 being better, or did you mean for something else to be covered?
Just an update- If you are experiencing one-way audio (callers cannot hear you, but you can hear callers), follow these directions from the Shorewall FAQ (FAQ 77) http://www.shorewall.net/FAQ.htm#faq77 :
VOIP
(FAQ 77) Shorewall is eating my Asterisk egress traffic!
Somehow, my firewall config is causing a one-way audio problem in Asterisk. If a person calls into the PBX, they cannot hear me speaking, but I can hear them. If I plug the Asterisk server directly into the router, bypassing the firewall, the problem goes away.
Answer (requires Shorewall 4.0.6 or later): If your kernel version is 2.6.20 or earlier:
rmmod ip_nat_sip
rmmod ip_conntrack_sip
Then change the DONT_LOAD specification in your shorewall.conf to:
DONT_LOAD=ip_nat_sip,ip_conntrack_sip
If your kernel version is 2.6.21 or later:
rmmod nf_nat_sip
rmmod nf_conntrack_sip
Then change the DONT_LOAD specification in your shorewall.conf to:
DONT_LOAD=nf_nat_sip,nf_conntrack_sip
If you are running a version of Shorewall earlier than 4.0.6, you can avoid loading the sip helper modules by following the suggestions in FAQ 59.
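As an added example (not from the Shorewall FAQ or from the poster): a small script that picks the right SIP helper module names for the running kernel using the 2.6.20/2.6.21 boundary quoted above, lists which of them are currently loaded from lsmod output, unloads them, and rewrites DONT_LOAD in shorewall.conf so they stay unloaded across restarts. The shorewall.conf path is an argument (default /etc/shorewall/shorewall.conf) and the lsmod text in the test is constructed. Run as root: `sh sip-helper-fix.sh fix`, then `shorewall restart`.

```shell
#!/bin/sh
# Added example: apply Shorewall FAQ 77 (keep the SIP conntrack/NAT helpers out).
# Assumes a Linux host with lsmod/rmmod and GNU sed; the conf path is an argument.

# Kernels up to 2.6.20 use ip_* helper names, 2.6.21 and later use nf_* names.
sip_modules_for_kernel() {
    ver=${1%%-*}                          # "2.6.18-92.el5" -> "2.6.18"
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%.*}
    if [ "$major" -lt 2 ] \
       || { [ "$major" -eq 2 ] && [ "$minor" -lt 6 ]; } \
       || { [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -le 20 ]; }; then
        echo "ip_nat_sip,ip_conntrack_sip"
    else
        echo "nf_nat_sip,nf_conntrack_sip"
    fi
}

# Print the SIP helper modules present in lsmod output ($1), NAT helper first,
# because the NAT helper depends on the conntrack helper and must be removed first.
loaded_sip_modules() {
    printf '%s\n' "$1" | awk '$1 ~ /^(ip|nf)_(nat|conntrack)_sip$/ {print $1}' | sort -r
}

# Replace (or append) the DONT_LOAD line in the given shorewall.conf.
set_dont_load() {
    conf=$1; modules=$2
    if grep -q '^DONT_LOAD=' "$conf"; then
        sed -i "s|^DONT_LOAD=.*|DONT_LOAD=$modules|" "$conf"
    else
        printf 'DONT_LOAD=%s\n' "$modules" >> "$conf"
    fi
}

# Live procedure: unload the helpers now, then make the change persistent.
fix_sip_helpers() {
    conf=${1:-/etc/shorewall/shorewall.conf}
    modules=$(sip_modules_for_kernel "$(uname -r)")
    for m in $(loaded_sip_modules "$(lsmod)"); do
        rmmod "$m"
    done
    set_dont_load "$conf" "$modules"
}

case "${1:-}" in
    fix) fix_sip_helpers "${2:-}" ;;
esac
```

After a restart, `lsmod | grep sip` should print nothing; if a module reappears, something other than Shorewall (for example a modprobe.conf entry or another firewall script) is loading it.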