[Asterisk-Users] re: asterisk and iptables

steve steve at supertec.com
Wed Mar 15 14:46:45 MST 2006


looks like your nmap only scanned for tcp connections.  Try the -u switch.
netstat shows that udp 5060 is accepting connections.
Your iptables ruleset gives me a headache to look at and is quite
redundant.  Wouldn't it be better to just disallow all packets at the
beginning and then open the ports that you want?  I noticed you started
to do this and then repeated it again later in the ruleset, i.e.

/sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP

/sbin/iptables -A INPUT -p udp --dport 137 -j DROP
/sbin/iptables -A INPUT -p udp --dport 138 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 445 -j DROP

/sbin/iptables -A INPUT -p udp --dport 1194 -j DROP

also it would be much easier to allow your localhost to have access regardless at the beginning of the ruleset,
thus avoiding having to add these rules.

/sbin/iptables -A INPUT -p tcp --dport 5432 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP

                      or

/sbin/iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

                      or

/sbin/iptables -A INPUT -p tcp --dport 106 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 106 -j DROP

I'll have to give you an "A" for effort though.  In the world of netfilter less is more and to be honest it probably
took me close to six months before I was able to really understand what was happening.  Obviously you are one of those
hardheads like I am and prefer the 'do-it-yourself' method.  I've never been fond of GUI-based firewall programs so
may I recommend that you give the firewall script generator called 'quicktables' a try.  It's available at
http://qtables.radom.org/  I've been using it for years and it should do just what you need.

Regards,
Steve Cayona

p.s.  why are you wanting to mangle packets?
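Steve's advice boils down to one shape: set the INPUT policy to DROP, let loopback through once at the top, then open only the services the box actually offers. The script below is an added example, not from this thread or from quicktables; it prints such a ruleset for an Asterisk host so it can be reviewed before being run. SIP on UDP 5060 comes from the netstat output mentioned above; the RTP range 10000:20000 and the SSH rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal default-deny INPUT
# chain for an Asterisk box. It only PRINTS the iptables commands; review
# them, then pipe into sh as root when satisfied.

SIP_PORT=5060             # UDP: SIP signalling (netstat showed this listening)
RTP_RANGE="10000:20000"   # UDP: assumed RTP media range (rtp.conf default)
SSH_PORT=22               # TCP: assumed remote admin; narrow with -s to a mgmt net

gen_rules() {
    cat <<EOF
/sbin/iptables -F INPUT
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
# loopback once, at the top: every "-s 127.0.0.1 ACCEPT / DROP" pair becomes unnecessary
/sbin/iptables -A INPUT -i lo -j ACCEPT
# replies to connections this host started
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# only the services the box actually offers; everything else falls to the DROP policy
/sbin/iptables -A INPUT -p udp --dport ${SIP_PORT} -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport ${RTP_RANGE} -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
EOF
}

# count_rules: number of real iptables commands emitted (comments excluded),
# handy for eyeballing how much shorter the default-deny version is.
count_rules() {
    gen_rules | grep -c '^/sbin/iptables'
}

# Usage: sh this_script.sh            (prints the rules)
#        sh this_script.sh | sudo sh  (applies them)
gen_rules
```

With the policy set to DROP there is no per-port DROP rule left to write, which is the redundancy Steve points at: the 9008/9080/137/138/139/445/1194 lines all disappear, and the loopback rule at the top replaces each localhost ACCEPT/DROP pair for 5432, 3306 and 106.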