[asterisk-users] iptables for Asterisk - Any good guides out there?

Bruce B bruceb444 at gmail.com
Sat May 14 19:53:11 CDT 2011


Thanks Hans.

So basically run the following commands:

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
service iptables save
iptables -F

Is that all right so far?

I am not sure on these:
iptables -A INPUT  -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; INC "
iptables -A OUTPUT  -o $EXTERNAL_DEV -j LOG --log-prefix " EXT; OUT "
iptables -A FORWARD -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; FWD "

And yes, of course I will need DHCP and all other necessary services to run
the server. I am wondering why iptables is so complex. Is there a standard
template that I can use to replace /etc/sysconfig/iptables with it and let
it accept all traffic from one subnet on my tun0 which is my VPN and block
all other traffic?

Thanks again



On Sat, May 14, 2011 at 8:14 PM, Hans Witvliet <hwit at a-domani.nl> wrote:

> On Sat, 2011-05-14 at 19:51 -0400, Bruce B wrote:
> > Hi everyone,
> >
> >
> > I want to issue the command:
> >
> >
> > iptables -F
> >
> >
> > and then rebuild everything from the beginning with a very limited
> > scope and then without locking myself block all other traffic. Can you
> > suggest what I should put in the shell that would get me this:
> >
> >
> > Allow traffic from subnet 172.16.0.0/24      (my VPN tunnels) - All
> > traffic including those of Asterisk and HTTP - I trust this network
> > Allow traffic from subnet 192.168.1.0/24    (other side of VPN
> > network) - All traffic including those of Asterisk and HTTP - I trust
> > this network
> > Allow traffic from single IP of DID provider     - 5060 TCP/UDP and
> > 10000-10200 UDP
> > Allow VPN access on port 1194 UDP   --- I have that figured out to be
> > (iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT) works for
> > this.
> >
> >
> > BLOCK all other traffic <----- Important most of all
> >
> >
> > Please note that from the subnets I want to allow every single port
> > possible and all traffic. I specially have problems with getting a
> > whole subnet be able to access everything.
> >
> >
> > Thanks
>
> It's a bit more complicated....
>
> Firstly you have to set the default rules FIRST
> $IPT -P INPUT DROP
> $IPT -P OUTPUT ACCEPT
> $IPT -P FORWARD ACCEPT
> And then do the flushing, not the other way round
> After that you can add rules to accept traffic
>
> after the last rules, it is handy to put:
> iptables -A INPUT  -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; INC "
> iptables -A OUTPUT  -o $EXTERNAL_DEV -j LOG --log-prefix " EXT; OUT "
> iptables -A FORWARD -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; FWD "
> So you can see in the syslog what you are missing ;-)
>
>
>
> I'll guess you would also like to accept ntp, dhcp, domain-dns from
> your isp-provider.
>
> Perhaps also http, https, pop, pops, imap, imaps.
> And probably some more, depending on your needs.
> You'll see them soon enough in your logfiles
>
> hw
>
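As an added example that is not from either poster, here is the rule set Bruce asks for, built in the order Hans gives (policies first, then flush, rules, LOG last). It also adds loopback and conntrack ACCEPT rules so an existing SSH session survives the DROP policy; those, the eth0 interface name and the DID provider address are assumptions. It prints the commands by default; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry-run by default: IPT echoes the
# commands. Set IPT=iptables (as root) to apply them for real.
IPT="${IPT:-echo iptables}"
EXTERNAL_DEV="${EXTERNAL_DEV:-eth0}"         # assumed WAN interface name
VPN_NET="172.16.0.0/24"                      # VPN tunnel subnet (from the thread)
REMOTE_NET="192.168.1.0/24"                  # other side of the VPN (from the thread)
DID_PROVIDER="${DID_PROVIDER:-203.0.113.10}" # placeholder: the DID provider's IP

build_rules() {
    # 1. default policies first, so nothing slips in while rules are rebuilt
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    # 2. only then flush the old rules
    $IPT -F
    # 3. keep the box reachable: loopback and replies to sessions already open
    #    (assumption: conntrack is available; these two rules are not in the thread)
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. trusted subnets: every port and protocol, matched on source address
    $IPT -A INPUT -s "$VPN_NET" -j ACCEPT
    $IPT -A INPUT -s "$REMOTE_NET" -j ACCEPT
    # 5. DID provider only: SIP on 5060 TCP/UDP, RTP media on 10000-10200 UDP
    $IPT -A INPUT -s "$DID_PROVIDER" -p tcp --dport 5060 -j ACCEPT
    $IPT -A INPUT -s "$DID_PROVIDER" -p udp --dport 5060 -j ACCEPT
    $IPT -A INPUT -s "$DID_PROVIDER" -p udp --dport 10000:10200 -j ACCEPT
    # 6. OpenVPN on 1194/udp from anywhere, so the tunnels can come up at all
    $IPT -A INPUT -p udp --dport 1194 -j ACCEPT
    # 7. last: log what the DROP policy is about to discard (Hans's suggestion)
    $IPT -A INPUT   -i "$EXTERNAL_DEV" -j LOG --log-prefix " EXT; INC "
    $IPT -A OUTPUT  -o "$EXTERNAL_DEV" -j LOG --log-prefix " EXT; OUT "
    $IPT -A FORWARD -i "$EXTERNAL_DEV" -j LOG --log-prefix " EXT; FWD "
}

# Number of INPUT ACCEPT rules the script installs (handy sanity check).
count_accepts() {
    build_rules | grep -c -- '-A INPUT .* -j ACCEPT'
}

build_rules
```

Only run `service iptables save` after the rules are loaded and you have confirmed, from a second session, that you can still log in and that the syslog entries show only traffic you meant to drop.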