Thanks Hans.<div><br></div><div>So basically run the following commands:</div><div><br></div><div>iptables -P INPUT DROP</div><div>iptables -P OUTPUT ACCEPT</div><div>iptables -P FORWARD ACCEPT</div><div>service iptables save</div>
<div>iptables -F</div><div><br></div><div>Is that all right so far? </div><div><br></div><div>I am not sure on these:</div><div>iptables -A INPUT -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; INC "<br>iptables -A OUTPUT -o $EXTERNAL_DEV -j LOG --log-prefix " EXT; OUT "<br>
iptables -A FORWARD -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; FWD "</div><div><br></div><div>And yes, of course I will need DHCP and all other necessary services to run the server. I am wondering why iptables is so complex. Is there a standard template that I can use to replace /etc/sysconfig/iptables with it and let it accept all traffic from one subnet on my tun0 which is my VPN and block all other traffic?</div>
<div><br></div><div>Thanks again</div><div><br></div><div><br><div><br><div class="gmail_quote">On Sat, May 14, 2011 at 8:14 PM, Hans Witvliet <span dir="ltr"><<a href="mailto:hwit@a-domani.nl">hwit@a-domani.nl</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div><div></div><div class="h5">On Sat, 2011-05-14 at 19:51 -0400, Bruce B wrote:<br>
> Hi everyone,<br>
><br>
><br>
> I want to issue the command:<br>
><br>
><br>
> iptables -F<br>
><br>
><br>
> and then rebuild everything from the beginning with a very limited<br>
> scope and then without locking myself block all other traffic. Can you<br>
> suggest what I should put in the shell that would get me this:<br>
><br>
><br>
> Allow traffic from subnet <a href="http://172.16.0.0/24" target="_blank">172.16.0.0/24</a> (my VPN tunnels) - All<br>
> traffic including those of Asterisk and HTTP - I trust this network<br>
> Allow traffic from subnet <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> (other side of VPN<br>
> network) - All traffic including those of Asterisk and HTTP - I trust<br>
> this network<br>
> Allow traffic from single IP of DID provider - 5060 TCP/UDP and<br>
> 10000-10200 UDP<br>
> Allow VPN access on port 1194 UDP --- I have that figured out to be<br>
> (iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT) works for<br>
> this.<br>
><br>
><br>
> BLOCK all other traffic <----- Important most of all<br>
><br>
><br>
> Please note that from the subnets I want to allow every single port<br>
> possible and all traffic. I specially have problems with getting a<br>
> whole subnet be able to access everything.<br>
><br>
><br>
> Thanks<br>
<br>
</div></div>It's a bit more complicated....<br>
<br>
Firstly you have to set the default rules FIRST<br>
$IPT -P INPUT DROP<br>
$IPT -P OUTPUT ACCEPT<br>
$IPT -P FORWARD ACCEPT<br>
And then do the flushing, not the other way round<br>
After that you can add rules to accept traffic<br>
<br>
After the last rules, it is handy to put:<br>
iptables -A INPUT -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; INC "<br>
iptables -A OUTPUT -o $EXTERNAL_DEV -j LOG --log-prefix " EXT; OUT "<br>
iptables -A FORWARD -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; FWD "<br>
So you can see in the syslog what you are missing ;-)<br>
<br>
<br>
<br>
I'll guess you would also like to accept ntp, dhcp, domain-dns from<br>
your isp-provider.<br>
<br>
Perhaps also http, https, pop, pops, imap, imaps.<br>
And probably some more, depending on your need<br>
You'll see them soon enough in your logfiles<br>
<br>
hw<br>
<br>
asterisk-users mailing list<br>
</blockquote></div><br></div></div>
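The ruleset discussed in the thread, assembled in the order Hans gave (default policies first, then flush, then accepts, then LOG rules last), as an added shell script that is not from either poster. It assumes eth0 as the external interface and a placeholder address for the DID provider, and it adds loopback and ESTABLISHED,RELATED accepts, which the thread does not mention, so the SSH session you run it from is not cut off by the DROP policy.

```shell
#!/bin/sh
# Added example, not code from the thread. Set IPT=echo to preview the
# rules without root; run as root with the "apply" argument to install them.
IPT="${IPT:-iptables}"
EXTERNAL_DEV="${EXTERNAL_DEV:-eth0}"          # assumed internet-facing interface
TRUSTED_NETS="172.16.0.0/24 192.168.1.0/24"   # the two VPN subnets from the question
DID_PROVIDER="${DID_PROVIDER:-203.0.113.10}"  # placeholder for the DID provider's IP

build_rules() {
    # 1. Default policies FIRST, so the flush below never leaves INPUT open.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    # 2. Only now flush the old rules and delete user-defined chains.
    $IPT -F
    $IPT -X
    # 3. Loopback and already-established sessions (added here, not in the
    #    thread): this is what keeps your current SSH session alive.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. Trusted subnets: every port and protocol (add "-i tun0" to tie
    #    these to the tunnel interface and reject spoofed sources elsewhere).
    for net in $TRUSTED_NETS; do
        $IPT -A INPUT -s "$net" -j ACCEPT
    done
    # 5. DID provider only: SIP signalling on 5060 and RTP media 10000-10200.
    $IPT -A INPUT -s "$DID_PROVIDER" -p tcp --dport 5060 -j ACCEPT
    $IPT -A INPUT -s "$DID_PROVIDER" -p udp --dport 5060 -j ACCEPT
    $IPT -A INPUT -s "$DID_PROVIDER" -p udp --dport 10000:10200 -j ACCEPT
    # 6. OpenVPN itself, so the tunnels can come up in the first place.
    $IPT -A INPUT -p udp --dport 1194 -j ACCEPT
    # 7. Last: log whatever fell through, then the DROP policy discards it.
    $IPT -A INPUT -i "$EXTERNAL_DEV" -j LOG --log-prefix " EXT; INC "
    $IPT -A FORWARD -i "$EXTERNAL_DEV" -j LOG --log-prefix " EXT; FWD "
}

if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

Preview with `IPT=echo sh fw.sh apply`; on a CentOS-style box, `service iptables save` afterwards persists the result, as in Bruce's list.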