[asterisk-users] iptables for Asterisk - Any good guides out there?
Hans Witvliet
hwit at a-domani.nl
Sat May 14 19:14:04 CDT 2011
On Sat, 2011-05-14 at 19:51 -0400, Bruce B wrote:
> Hi everyone,
>
>
> I want to issue the command:
>
>
> iptables -F
>
>
> and then rebuild everything from the beginning with a very limited
> scope, and then, without locking myself out, block all other traffic. Can you
> suggest what I should put in the shell that would get me this:
>
>
> Allow traffic from subnet 172.16.0.0/24 (my VPN tunnels) - All
> traffic including those of Asterisk and HTTP - I trust this network
> Allow traffic from subnet 192.168.1.0/24 (other side of VPN
> network) - All traffic including those of Asterisk and HTTP - I trust
> this network
> Allow traffic from single IP of DID provider - 5060 TCP/UDP and
> 10000-10200 UDP
> Allow VPN access on port 1194 UDP --- I have that figured out to be
> (iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT) works for
> this.
>
>
> BLOCK all other traffic <----- Important most of all
>
>
> Please note that from the subnets I want to allow every single port
> possible and all traffic. I especially have problems with getting a
> whole subnet to be able to access everything.
>
>
> Thanks
It's a bit more complicated....
Firstly you have to set the default rules FIRST
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
And then do the flushing, not the other way round.
After that you can add rules to accept traffic.
After the last rules, it is handy to put:
iptables -A INPUT -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; INC "
iptables -A OUTPUT -o $EXTERNAL_DEV -j LOG --log-prefix " EXT; OUT "
iptables -A FORWARD -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; FWD "
So you can see in the syslog what you are missing ;-)
I'll guess you would also like to accept ntp, dhcp, domain-dns from
your isp-provider.
Perhaps also http, https, pop, pops, imap, imaps.
And probably some more, depending on your need.
So you'll see them soon enough in your logfiles.
hw