  1. #1

    Trying to set up IPtables...


    I am trying to set up an Asterisk server with 2 network cards, one with a public IP, and the other with DHCP for internal telephones. Below is my attempt to set up iptables.

    I have a feeling it is not as good as it needs to be, because I have problems connecting SIP clients from the outside, so I ask: what problems do you see with my setup?

    I actually have no needs for connecting between the two networks, because everything (telephone calls) goes through the Asterisk system.

    Here is the setup:

    :PREROUTING ACCEPT [83145:120824770]
    :INPUT ACCEPT [83145:120824770]
    :OUTPUT ACCEPT [46823:2584014]
    :POSTROUTING ACCEPT [46823:2584014]
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [1:60]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A INPUT -i eth1 -j ACCEPT
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
    -A INPUT -f -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --dport 4445 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 5061 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 5061 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-port-unreachable
    :PREROUTING ACCEPT [164:6544]
    :POSTROUTING ACCEPT [148:8939]
    :OUTPUT ACCEPT [148:8939]
    Thanks a lot in advance!


  2. #2
    Lazydog (Linux Guru), Join Date: Jun 2004, The Keystone State
    You have to understand that iptables reads the rules from top to bottom.
    That being said, I believe your biggest problem is the following line:
    -A INPUT -f -j DROP
    This has no interface listed and as such is applied to both interfaces. The order is very important with iptables, and because this rule comes right after your SYN rules, nothing below it will ever match, because as soon as the packets reach this rule they are dropped. Move this line to the bottom and see if that doesn't help you.

    Also, don't mix and match what you are doing. Either base your rules on ports alone or base them on the state of the connection. You should be adding '-m state --state NEW' to all the '--dport ###' lines so that your firewall is doing full stateful inspection.


    The adventure of a life time.

    Linux User #296285
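    The advice above, applied to the ruleset from the first post, as an added example (not Lazydog's or the original poster's code): a script that emits an iptables-restore filter table in which the sanity drops come first, every port-based ACCEPT on the public side carries "-m state --state NEW", and everything else falls to RELATED,ESTABLISHED or the final REJECT. Interface roles and port numbers are taken from the first post; the helper and variable names are assumptions, and the output is meant to be reviewed with "iptables-restore --test" before loading.

```shell
# Added example, not from the original thread. Emits a stateful filter table
# for a two-NIC Asterisk box: eth0 public, eth1 internal phones (as in post #1).
PUB_IF="eth0"    # public interface
LAN_IF="eth1"    # internal interface (DHCP phones)

gen_filter_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies to existing flows first, so the per-port rules only see new ones
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# TCP sanity checks before any ACCEPT: a new connection must start with a bare SYN
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# the internal phone network is trusted
-A INPUT -i ${LAN_IF} -j ACCEPT
# public side: only NEW connections to the services the box actually runs
-A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i ${PUB_IF} -p tcp --dport 4445 -m state --state NEW -j ACCEPT
-A INPUT -i ${PUB_IF} -p tcp -m multiport --dports 5060,5061 -m state --state NEW -j ACCEPT
-A INPUT -i ${PUB_IF} -p udp -m multiport --dports 5060,5061,4569 -m state --state NEW -j ACCEPT
-A INPUT -i ${PUB_IF} -p udp --dport 10000:20000 -m state --state NEW -j ACCEPT
-A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Check for the mix-and-match problem: counts port-based ACCEPT rules that
# lack "--state NEW". Returns 0 for the ruleset above.
count_stateless_accepts() {
  gen_filter_rules | grep -- '--dport' | grep -- '-j ACCEPT' | grep -vc -- '--state NEW' || true
}

# Usage: gen_filter_rules > /tmp/asterisk.rules && iptables-restore --test /tmp/asterisk.rules
```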

  3. #3
    Hello to all

    I am also getting the same kind of problem: I am not able to set the iptables for a
    static IP. I don't know what happened; every time I boot up the machine,
    it gets DHCP automatically, and I had disabled the firewall, SELinux, dhcpd, everything, but I am still facing the same problem.
    Can anyone tell me why?
