  1. #1 (Just Joined!; Join Date: Sep 2009; Posts: 1)

    Trying to set up IPtables...


    Hi!

    I am trying to set up an asterisk server with 2 network cards, one with public ip, and the other with dhcp for internal telephones. Below is my attempt to set up IPtables.

    I have a feeling it is not as good as it needs, cause I have problems connecting sip clients from the outside, so I ask, what problems do you see with my setup?

    I actually have no needs for connecting between the two networks, because everything (telephone calls) goes through the Asterisk system.

    Here is the setup:

    Code:
    *mangle
    :PREROUTING ACCEPT [83145:120824770]
    :INPUT ACCEPT [83145:120824770]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [46823:2584014]
    :POSTROUTING ACCEPT [46823:2584014]
    COMMIT
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1:60]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A INPUT -i eth1 -j ACCEPT
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
    -A INPUT -f -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --dport 4445 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 5061 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 5061 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-port-unreachable
    COMMIT
    *nat
    :PREROUTING ACCEPT [164:6544]
    :POSTROUTING ACCEPT [148:8939]
    :OUTPUT ACCEPT [148:8939]
    COMMIT

    Thanks a lot in advance!

    Frode

  2. #2 Lazydog (Linux Guru; Join Date: Jun 2004; Location: The Keystone State; Posts: 2,672)
    You have to understand that iptables reads the rules from top to bottom.
    That being said, I believe your biggest problem is the following line:
    Code:
    -A INPUT -f -j DROP
    This has no interface listed and as such is applied to both interfaces. The order is very important with IPTABLES, and because this rule comes right after your SYN rules, nothing below it will ever match, because as soon as the packets reach this rule they are dropped. Move this line to the bottom and see if that doesn't help you.

    Also, don't mix and match what you are doing. Either base your rules on ports alone or base them on the state of the connection. To all the '--dport ###' lines you should be adding '-m state --state NEW' so that your firewall is doing full stateful inspection.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
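A small checker for the two points raised in #2 (rules with no `-i` that therefore match on every interface, and `--dport` ACCEPT rules with no state match). This is an added example, not code from the thread; it parses `iptables-save` output and runs over a constructed, shortened excerpt of the ruleset posted in #1.

```python
# Lint the INPUT chain of an iptables-save dump for the two issues discussed above.

# Constructed excerpt of the filter table from post #1 (shortened, not the full dump).
RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -f -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def parse_chain(text, chain="INPUT"):
    """Return the '-A <chain>' rules in order; each is a dict of the options inspected here."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if toks[:2] != ["-A", chain]:
            continue  # table headers, policies, COMMIT and other chains are skipped
        rule = {"raw": line, "iface": None, "dport": None, "states": set(), "target": None}
        for i, tok in enumerate(toks):
            if tok == "-i":
                rule["iface"] = toks[i + 1]
            elif tok == "--dport":
                rule["dport"] = toks[i + 1]
            elif tok == "--state":
                rule["states"] = set(toks[i + 1].split(","))
            elif tok == "-j":
                rule["target"] = toks[i + 1]
        rules.append(rule)
    return rules

def lint(text):
    """Return (rule_number, message) pairs; numbering matches 'iptables -L INPUT --line-numbers'."""
    findings = []
    for num, r in enumerate(parse_chain(text), start=1):
        # An ACCEPT/DROP with no -i applies to every interface, including the trusted LAN side.
        if r["iface"] is None and r["target"] in ("ACCEPT", "DROP"):
            findings.append((num, "no -i: matches on all interfaces"))
        # A port-based ACCEPT without a state match bypasses stateful inspection.
        if r["dport"] and r["target"] == "ACCEPT" and "NEW" not in r["states"]:
            findings.append((num, f"--dport {r['dport']} ACCEPT lacks -m state --state NEW"))
    return findings

if __name__ == "__main__":
    for num, msg in lint(RULESET):
        print(f"rule {num}: {msg}")
```

Feed it the real dump with `iptables-save > rules.txt` and `lint(open("rules.txt").read())`; the final catch-all REJECT is deliberately not reported.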

  3. #3 (Just Joined!; Join Date: Oct 2009; Posts: 17)
    Hello to all

    I am also getting the same kind of problem: I am not able to set the IP tables for a
    static IP. I don't know what happened; every time I boot up the machine,
    it gets DHCP automatically, and I had disabled the firewall, SELinux, dhcpd, everything, but I am still facing the same problem.
    Can anyone tell me why?
