Trying to set up IPtables...

Hi!

I am trying to set up an asterisk server with 2 network cards, one with public ip, and the other with dhcp for internal telephones. Below is my attempt to set up IPtables.

I have a feeling it is not as good as it needs, cause I have problems connecting sip clients from the outside, so I ask, what problems do you see with my setup?

I actually have no needs for connecting between the two networks, because everything (telephone calls) goes through the Asterisk system.

Here is the setup:

Code:

---

*mangle
:PREROUTING ACCEPT [83145:120824770]
:INPUT ACCEPT [83145:120824770]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [46823:2584014]
:POSTROUTING ACCEPT [46823:2584014]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:60]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5061 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5061 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [164:6544]
:POSTROUTING ACCEPT [148:8939]
:OUTPUT ACCEPT [148:8939]
COMMIT

---

Thanks a lot in advance!

Frode

You have to understand that iptables read the rules from top to bottom.
That being say I beleive your biggest problem is the following line;

Code:

---

-A INPUT -f -j DROP

---

This has no interface listed and as such is applied to both interfaces. The order is very important with IPTABLES and because this rule come right after your SNY rules and nothing below it will ever match because as soon as the packets reach this rule they are dropped. Move this line to the bottom and see if that doesn't help you.

Also don't mix and match what you are doing. Either base your rules on ports alone or base them on the state of connection. All the '--dport ###' lines you should be adding ' -m state -- state NEW' to so that your firewall is doing full stateful inspection.

Hello to all

I am also getting same kind of problem, not able to set the IP tables for
static IP, I dont know what happenend every time I boot up the machine,
it would get the DHCP automatically, and I had disable firewall, Selinux, dhcpd everything but still I am facing the same problem
can anyone tell me why?