Bruce B
2011-May-14 23:51 UTC
[asterisk-users] iptables for Asterisk - Any good guides out there?
Hi everyone,

I want to issue the command:

    iptables -F

and then rebuild everything from the beginning with a very limited scope and then, without locking myself out, block all other traffic. Can you suggest what I should put in the shell that would get me this:

- Allow traffic from subnet 172.16.0.0/24 (my VPN tunnels) - All traffic including those of Asterisk and HTTP - I trust this network
- Allow traffic from subnet 192.168.1.0/24 (other side of VPN network) - All traffic including those of Asterisk and HTTP - I trust this network
- Allow traffic from single IP of DID provider - 5060 TCP/UDP and 10000-10200 UDP
- Allow VPN access on port 1194 UDP --- I have that figured out; (iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT) works for this.
- BLOCK all other traffic <----- Important most of all

Please note that from the subnets I want to allow every single port possible and all traffic. I especially have problems with getting a whole subnet to be able to access everything.

Thanks
Hans Witvliet
2011-May-15 00:14 UTC
[asterisk-users] iptables for Asterisk - Any good guides out there?
On Sat, 2011-05-14 at 19:51 -0400, Bruce B wrote:
> Hi everyone,
>
> I want to issue the command:
>
> iptables -F
>
> and then rebuild everything from the beginning with a very limited
> scope and then without locking myself block all other traffic. Can you
> suggest what I should put in the shell that would get me this:
>
> Allow traffic from subnet 172.16.0.0/24 (my VPN tunnels) - All
> traffic including those of Asterisk and HTTP - I trust this network
> Allow traffic from subnet 192.168.1.0/24 (other side of VPN
> network) - All traffic including those of Asterisk and HTTP - I trust
> this network
> Allow traffic from single IP of DID provider - 5060 TCP/UDP and
> 10000-10200 UDP
> Allow VPN access on port 1194 UDP --- I have that figured out to be
> (iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT) works for
> this.
>
> BLOCK all other traffic <----- Important most of all
>
> Please note that from the subnets I want to allow every single port
> possible and all traffic. I specially have problems with getting a
> whole subnet be able to access everything.
>
> Thanks

It's a bit more complicated....

Firstly you have to set the default rules FIRST:

    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT

And then do the flushing, not the other way round.

After that you can add rules to accept traffic. After the last rules, it is handy to put:

    iptables -A INPUT -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; INC "
    iptables -A OUTPUT -o $EXTERNAL_DEV -j LOG --log-prefix " EXT; OUT "
    iptables -A FORWARD -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; FWD "

So you can see in the syslog what you are missing ;-)

I'll guess you would also like to accept ntp, dhcp, domain-dns from your isp-provider. Perhaps also http, https, pop, pops, imap, imaps. And probably some more, depending on your need. So you'll see them soon enough in your logfiles.

hw
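A default-deny INPUT chain for the requirements in Bruce's post, built in the order Hans describes (policy first, then flush, then accepts, then a LOG rule at the end). This is an added example, not a script from any poster: the DID provider address 203.0.113.10 and the interface name eth0 are placeholders, and the loopback and conntrack ESTABLISHED,RELATED rules are an addition not mentioned in the thread, without which replies to the host's own DNS, NTP and outbound SIP traffic would be dropped.

```shell
#!/bin/sh
# Default-deny INPUT chain for an Asterisk host, following the order Hans gives:
# policy first, then flush, then accepts, then a LOG rule at the end of the chain.
# IPT defaults to "echo iptables" so the script only prints the commands for
# review; run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"

TRUSTED_NETS="172.16.0.0/24 192.168.1.0/24"   # VPN tunnels and far side of the VPN
DID_PROVIDER="203.0.113.10"                    # placeholder, not a real provider address
RTP_RANGE="10000:10200"                        # iptables writes port ranges with ':'
VPN_PORT=1194
EXTERNAL_DEV="eth0"                            # assumed name of the Internet-facing NIC

build_rules() {
    # 1. Default policies first, so the flush below never leaves INPUT wide open.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    # 2. Now flush the old rules; the policy DROP is already in force.
    $IPT -F
    # 3. Loopback, and replies to traffic this host initiated (DNS, NTP, outbound
    #    SIP registrations). Not in the thread, but without it those answers are dropped.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. Trusted subnets: every protocol and port, no restriction.
    for net in $TRUSTED_NETS; do
        $IPT -A INPUT -s "$net" -j ACCEPT
    done
    # 5. DID provider only: SIP signalling on 5060 TCP/UDP plus the RTP media range.
    $IPT -A INPUT -s "$DID_PROVIDER" -p udp --dport 5060 -j ACCEPT
    $IPT -A INPUT -s "$DID_PROVIDER" -p tcp --dport 5060 -j ACCEPT
    $IPT -A INPUT -s "$DID_PROVIDER" -p udp --dport "$RTP_RANGE" -j ACCEPT
    # 6. OpenVPN from anywhere, as in Bruce's own rule.
    $IPT -A INPUT -p udp --dport "$VPN_PORT" -j ACCEPT
    # 7. Log whatever falls through (rate-limited), then the policy DROP discards it.
    $IPT -A INPUT -i "$EXTERNAL_DEV" -m limit --limit 5/min -j LOG --log-prefix " EXT; INC "
}

# Sanity check: how many rules name a given source address or network.
count_rules_for() {
    build_rules | grep -c -- "-s $1 "
}

build_rules
```

Review the printed commands first; only when they match the intended policy run the script again with IPT=iptables from a console session rather than over SSH, since the policy DROP takes effect before the accept rules exist.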
Jeremy Kister
2011-May-15 01:45 UTC
[asterisk-users] iptables for Asterisk - Any good guides out there?
On 5/14/2011 7:51 PM, Bruce B wrote:
> and then rebuild everything from the beginning with a very limited scope and
> then without locking myself block all other traffic. Can you suggest what I
> should put in the shell that would get me this:

You may want to start with:

http://jeremy.kister.net/code/asterisk/iptables.init

Modify RTPRANGE and the trusted array at the top, add in your DID providers to the siprtp array at the top, and that should get you near there.

--
Jeremy Kister
http://jeremy.kister.net./
Steve Totaro
2011-May-15 09:03 UTC
[asterisk-users] iptables for Asterisk - Any good guides out there?
On Sat, May 14, 2011 at 7:51 PM, Bruce B <bruceb444 at gmail.com> wrote:
> Hi everyone,
>
> I want to issue the command:
>
> iptables -F
>
> and then rebuild everything from the beginning with a very limited scope
> and then without locking myself block all other traffic. Can you suggest
> what I should put in the shell that would get me this:
>
> Allow traffic from subnet 172.16.0.0/24 (my VPN tunnels) - All
> traffic including those of Asterisk and HTTP - I trust this network
> Allow traffic from subnet 192.168.1.0/24 (other side of VPN network) -
> All traffic including those of Asterisk and HTTP - I trust this network
> Allow traffic from single IP of DID provider - 5060 TCP/UDP and
> 10000-10200 UDP
> Allow VPN access on port 1194 UDP --- I have that figured out to be (*iptables
> -A INPUT -p udp -m udp --dport 1194 -j ACCEPT*) works for this.
>
> *BLOCK all other traffic <----- Important most of all*
>
> Please note that from the subnets I want to allow every single port
> possible and all traffic. I specially have problems with getting a whole
> subnet be able to access everything.
>
> Thanks

This question is probably better for a security or general Linux forum, as it has very little to do with Asterisk.

You have the port numbers correct. You could try "man iptables".

This link should also answer all of your questions; I like the second link with fail2ban.

Please be sure to be a good community member and come back to post your results when you are done!

Thanks,
Steve Totaro