On Thursday 22 May 2008 22:30:29 Joseph L. Casale wrote: > I have a dual homed server in an install for someone who is very cost > sensitive. This server originally is being setup as an Asterisk server, but > now the simplest thing for me to do is also set it up to provide internet > access for the small shop as well. > > So it will have one external, WAN facing nic that needs all incoming ports > except UDP 5060 and 10000 -> 60000 blocked for all but two ips. > > The internal, LAN facing NIC will need all ports except voip/dns/http > blocked to it, and need to provide masquerading. > > I have limited experience with iptables and would love some guidelines. Any > pointers would be greatly appreciated! Hi JLC, There are 2 ways to implement firewall: negative list and positive list. Looks like you want a very strict one that is positive list. Assuming eth0 is WAN, and eth1 is LAN (assuming 192.168.0.0/24)(please mind the word wrap): #Clear all rules and policies first: iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -t nat -F #Give access for localhost: iptables -I INPUT -i lo -j ACCEPT iptables -I OUTPUT -o lo -j ACCEPT #To make life easier: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #Allowing needed ports: iptables -A INPUT -i eth0 -m multiport -p udp --dport 5060,10000:60000 -s ipthatyouwantallow -j ACCEPT iptables -A INPUT -i eth1 -m multiport -p udp --dport 53,80,5060,10000:60000 -j ACCEPT iptables -A OUTPUT -m multiport -p udp --dport 53 -j ACCEPT iptables -A FORWARD -m multiport -p udp --dport 53,5060,10000:60000 -s ipthatyouallow -j ACCEPT iptables -A FORWARD -m multiport -p tcp --dport 80 -j ACCEPT #For masquerading: iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.0.0/24 -j MASQUERADE #For logging (troubleshooting): iptables -A INPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** INPUT DROP ** ' iptables -A FORWARD -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** FORWARD DROP ** ' iptables -A OUTPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** OUTPUT DROP ** ' #Finally dropping all other traffic (positive list firewall): iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP #Don't forget to save it: service iptables save I might make some mistakes up there, so the logging is very important. You can just monitor the log file: tail -f /var/log/messages and look for any miss ports and open them. If for some reason you want to clear the iptables, run this command: iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -t nat -F service iptables save Goodluck, -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 22:03:54 up 2:37, 2.6.22-14-generic GNU/Linux Let's use OpenOffice. http://www.openoffice.org The real challenge of teaching is getting your students motivated to learn. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part. URL: <http://lists.centos.org/pipermail/centos/attachments/20080523/331aba71/attachment-0005.sig>