On Saturday 24 May 2008 21:55:57 Robert Spangler wrote:

First of all, thank you Robert for pointing out some points. For the sake of discussion, may I say something too?

> Since you believe that he wants a very strict firewall why are you setting
> the default policies to ACCEPT? Security 101: a strict firewall drops
> everything from the start. Then you open the access you require, not the
> other way around.

This is my mistake I think. It's because I was assuming the setting up of the firewall is done from another machine (ssh). Those rules are there to prevent an accidental lockout.

> > #Allowing needed ports:
> > iptables -A INPUT -i eth0 -m multiport -p udp --dport 5060,10000:60000 -s ipthatyouwantallow -j ACCEPT
> > iptables -A INPUT -i eth1 -m multiport -p udp --dport 53,80,5060,10000:60000 -j ACCEPT
> > iptables -A OUTPUT -m multiport -p udp --dport 53 -j ACCEPT
> > iptables -A FORWARD -m multiport -p udp --dport 53,5060,10000:60000 -s ipthatyouallow -j ACCEPT
> > iptables -A FORWARD -m multiport -p tcp --dport 80 -j ACCEPT
>
> The first question you need to ask yourself is whether there are any hosted
> services on this box that will require a connection from the WAN side. If
> not then you should change your INPUT statements to allow only the LAN. You
> do not require the INPUT statements for packets that pass through the box
> as FORWARD will handle all traffic passing through.

The OP said that it's an Asterisk box. So it surely needs some open ports, doesn't it?

> Second question is if you are using ESTABLISHED,RELATED why are you not
> using NEW in the above rules?

It depends on the context and level of detail needed. Pls CMIIW: if we allow NEW in the above rules, then ALL traffic will be matched, thus rendering all subsequent rules useless. Again pls CMIIW :)

> Third question is: have you enabled connection tracking? If you are using
> ESTABLISHED,RELATED then the system needs a way to keep track of the
> connection.

I believe CentOS has them enabled and they will be automatically loaded when the rules are fired up. Pls CMIIW.

> If you want a 100% secure firewall then you will not allow any INPUT. All
> modification would have to be done from the box using a keyboard. If this
> is not an option then you can allow access from a trusted IP only and set up
> other security options.

Yes, this is my mistake; I assumed wrongly. Worth noting for the OP and everyone.

> > #For masquerading:
> > iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.0.0/24 -j MASQUERADE
>
> If the WAN port is connected directly to the Internet then you should MASQ
> all outgoing traffic, and anything that is heading to 192.168.0.0/24 should
> be dropped.

You mean it should be:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
?

> > #Finally dropping all other traffic (positive list firewall):
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
>
> This should be at the top of the firewall, not the ACCEPT you have there
> now.
> For your reading enjoyment.
> http://iptables.rlworkman.net/chunkyhtml/index.html

Yes, Oscar's tutorial seems to be the most popular one.

-- 
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
07:46:18 up 45 min, 2.6.22-14-generic GNU/Linux
Let's use OpenOffice. http://www.openoffice.org
The real challenge of teaching is getting your students motivated to learn.
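As an added example, not code from the thread or from either poster, here is the "default DROP first, then open only what you need" layout the two replies converge on, written as a shell function that emits an iptables-restore file so the rule set can be reviewed before it is loaded. The interface names (eth0 WAN, eth1 LAN), the 192.168.0.0/24 LAN, and the SIP 5060/udp and RTP 10000:60000/udp ports are taken from the quoted rules; the trusted remote address 203.0.113.10, the SSH allowance, and the outbound NTP/HTTPS rules are assumptions for illustration. It also shows the state handling the thread asks about: one ESTABLISHED,RELATED rule per chain comes first, and every service rule is then limited to `--ctstate NEW`, so a per-port rule still matches only the port it names (`-m state --state` is the older spelling of the same match).

```shell
#!/bin/sh
# Added example (not from the CentOS thread): generate an iptables-restore
# ruleset for an Asterisk box that also NATs a LAN, default-DROP style.
#
# Assumptions (hypothetical, lifted from the quoted rules where possible):
#   eth0 = WAN, eth1 = LAN, LAN = 192.168.0.0/24,
#   203.0.113.10 = the only remote SIP/admin peer allowed in from the WAN.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
TRUSTED_IP="${TRUSTED_IP:-203.0.113.10}"
RTP_PORTS="${RTP_PORTS:-10000:60000}"

# Print the complete ruleset in iptables-restore format.
asterisk_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: Asterisk's manager/AGI and local tools need it.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# LAN addresses must never arrive on the WAN side (spoofed or leaked).
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# Connection tracking first: packets of a known flow are accepted here,
# so the rules below only ever see the NEW packet that opens a flow.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Services hosted on this box (SIP + RTP, SSH): trusted WAN peer and the LAN only.
-A INPUT -i $WAN_IF -s $TRUSTED_IP -p udp -m multiport --dports 5060,$RTP_PORTS -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -s $TRUSTED_IP -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp -m multiport --dports 53,5060,$RTP_PORTS -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Flows the box itself opens: DNS, NTP, and SIP/RTP towards the trusted peer.
-A OUTPUT -o $WAN_IF -p udp -m multiport --dports 53,123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -d $TRUSTED_IP -p udp -m multiport --dports 5060,$RTP_PORTS -m conntrack --ctstate NEW -j ACCEPT
# Routed LAN -> WAN traffic: web and DNS only.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade everything leaving the WAN interface; the filter table has
# already decided what is allowed out, so no destination exclusion is needed.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Sanity check: with DROP policies and the ESTABLISHED,RELATED rule in front,
# every other ACCEPT (loopback aside) should be restricted to NEW. Prints the
# number of ACCEPT rules that carry no state match; 0 is what we want.
stateless_accepts() {
    asterisk_firewall_rules \
        | grep -- '-j ACCEPT' \
        | grep -E -v -- '-[io] lo ' \
        | grep -vc -- '--ctstate' || true
}

# Usage: ./fw.sh          -> print the ruleset for review
#        ./fw.sh --apply  -> load it atomically (needs root and iptables-restore)
case "${1:-}" in
    --apply) asterisk_firewall_rules | iptables-restore ;;
    *)       asterisk_firewall_rules ;;
esac
```

Loading with iptables-restore rather than a chain of `iptables` commands avoids the lockout the reply worries about: the whole table is swapped in at once, so there is no window where the policy is DROP but the SSH rule has not been added yet. When applying over SSH, pair it with something like `sleep 120 && iptables -P INPUT ACCEPT` in a background shell that you kill once you have confirmed the session still works.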