I assume that we are talking about a PBX with only one network interface, or one connected directly to the public IP through one.

To deny all connections you just need to set the POLICY to DROP in iptables by typing:

iptables -P INPUT DROP

To do this, you must be logged in on the local terminal of the box that is running Asterisk, because this denies any access!!!! AFTER denying all, you need to enable access for the desired IPs:

iptables -I INPUT -s w.x.y.z -j ACCEPT    ( good ip )

You can also use a domain:

iptables -I INPUT -s my.sip.friend.domain.com -j ACCEPT    ( good domain )

This rule resolves the IP address with a DNS query when the rule is loaded, so if this IP changes after that (i.e. the remote user has a service that assigns him a dynamic IP and must reconnect his PC while using a DDNS service), then iptables must be reloaded so it gets the new IP.

If you have more than one interface, you must tell iptables on which one it must accept connections:

iptables -I INPUT -i ethX -s w.x.y.z -j ACCEPT    ( ethX is the name of the interface that connects the PBX to the Internet )

This must also be repeated for each interface that will accept connections. Simple, isn't it?? When you finish, you NEED to SAVE the rules that work fine, to reload them every time you want.

To save your config just type:

iptables-save > /folder-where-you-want-to-save-the-conf/my-config

To load the saved configuration at any time you need it:

iptables-restore < /folder-where-you-has-save-the-conf/my-config

Then, to execute this every time you restart the computer, you must include in rc.local (placed in the /etc/rc.d folder) THIS SENTENCE:

iptables-restore < /folder-where-you-has-save/my-config

OR you may also include the original commands for inserting the rules into iptables inside the rc.local file:

iptables -P INPUT DROP    ( to deny any access )
iptables -I INPUT -s w.x.y.z -j ACCEPT
iptables -I INPUT -s my.sip.friend.domain.com -j ACCEPT

Important note: if you have a box with more than one network interface, AFTER setting the POLICY to DENY (DROP) you must also include a rule to accept connections from your LAN:

iptables -I INPUT -i ethX -s m.l.n.o -j ACCEPT

where m.l.n.o is the IP of any station that must access the PBX from inside, or m.l.n.o/24 to accept from the whole network with a 24-bit netmask (255.255.255.0), to allow connections from the network inside...... Be aware of this.... i.e. to accept all hosts from network 192.168.2.0 in your LAN connected via eth1:

iptables -I INPUT -i eth1 -s 192.168.2.0/24 -j ACCEPT

I hope this can help... Feel free to contact me off the list, so we avoid transforming this into an "iptables list"..

Have good results!!!

Marcos
[email protected]
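As an added example (not Marcos's own script, and not part of the original post), the allow-list above can be generated as a file in iptables-restore format and reviewed before it is loaded, rather than typed as live iptables commands on the console. The interface names (eth0 for the Internet side, eth1 for the LAN) and the addresses are constructed placeholders. The generator validates every address so a typo fails loudly instead of producing a rule that matches nothing, and it also accepts loopback and ESTABLISHED,RELATED traffic, which the post does not mention but which an INPUT DROP policy would otherwise block (the PBX's own local traffic and the replies to its outbound connections). Peers are taken as IP literals only, because, as the post notes, a hostname in a rule is resolved once at load time.

```shell
#!/bin/sh
# Added example: generate a reviewable iptables-restore file for the
# allow-list described in the post, instead of typing live iptables commands.
# Interface names and addresses used below are constructed placeholders.

# valid_ipv4_cidr ADDR[/PREFIX]
# Returns 0 for a well-formed IPv4 address or CIDR block, 1 otherwise.
# A mistyped address would otherwise end up in a rule that matches nothing
# (or make iptables-restore reject the file), so check before generating.
valid_ipv4_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # no "/": a single host
    printf '%s' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s' "$prefix" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_pbx_rules WAN_IF LAN_IF LAN_CIDR PEER...
# Prints a complete filter table in iptables-restore format:
#   - INPUT policy DROP (the post's "iptables -P INPUT DROP")
#   - loopback and established/related traffic accepted (not in the post,
#     but otherwise the PBX's own local traffic and the replies to its
#     outbound connections are dropped as well)
#   - the LAN block accepted on the inside interface
#   - each trusted peer accepted on the Internet-facing interface
# Peers must be IP literals: a hostname in a rule is resolved only once,
# at load time, so regenerate and reload this file when a peer's IP changes.
build_pbx_rules() {
    wan_if=$1
    lan_if=$2
    lan_cidr=$3
    shift 3
    valid_ipv4_cidr "$lan_cidr" || { echo "bad LAN block: $lan_cidr" >&2; return 1; }
    for peer in "$@"; do
        valid_ipv4_cidr "$peer" || { echo "bad peer: $peer" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -i $lan_if -s $lan_cidr -j ACCEPT"
    for peer in "$@"; do
        printf '%s\n' "-A INPUT -i $wan_if -s $peer -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Demo with constructed values (eth0 = Internet, eth1 = LAN, two trusted
# SIP peers). On the PBX you would redirect this output to a file, load it
# with "iptables-restore < FILE" from a local console, and put that same
# line in rc.local so the rules are applied again after a reboot.
build_pbx_rules eth0 eth1 192.168.2.0/24 203.0.113.5 198.51.100.0/28
```

Because iptables-restore applies the whole file atomically, a file that fails validation leaves the running ruleset untouched, which is the property you want when the only console is the one on the PBX itself.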
-- asterisk-biz mailing list
