On Sat, 2011-05-14 at 19:51 -0400, Bruce B wrote:
> Hi everyone,
>
> I want to issue the command:
>
> iptables -F
>
> and then rebuild everything from the beginning with a very limited
> scope and then, without locking myself out, block all other traffic. Can you
> suggest what I should put in the shell that would get me this:
>
> Allow traffic from subnet 172.16.0.0/24 (my VPN tunnels) - All
> traffic including those of Asterisk and HTTP - I trust this network
> Allow traffic from subnet 192.168.1.0/24 (other side of VPN
> network) - All traffic including those of Asterisk and HTTP - I trust
> this network
> Allow traffic from single IP of DID provider - 5060 TCP/UDP and
> 10000-10200 UDP
> Allow VPN access on port 1194 UDP --- I have that figured out to be
> (iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT) works for
> this.
>
> BLOCK all other traffic <----- Important most of all
>
> Please note that from the subnets I want to allow every single port
> possible and all traffic. I especially have problems with getting a
> whole subnet be able to access everything.
>
> Thanks
It's a bit more complicated....

Firstly you have to set the default rules FIRST:

$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

And then do the flushing, not the other way round.

After that you can add rules to accept traffic. After the last rules, it is handy to put:

iptables -A INPUT -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; INC "
iptables -A OUTPUT -o $EXTERNAL_DEV -j LOG --log-prefix " EXT; OUT "
iptables -A FORWARD -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; FWD "

So you can see in the syslog what you are missing ;-)

I'll guess you would also like to accept ntp, dhcp, domain-dns from your isp-provider.
Perhaps also http, https, pop, pops, imap, imaps.
And probably some more, depending on your need.
So you'll see them soon enough in your logfiles.

hw
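The ruleset Bruce asks for, assembled in the order hw recommends (policies first, then flush, then explicit ACCEPTs, then a LOG rule), as an added example that is not part of the thread. EXTERNAL_DEV and DID_PROVIDER_IP are placeholders, and the loopback and ESTABLISHED,RELATED rules are an assumption neither message mentions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the INPUT ruleset Bruce described
# the way hw advises: set policies first so a flush never leaves the box open.
IPT=${IPT:-iptables}                               # set IPT=echo to preview the rules
EXTERNAL_DEV=${EXTERNAL_DEV:-eth0}                 # assumed WAN interface name
DID_PROVIDER_IP=${DID_PROVIDER_IP:-203.0.113.10}   # placeholder (TEST-NET-3 address)
TRUSTED_NETS="172.16.0.0/24 192.168.1.0/24"        # VPN subnets trusted end to end

apply_firewall() {
    # 1. Policies first: once INPUT defaults to DROP, flushing cannot open the host.
    $IPT -P INPUT DROP
    $IPT -P FORWARD ACCEPT   # as in hw's reply; use DROP if this box does not route
    $IPT -P OUTPUT ACCEPT
    # 2. Now flush. -F removes rules but keeps the policies set above.
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -F OUTPUT
    # 3. Assumed but essential: loopback and replies to connections we initiated.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. Everything from the trusted subnets, every port and protocol.
    for net in $TRUSTED_NETS; do
        $IPT -A INPUT -s "$net" -j ACCEPT
    done
    # 5. The DID provider: SIP signalling on 5060 plus the RTP media range only.
    $IPT -A INPUT -s "$DID_PROVIDER_IP" -p udp --dport 5060 -j ACCEPT
    $IPT -A INPUT -s "$DID_PROVIDER_IP" -p tcp --dport 5060 -j ACCEPT
    $IPT -A INPUT -s "$DID_PROVIDER_IP" -p udp --dport 10000:10200 -j ACCEPT
    # 6. OpenVPN from anywhere, so the tunnels themselves can come up.
    $IPT -A INPUT -p udp --dport 1194 -j ACCEPT
    # 7. Log what is left before the DROP policy eats it; rate-limited to spare syslog.
    $IPT -A INPUT -i "$EXTERNAL_DEV" -m limit --limit 5/min -j LOG --log-prefix " EXT; INC "
}

if [ "${1:-}" = "--apply" ]; then
    apply_firewall
fi
```

Run it as `sh fw.sh --apply` from the console or from inside one of the trusted subnets, never from a session the new rules would cut off; `IPT=echo sh fw.sh --apply` prints the rules instead of loading them.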