Using the AsteriskNOW 1.7 distribution as the starting point for the gateway, we needed to get the right rules into iptables. The resulting ruleset, as exported by iptables-save:

```
# Generated by iptables-save v1.3.5 on Sun Aug 7 00:35:02 2011
*mangle
:PREROUTING ACCEPT [527652:250920735]
:INPUT ACCEPT [83766:27202814]
:FORWARD ACCEPT [443523:223508833]
:OUTPUT ACCEPT [81940:39515916]
:POSTROUTING ACCEPT [525477:263026885]
COMMIT
# Completed on Sun Aug 7 00:35:02 2011
# Generated by iptables-save v1.3.5 on Sun Aug 7 00:35:02 2011
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -i ppp1 -j ACCEPT
-A INPUT -p tcp -m tcp -i ppp+ --dport 0:1023 -j DROP
-A INPUT -p udp -m udp -i ppp+ --dport 0:1023 -j DROP
-A INPUT -p tcp -m tcp -i ppp+ --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p icmp -m icmp -i ppp+ --icmp-type 8 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i ppp1 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.5.0/255.255.255.0 -i ppp0 --dport 1723 -j ACCEPT
-A FORWARD -p gre -s 192.168.5.0/255.255.255.0 -i ppp0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Sun Aug 7 00:35:02 2011
# Generated by iptables-save v1.3.5 on Sun Aug 7 00:35:02 2011
*nat
:PREROUTING ACCEPT [14513:1101990]
:POSTROUTING ACCEPT [18:2069]
:OUTPUT ACCEPT [2186:142852]
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT
# Completed on Sun Aug 7 00:35:02 2011
```
Most of the actual creation was done via the Webmin interface. The basics are:
- For FORWARD the chain policy is DROP, so only the specifically allowed traffic gets through.
- For INPUT the chain policy is DROP, so only the specifically allowed traffic reaches the gateway itself.
- For OUTPUT the chain policy is ACCEPT and we do nothing to change that.
- For the nat table we MASQUERADE outbound traffic on ppp0 (the rule matches `-o ppp+`, so it covers every ppp interface).
- miniupnpd will be used.
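Because iptables evaluates a chain top to bottom and stops at the first terminating target, the effect of a ruleset like the one above depends on ordering as much as on the individual rules: `-A INPUT -i ppp1 -j ACCEPT` comes before the `-i ppp+ ... -j DROP` rules, so for traffic arriving on ppp1 those drops are never consulted. The script below is an added example, not part of the original post or of AsteriskNOW; it parses iptables-save output, reports which filter chains do not default to DROP, and flags later interface-wildcard DROP rules that an earlier match-all ACCEPT on a specific interface pre-empts, so the operator can confirm the shadowing is intended. The embedded dump is a constructed subset of the rules shown above.

```python
"""Audit an iptables-save dump: default policies and interface-wildcard shadowing."""

# Constructed sample: the filter and nat tables from the gateway dump above,
# trimmed to the rules relevant to the checks (order preserved).
SAMPLE_DUMP = """\
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -i ppp1 -j ACCEPT
-A INPUT -p tcp -m tcp -i ppp+ --dport 0:1023 -j DROP
-A INPUT -p udp -m udp -i ppp+ --dport 0:1023 -j DROP
-A INPUT -p tcp -m tcp -i ppp+ --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p icmp -m icmp -i ppp+ --icmp-type 8 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i ppp1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [14513:1101990]
:POSTROUTING ACCEPT [18:2069]
:OUTPUT ACCEPT [2186:142852]
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT
"""


def _opt(tokens, flag):
    """Value following a single-token option such as -i or -j, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def parse_iptables_save(text):
    """Return {table: {chain: {"policy": str, "rules": [rule, ...]}}}.

    Each rule keeps its raw line plus the input interface and target; rules stay
    in file order, which is the order the kernel evaluates them in.
    """
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                     # "*filter" starts a table
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):                   # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            tables[table][name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):                 # "-A CHAIN <matches> -j TARGET"
            tokens = line.split()
            rule = {"raw": line, "in_iface": _opt(tokens, "-i"), "target": _opt(tokens, "-j")}
            chain = tables[table].setdefault(tokens[1], {"policy": "-", "rules": []})
            chain["rules"].append(rule)
    return tables


def chains_not_default_drop(tables, table="filter"):
    """Chains whose default policy is anything other than DROP."""
    return [c for c, d in tables[table].items() if d["policy"] != "DROP"]


def iface_matches(pattern, iface):
    """iptables interface matching: a trailing '+' is a prefix wildcard (ppp+ matches ppp1)."""
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface


def shadowed_drops(tables, chain, table="filter"):
    """(interface, drop_rule) pairs where a DROP on an interface wildcard can never fire
    for that interface because an earlier ACCEPT matching only on that interface wins."""
    rules = tables[table][chain]["rules"]
    findings = []
    for i, acc in enumerate(rules):
        if acc["target"] != "ACCEPT" or acc["in_iface"] is None:
            continue
        # Only an ACCEPT with no other match criteria shadows unconditionally.
        if set(acc["raw"].split()) - {"-A", chain, "-i", acc["in_iface"], "-j", "ACCEPT"}:
            continue
        for drop in rules[i + 1:]:
            if (drop["target"] == "DROP" and drop["in_iface"]
                    and drop["in_iface"] != acc["in_iface"]
                    and iface_matches(drop["in_iface"], acc["in_iface"])):
                findings.append((acc["in_iface"], drop["raw"]))
    return findings


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_DUMP)
    print("filter chains not defaulting to DROP:", chains_not_default_drop(parsed))
    for chain_name in ("INPUT", "FORWARD"):
        for iface, rule in shadowed_drops(parsed, chain_name):
            print(f"{chain_name}: traffic on {iface} never reaches -> {rule}")
```

Run against a live system with `iptables-save | python3 audit.py` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`. On the sample it reports OUTPUT as the only non-DROP chain (which the post states is deliberate) and lists the four `ppp+` DROP rules as shadowed for ppp1.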