Using the AsteriskNOW 1.7 distribution as the starting point for the gateway we needed to get the right stuff into iptables.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 | # Generated by iptables-save v1.3.5 on Sun Aug 7 00:35:02 2011*mangle:PREROUTING ACCEPT [527652:250920735]:INPUT ACCEPT [83766:27202814]:FORWARD ACCEPT [443523:223508833]:OUTPUT ACCEPT [81940:39515916]:POSTROUTING ACCEPT [525477:263026885]COMMIT# Completed on Sun Aug 7 00:35:02 2011# Generated by iptables-save v1.3.5 on Sun Aug 7 00:35:02 2011*filter:FORWARD DROP [0:0]:INPUT DROP [0:0]:OUTPUT ACCEPT [0:0]-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT-A INPUT -i eth1 -j ACCEPT-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT-A INPUT -p gre -j ACCEPT-A INPUT -i ppp1 -j ACCEPT-A INPUT -p tcp -m tcp -i ppp+ --dport 0:1023 -j DROP-A INPUT -p udp -m udp -i ppp+ --dport 0:1023 -j DROP-A INPUT -p tcp -m tcp -i ppp+ --tcp-flags FIN,SYN,RST,ACK SYN -j DROP-A INPUT -p icmp -m icmp -i ppp+ --icmp-type 8 -j DROP-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT-A FORWARD -i eth1 -j ACCEPT-A FORWARD -i ppp1 -j ACCEPT-A FORWARD -p tcp -m tcp -s 192.168.5.0/255.255.255.0 -i ppp0 --dport 1723 -j ACCEPT-A FORWARD -p gre -s 192.168.5.0/255.255.255.0 -i ppp0 -j ACCEPT-A INPUT -i lo -j ACCEPTCOMMIT# Completed on Sun Aug 7 00:35:02 2011# Generated by iptables-save v1.3.5 on Sun Aug 7 00:35:02 2011*nat:PREROUTING ACCEPT [14513:1101990]:POSTROUTING ACCEPT [18:2069]:OUTPUT ACCEPT [2186:142852]-A POSTROUTING -o ppp+ -j MASQUERADECOMMIT# Completed on Sun Aug 7 00:35:02 2011 |
Most of the actual creation was done via the webmin interface. The basics are:
- For FORWARD we DENY by default and only allow specific traffic.
- For INPUT we DENY by default and only allow certain traffic.
- For OUTPUT we ACCEPT by default and do nothing to change that.
- For the nat table we MASQUERADE ppp0.
- miniupnpd will be used.