2 Replies Last post: Feb 15, 2010 11:41 PM by mparadis  
mparadis

Nov 24, 2009 10:29 AM

OpenSBC on Centos; iptables problem

I have built a CentOS server with OpenSBC on it. Now I need to set up iptables to do the interface routing and protection of the server. I don't need anything but SIP/RTP and SSH from inside the LAN to the server. I have the following iptables portion but cannot get it to run on CentOS. Is there someone here who might know iptables well enough to help me complete this into a functional config? The public side is on eth1 while the private side is on eth0.

Thanks very much.

iptables --flush
iptables -F FORWARD
iptables -F nat
# EXTIF is my WAN-facing interface of the NAT ( eth1 ).
# INTIF0 is my LAN-facing interface of the NAT ( eth0 ).
export EXTIF=eth1
export INTIF0=eth0
# my sipx proxy server and sipxbridge run here.
export SIPXADDR=192.168.5.75
export PORTRANGE=10000:20000
iptables -A FORWARD -i $EXTIF -o $INTIF0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF0 -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $EXTIF --dport $PORTRANGE -j DNAT --to-destination $SIPXADDR
iptables -A FORWARD -i $EXTIF -o $INTIF0 -d $SIPXADDR -p udp --dport $PORTRANGE -j ACCEPT
iptables -t nat -A PREROUTING -i eth3 -p udp --dport 5060 -j DNAT --to-destination $SIPXADDR:5060
iptables -A FORWARD -i $EXTIF -o eth0 -d $SIPXADDR -p udp --dport 5060 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface $EXTIF -j MASQUERADE
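
An added example, not part of mparadis's post: the policy described above written as a default-deny ruleset in `iptables-restore` format, with a check that flags any interface other than the two named in the post. The interface names, address and port range are the ones in the post; `SIPPORT`, `emit_ruleset`, `unknown_interfaces` and the rule letting the SIP host originate outbound UDP are assumptions made for this example.

```shell
# Added example (not the poster's code). Values are the ones given in the post.
EXTIF=eth1             # WAN-facing interface
INTIF0=eth0            # LAN-facing interface
SIPXADDR=192.168.5.75  # internal sipX proxy / sipXbridge host
PORTRANGE=10000:20000  # RTP media ports
SIPPORT=5060           # SIP signalling port (assumed name for the 5060 in the post)

# Print the ruleset in iptables-restore format; nothing is applied here.
# Forwarding also needs net.ipv4.ip_forward=1 on the box.
emit_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $EXTIF -p udp --dport $SIPPORT -j DNAT --to-destination $SIPXADDR:$SIPPORT
-A PREROUTING -i $EXTIF -p udp --dport $PORTRANGE -j DNAT --to-destination $SIPXADDR
-A POSTROUTING -o $EXTIF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INTIF0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXTIF -o $INTIF0 -d $SIPXADDR -p udp --dport $SIPPORT -j ACCEPT
-A FORWARD -i $EXTIF -o $INTIF0 -d $SIPXADDR -p udp --dport $PORTRANGE -j ACCEPT
-A FORWARD -i $INTIF0 -o $EXTIF -s $SIPXADDR -p udp -j ACCEPT
COMMIT
EOF
}

# Read rules on stdin and list every interface given to -i/-o that is not
# lo, $EXTIF or $INTIF0. Prints nothing when all interfaces are known.
unknown_interfaces() {
    awk -v wan="$EXTIF" -v lan="$INTIF0" '
        { for (i = 1; i < NF; i++)
            if (($i == "-i" || $i == "-o" ||
                 $i == "--in-interface" || $i == "--out-interface") &&
                $(i+1) != "lo" && $(i+1) != wan && $(i+1) != lan)
                print $(i+1) }' | sort -u
}
```

As root, `emit_ruleset | iptables-restore --test` parses the ruleset without committing it; on CentOS the saved copy lives in `/etc/sysconfig/iptables`.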