LinuxQuestions.org
Old 04-24-2007, 10:39 AM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 1,966

Rep: Reputation: 55
IPTABLES and Forwarding


When you add a forwarding rule to a script like:

PHP Code:
$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 5050:5065 -m state --state NEW -j ACCEPT 
I should be able to see the port open when I perform an external port scan, correct? Every time I attempt to run an external port scan from the web it always says that it is filtered, so does that mean that it is open and that it will only allow requests from udp 5050:5065?

I am trying to set up an Asterisk VOIP server and I cannot receive any incoming calls. So help?
 
Old 04-24-2007, 01:51 PM   #2
phsythax
Member
 
Registered: Oct 2005
Location: Denmark
Distribution: Gentoo & XP pro for gaming
Posts: 152

Rep: Reputation: 30
Quote:
Originally Posted by metallica1973
When you add a forwarding rule to a script like:

PHP Code:
$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 5050:5065 -m state --state NEW -j ACCEPT 
I should be able to see the port open when I perform an external port scan, correct? Every time I attempt to run an external port scan from the web it always says that it is filtered, so does that mean that it is open and that it will only allow requests from udp 5050:5065?

I am trying to set up an Asterisk VOIP server and I cannot receive any incoming calls. So help?

If a port appears to be in the state called filtered, it means that the port is in use, but not open to anyone. Try turning your firewall off, and then try doing a port scan again from your external computer. If it appears that it is the firewall, then try to simplify your firewall rules so that you may more easily see through it. That line you posted has variables which are not shown here. You need to post more if you want to receive better help. However, exposing firewall rules on the world wide web is a bad thing to do if this should appear in the hands of a hacker, so only post what you have ATM, and only the parts which you think are relevant for us to help you.
 
Old 04-24-2007, 03:04 PM   #3
win32sux
Moderator
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 367
Quote:
Originally Posted by metallica1973
When you add a forwarding rule to a script like:

PHP Code:
$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 5050:5065 -m state --state NEW -j ACCEPT 
I should be able to see the port open when I perform an external port scan, correct?

it depends on whether you actually have something listening on the port or not... the port shouldn't be reported as "open" unless something is listening on it...

Quote:
Every time I attempt to run an external port scan from the web it always says that it is filtered, so does that mean that it is open and that it will only allow requests from udp 5050:5065?

it means that the packets the scanner is sending aren't generating any response... this could be an issue with your iptables rules (check your PRE/POSTROUTING chains in the NAT table)... the rule you posted won't care what port requests are coming from, as long as they go *to* ports 5050:5065...

Quote:
I am trying to set up an Asterisk VOIP server and I cannot receive any incoming calls. So help?
Moved: This thread is more suitable in Linux - Networking and has been moved accordingly to help your thread/question get the exposure it deserves.

Last edited by win32sux; 04-24-2007 at 03:07 PM.
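
Added example (not part of the original thread): one way to run the check win32sux suggests, confirming that a forwarded UDP port is covered by both a DNAT rule in the nat table's PREROUTING chain and an ACCEPT rule in FORWARD. The interface names, the 192.168.2.10 address, and the assumption that the DMZ server sits behind NAT are constructed for illustration; the function name is hypothetical.

```shell
#!/bin/sh
# Constructed iptables-save dump (sample values, not taken from the thread):
# eth0 = external interface, eth1 = DMZ, 192.168.2.10 = DMZ VoIP server.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p udp -m udp --dport 5050:5065 -j DNAT --to-destination 192.168.2.10
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.2.10/32 -i eth0 -o eth1 -p udp -m state --state NEW -m udp --dport 5050:5065 -j ACCEPT
COMMIT'

# check_forward_path RULES PROTO PORT  (hypothetical helper)
# Reports whether PROTO/PORT is covered in nat PREROUTING (DNAT) and in
# filter FORWARD (ACCEPT). Returns 0 only when both rules are present.
check_forward_path() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        /^\*/ { table = substr($0, 2); next }   # "*nat" / "*filter" section header
        $1 != "-A" { next }                     # skip policies, COMMIT, comments
        {
            chain = $2; p = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")      p      = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (p != proto || dport == "") next
            # --dport is either a single port or a lo:hi range
            n = split(dport, r, ":"); lo = r[1]; hi = (n == 2) ? r[2] : r[1]
            if (port + 0 < lo + 0 || port + 0 > hi + 0) next
            if (table == "nat" && chain == "PREROUTING" && target == "DNAT") nat = 1
            if (table == "filter" && chain == "FORWARD" && target == "ACCEPT") fwd = 1
        }
        END {
            print "nat PREROUTING DNAT: " (nat ? "present" : "MISSING")
            print "filter FORWARD ACCEPT: " (fwd ? "present" : "MISSING")
            exit !(nat && fwd)
        }'
}

# Run against the constructed sample; on a live firewall (as root) use:
#   check_forward_path "$(iptables-save)" udp 5060
check_forward_path "$SAMPLE_RULES" udp 5060
```

A FORWARD rule on its own only permits packets that are already routed toward the DMZ host; if the server has a private address and the DNAT rule is missing, the scanner's packets never reach it.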
 
Old 04-24-2007, 05:22 PM   #4
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 1,966

Original Poster
Rep: Reputation: 55
Things are fine, and the state of filtered means it is open to certain packets to pass through the firewall. I had a unique setup at my office and realized that my firewall rule set is OK. After I made some hardware changes around my network, my VOIP server was able to receive calls. It appears that a VOIP ATA that was set up in front of a firewall was causing false positives. Many thanks.
 
All times are GMT -5.