I have a Linux Box running CentOS 5.3 Final, installed with the AsteriskNow install CD. I'm (obviously) running Asterisk on it. I have it interfaced to my Cisco Call Manager over our VPN. This will allow me to use 4-digit dialing from IP phones using the Asterisk system at our tent sale to our building as well as the reverse. There are two network cards in the Asterisk box, and I need to provide data connections to our store as well. Everything is working right now, however I'm very uneasy about the security of the system.
The reason for this is that this machine will be directly exposed to the internet and basically EVERYTHING is accepted by iptables. I know how to use pf in BSD and love the simplicity and elegance of it, but I haven't used iptables for the past five or more years. Quite honestly, I don't remember much about it, other than it was a royal pain to get it to act like I wanted.
Basically, I need the firewall to do the following:
Provide a trusted NAT segment with static IPs on eth1.
Allow all connections from eth1 and forward them out either eth0 or the VPN tunnel as appropriate. (Which packets go to the VPN and which go directly out appears to be handled transparently by the Cisco VPN client software. I have everything forwarded out eth0 and it appears to allow me to access the store via the VPN.)
Allow traffic coming in on eth0 related to connections established by boxes on eth1 through.
Allow connections on specific ports/port ranges using specific protocols on the VPN interface from specific IPs/IP ranges.
Drop everything else.
I know I must be making this harder than it is. BSD's pf will do exactly what I want in about 20 lines. So far, I've got about 4 pages of iptables rules and all it really does is forward everything from eth1 out eth0. Doing port scans from eth0 shows there to be no security on it at a firewall level. I've read documentation on iptables and it's given me a massive headache, but I don't see where it can be made simpler; I'll need several more pages of rules to accomplish what I want and even then I'm not 100% that it'll work the way I want to.
I did find reference to a port of pf to linux
via google, but it appears the project is abandoned, as the page was last updated in 2004 and the machine name where the source code resides cannot be resolved.
Could somebody please help me with the rule-set I need to accomplish the above goal?