I have a Linux Box running CentOS 5.3 Final, installed with the AsteriskNow install CD. I'm (obviously) running Asterisk on it. I have it interfaced to my Cisco Call Manager over our VPN. This will allow me to use 4-digit dialing from IP phones using the Asterisk system at our tent sale to our building as well as the reverse. There are two network cards in the Asterisk box, and I need to provide data connections to our store as well. Everything is working right now, however I'm very uneasy about the security of the system.
The reason for this is that this machine will be directly exposed to the internet and basically EVERYTHING is accepted by iptables. I know how to use pf in BSD and love the simplicity and elegance of it, but I haven't used iptables for the past five or more years. Quite honestly, I don't remember much about it, other than it was a royal pain to get it to act like I wanted.
Basically, I need the firewall to do the following:
Provide a trusted NAT segment with static IPs on eth1.
Allow all connections from eth1 and forward them out either eth0 or the VPN tunnel as appropriate. (Which packets go to the VPN and which go directly out appears to be handled transparently by the Cisco VPN client software. I have everything forwarded out eth0 and it appears to allow me to access the store via the VPN.)
Allow traffic coming in on eth0 related to connections established by boxes on eth1 through.
Allow connections on specific ports/port ranges using specific protocols on the VPN interface from specific IPs/IP ranges.
Drop everything else.
I know I must be making this harder than it is. BSD's pf will do exactly what I want in about 20 lines. So far, I've got about 4 pages of iptables rules and all it really does is forward everything from eth1 out eth0. Doing port scans from eth0 shows there to be no security on it at a firewall level. I've read documentation on iptables and it's given me a massive headache, but I don't see where it can be made simpler; I'll need several more pages of rules to accomplish what I want and even then I'm not 100% sure that it'll work the way I want it to.
I did find a reference to a port of pf to Linux via Google, but it appears the project is abandoned, as the page was last updated in 2004 and the machine name where the source code resides cannot be resolved.
Could somebody please help me with the rule-set I need to accomplish the above goal?
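One way to express the five requirements above as a short iptables script, added here as an example and not the poster's own rules. The interface names (eth0 internet, eth1 trusted LAN, tun0 for the Cisco tunnel), the 192.168.50.0/24 and 10.10.0.0/16 ranges and the SIP/RTP ports are assumptions; by default the script only prints the rules for review, and loads them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example for the question above, not the poster's configuration.
# Assumptions (constructed): eth0 = internet, eth1 = trusted static LAN
# 192.168.50.0/24, tun0 = the Cisco VPN tunnel (the client may name it
# differently), 10.10.0.0/16 = the office / Call Manager range reachable
# over the VPN, SIP on UDP 5060 and RTP on UDP 10000-20000.
WAN=eth0
LAN=eth1
VPN=tun0
LAN_NET=192.168.50.0/24
CCM_NET=10.10.0.0/16

# Real iptables only when APPLY=1; otherwise just print the rules.
if [ "${APPLY:-0}" = "1" ]; then IPT=iptables; else IPT="echo iptables"; fi

build_rules() {
    # Clean slate; default policy DROP for anything not listed below.
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to connections this box opened itself
    # (this also covers the VPN client's own tunnel traffic on eth0).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The trusted segment may reach the box (phones registering, SSH).
    $IPT -A INPUT -i $LAN -s $LAN_NET -j ACCEPT

    # Over the VPN, only the office range may reach SIP and RTP.
    $IPT -A INPUT -i $VPN -s $CCM_NET -p udp --dport 5060 -j ACCEPT
    $IPT -A INPUT -i $VPN -s $CCM_NET -p udp --dport 10000:20000 -j ACCEPT

    # Forwarding: LAN out anywhere; only replies back in on eth0/VPN.
    $IPT -A FORWARD -i $LAN -s $LAN_NET -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hide the static LAN addresses behind eth0's address.
    $IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
    # Everything else hits the DROP policies set above.
}

build_rules
# Routing between interfaces also needs kernel forwarding enabled.
[ "${APPLY:-0}" = "1" ] && echo 1 > /proc/sys/net/ipv4/ip_forward
```

Run it once without APPLY to read the generated rules, and compare with `iptables -L -v -n` after loading; port-scanning eth0 from outside should then show only replies to your own connections.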