Here's what I have.
Dual-homed FreePBX box. Everything works like a champ. eth0 is external. eth1 is internal. SIP provider is at 216.234.x.x.
I'm trying to configure iptables to allow everything from eth1 and lo, but only allow traffic from 216.234.x.x.
Here are the current iptables rules I've added.
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -s 216.234.x.x/32 -j ACCEPT
-A OUTPUT -j ACCEPT
As soon as I hit enter on...
iptables -A INPUT -i eth0 -j DROP
Inbound audio stops working.
Then when I delete that rule it works again. I'm at a loss.
Thanks,
Sounds like a good candidate for adding a LOG rule before your DROP, see if you're able to spot some necessary traffic being dropped unexpectedly.
What you need is stateful firewalling - allowing packets only in one direction is obviously useless.
Fortunately, conntrack is smart so you don't have to be.
Ensure that the first rule is
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
and worry no more - the SIP helper will hopefully catch the issue of the differing IP. You would also do well to read the iptables manpage regarding the exact arguments that the conntrack match accepts, so you can better use it in the future.
Also bear in mind that automatic setup of connection helpers will eventually be disposed of, so whilst you can currently just apply RELATED to everything, a kernel in the not-so-distant future will likely break it.
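Putting both answers together, here is an added example of a complete, ordered ruleset for the setup described in the question. It is my own example, not configuration posted by the asker or either answerer. It keeps the interface names from the thread and the `216.234.x.x` placeholder (which has to be replaced with the real address), and it assumes an Asterisk default install: the RTP range `10000:20000` and the `nf_conntrack_sip` module being loadable. The `-t raw ... -j CT --helper sip` rules are the explicit helper assignment that the second answer's caveat points at, so the ruleset does not depend on automatic helper loading; the LOG rule before the DROP is the first answer's suggestion.

```shell
#!/bin/sh
# Added example (not the poster's or the answers' own config): a stateful
# INPUT chain for a dual-homed FreePBX host, loaded in the order the answer
# above recommends. Interface names come from the thread; the provider
# address is the thread's placeholder and must be replaced; the RTP range
# and the nf_conntrack_sip helper are assumptions about an Asterisk default.
set -eu

EXT_IF="${EXT_IF:-eth0}"                      # internet-facing interface
INT_IF="${INT_IF:-eth1}"                      # LAN interface, fully trusted here
SIP_PROVIDER="${SIP_PROVIDER:-216.234.x.x}"   # placeholder from the thread; set the real /32
RTP_PORTS="${RTP_PORTS:-10000:20000}"         # assumption: Asterisk's default rtp.conf range
IPT="${IPT:-iptables}"                        # set IPT="echo iptables" for a dry run

# Emit the rule set, one iptables argument list per line, in load order.
# Ordering is the point: the conntrack ACCEPT is the first INPUT rule, so
# replies to anything the PBX itself sent, plus flows the SIP helper marks as
# RELATED (media arriving from a host other than the signalling address), are
# accepted before any source or interface check. The LOG rule sits directly
# in front of the DROP so every discarded packet is explained in the kernel
# log. The explicit RTP ACCEPT is belt and braces for the case where the
# helper fails to parse the SDP; delete it if you want to rely on the helper.
pbx_rules() {
  cat <<EOF
-t raw -A PREROUTING -i $EXT_IF -p udp -s $SIP_PROVIDER/32 --dport 5060 -j CT --helper sip
-t raw -A OUTPUT -o $EXT_IF -p udp -d $SIP_PROVIDER/32 --dport 5060 -j CT --helper sip
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $INT_IF -j ACCEPT
-A INPUT -i $EXT_IF -s $SIP_PROVIDER/32 -j ACCEPT
-A INPUT -i $EXT_IF -p udp --dport $RTP_PORTS -j ACCEPT
-A INPUT -i $EXT_IF -m limit --limit 10/min -j LOG --log-prefix PBX-DROP:
-A INPUT -i $EXT_IF -j DROP
-A OUTPUT -j ACCEPT
EOF
}

# Load the rules. The INPUT chain and the raw table are flushed first so a
# re-run does not stack duplicates and the poster's appended rules do not
# remain in front of these. Requires root and modprobe nf_conntrack_sip.
apply_rules() {
  $IPT -F INPUT
  $IPT -t raw -F
  pbx_rules | while IFS= read -r rule; do
    # shellcheck disable=SC2086  # splitting the rule into arguments is intended
    $IPT $rule
  done
}

# Default is to print the ordered rules; APPLY=1 loads them.
if [ "${APPLY:-0}" = 1 ]; then apply_rules; else pbx_rules; fi
```

Run it once without `APPLY=1` and compare the printed order with `iptables -S INPUT` after loading; the conntrack ACCEPT must be the first INPUT rule and the `-i eth0 -j DROP` the last. If audio still fails, the `PBX-DROP:` lines in the kernel log show which source address and port were refused, which tells you whether the media really is coming from an address other than the signalling one.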