service iptables restart
Stopping iptables...
net.ipv4.ip_forward = 0
Starting iptables...
net.ipv4.ip_forward = 1
pbx1 etc # iptables -L -v
Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
29 1940 ACCEPT all -- eth1 any anywhere anywhere
0 0 ACCEPT all -- eth2 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 any anywhere anywhere state NEW tcp dpt:122
0 0 ACCEPT udp -- eth0 any anywhere anywhere state NEW udp dpt:5060
0 0 DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth0 anywhere anywhere
0 0 ACCEPT all -- eth2 eth0 anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 21 packets, 1996 bytes)
pkts bytes target prot opt in out source destination
pbx1 etc # iptables -L FORWARD -v
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth0 anywhere anywhere
0 0 ACCEPT all -- eth2 eth0 anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
pbx1 etc #
## AstLinux Main Configuration file
## Web: http://www.astlinux.org
## Support: http://lists.kriscompanies.com
## Donate: Paypal [EMAIL PROTECTED]
## Don't uncomment any line with more than one #!
## Begin rc.conf ##
###Basic Stuff
DOMAIN=ttienterprises.org
HOSTNAME=pbx1
TZ_TIMEZONE=EST5EDT
TIMEZONE=America/New_York
###Interfaces
##VLANS
##Configure vlans here. These will be created on boot BEFORE INTIF, etc are
##brought up. You can then use these values for INTIF, EXTIF, etc.
#VLANS="eth1.110 eth1.120"
##BRIDGES
##If configured with bridge-utils AstLinux can setup layer 2 bridges for you
##Very useful for access points, small "switches" etc. You can define up to
##three total (BRIDGE0, BRIDGE1, BRIDGE2). This example creates device "br0"
##and adds the interfaces (separated by spaces) to the bridge. Bridges can
##include vlans as defined above.
#BRIDGE0="eth1 ap0"
#BRIDGE1="ap1 eth0"
#BRIDGE2="ath0 eth1"
##External Interface
EXTIF=eth0
EXTIP="24.73.215.62"
EXTNM="255.255.255.248"
EXTGW="24.73.215.61"
DNS="65.32.1.70 65.32.1.65"
##If you do not define the INTIF, I will also not start the following services:
##dnsmasq iptables astshape (PBX only mode)
##For Computers and LAN
INTIF=eth1
INTIP=192.168.0.191
INTNM=255.255.255.0
##Additional "Internal" interfaces
## FOR Phones and VoIP
INT2IF=eth2
INT2IP=10.10.10.10
INT2NM=255.255.255.0
##DMZ Support
##Uncomment the following to utilize a DMZ network. The DMZ network by
##default is only allowed to access the internet (via EXTIF). It is not
##able to access services on the AstLinux machine, or any of the machines
##on INTIF. To allow access to services on the AstLinux machine
##(Asterisk, etc.) set DMZTYPE=extme
DMZTYPE=extme
#DMZIF="eth2"
#DMZIP="192.168.102.1"
#DMZNM="255.255.255.0"
### Firewall support. Two firewall scripts are now available. Set that variable
### here. Values are astfw or arno. If not set, defaults to astfw.
### Settings for Arno's firewall should be made by copying the config file from
### /stat/etc/arno-iptables-firewall.conf to /mnt/kd. REBOOT or restart iptables
### If using Arno's firewall, the firewall settings in rc.conf are presently ignored.
FWVERS="astfw"
### astfw Firewall (iptables)
##Default "deny action" - you want either DROP or REJECT (returns with icmp filtered)
DENYACT="DROP"
##EXTOPEN
##A list of ports (with protocol) that will be opened on the external
#interface to the AstLinux machine. Here you can add access to IAX
##SIP, etc.
##t= tcp u= udp
EXTOPEN="t122 u5060"
##Master NTP server. This is the NTP server that AstLinux will sync against
##upon bootup. It is also the server that the running ntpd process will use
##to maintain that time sync.
NTPSERV="128.105.39.11"
###Traffic Shaping (AstShape)
##This is typical for a lot of cable ISPs (at least for RR here in Wisconsin...)
##Please change it after some testing, and make sure that it is 90% of your tested
##link speed. This prevents queuing that destroys latency - very important for VOIP.
##Disabled by default. Uncomment EXTUP & EXTDOWN to enable...
#EXTUP=300
#EXTDOWN=2000
##Traffic from asterisk is moved into the top Q because I set tos=0x18
##which is automatically given highest priority by astshape. Perfect, huh?
##low priority OUTGOING traffic - you can leave this blank if you want
##low priority source netmasks
NOPRIOHOSTSRC=
##low priority destination netmasks
NOPRIOHOSTDST=
##low priority source ports
NOPRIOPORTSRC=
##low priority destination ports
NOPRIOPORTDST=
###Upgrade Config
##This is a list of pathnames to exclude in an upgrade attempt. #
##The update script will not touch/replace/look in any directory
##specified below. For help you should look at the rsync man pages
##or "rsync --help".
##This does not work and has been replaced by a static /etc/astup.ex (for now)
#ASTUPEX="/dev/* /proc/* /mnt/kd/* /tmp/* /stat/* /var/*"
###Hardware
##Autoload Modules
##If /etc/rc.modules does not exist, then I will load these modules upon
##system startup.
AUTOMODS="rtc 3c59x typhoon tulip eepro100 natsemi forcedeth 8139cp 8139too via-rhine pcnet32 acenic e1000 ns83820 r8169 tg3"
##LMSensors Modules
##List your hardware modules, separated by spaces
##You will also need to create a sensors.conf
#SENSEMODS="vt1211"
##Zaptel hardware support (NOT Sangoma - use "wancfg")
##These are the modules that will get loaded\unloaded by the Zaptel ##
##Init script. Please move the zaptel modules from /etc/rc.modules ##
##or AUTOMODS to here. If you don't have any zap hardware, leave ##
##this undefined and ztdummy will be loaded automatically. ##
#ZAPMODS="wctdm"
##Configure watchdog
##The first is the kernel module to load
##Next is the timeout period
#WDMODULE=scx200_wdt
#WDTIME=60
##ISDN Configuration
##If this variable exists I will try to load the proper modules, but you
##need to tell me how you want to setup your card.
##Documentation can be found at: http://www.beronet.com/download/card_installation_guide_en.pdf
##More can be found at: http://home.foni.net/~jolly1/download/PBX4Linux-2.5.html
##Don't forget to edit misdn.conf and modules.conf in /etc/asterisk.
##Examples:
#ISDN_MODPROBE="hfcpci protocol=0x2 layermask=0xf"
#ISDN_MODPROBE="hfcmulti type=0x08 protocol=0x12,0x12,0x12,0x12,0x2,0x2,0x2,0x2 layermask=0x3,0x3,0x3,0x3,0xf,0xf,0xf,0xf"
#ISDN_MODPROBE="hfcmulti type=0x04 protocol=0x12,0x12,0x2,0x2 layermask=0x3,0x3,0xf,0xf"
#ISDN_MODPROBE="avmfritz protocol=0x2 layermask=0xf debug=0x0"
##IDE Drive configuration
##From 0.2.5.6 onwards, DMA is disabled on the GRUB command line.
##I was having too many problems with motherboards detecting CF's
##as capable of DMA. Now I turn DMA off for everything except the
##devices listed below.
#DMA_DEV="/dev/hdc"
##Blinkenlights
##I have a simple script to make the lights on Soekris/WRAP boards blink.
##It supports a few options. LED_NUM is the number to blink.
##WRAP supports 1 (power), 2 (error), or 3 (extra) - default
##Soekris supports 1 (error)
##LED_TIME is the number of seconds to wait between blinking cycles. 1 is the default.
LED_NUM=3
LED_TIME=1
###Misc. AstLinux
##AstBack Configuration
ASTBACK_PATHS="/etc/asterisk/* /var/spool/asterisk/voicemail/* /mnt/kd/rc.conf"
##If you use the web interface for backup you CANNOT change the following
ASTBACK_FILE="/tmp/backup.tar.gz"
##Custom tmpfs sizes
##here is where you can increase or decrease the size of the various
##tmpfs filesystems. If you set these too large, it is possible for
##the system to use all available RAM, in which case the Linux kernel
##will start randomly killing processes to free up memory. You have
##been warned!
#VAR_SIZE="25000k"
#TMP_SIZE="10000k"
###Daemons
##FTP support
##vsftpd no longer starts by default. To start it from inetd, set
##inetd. For standalone mode, set vsftpd
#FTPD=inetd
##Configure TFTPD support
##Works the same as FTPD above.
#TFTPD=inetd
##TFTP Server options (flags to pass to TFTP)
##This only works in standalone TFTP server mode
#TFTPDOPTIONS="-l -s /tftpboot"
##FTP Server options (flags to pass to vsftpd)
## This only works in standalone vsftpd server mode
#FTPDOPTIONS="/etc/vsftpd.conf"
##Secondary HTTP only server
##If you set HTTPDIR, I will startup another instance of mini_httpd to
##serve files from that directory. HTTPUSER is the user the server will
##run as.
HTTPDIR="/tftpboot"
HTTPUSER="nobody"
HTTPCGI="no" # yes|no to enable CGI (just like for HTTPS)
##HTTPS Variables
HTTPSDIR="/stat/var/www" # Define the location to serve HTTPS from
HTTPSCGI="yes" # Whether to enable CGI in the above path
HTTPSCERT="/etc/ssl/mini_httpd.pem" # Path to the https certificate
HTTPSUSER="root" #user to run HTTPS under
##NTPD Variables
#Enable NTP broadcasts to local LAN(s). Use with something like
#Tardis (win32) or ntpd (listen mode).
#NTPBROADCAST=no
##Static hosts for local resolver + DNSMasq
##This should be a space-separated list of hostname and IP
##address pairs separated by colons. Configure as many
##as you wish
#STATHOSTS="server1:192.168.1.11 server2:192.168.1.12"
##Remote Syslog Config
##The machine below will receive all logging messages from this machine via
##syslog's remote logging features.
#SYSLOGHOST=""
##Persistent Logs
##If this variable is defined, logs are saved to the keydisk instead of RAM
#PERSISTLOG=yes
##NFSROOTPATH
##For diskless clients, the path to use for a root filesystem.
#NFSROOTPATH="$INTIP:/mnt/kd/nfsroot"
##NFS Server support (read only exports)
#NFS_EXPORTS_RO="/tftpboot"
##Read/write
#NFS_EXPORTS_RW="/home"
##BOOTPFILE
##For diskless clients, the image to use for booting.
#BOOTPFILE="/pxelinux.0"
###Mail Config
##This is the SMTP server that all mail from cron, etc. on this
##system will be sent through. This includes Asterisk VM notifications.
SMTP_SERVER="mail.ttienterprises.org"
SMTP_DOMAIN="ttienterprises.org"
SMTP_HOSTNAME="pbx"
#SMTP_TLS=YES
#SMTP_CA=/stat/etc/ca.crt # some file
##The username and password for communicating with the SMTP server.
#SMTP_USER=username
#SMTP_PASS=password
SMTP_AUTH=plain
##SSHD Config
##Allow sshd root logins? Yes or no are acceptable.
SSHDPORT=122
SSHDROOT=yes
###VPN Support
##AstLinux currently supports two types of VPN - racoon/KAME and
##openvpn. Set your type here, more to come... You need opt for this
#VPN=openvpn
##OpenVPN specific options
##All certs must be created manually.
##Suggest using the "easy-rsa" scripts that come with OpenVPN
##Perhaps on different machine, then copy the appropriate files
##Hopefully these can be created with a web interface in the future.
##VPN above must be openvpn
#OVPN_DEV="tun"
#OVPN_PROTOCOL="udp"
#OVPN_CA="/etc/openvpn/easy-rsa/keys/ca.crt"
#OVPN_CERT="/etc/openvpn/easy-rsa/keys/server.crt"
#OVPN_KEY="/etc/openvpn/easy-rsa/keys/server.key"
#OVPN_DH="/etc/openvpn/easy-rsa/keys/dh1024.pem"
#OVPN_SERVER="192.168.15.0 255.255.255.0"
#OVPN_VERBOSITY="1"
#OVPN_PUSH1="route 192.168.0.0 255.255.255.0"
#OVPN_PUSH2=""
#OVPN_PUSH3=""
##Stunnel support. If your AstLinux build has been built with
##Stunnel, you can setup local stunnel connections here like so:
## "astlinux listening port:remote server:remote port"
##Separate multiple tunnels with spaces
##Don't forget to open the external port with EXTOPEN!
#STUNNELSERVS="8443:192.168.111.11:80 993:mailserver:143"
##Custom stunnel cert. By default we use the same cert as
##mini_httpd.
#STUNNELCERT="/mnt/kd/stunnel.pem"
##Stunnel user/group id. By default we will run stunnel as nobody
##this is fine unless you need to run as some other user because
##you need to bind to a port > 1023, etc. You will also need to
##have a group by the same name.
#STUNNELUSER="nobody"
###Vendor Tweaks
##ISSUE is what is presented on running gettys (console)
ISSUE="This is \n\ (\s \m \r) \t"
##/etc/issue.net is used by SSHD, more to come
NETISSUE="WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials."
##Upgrade URL
##Make it easier to do your own build by specifying your own upgrade URL
##here. Astup will use this server instead of the default.
#ASTUPURL="http://mirror.astlinux.org/runnix"
##Runnix Device
##For now, you need to specify the flash device that runnix is installed on
#RUNDEV=/dev/hda1
##AstLinux Extensions
##If you wish, you can enable some add-on extensions. These may be
##commercial products that require a license. You shouldn't touch
##this unless you know what you are doing, or have been told to.
#EXTENSIONS="pbxware"
## End rc.conf ##
pbx1 etc #
No, I haven't changed anything. I just added those because I know iptables.
Kristian Kielhofner wrote:
> Barry,
>
> Unless you specifically changed the iptables configuration (or have
> your interface misconfigured), traffic for any of the internal
> interfaces should always be allowed. Please do "service iptables
> restart" and send me the output of the following:
>
> iptables -L -v
> iptables -L FORWARD -v
>
> cat /etc/rc.conf
>
> --
> Kristian Kielhofner
> _______________________________________________
> Astlinux-users mailing list
> [email protected]
> http://lists.kriscompanies.com/mailman/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to [EMAIL PROTECTED]
>
>
>
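As an added check (not part of the thread or of AstLinux itself), the script below reconciles the posted rc.conf's EXTOPEN value ("t122 u5060", with t= tcp and u= udp) against the INPUT chain shown by `iptables -L -v`: it flags ports accepted on EXTIF that EXTOPEN does not list, EXTOPEN entries with no matching rule, and whether the chain still ends in a catch-all DROP. The chain text is a constructed copy of the page's output; it assumes numeric ports as printed there (run `iptables -L -v -n` to avoid service names).

```python
import re

# Constructed sample input, copied from the posted rc.conf and iptables output.
EXTIF = "eth0"
EXTOPEN = "t122 u5060"
INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
 pkts bytes target prot opt in  out source   destination
    0     0 ACCEPT all  -- lo   any anywhere anywhere
   29  1940 ACCEPT all  -- eth1 any anywhere anywhere
    0     0 ACCEPT all  -- eth2 any anywhere anywhere
    0     0 ACCEPT all  -- any  any anywhere anywhere state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  -- eth0 any anywhere anywhere state NEW tcp dpt:122
    0     0 ACCEPT udp  -- eth0 any anywhere anywhere state NEW udp dpt:5060
    0     0 DROP   all  -- any  any anywhere anywhere
"""

PROTO = {"t": "tcp", "u": "udp"}  # EXTOPEN prefix letters used by astfw

def parse_extopen(value):
    """Turn an EXTOPEN string such as 't122 u5060' into {('tcp', 122), ('udp', 5060)}."""
    opened = set()
    for tok in value.split():
        m = re.fullmatch(r"([tu])(\d+)", tok)
        if not m:
            raise ValueError("bad EXTOPEN entry: %r" % tok)
        opened.add((PROTO[m.group(1)], int(m.group(2))))
    return opened

def parse_chain(text):
    """Parse the rule lines of one `iptables -L -v` chain (the two header lines are skipped)."""
    rules = []
    for line in text.splitlines()[2:]:
        f = line.split()
        rule = {"target": f[2], "proto": f[3], "in": f[5], "out": f[6]}
        m = re.search(r"dpt:(\d+)", line)
        rule["dport"] = int(m.group(1)) if m else None
        rules.append(rule)
    return rules

def audit(extif, extopen, chain_text):
    """Compare what EXTOPEN asks for with what the INPUT chain actually accepts on extif."""
    rules = parse_chain(chain_text)
    wanted = parse_extopen(extopen)
    actual = {(r["proto"], r["dport"]) for r in rules
              if r["target"] == "ACCEPT" and r["in"] == extif and r["dport"] is not None}
    last = rules[-1]
    return {
        "unexpected": sorted(actual - wanted),   # open on extif but not in EXTOPEN
        "missing": sorted(wanted - actual),      # in EXTOPEN but no ACCEPT rule
        "default_drop": last["target"] == "DROP" and last["in"] == "any",
    }

if __name__ == "__main__":
    print(audit(EXTIF, EXTOPEN, INPUT_CHAIN))
```

On the page's own output this reports nothing unexpected or missing and confirms the trailing DROP, which is why Kristian's point stands: the internal interfaces (eth1, eth2) are accepted unconditionally, so the firewall is not what blocks them.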