I’ve been trying to set up a remote site with Asterisk and link up with the Cisco CallManager box at our store via a VPN. Initially, I was using FreeBSD 7.1 and I got everything working as it should on my LAN, but was unable to get the vpnc client to connect to our Cisco VPN 3000 concentrator.
I then downloaded and installed AsteriskNow, but am having what I believe are firewall troubles. I used to use Linux all the time, but have since learned more about BSD and learned to hate iptables in favor of pf. However, there is no pf in Linux. There is a pf4lin port, but it appears to be abandoned because the site referenced by Google and other pages cannot be found. When I was running Asterisk on FreeBSD, I had lots of security inbound from the internet and yet there were no problems with that part of it. (I figured I’d have several hours of tweaking rules, but it was almost plug-and-go.)
Basically, I’m going to have a machine with two NICs. One is going to be connected to the Internet and therefore needs a good security policy. However, this is also the link through which the VPN runs, so it needs to allow access through for incoming/outgoing calls and voice traffic. The other is going to be connected to a switch and a few IP phones and computers at the remote site. This doesn’t require nearly as much security, but will need to forward traffic out the other to the internet and our network.
I dug up an old firewall script that’s in use to provide masquerading on our corporate network. I built it back in 2003 and used many variables so that I could change it quickly and easily to accommodate different network segments, IPs, extra NICs, forwarded ports, etc, all by simply changing variables and not having to delve into the rules themselves. (Not that I detested writing the rules to begin with… ) I added some rules I found when searching, but they have had no effect on the problems I’m experiencing.
I’d like some assistance with this if possible. Currently, I have the phones registering with Asterisk and able to call extensions, but extensions are not able to call in. Further, when I call an extension, there’s only audio one-way - audio going from the store phone to the asterisk phone is silence. Lastly, I do not believe the firewall on the external interface to be all that secure - as you can see below, virtually everything is ACCEPTed.
In this list, I’ve replaced my public IP with 123.123.123.123. The local segment is 192.168.175.1/24.
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:sip
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
ACCEPT all -- localhost.localdomain anywhere state NEW
ACCEPT all -- 123.123.123.0/24 anywhere state NEW
ACCEPT all -- 192.168.175.0/24 anywhere state NEW
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- 123.123.123.0/24 anywhere
ACCEPT all -- 192.168.175.0/24 anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- 123.123.123.0/24 anywhere
ACCEPT all -- 192.168.175.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
all -- !192.168.175.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I started a thread about the vpnc problem on FreeBSD, but have been unable to find a solution. If somebody has ideas on how to make that work instead, I’d be happy to explore them. (I’ve got a second hard drive with BSD still installed on it.) It really doesn’t matter to me whether I use BSD or Linux, even though I prefer BSD, as long as the system works as I want it to.
Our first off-site sale of the year is coming up in a couple weeks and I need to get a system functional, but it seems like every time I solve one problem, I run into a brick wall with something I never considered.
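Added example, not from the post above: a variable-driven iptables script for the two-NIC layout the poster describes (internet NIC carrying a vpnc tunnel to the concentrator, LAN NIC serving the phones), with a default-deny INPUT and FORWARD policy instead of the ACCEPT-everything ruleset shown. The interface names (eth0, eth1, the tun0 that vpnc brings up), the concentrator address 203.0.113.10, the SIP port 5060 and the RTP range 10000:20000 are all assumptions to be replaced with the real values; only the 192.168.175.0/24 segment comes from the post. The script prints the commands it would run unless DRY_RUN=0 is set, so it can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example (not the poster's script): two-NIC Asterisk gateway firewall.
# Every value below is an assumption; set the variables to match your box.
EXT_IF=${EXT_IF:-eth0}                  # NIC facing the internet
INT_IF=${INT_IF:-eth1}                  # NIC facing the remote-site switch
VPN_IF=${VPN_IF:-tun0}                  # interface vpnc brings up
LAN_NET=${LAN_NET:-192.168.175.0/24}    # remote-site segment (from the post)
VPN_PEER=${VPN_PEER:-203.0.113.10}      # concentrator's public IP (placeholder)
SIP_PORT=${SIP_PORT:-5060}
RTP_RANGE=${RTP_RANGE:-10000:20000}     # must match rtpstart/rtpend in rtp.conf
DRY_RUN=${DRY_RUN:-1}                   # 1 = print commands, 0 = execute as root

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}
ipt() { run iptables "$@"; }

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    ipt -F
    ipt -t nat -F
    ipt -X

    # Default deny for traffic to and through the box. The box itself may
    # originate anything (Asterisk, vpnc, DNS, NTP), so OUTPUT stays open.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Anti-spoofing: packets claiming to be from the LAN never arrive on the
    # internet NIC.
    ipt -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP

    # Loopback, replies to connections the box opened, and invalid junk.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # The remote-site LAN is trusted: the phones register to Asterisk here.
    ipt -A INPUT -i "$INT_IF" -s "$LAN_NET" -j ACCEPT

    # On the internet NIC accept only what vpnc needs, and only from the
    # concentrator: IKE (UDP 500), NAT-T (UDP 4500) and ESP. If vpnc is
    # configured for Cisco UDP encapsulation instead, open that port here.
    ipt -A INPUT -i "$EXT_IF" -s "$VPN_PEER" -p udp --dport 500 -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -s "$VPN_PEER" -p udp --dport 4500 -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -s "$VPN_PEER" -p esp -j ACCEPT
    # No SIP or RTP on the bare internet side; both ride the tunnel.

    # Inside the tunnel: SIP signalling and the RTP range. Media from the
    # store side arrives as NEW UDP flows, so the RTP rule is what decides
    # whether audio in that direction gets through.
    ipt -A INPUT -i "$VPN_IF" -p udp --dport "$SIP_PORT" -j ACCEPT
    ipt -A INPUT -i "$VPN_IF" -p udp --dport "$RTP_RANGE" -j ACCEPT

    # Forwarding: LAN hosts out to the internet (masqueraded) and into the
    # tunnel (routed as-is, which assumes the concentrator knows LAN_NET),
    # plus the replies. Nothing else transits the box.
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

apply_rules
```

Review the printed commands first, then load them with `DRY_RUN=0 sh firewall.sh` as root. To check that media is actually reaching Asterisk rather than being dropped, watch the per-rule counters in `iptables -L -n -v` and run `tcpdump -ni tun0 udp portrange 10000-20000` during a test call: packets visible in tcpdump but no hits on the RTP rule point at a range mismatch with rtp.conf. The script deliberately does not depend on the kernel's SIP connection-tracking helper (nf_conntrack_sip / ip_conntrack_sip), which rewrites SIP and SDP in transit and is generally more trouble than help on a box that runs Asterisk itself.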