Firewall trouble?

I’ve been trying to set up a remote site with Asterisk and link up with the Cisco CallManager box at our store via a VPN. Initially, I was using FreeBSD 7.1 and I got everything working as it should on my LAN, but was unable to get the vpnc client to connect to our Cisco VPN 3000 concentrator. :frowning:

I then downloaded and installed AsteriskNow, but am having what I believe are firewall troubles. I used to use Linux all the time, but have since learned more about BSD and learned to hate iptables in favor of pf. However, there is no pf in Linux. There is a pf4lin port, but it appears to be abandoned because the site referenced by Google and other pages cannot be found. When I was running Asterisk on FreeBSD, I had lots of security inbound from the internet and yet there were no problems with that part of it. (I figured I’d have several hours of tweaking rules, but it was almost plug-and-go.)

Basically, I’m going to have a machine with two NICs. One is going to be connected to the Internet and therefore needs a good security policy. However, this is also the link through which the VPN runs, so it needs to allow access through for incoming/outgoing calls and voice traffic. The other is going to be connected to a switch and a few IP phones and computers at the remote site. This doesn’t require nearly as much security, but will need to forward traffic out the other to the internet and our network.

I dug up an old firewall script that’s in use to provide masquerading on our corporate network. I built it back in 2003 and used many variables so that I could change it quickly and easily to accommodate different network segments, IPs, extra NICs, forwarded ports, etc, all by simply changing variables and not having to delve into the rules themselves. (Not that I detested writing the rules to begin with… :wink: ) I added some rules I found when searching, but they have had no effect on the problems I’m experiencing.

I’d like some assistance with this if possible. Currently, I have the phones registering with Asterisk and able to call extensions, but extensions are not able to call in. Further, when I call an extension, there’s only audio one-way - audio going from the store phone to the Asterisk phone is silence. Lastly, I do not believe the firewall on the external interface to be all that secure - as you can see below, virtually everything is ACCEPTed.

In this list, I’ve replaced my public IP with 123.123.123.123. The local segment is 192.168.175.1/24.

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:sip
ACCEPT     udp  --  anywhere             anywhere            udp dpts:ndmp:dnp
ACCEPT     all  --  localhost.localdomain  anywhere          state NEW
ACCEPT     all  --  123.123.123.0/24     anywhere            state NEW
ACCEPT     all  --  192.168.175.0/24     anywhere            state NEW
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  123.123.123.0/24     anywhere
ACCEPT     all  --  192.168.175.0/24     anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  123.123.123.0/24     anywhere
ACCEPT     all  --  192.168.175.0/24     anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
           all  -- !192.168.175.0/24     anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source              destination

I started a thread about the vpnc problem on FreeBSD, but have been unable to find a solution. If somebody has ideas on how to make that work instead, I’d be happy to explore them. (I’ve got a second hard drive with BSD still installed on.) It really doesn’t matter to me whether I use BSD or Linux, even though I prefer BSD, as long as the system works as I want it to.

Our first off-site sale of the year is coming up in a couple weeks and I need to get a system functional, but it seems like every time I solve one problem, I run into a brick wall with something I never considered.
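The two-NIC layout described above (Internet-facing NIC carrying the VPN, inside NIC for phones and PCs, SIP and RTP only needed from the CallManager side) maps to a short default-deny ruleset. The script below is an added example, not the poster's own script or anything from AsteriskNow; the interface names, the VPN peer network and the RTP port range are assumptions to be changed to match the site.

```shell
#!/bin/sh
# Added example, not the poster's script: a default-deny ruleset for the
# two-NIC Asterisk box. Interface names, the VPN peer network and the RTP
# range are assumptions; change the variables to match the site.
EXT_IF="${EXT_IF:-eth0}"                 # assumed: NIC facing the Internet
INT_IF="${INT_IF:-eth1}"                 # assumed: NIC facing phones and PCs
VPN_IF="${VPN_IF:-tun0}"                 # assumed: tunnel interface vpnc creates
LAN_NET="${LAN_NET:-192.168.175.0/24}"   # remote-site segment from the post
VPN_PEER="${VPN_PEER:-10.0.0.0/24}"      # assumed: CallManager side of the VPN
SIP_PORT=5060
RTP_PORTS="${RTP_PORTS:-10000:20000}"    # assumed: rtpstart/rtpend in rtp.conf
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print the commands, 0 = apply them

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    ipt -F; ipt -t nat -F
    # Nothing reaches the box or crosses it unless a rule below says so.
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # The inside segment may reach the box (SIP registration, management).
    ipt -A INPUT -i "$INT_IF" -s "$LAN_NET" -j ACCEPT
    # SIP signalling and RTP media only from the CallManager side of the
    # tunnel, never from the Internet at large. vpnc's own UDP 500/4500
    # session is initiated outbound, so its replies match ESTABLISHED above.
    ipt -A INPUT -i "$VPN_IF" -s "$VPN_PEER" -p udp --dport "$SIP_PORT" -j ACCEPT
    ipt -A INPUT -i "$VPN_IF" -s "$VPN_PEER" -p udp --dport "$RTP_PORTS" -j ACCEPT
    # Inside hosts may go out to the Internet and across the VPN; only
    # replies come back in. Both paths are masqueraded behind this box.
    for OUT_IF in "$EXT_IF" "$VPN_IF"; do
        ipt -A FORWARD -i "$INT_IF" -o "$OUT_IF" -s "$LAN_NET" -j ACCEPT
        ipt -A FORWARD -i "$OUT_IF" -o "$INT_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
        ipt -t nat -A POSTROUTING -o "$OUT_IF" -s "$LAN_NET" -j MASQUERADE
    done
    # Rate-limited log of whatever the policy is about to drop: an RTP range
    # that is narrower than Asterisk actually uses shows up here as dropped
    # UDP from the VPN peer, which is the classic one-way-audio symptom.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ipt-drop: "
}

# "show" prints the rules without touching the kernel; "apply" installs them.
case "${1:-}" in
    show)  DRY_RUN=1; apply_rules ;;
    apply) apply_rules ;;
esac
```

Run it with `show` first and compare the printed rules against `iptables -L -n -v` after `apply`; if the tunnel negotiates plain ESP instead of UDP encapsulation, the drop log is where protocol 50 from the concentrator would surface.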

Now I’m not so sure it’s a firewall problem… I disabled iptables and still have the same symptoms - I can dial from Asterisk to Cisco without a problem but cannot get from Cisco to Asterisk. Likewise, audio is able to get from Asterisk to Cisco, but not from Cisco to Asterisk.

I’m as certain as I can be that the Cisco box is working as it should in regards to the uplink between the two; it works perfectly running under FreeBSD and has not been changed since. (Only difference is that I’m running Asterisk installed from AsteriskNow instead of from the FreeBSD ports system.)

I’m honestly at a loss to explain it… anybody else ever experience something like this or have ideas of what I could try?

This is interesting… with iptables disabled completely, I ran a port scan of the Asterisk box. Port 5060 (sip) is not open! That would probably explain why I’m unable to place a call to the Asterisk phones and why there’s one-way audio.

I used a default install of AsteriskNow and simply added the items to extensions.conf and sip.conf for the IP phone and Call Manager. Why would it not be listening on 5060 for incoming SIP connections?

Figured the problem out, sort of. I shut down, swapped drives, copied the extensions.conf and sip.conf from my FreeBSD install onto a thumb drive, shut down, swapped drives back, overwrote extensions.conf and sip.conf on AsteriskNow with the ones from the thumb drive, and the problems are gone. I can dial from Cisco phones to Asterisk phones and have two-way audio. Dunno what the problem was, but I’m not going to argue with it. :smiley:

I’m now going to try to build a decent firewall and then run things through the VPN… wish me luck!