IPTables rules for Accel-ppp

In this article I will give an example of IPTables rules for Accel-ppp.

Assume the INPUT chain has the default policy ACCEPT (`iptables -P INPUT ACCEPT`). If the policy is DROP, which is the preferable setup, skip the DROP rules below and add only the ACCEPT rules, since anything not explicitly accepted is already dropped:

Allow DHCP (UDP port 67) only from local networks. The source 0.0.0.0 is required for an L2 network: a client that has no IP address yet sends DHCPDISCOVER from source 0.0.0.0 to the broadcast address 255.255.255.255, so without that rule the initial request is dropped. Later DHCPREQUEST and renewal packets come from the client's assigned address, which the private ranges cover. After loading the rules, check with `iptables -L INPUT -v -n` that the counters on the DHCP rules increase when a client requests an address: a daemon that reads DHCP through an AF_PACKET raw socket sees frames before they reach the INPUT chain, and these rules would then not restrict it.

/sbin/iptables -A INPUT -s 0.0.0.0 -p udp --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -s 10.0.0.0/8 -p udp --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/12 -p udp --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 67 -j DROP

Allow access to the accel-ppp command interface (TCP port 2001, the port accel-cmd connects to) only from the billing host (192.168.2.2) and from the host on which accel-cmd is run (192.168.2.1):

/sbin/iptables -A INPUT -s 192.168.2.2/32 -p tcp --dport 2001 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.2.1/32 -p tcp --dport 2001 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 2001 -j DROP

Let accel-ppp accept RADIUS CoA / PoD (dynamic authorization, RFC 5176) only from the billing host. The protocol runs over UDP port 3799; the TCP rules below are kept only for completeness:

/sbin/iptables -A INPUT -s 192.168.2.2/32 -p tcp --dport 3799 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.2.2/32 -p udp --dport 3799 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3799 -j DROP
/sbin/iptables -A INPUT -p udp --dport 3799 -j DROP
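The three rule groups above, loaded as one re-runnable script. This is an added example written for this article, not code from the article or from the accel-ppp project: the addresses, ports and the ACCEPT/DROP policy logic are the article's, while the chain name `ACCEL_PPP_IN`, the `ipt` and `build_chain` helpers and the `DRY_RUN` switch are assumptions of the example. The rules go into a dedicated chain that is flushed and rebuilt on each run, so re-running the script never duplicates entries, and the DROP rules are added only when the INPUT policy is ACCEPT, exactly as the text above prescribes.

```sh
#!/bin/sh
# Added example for this article, not code from the article itself or from
# the accel-ppp project. Loads the article's rules into a dedicated chain so
# the script can be re-run without duplicating entries. Addresses and ports
# are the article's; the chain name, the ipt/build_chain helpers and the
# DRY_RUN switch are assumptions of this example.
set -eu

BILLING=192.168.2.2                    # billing: CoA/PoD source, also runs accel-cmd
ADMIN=192.168.2.1                      # other host allowed to run accel-cmd
LOCAL_NETS="10.0.0.0/8 172.16.0.0/12"  # networks whose clients may ask for DHCP
CHAIN=ACCEL_PPP_IN                     # hypothetical chain name

# Execute iptables, or with DRY_RUN=1 only print the command. In dry-run
# mode a -C (check) call reports "rule absent", so the printed output is
# exactly what a fresh load would execute.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        [ "$1" = -C ] && return 1
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build the chain. $1 is the INPUT chain policy: with ACCEPT the explicit
# DROP rules from the article are added; with DROP they are left out because
# the policy already rejects anything that is not accepted.
build_chain() {
    policy=$1
    # Create the chain, or flush it if it already exists from an earlier run.
    ipt -N "$CHAIN" 2>/dev/null || ipt -F "$CHAIN"

    # DHCP (UDP 67). A client without an address sends DHCPDISCOVER from
    # 0.0.0.0; later requests come from its assigned address in LOCAL_NETS.
    ipt -A "$CHAIN" -s 0.0.0.0 -p udp --dport 67 -j ACCEPT
    for net in $LOCAL_NETS; do
        ipt -A "$CHAIN" -s "$net" -p udp --dport 67 -j ACCEPT
    done

    # accel-ppp command interface (TCP 2001, used by accel-cmd).
    ipt -A "$CHAIN" -s "$BILLING" -p tcp --dport 2001 -j ACCEPT
    ipt -A "$CHAIN" -s "$ADMIN" -p tcp --dport 2001 -j ACCEPT

    # RADIUS CoA / PoD (RFC 5176 dynamic authorization, UDP 3799).
    ipt -A "$CHAIN" -s "$BILLING" -p udp --dport 3799 -j ACCEPT

    if [ "$policy" = ACCEPT ]; then
        ipt -A "$CHAIN" -p udp --dport 67 -j DROP
        ipt -A "$CHAIN" -p tcp --dport 2001 -j DROP
        ipt -A "$CHAIN" -p udp --dport 3799 -j DROP
    fi

    # Hook the chain into INPUT once, at the top, so it is evaluated before
    # any broader ACCEPT rules that may already be in INPUT.
    ipt -C INPUT -j "$CHAIN" 2>/dev/null || ipt -I INPUT 1 -j "$CHAIN"
}

# Usage:  DRY_RUN=1 sh accel-iptables.sh ACCEPT   # print the rule set for review
#         sh accel-iptables.sh DROP               # apply it (as root, INPUT policy DROP)
case "${1:-}" in
    ACCEPT|DROP) build_chain "$1" ;;
esac
```

Run it first with `DRY_RUN=1` to review the generated commands, then as root with the policy your INPUT chain actually has. Afterwards `iptables -L ACCEL_PPP_IN -v -n` shows per-rule packet counters, which is the quickest way to confirm that DHCP, accel-cmd and CoA traffic is matching the rule you expect rather than falling through to the policy.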
