[Asterisk-Users] Re: IPTABLES Firewall
CuPoTKa
cupotka at gamcall.co.il
Wed Apr 6 07:18:20 MST 2005
Matt wrote:
> I'll elaborate slightly more... the wiki says:
>
> # SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
> iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
> # IAX2- the IAX protocol
> iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
> # IAX - most have switched to IAX v2, or ought to
> iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
> # RTP - the media stream
> iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
> # MGCP - if you use media gateway control protocol in your configuration
> iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT
>
>
> However.. I've seen phones connect on what appears to be ports OTHER
> than 5060.. example:
> 301/301 (Unspecified) D 255.255.255.255 0 Unmonitored
> 300/300 (Unspecified) D 255.255.255.255 0 Unmonitored
> 204/204 65.173.xx.xx D 255.255.255.255 5060 Unmonitored
> 203/203 (Unspecified) D 255.255.255.255 0 Unmonitored
> 202/202 63.174.xx.xx D 255.255.255.255 5060 Unmonitored
> 201/201 65.173.xx.xx D 255.255.255.255 18515 Unmonitored
> 200/200 (Unspecified) D 255.255.255.255 0 Unmonitored
>
>
> So like extension 201 which is on 18515... is that going to still work?

They connect from port 18515 (or any port) to Asterisk port 5060, so
this rule

iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT

is still OK.
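
Added example, not part of the original post or the wiki: a small evaluator for the quoted wiki rules, showing that --dport matches only the destination port, so the peer's source port (18515 for extension 201) plays no part in the verdict. The default DROP policy and the sample packets are assumptions constructed for illustration.

```python
import shlex

# The wiki rules quoted in the post, verbatim.
WIKI_RULES = """\
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT
"""

def parse_rule(line):
    """Extract protocol, destination-port range and target from one rule line."""
    args = shlex.split(line)
    opt = {args[i]: args[i + 1] for i in range(len(args) - 1)
           if args[i].startswith("-")}
    lo, _, hi = opt["--dport"].partition(":")
    return {"proto": opt["-p"], "dport": (int(lo), int(hi or lo)),
            "target": opt["-j"]}

def verdict(rules, proto, sport, dport, policy="DROP"):
    """First matching rule wins. sport is taken as an argument but never
    compared, because none of these rules contains a --sport match."""
    for rule in rules:
        lo, hi = rule["dport"]
        if rule["proto"] == proto and lo <= dport <= hi:
            return rule["target"]
    return policy  # assumed default policy; the post does not state it

RULES = [parse_rule(l) for l in WIKI_RULES.splitlines() if l.strip()]

# Constructed packets: (description, protocol, source port, destination port)
PACKETS = [
    ("ext 204, source port 5060", "udp", 5060, 5060),
    ("ext 201, source port 18515", "udp", 18515, 5060),
    ("UDP to a port no rule names", "udp", 5060, 5061),
    ("SIP over TCP (no TCP rule in the list)", "tcp", 40000, 5060),
]

if __name__ == "__main__":
    for desc, proto, sport, dport in PACKETS:
        result = verdict(RULES, proto, sport, dport)
        print(f"{desc:40} {proto} {sport}->{dport}: {result}")
```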