[Asterisk-Users] Asterisk iptables rules

Goran Tornqvist goran at goran.aleborg.se
Wed Nov 2 00:16:11 MST 2005


The simple solution was that I was missing:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Which caused replies to outgoing traffic to be stopped in the firewall...

So the problem wasn't really related to asterisk at all...doh!!!!
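An added example, not part of this thread, that models why the state rule matters: a toy connection tracker and the script's INPUT chain, fed the outgoing SIP packet Steve describes plus constructed DNS and HTTP flows, with and without the ESTABLISHED,RELATED rule. The addresses and ephemeral ports are made up, and the source-restricted SNMP rule is left out of the model.

```python
from collections import namedtuple

# Constructed packet model; iptables and the kernel conntrack table are simulated.
Packet = namedtuple("Packet", "proto src sport dst dport")

# Ports the original script opens on INPUT (SIP, IAX2, MGCP, RTP; SSH, Samba, etc.).
OPEN_UDP = {5060, 4569, 5036, 2727, 3306} | set(range(10000, 20001))
OPEN_TCP = {22, 139, 445, 5060, 3306, 21, 80, 10000} | set(range(64785, 64800))

class Conntrack:
    """Stand-in for the kernel connection tracker: remember the 5-tuple of
    every packet the box sent and classify the reverse tuple as ESTABLISHED."""
    def __init__(self):
        self.flows = set()

    def note_outgoing(self, p):
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def state(self, p):
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if reverse in self.flows else "NEW"

def input_chain(p, ct, stateful):
    """Walk the INPUT chain in the script's rule order; return ACCEPT or DROP."""
    if stateful and ct.state(p) == "ESTABLISHED":   # the rule that was missing
        return "ACCEPT"
    if p.proto == "icmp":                            # -p icmp -j ACCEPT
        return "ACCEPT"
    if p.proto == "udp" and p.dport in OPEN_UDP:
        return "ACCEPT"
    if p.proto == "tcp" and p.dport in OPEN_TCP:
        return "ACCEPT"
    return "DROP"                                    # -p all -i eth0 -j DROP

def reply_verdicts(stateful):
    """Send the outgoing packets the thread talks about, then check their replies."""
    ct = Conntrack()
    box, peer = "192.0.2.10", "198.51.100.5"         # constructed addresses
    outgoing = {
        "sip": Packet("udp", box, 2345, peer, 5060),  # Steve's sport/dport example
        "dns": Packet("udp", box, 40001, peer, 53),   # name resolving
        "http": Packet("tcp", box, 40002, peer, 80),  # http
    }
    verdicts = {}
    for name, pkt in outgoing.items():
        ct.note_outgoing(pkt)
        reply = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        verdicts[name] = input_chain(reply, ct, stateful)
    return verdicts
```

Without the state rule every reply lands on an ephemeral destination port that no ACCEPT rule covers and falls through to the final DROP, which is exactly the "nothing except ICMP works" symptom.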

----- Original Message ----- 
From: "Goran Tornqvist" <goran at goran.aleborg.se>
To: "Asterisk Users Mailing List - Non-Commercial Discussion" 
<asterisk-users at lists.digium.com>
Sent: Friday, October 28, 2005 9:52 AM
Subject: Re: [Asterisk-Users] Asterisk iptables rules


> Hello,
> After further checking I found that when activating the firewall no 
> traffic is allowed OUT from the box.
> Name resolving, http, nothing except ICMP works, even though I added:
>
> iptables -A OUTPUT -p all -j ACCEPT
>
> So I think it's not related to asterisk at all, rather some iptables config 
> problem...
> I'll see if I can fix that problem first...that's maybe the reason why it 
> doesn't work.
>
> Thanks for your help anyway...
>
> Best Regards
> Goran
>
> ----- Original Message ----- 
> From: "Steve Davies" <davies147 at gmail.com>
> To: "Asterisk Users Mailing List - Non-Commercial Discussion" 
> <asterisk-users at lists.digium.com>
> Sent: Thursday, October 27, 2005 12:10 PM
> Subject: Re: [Asterisk-Users] Asterisk iptables rules
>
>
> I would suggest that you are missing something like:
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
>
> This will mean that if a UDP packet is sent by * from sport:2345,
> dport:5060, then the response (sport:5060, dport:2345) will be allowed
> in, whereas at present that is not the case. I cannot say whether this
> type of packet will ever be sent, but I always include the rule for
> completeness.
>
> Alternatively, add a "LOG" rule, just before the DROP rule, and see
> what is being dropped...
>
> Regards,
> Steve
>
> On 10/27/05, Goran Tornqvist <goran at goran.aleborg.se> wrote:
>>
>> One last check...won't ask again, promise :)
>> Does someone know a solution to my problem below?
>>
>> Best Regards
>> Goran
>>
>> ----- Original Message -----
>> From: Goran Tornqvist
>> To: asterisk-users at lists.digium.com
>> Sent: Wednesday, October 26, 2005 10:33 AM
>> Subject: Asterisk iptables rules
>>
>>
>> Hello,
>> I have trouble getting asterisk to work with my new firewall script (see
>> below).
>> I used this info as base:
>> http://www.voip-info.org/wiki-Asterisk+firewall+rules
>> And then modified it to suit my needs.
>>
>> I use only SIP and the problem is that the calls get into asterisk when 
>> the firewall is activated.
>> But my agents/phones can't register or receive any calls. So all calls get
>> stuck in queue on asterisk.
>> So I believe I'm missing some rule perhaps?
>>
>> Can anyone help me sort this out?
>>
>> Thanks...
>>
>> Best Regards
>> Goran
>>
>> /etc/init.d/firewall
>> ======================================
>>
>> #IPTables firewall configuration for X
>>
>> export PATH=$PATH:/sbin
>>
>> case "$1" in
>>   start)
>>
>>     echo "Starting iptables firewall..."
>>
>>     iptables --flush
>>     iptables --delete-chain
>>
>>     iptables -A INPUT -p icmp -i eth0 -j ACCEPT
>>
>>     # START OPEN PORTS
>>     #=================
>>
>>     #SSH (22)
>>     iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
>>
>>     #SAMBA: netbios (139) , microsoft-ds (445)
>>     iptables -A INPUT -p tcp -i eth0 --dport 139 -j ACCEPT
>>     iptables -A INPUT -p tcp -i eth0 --dport 445 -j ACCEPT
>>
>>     #ASTERISK
>>
>>       # SIP (UDP 5060)
>>       iptables -A INPUT -p tcp -m tcp -i eth0 --dport 5060 -j ACCEPT
>>       iptables -A INPUT -p udp -m udp -i eth0 --dport 5060 -j ACCEPT
>>
>>       # IAX2/IAX
>>       iptables -A INPUT -p udp -m udp -i eth0 --dport 4569 -j ACCEPT
>>       iptables -A INPUT -p udp -m udp -i eth0 --dport 5036 -j ACCEPT
>>
>>       # RTP - the media stream
>>       iptables -A INPUT -p udp -m udp -i eth0 --dport 10000:20000 -j ACCEPT
>>
>>       # MGCP - if you use media gateway control protocol in your configuration
>>       iptables -A INPUT -p udp -m udp -i eth0 --dport 2727 -j ACCEPT
>>
>>     #END ASTERISK
>>
>>     #MySQL (3306)
>>     iptables -A INPUT -p tcp -i eth0 --dport 3306 -j ACCEPT
>>     iptables -A INPUT -p udp -i eth0 --dport 3306 -j ACCEPT
>>
>>     #SNMP (161) - Allow from cacti server
>>     iptables -A INPUT -p tcp -i eth0 --dport 161 --source x.x.x.x -j ACCEPT
>>     iptables -A INPUT -p udp -i eth0 --dport 161 --source x.x.x.x -j ACCEPT
>>
>>     #Ftp / Passive ports
>>     iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
>>     iptables -A INPUT -p tcp -i eth0 --dport 64785:64799 -j ACCEPT
>>
>>     #Http / Web
>>     iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
>>
>>     #Webmin (10000)
>>     iptables -A INPUT -p tcp -i eth0 --dport 10000 -j ACCEPT
>>
>>     # END OPEN PORTS
>>     #=================
>>
>>     #Deny everything else
>>     iptables -A INPUT -p all -i eth0 -j DROP
>>
>>     exit 0;
>>     ;;
>>
>>   stop)
>>
>>     echo "Stopping iptables firewall..."
>>     iptables --flush
>>     iptables --delete-chain
>>
>>     exit 0;
>>     ;;
>>
>>   *)
>>     echo "Valid switches: firewall start , firewall stop";
>>
>> esac;
>>
>> _______________________________________________
>> --Bandwidth and Colocation sponsored by Easynews.com --
>>
>> Asterisk-Users mailing list
>> Asterisk-Users at lists.digium.com
>> http://lists.digium.com/mailman/listinfo/asterisk-users
>> To UNSUBSCRIBE or update options visit:
>>
>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>>