[Asterisk-Users] Asterisk iptables rules

Goran Tornqvist goran at goran.aleborg.se
Fri Oct 28 01:52:47 MST 2005


Hello,
After further checking I found that when activating the firewall no traffic
is allowed OUT from the box.
Name resolving, HTTP, nothing except ICMP works, even though I added:

iptables -A OUTPUT -p all -j ACCEPT

So I think it's not related to Asterisk at all, rather some iptables config
problem...
I'll see if I can fix that problem first... that's maybe the reason why it
doesn't work.

Thanks for your help anyway...

Best Regards
Goran

----- Original Message ----- 
From: "Steve Davies" <davies147 at gmail.com>
To: "Asterisk Users Mailing List - Non-Commercial Discussion" 
<asterisk-users at lists.digium.com>
Sent: Thursday, October 27, 2005 12:10 PM
Subject: Re: [Asterisk-Users] Asterisk iptables rules


I would suggest that you are missing something like:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT

This will mean that if a UDP packet is sent by * from sport:2345,
dport:5060, then the response (sport:5060, dport:2345) will be allowed
in, whereas at present that is not the case. I cannot say whether this
type of packet will ever be sent, but I always include the rule for
completeness.

Alternatively, add a "LOG" rule, just before the DROP rule, and see
what is being dropped...

Regards,
Steve

On 10/27/05, Goran Tornqvist <goran at goran.aleborg.se> wrote:
>
> One last check...won't ask again, promise :)
> Does someone know a solution to my problem below?
>
> Best Regards
> Goran
>
> ----- Original Message -----
> From: Goran Tornqvist
> To: asterisk-users at lists.digium.com
> Sent: Wednesday, October 26, 2005 10:33 AM
> Subject: Asterisk iptables rules
>
>
> Hello,
> I have trouble getting Asterisk to work with my new firewall script (see
> below).
> I used this info as base:
> http://www.voip-info.org/wiki-Asterisk+firewall+rules
> And then modified it to suit my needs.
>
> I use only SIP and the problem is that the calls get in to Asterisk when
> the firewall is activated.
> But my agents/phones can't register or receive any calls. So all calls get
> stuck in queue on Asterisk.
> So I believe I'm missing some rule perhaps?
>
> Can anyone help me sort this out?
>
> Thanks...
>
> Best Regards
> Goran
>
> /etc/init.d/firewall
> ======================================
>
> #IPTables firewall configuration for X
>
> export PATH=$PATH:/sbin
>
> case "$1" in
>   start)
>
>     echo "Starting iptables firewall..."
>
>     iptables --flush
>     iptables --delete-chain
>
>     iptables -A INPUT -p icmp -i eth0 -j ACCEPT
>
>     # START OPEN PORTS
>     #=================
>
>     #SSH (22)
>     iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
>
>     #SAMBA: netbios (139) , microsoft-ds (445)
>     iptables -A INPUT -p tcp -i eth0 --dport 139 -j ACCEPT
>     iptables -A INPUT -p tcp -i eth0 --dport 445 -j ACCEPT
>
>     #ASTERISK
>
>       # SIP (UDP 5060)
>       iptables -A INPUT -p tcp -m tcp -i eth0 --dport 5060 -j ACCEPT
>       iptables -A INPUT -p udp -m udp -i eth0 --dport 5060 -j ACCEPT
>
>       # IAX2/IAX
>       iptables -A INPUT -p udp -m udp -i eth0 --dport 4569 -j ACCEPT
>       iptables -A INPUT -p udp -m udp -i eth0 --dport 5036 -j ACCEPT
>
>       # RTP - the media stream
>       iptables -A INPUT -p udp -m udp -i eth0 --dport 10000:20000 -j ACCEPT
>
>       # MGCP - if you use media gateway control protocol in your configuration
>       iptables -A INPUT -p udp -m udp -i eth0 --dport 2727 -j ACCEPT
>
>     #END ASTERISK
>
>     #MySQL (3306)
>     iptables -A INPUT -p tcp -i eth0 --dport 3306 -j ACCEPT
>     iptables -A INPUT -p udp -i eth0 --dport 3306 -j ACCEPT
>
>     #SNMP (161) - Allow from cacti server
>     iptables -A INPUT -p tcp -i eth0 --dport 161 --source x.x.x.x -j ACCEPT
>     iptables -A INPUT -p udp -i eth0 --dport 161 --source x.x.x.x -j ACCEPT
>
>     #Ftp / Passive ports
>     iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
>     iptables -A INPUT -p tcp -i eth0 --dport 64785:64799 -j ACCEPT
>
>     #Http / Web
>     iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
>
>     #Webmin (10000)
>     iptables -A INPUT -p tcp -i eth0 --dport 10000 -j ACCEPT
>
>     # END OPEN PORTS
>     #=================
>
>     #Deny everything else
>     iptables -A INPUT -p all -i eth0 -j DROP
>
>     exit 0;
>     ;;
>
>   stop)
>
>     echo "Stopping iptables firewall..."
>     iptables --flush
>     iptables --delete-chain
>
>     exit 0;
>     ;;
>
>   *)
>     echo "Valid switches: firewall start , firewall stop";
>
> esac;
>
_______________________________________________
--Bandwidth and Colocation sponsored by Easynews.com --

Asterisk-Users mailing list
Asterisk-Users at lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
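As an added example (not the script from the thread, and not Steve's or Goran's code), this is the shape of the rule set Steve describes: the stateful ESTABLISHED,RELATED rule ahead of the per-port ACCEPTs, so replies to the box's own outbound DNS/HTTP/SIP traffic get back in, and a rate-limited LOG rule directly before the final DROP so whatever the phones send that matches no ACCEPT shows up in the kernel log. IPT, WAN, apply_rules and clear_rules are assumed names; the example is narrowed to SSH, SIP and RTP and omits the IAX, MySQL, SNMP, FTP, HTTP and Webmin openings of the original script.

```shell
#!/bin/sh
# Constructed example, not the script from the thread: a stateful INPUT policy
# for a SIP-only Asterisk box. IPT and WAN are assumed names; set IPT=echo to
# dry-run (print the rules instead of loading them, which needs root on Linux).
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"

apply_rules() {
    $IPT --flush
    $IPT --delete-chain
    # Default policies: unsolicited inbound is dropped, outbound is allowed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, then replies to traffic this host initiated. Without this rule
    # DNS answers and HTTP responses are inbound packets that fall through to
    # the final DROP, which looks like "nothing gets out".
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    $IPT -A INPUT -p icmp -i "$WAN" -j ACCEPT
    $IPT -A INPUT -p tcp -i "$WAN" --dport 22 -j ACCEPT

    # SIP signalling and the RTP media range (Asterisk's default rtp.conf range).
    $IPT -A INPUT -p udp -i "$WAN" --dport 5060 -j ACCEPT
    $IPT -A INPUT -p udp -i "$WAN" --dport 10000:20000 -j ACCEPT

    # Log what is about to be dropped (rate-limited so the log cannot be
    # flooded), then drop; grep FW-DROP in the kernel log to see what never
    # matched an ACCEPT rule.
    $IPT -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A INPUT -i "$WAN" -j DROP
}

clear_rules() {
    $IPT --flush
    $IPT --delete-chain
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

case "${1:-}" in
    start) echo "Starting iptables firewall..."; apply_rules ;;
    stop)  echo "Stopping iptables firewall...";  clear_rules ;;
    *)     echo "Usage: $0 start|stop" ;;
esac
```

Run with `IPT=echo sh firewall start` first to review the generated rule order before loading it for real.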