[asterisk-users] (Newbie) How to reduce security risks in opening IAX & SIP ports

Raj Jain rj2807 at gmail.com
Tue May 20 06:37:08 CDT 2008


On Tue, May 20, 2008 at 7:11 AM, Tzafrir Cohen <tzafrir.cohen at xorcom.com> wrote:
>
> On Tue, May 20, 2008 at 06:46:49AM -0400, Raj Jain wrote:
> > One way to make the system more secure would be by not opening these ports
> > statically in Linux iptables. I have not tested this, but Linux iptables
> > have shipped with ip_nat_sip and ip_conntrack_sip modules since kernel
> > version 2.6.18. With these modules, Linux iptables will act as a SIP-aware
> > NAT that opens the ports dynamically depending on what's exchanged in the
> > signaling.
>
> Err... and if you want to allow someone to connect to UDP port 5060 of
> your box, what iptables trick should you use?

My comment was about RTP/RTCP ports (I should have been clearer). SIP
signaling ports will have to be opened statically. Although, for added
security you could open the port as symmetric if you know the ip/port
of "someone" that wants to connect to you as opposed to opening it in
a full-cone way. Also, I'm curious as to what experience others have
had with ip_nat_sip and ip_conntrack_sip modules. Do they really work?

--
Raj Jain
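As an added illustration of the approach Raj describes (not code from the thread or from the Asterisk project), the following POSIX shell script builds an iptables ruleset that opens the SIP signalling port only to known peer addresses ("symmetric" rather than full-cone) and leaves RTP/RTCP to the kernel's SIP conntrack helper instead of a static port range. The peer addresses are constructed placeholders, the IAX2 port 4569 is included because the subject line mentions IAX, and the explicit `-j CT --helper sip` rule is there because kernels from 4.7 onward no longer attach conntrack helpers automatically. By default the script only prints the rules; set `APPLY=1` to execute them as root with `nf_conntrack_sip` loaded.

```shell
#!/bin/sh
# Added example (not from the original thread): generate an iptables ruleset
# that opens SIP/IAX signalling only to known peers and relies on the kernel's
# SIP conntrack helper (nf_conntrack_sip, formerly ip_conntrack_sip) to open
# RTP/RTCP ports dynamically. Peer addresses are constructed placeholders.
# Set APPLY=1 to execute the rules; by default they are only printed.

SIP_PORT=5060
IAX_PORT=4569
# Constructed sample peers: one SIP trunk provider and one remote branch PBX.
SIP_PEERS="203.0.113.10 198.51.100.25"

# emit_rule: print an iptables rule, and run it when APPLY=1
emit_rule() {
    echo "iptables $*"
    [ "${APPLY:-0}" = "1" ] && iptables "$@"
    return 0
}

# sip_firewall_rules: emit the complete ruleset
sip_firewall_rules() {
    # Kernels >= 4.7 do not attach conntrack helpers automatically; assign the
    # SIP helper explicitly so the media flows it predicts get RELATED state.
    emit_rule -t raw -A PREROUTING -p udp --dport "$SIP_PORT" -j CT --helper sip

    # Return traffic and helper-predicted RTP/RTCP flows (RELATED) are accepted,
    # so no static RTP range such as 10000-20000/udp needs to be opened.
    emit_rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # "Symmetric" opening: signalling ports accept traffic only from known peers.
    # IAX2 carries media on the same UDP port, so it needs no helper.
    for peer in $SIP_PEERS; do
        emit_rule -A INPUT -p udp -s "$peer" --dport "$SIP_PORT" -j ACCEPT
        emit_rule -A INPUT -p udp -s "$peer" --dport "$IAX_PORT" -j ACCEPT
    done

    # Anything else aimed at the signalling ports is dropped. The full-cone
    # alternative would be a single "-p udp --dport 5060 -j ACCEPT" with no -s.
    emit_rule -A INPUT -p udp -m multiport --dports "$SIP_PORT,$IAX_PORT" -j DROP
}

# sip_rule_count: number of rules the ruleset contains (for a quick sanity check)
sip_rule_count() {
    sip_firewall_rules | wc -l | tr -d ' '
}

sip_firewall_rules
```

Run it once without `APPLY` to review the rules, then with `APPLY=1` after `modprobe nf_conntrack_sip`. Check with `conntrack -L` (or `/proc/net/nf_conntrack`) during a call that the RTP flows appear as expected entries; if they do not, the helper is not tracking the dialog and the RELATED rule will silently drop the media.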


