[asterisk-users] iptables mess up phone calls if not used properly

Jonathan Thurman jonathan at thurmantech.com
Tue Apr 13 15:38:22 CDT 2010


On Tue, Apr 13, 2010 at 11:17 AM, khalid touati <khalidtouati at gmail.com> wrote:
> Hi Guys,
> I wanted to share this with you and ask for a little help at the same time:
> I used iptables to secure my server, so I went ahead and blocked everything
> except a couple of domain protocols and UDP ports of SIP, IAX2 and that
> range 15000 to 20000, tested it and OK. When in production, the calls were
> taking a huge time 7s to be established and sometimes after call setup people
> cannot hear each other (but not all the time, which is weird), so iptables can
> mess up performance if not set correctly (even if it's working, stuff like
> this can happen). So if anybody has some lines of iptables that secure the
> server and don't cause performance trouble to phone calls please share with
> me (I am using CentOS 5.3 asterisk 1.4.24).

You don't need to open up all of the UDP ports like that if you enable
connection tracking for sip.  Of course you don't say how many ongoing
sessions you are using, but I haven't had any issues with connection
tracking for SIP.  All of this is based on INBOUND connections to the
server, but make sure you are allowing OUTBOUND connections too.

Here are some changes for an example that is NOT complete and you can
use AT YOUR OWN RISK.  Make sure you have something like this in the
following files.  Notice that this does not restrict who can talk to
your server either, and only covers IAX/SIP.  This is based on CentOS
5.4.

/etc/sysconfig/iptables:

# Anything we already know about
-A Fwall-IN -m state --state ESTABLISHED,RELATED -j ACCEPT

# IAX
-A Fwall-IN -m state --state NEW -m udp -p udp --dport 4569 -j ACCEPT

# SIP
-A Fwall-IN -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT
-A Fwall-IN -m state --state NEW -m tcp -p tcp --dport 5060 -j ACCEPT

/etc/sysconfig/iptables-config:

IPTABLES_MODULES="ip_conntrack_sip"

If you need more specifics, you will have to post your iptables
configuration for some more advice.

-Jonathan
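The fragment above only shows the three rules in the custom chain. As an added example, not part of Jonathan's reply, here is a complete, minimal iptables-save style ruleset built around that same Fwall-IN chain, with the pieces the fragment leaves out (the jump from INPUT, loopback, a final REJECT with rate-limited logging so dropped media shows up in the log), plus a small check that the ESTABLISHED,RELATED rule sits before the NEW rules. That ordering is the point of the conntrack approach: once ip_conntrack_sip has parsed the SDP of a call, the RTP packets arrive as RELATED and are accepted by the first rule, so the 15000-20000 range from the original question never has to be opened by hand. The chain name, the loopback rule and the log prefix are this example's choices; the RTP range and ports come from the thread.

```shell
#!/bin/sh
# Added example (not from the list post): emit a complete iptables-save
# style ruleset around the Fwall-IN chain from the thread, then check
# that the ESTABLISHED,RELATED accept precedes every --state NEW rule.
# Assumption: RTP (15000-20000 in the original question) is admitted only
# as RELATED traffic via the SIP conntrack helper, never opened directly.

gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Fwall-IN - [0:0]
# Hand every inbound packet to the custom chain
-A INPUT -j Fwall-IN
# Loopback (local resolver, Asterisk manager/CLI sockets, and so on)
-A Fwall-IN -i lo -j ACCEPT
# Anything we already know about: replies to our own outbound traffic,
# plus RTP flows the SIP helper has marked RELATED to a signalled call.
# This must come before the NEW rules or media is rejected below.
-A Fwall-IN -m state --state ESTABLISHED,RELATED -j ACCEPT
# IAX2
-A Fwall-IN -m state --state NEW -p udp -m udp --dport 4569 -j ACCEPT
# SIP signalling
-A Fwall-IN -m state --state NEW -p udp -m udp --dport 5060 -j ACCEPT
-A Fwall-IN -m state --state NEW -p tcp -m tcp --dport 5060 -j ACCEPT
# Everything else inbound: log (rate-limited) so one-way audio caused by
# an untracked media stream is visible in syslog, then refuse it
-A Fwall-IN -m limit --limit 5/min -j LOG --log-prefix "Fwall-IN drop: "
-A Fwall-IN -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Return 0 when the ESTABLISHED,RELATED accept appears before the first
# --state NEW rule in the given ruleset text; 1 otherwise.
check_order() {
    ruleset="$1"
    est_line=$(printf '%s\n' "$ruleset" | grep -n 'ESTABLISHED,RELATED' | head -1 | cut -d: -f1)
    first_new=$(printf '%s\n' "$ruleset" | grep -n -- '--state NEW' | head -1 | cut -d: -f1)
    [ -n "$est_line" ] && [ -n "$first_new" ] && [ "$est_line" -lt "$first_new" ]
}

# Usage: write the file and validate it before loading with iptables-restore
# (commented out so the script is safe to run on any host):
#   gen_ruleset > /tmp/iptables.rules
#   check_order "$(cat /tmp/iptables.rules)" && iptables-restore < /tmp/iptables.rules
```

Two caveats a defender should keep in mind. The helper module name depends on the kernel: CentOS 5 (2.6.18) ships it as `ip_conntrack_sip`, as in Jonathan's `iptables-config` line, while later kernels call it `nf_conntrack_sip`. And the helper can only open media ports for calls whose signalling it can read: SIP on a port other than 5060 (without telling the helper about it) or SIP over TLS is invisible to it, and for those peers the RTP range would have to be opened explicitly after all.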
