--- ./arno-iptables-firewall.sipnat 2008-01-22 01:10:19.000000000 -0800
+++ ./arno-iptables-firewall 1980-05-02 00:31:28.000000000 -0700
@@ -348,6 +353,14 @@
 # write rules matching the state of a connection
 module_probe ip_conntrack_ftp # Permits active FTP; requires ip_conntrack
+ if [ -n "$SIP_PORTS" ]; then
+ ports=""
+ for port in $SIP_PORTS; do
+ $ports="$ports${ports:+,}$port"
+ done
+ module_probe ip_conntrack_sip ports="$ports"
+ fi
+
 module_probe ipt_conntrack # Allows tracking for various protocols, placing entries
 # in the conntrack table etc.
 module_probe ipt_limit # Allows log limits
@@ -393,6 +403,10 @@
 if [ "$NAT" = "1" ]; then
 # module_probe iptable_nat # Implements nat table
 module_probe ip_nat_ftp # Permits active FTP via nat; requires ip_conntrack, iptables_nat
+ if [ -n "$SIP_PORTS" ]; then
+ module_probe ip_nat_sip
+ fi
+
 module_probe ipt_MASQUERADE # Implements the MASQUERADE target
 fi
@@ -3191,9 +3205,9 @@
 # Adding UDP ports NOT to be firewalled
 #######################################
- if [ -n "$OPEN_UDP" ]; then
+ if [ -n "$OPEN_UDP" -o -n "$SIP_PORTS" ]; then
 echo " Allowing the whole world to connect to UDP port(s): $OPEN_UDP"
- for port in $OPEN_UDP; do
+ for port in $OPEN_UDP $SIP_PORTS; do
 $IPTABLES -A EXT_INPUT_CHAIN -p udp --dport $port -j ACCEPT
 done
 fi
--- ./etc/arno-iptables-firewall/firewall.conf 2007-12-17 10:30:55.000000000 -0800
+++ ./etc/arno-iptables-firewall/firewall.conf.new 2008-01-28 09:47:37.000000000 -0800
@@ -1134,3 +1134,7 @@
 # should always contain a carriage-return (enter)!
 # -----------------------------------------------------------------------------
 #BLOCK_HOSTS_FILE=/etc/arno-iptables-firewall/blocked-hosts
+
+# Specify UDP ports used by Asterisk registration end-points or by SIP
+# phones (8 max).
+#SIP_PORTS="5060 5061 5062 5063 5064"
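Review bot: The loop body `$ports="$ports${ports:+,}$port"` in the first hunk never assigns anything: the leading `$` expands the still-empty variable, so the shell tries to execute a command named `=5060`, and `ports` stays empty, which means `module_probe ip_conntrack_sip ports="$ports"` is called with an empty ports list rather than the configured SIP ports. Drop the `$`: `ports="$ports${ports:+,}$port"`. The config comment states an "8 max" limit, but nothing here checks the length of SIP_PORTS, so an over-long list would presumably be passed through to the helper unchecked; a count check before the `module_probe` that prints a warning to stderr would make that misconfiguration visible. The surrounding module-loading block starts and ends outside the hunk.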
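Review bot: In the EXT_INPUT_CHAIN hunk the echo on the line after the changed `if` still prints only `$OPEN_UDP`, so when only SIP_PORTS is set the log reports an empty port list while the loop below opens the SIP ports to every external source; print both, `echo " Allowing the whole world to connect to UDP port(s): $OPEN_UDP $SIP_PORTS"`. Because the ACCEPT rule carries no source restriction, a comment above the `if` such as `# SIP_PORTS are accepted from any external host here, not only tracked by the conntrack helper` would help anyone auditing the resulting ruleset. The `-o` inside `[ ]` is a non-portable test operator; `[ -n "$OPEN_UDP" ] || [ -n "$SIP_PORTS" ]` expresses the same condition without it.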
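Review bot: The new SIP_PORTS comment in firewall.conf describes the variable only in terms of SIP end-points, but setting it also accepts UDP traffic on those ports from any external host (the EXT_INPUT_CHAIN change in the script) in addition to loading the ip_conntrack_sip and ip_nat_sip helpers, and the comment does not say so. Add a line such as `# NOTE: these ports are opened to the whole world on the external interface.` so the operator understands the exposure before uncommenting the example value. It would also help to state where the "8 max" limit comes from, as the script itself does not enforce it.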