[Asterisk-Users] RE: No subject by Steve M

Thomas Hutton pres at nicheware.com
Sun Sep 12 22:22:17 MST 2004


Just responding in case this may be of help to somebody with firewalling
issues.  Not sure if this is off on a tangent to the original
question...


Here are three different forms of common firewall scripts and ways of
getting SIP to work behind them.  The third one has some additional
stuff beyond just SIP although I can't remember why I wrote it that way.

I've been having no fun using SIP phones that try to figure things out
with third party STUN servers.  It seems better to use a good Linux
firewall as it was intended.  

*******************************************************************

Redhat 9 scripts - basic firewall rules for SIP forwarding:
file: /etc/rc.d/init.d/firewall

In the Services section, add this:
SIP=your.internal.ip.here         # VoIP SIP: internal host to forward to, "ON" if Asterisk runs on the firewall itself, "OFF" to disable

Add the following code amongst the service scripts toward the bottom:

#----------------------------#
#            SIP             #
#----------------------------#

# Asterisk runs on the firewall host itself (SIP="ON"): accept SIP
# signalling and the media port directly on the WAN interface.
function SIP_WAN {
   $IPT -A INPUT -p udp -i $WANIFACE --dport 5060 -j ACCEPT
   $IPT -A INPUT -p udp -i $WANIFACE --dport 5004 -j ACCEPT
}

# Asterisk is on an internal host ($SIP holds its address): DNAT the
# ports to it and let the forwarded packets through the FORWARD chain.
function SIP_PORT_FORWARDING {
   $IPT -A PREROUTING -t nat -i $WANIFACE -p udp --dport 5060 -j DNAT --to $SIP:5060
   $IPT -A FORWARD -i $WANIFACE -p udp --dport 5060 -j ACCEPT
   $IPT -A PREROUTING -t nat -i $WANIFACE -p udp --dport 5004 -j DNAT --to $SIP:5004
   $IPT -A FORWARD -i $WANIFACE -p udp --dport 5004 -j ACCEPT
}

if [ "$SIP" = "ON" ]; then
   SIP_WAN
elif [ "$SIP" != "OFF" ]; then
   SIP_PORT_FORWARDING
fi

*******************************************************************

Basic rule for SuSEfirewall2:
file: /etc/sysconfig/SuSEfirewall2
In the section for FW_FORWARD_MASQ=
insert the following two lines:
0/0,internal.sip.ip.address,udp,5060,external.ip.address.here
0/0,internal.sip.ip.address,udp,5004,external.ip.address.here

Note: quotation marks are used in this section, although only at the
beginning and the end. It's a goofy syntax for a config file, so if it
doesn't work and these are the only two ports you're forwarding, it
should look like this: 

FW_FORWARD_MASQ="0/0,internal.sip.ip.address,udp,5060,external.ip.address.here
0/0,internal.sip.ip.address,udp,5004,external.ip.address.here"

******************************************************************

Ruleset for an old reliable IPChains firewall:  
file: /etc/rc.d/init.d/firewall
This actually opens up a few more holes for some outbound streams. 
Can't remember exactly why I did it this way but it works well.
# VoIP - asterisk
# vars
EXT_IP=your.external.ip.here
ASTERISK_IP=your.asterisk.server.ip
#
# chains: portfw each signalling port to the Asterisk box, then accept it
# on the portfw chain.  -p 17 is UDP; the source must be an unprivileged
# port (1024 and up).  5060 = SIP, 4569 = IAX2, 5036 = IAX (version 1).
ipmasqadm portfw -a -P udp -L $EXT_IP 5060 -R $ASTERISK_IP 5060
ipchains -A portfw -s 0/0 1024: -d $EXT_IP 5060 -p 17 -j ACCEPT
ipmasqadm portfw -a -P udp -L $EXT_IP 4569 -R $ASTERISK_IP 4569
ipchains -A portfw -s 0/0 1024: -d $EXT_IP 4569 -p 17 -j ACCEPT
ipmasqadm portfw -a -P udp -L $EXT_IP 5036 -R $ASTERISK_IP 5036
ipchains -A portfw -s 0/0 1024: -d $EXT_IP 5036 -p 17 -j ACCEPT
# loop for a bunch of ports for media streams: forward 10001-10698,
# one port per rule
port2=10001
while [ $port2 -lt 10699 ]
do
   ipmasqadm portfw -a -P udp -L $EXT_IP $port2 -R $ASTERISK_IP $port2
   ipchains -A portfw -s 0/0 1024: -d $EXT_IP $port2 -p 17 -j ACCEPT
   ipchains -A portfw -s 0/0 $port2 -d $EXT_IP $port2 -p 17 -j ACCEPT
   port2=$((port2+1))
done
#
#

*****************************************************************

I've also been able to run SIP traffic over a VPN.  My ISP here seems
like it's doing some weird stuff with delaying packets on certain ports,
so I stuff a lot of traffic through a tunnel.  Problem is that the
encryption slows it down, which I fixed by running a pptpd daemon
without encryption.

This will be out of thread, excuse me, but my mozilla is broken and
won't take mailto registry fixes.  Will need to use a different client
in future posts.

TJH
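As an added example (not code from the original post, and not from the Asterisk project), here is a dry-run iptables rule generator for the same DNAT + FORWARD pattern as the Red Hat script above, with two changes a practitioner would want: the SIP signalling rules accept only from a list of known peer addresses instead of 0/0, and media is forwarded as one UDP port range (Asterisk's rtp.conf default is 10000-20000) instead of a single port or a per-port loop. It prints the iptables commands so they can be reviewed before being piped to sh as root. The interface name, addresses, peer list and port range in the usage lines are placeholders and assumptions.

```shell
#!/bin/sh
# Added example: emit iptables rules that forward SIP signalling and an
# RTP port range from the WAN interface to an internal Asterisk host,
# restricting signalling to listed peers instead of 0/0.
#
# Assumed inputs (placeholders, adjust to your network):
#   WANIFACE  - external interface, e.g. eth0
#   SIP_HOST  - internal Asterisk address, e.g. 192.168.1.10
#   PEERS     - space-separated trusted source addresses/networks
#   RTP_LO/HI - media port range; Asterisk's rtp.conf default is 10000-20000

IPT=${IPT:-iptables}

# sip_forward_rules WANIFACE SIP_HOST "PEER [PEER...]" RTP_LO RTP_HI
# Prints one iptables command per line; nothing is executed here.
sip_forward_rules() {
    waniface=$1
    sip_host=$2
    peers=$3
    rtp_lo=$4
    rtp_hi=$5

    # Signalling: DNAT 5060/udp only from trusted peers.  The FORWARD rule
    # is pinned to the same source and to the DNAT target, so a different
    # forwarded host cannot ride on it.
    for src in $peers; do
        echo "$IPT -t nat -A PREROUTING -i $waniface -s $src -p udp --dport 5060 -j DNAT --to-destination $sip_host:5060"
        echo "$IPT -A FORWARD -i $waniface -s $src -d $sip_host -p udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Media: one port-range rule instead of a per-port loop.  With no port
    # in --to-destination the original destination port is kept.  Media
    # often arrives from addresses other than the signalling peer, so the
    # range is left open to any source but only to the Asterisk host.
    echo "$IPT -t nat -A PREROUTING -i $waniface -p udp --dport $rtp_lo:$rtp_hi -j DNAT --to-destination $sip_host"
    echo "$IPT -A FORWARD -i $waniface -d $sip_host -p udp --dport $rtp_lo:$rtp_hi -m conntrack --ctstate NEW -j ACCEPT"

    # Replies and related packets for anything already accepted.
    echo "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Number of commands a rule set produces: 2 per peer + 3 for media/state.
sip_forward_rule_count() {
    sip_forward_rules "$@" | wc -l | tr -d ' '
}

# Usage (placeholder values): review first, then apply as root.
#   sip_forward_rules eth0 192.168.1.10 "203.0.113.5 198.51.100.0/24" 10000 20000
#   sip_forward_rules eth0 192.168.1.10 "203.0.113.5" 10000 20000 | sh
```

The ordering matters: the NEW-only rules go before the catch-all ESTABLISHED,RELATED rule, and with the default FORWARD policy set to DROP everything not matched above is refused.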
