[Asterisk-Users] Shorewall firewall rules

Mikael Magnusson mikaelmagnusson at glocalnet.net
Sat Apr 2 02:27:42 MST 2005


On Sat, Apr 02, 2005 at 11:10:28AM +0200, Remco Barende wrote:
> I'm trying to get firewalling working but I am clueless as to which ports 
> I need to open, I keep opening more ports and it's not working :(
> 
> Basically I want SIP and IAX2 to work. IAX2 works fine, but SIP is giving 
> me a headache. It seems that the stateless firewall is not able to handle 
> SIP. I'm using shorewall as my firewall with these rules:
> 
> ACCEPT  net    fw    udp     4569
> ACCEPT  fw     net   udp     4569,5060,10000:20000
> 
> My rtp.conf says this:
> rtpstart=10000
> rtpend=20000
> 
> 
> Whenever I make a call I get these messages:
> 
> Apr  2 09:18:25 pbx kernel: Shorewall:fw2net:REJECT:IN= OUT=eth1 
> SRC=myip DST=80.118.132.66 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=116 DF 
> PROTO=UDP SPT=17798 DPT=7356 LEN=180
> 
> Apr  2 09:18:26 raveon kernel: Shorewall:net2fw:REJECT:IN=eth1 OUT= 
> SRC=80.118.132.66 DST=myip LEN=200 TOS=0x00 PREC=0x00 TTL=53 
> ID=859  PROTO=UDP SPT=7356 DPT=17798 LEN=180
> 
> 
> So it seems that the %&*$*&$^&!!!! server is still trying to go out via a 
> port lower than the range set in rtp.conf
> 
> What is port 7356 for and what should I open to get it to work? I looked 
> through the wiki but the low level iptables rules posted there do not make 
> any sense to me.
> 

Port 7356 is used by the called site to receive RTP packets. I don't
think you can have any influence over which port it chooses to use. You
will need to allow outgoing UDP packets to all ports between 1024 and 65535.

For example:

  ACCEPT  net    fw    udp     4569,5060,10000:20000
  ACCEPT  fw     net   udp     1024:65535

/Mikael Magnusson
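The following is an added example, not part of the original thread or of Shorewall itself. It models how Shorewall/iptables rules match the two logged packets, to make the point in the reply concrete: rules match the destination port, so the local RTP range from rtp.conf (the source port 17798 in the fw2net line) never covers the remote peer's RTP port (7356), and once the outbound packet is rejected the reply from the peer has no established flow to ride on either. It assumes stateful matching (a reply is accepted when the packet that opened the flow was accepted), Shorewall's "a,b:c" port-list syntax, and the two log lines quoted above with "myip" replaced by the documentation address 192.0.2.10; the rule sets are the poster's and the reply's. One practitioner's caveat: 1024:65535 to the whole net zone is a wide hole; if the peer is a fixed provider, narrowing the DEST column to that address (Shorewall's "net:<address>" form) keeps the same fix with a much smaller exposure.

```python
"""Added example (not from the original thread): a small model of Shorewall
rule matching against the two logged packets.

Assumptions: stateful matching (reply accepted if the opening packet was),
Shorewall "a,b:c" port lists, and log lines as quoted with "myip" replaced by
the constructed placeholder 192.0.2.10."""

import re
from dataclasses import dataclass

# Constructed sample input: the two kernel log lines from the thread.
LOG_LINES = [
    "Apr  2 09:18:25 pbx kernel: Shorewall:fw2net:REJECT:IN= OUT=eth1 "
    "SRC=192.0.2.10 DST=80.118.132.66 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=116 DF "
    "PROTO=UDP SPT=17798 DPT=7356 LEN=180",
    "Apr  2 09:18:26 raveon kernel: Shorewall:net2fw:REJECT:IN=eth1 OUT= "
    "SRC=80.118.132.66 DST=192.0.2.10 LEN=200 TOS=0x00 PREC=0x00 TTL=53 "
    "ID=859  PROTO=UDP SPT=7356 DPT=17798 LEN=180",
]

# The poster's rules and the reply's rules (65535 is the highest valid port).
ORIGINAL_RULES = [
    "ACCEPT net fw udp 4569",
    "ACCEPT fw net udp 4569,5060,10000:20000",
]
SUGGESTED_RULES = [
    "ACCEPT net fw udp 4569,5060,10000:20000",
    "ACCEPT fw net udp 1024:65535",
]


@dataclass(frozen=True)
class Packet:
    chain: str   # Shorewall chain name, e.g. "fw2net"
    src: str
    dst: str
    proto: str
    spt: int
    dpt: int


LOG_RE = re.compile(
    r"Shorewall:(?P<chain>\w+):\w+:.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_log(line):
    """Extract chain, addresses, protocol and ports from a Shorewall log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"not a Shorewall log line: {line!r}")
    return Packet(m["chain"], m["src"], m["dst"], m["proto"].lower(),
                  int(m["spt"]), int(m["dpt"]))


def parse_ports(spec):
    """Shorewall port list '4569,5060,10000:20000' -> [(lo, hi), ...]."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range {item!r}")
        ranges.append((lo, hi))
    return ranges


def parse_rule(text):
    """'ACCEPT fw net udp 1024:65535' -> (action, chain, proto, ranges)."""
    action, src_zone, dst_zone, proto, ports = text.split()
    return action, f"{src_zone}2{dst_zone}", proto.lower(), parse_ports(ports)


def rule_accepts(rule, pkt):
    action, chain, proto, ranges = rule
    # Rules match the DESTINATION port; the local source port is irrelevant.
    return (action == "ACCEPT" and chain == pkt.chain and proto == pkt.proto
            and any(lo <= pkt.dpt <= hi for lo, hi in ranges))


def evaluate(rules_text, packets):
    """Return one verdict per packet, with a reply accepted only if the
    packet that opened its flow was accepted (conntrack ESTABLISHED)."""
    rules = [parse_rule(r) for r in rules_text]
    established = set()
    verdicts = []
    for pkt in packets:
        reply_of = (pkt.dst, pkt.dpt, pkt.src, pkt.spt, pkt.proto)
        if reply_of in established:
            verdicts.append("ACCEPT (ESTABLISHED)")
        elif any(rule_accepts(r, pkt) for r in rules):
            established.add((pkt.src, pkt.spt, pkt.dst, pkt.dpt, pkt.proto))
            verdicts.append("ACCEPT")
        else:
            verdicts.append("REJECT")
    return verdicts


if __name__ == "__main__":
    pkts = [parse_log(line) for line in LOG_LINES]
    for name, rules in (("original", ORIGINAL_RULES), ("suggested", SUGGESTED_RULES)):
        print(name, evaluate(rules, pkts))
```

Running it shows the original rules rejecting both packets (the outbound one because 7356 is outside every fw2net destination range, the inbound one because no flow was ever established) and the suggested rules accepting the outbound packet by rule and the inbound one as an established reply. parse_ports also refuses 1025:65536, which iptables would reject as well.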
