[Asterisk-Users] Shorewall firewall rules

Paul Hardacre paul at geekball.net
Sat Apr 2 02:31:59 MST 2005


Remco Barende wrote:

> Basically I want SIP and IAX2 to work. IAX2 works fine, but SIP is 
> giving me a headache. It seems that the stateless firewall is not able 
> to handle SIP. I'm using shorewall as my firewall with these rules:
>
> ACCEPT  net    fw    udp     4569
> ACCEPT  fw     net   udp     4569,5060,10000:20000

IAX2 will work fine, because you have allowed it in both directions.

> Whenever I make a call I get these messages:
>
> Apr  2 09:18:25 pbx kernel: Shorewall:fw2net:REJECT:IN= OUT=eth1 
> SRC=myip DST=80.118.132.66 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=116 DF 
> PROTO=UDP SPT=17798 DPT=7356 LEN=180
>
> Apr  2 09:18:26 raveon kernel: Shorewall:net2fw:REJECT:IN=eth1 OUT= 
> SRC=80.118.132.66 DST=myip LEN=200 TOS=0x00 PREC=0x00 TTL=53 ID=859  
> PROTO=UDP SPT=7356 DPT=17798 LEN=180
>
> So it seems that the %&*$*&$^&!!!! server is still trying to go out 
> via a port lower than the range set in rtp.conf

Not exactly: Asterisk is using port 17798. It's the other end that's 
using 7356; unfortunately you don't really have any control over the 
remote end's RTP port.

You could try specifying the source ports on the outgoing rules with 
something like:

ACCEPT    fw   net   udp   -   10000:20000

This would allow any packets from the firewall to the internet 
originating from ports 10000:20000.

You should probably also allow incoming connections to port 5060 and 
10000:20000 otherwise you may find that you can't receive inbound calls.

ACCEPT   net   fw   udp   5060,10000:20000

should cater for that.

I'm using shorewall on our asterisk box at work and it works just fine. 
I allow all traffic out from the firewall to the net and only allow a 
very limited amount of incoming ports.

> What is port 7356 for and what should I open to get it to work? I 
> looked through the wiki but the low level iptables rules posted there 
> do not make any sense to me.

Port 7356 is the remote end's RTP port.

I hope that helps,

Paul
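As an added illustration of the reasoning in the reply above (this is example code, not part of the original post or of Shorewall): the script below parses kernel log lines in the form quoted in the mail and checks each logged packet against a Shorewall-style rules table, reporting which rule, if any, would have accepted it. The two log lines are constructed copies of the ones in the thread with the redacted "myip" replaced by the documentation address 192.0.2.10. It assumes the Shorewall rules-file column order ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S), first-match evaluation, and zone names without digits; none of these assumptions come from the post.

```python
"""Check logged Shorewall REJECTs against a rules table (added example)."""
import re

# Constructed sample input: the two REJECT lines from the post, with the
# redacted 'myip' replaced by a TEST-NET-1 address so the parser sees an IP.
SAMPLE_LOG = """\
Apr  2 09:18:25 pbx kernel: Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=192.0.2.10 DST=80.118.132.66 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=116 DF PROTO=UDP SPT=17798 DPT=7356 LEN=180
Apr  2 09:18:26 raveon kernel: Shorewall:net2fw:REJECT:IN=eth1 OUT= SRC=80.118.132.66 DST=192.0.2.10 LEN=200 TOS=0x00 PREC=0x00 TTL=53 ID=859  PROTO=UDP SPT=7356 DPT=17798 LEN=180
"""

# Assumption: chain names are <srczone>2<dstzone> with alphabetic zone names.
LOG_RE = re.compile(r"Shorewall:(?P<src_zone>[A-Za-z]+)2(?P<dst_zone>[A-Za-z]+):"
                    r"(?P<disposition>\w+):(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_ports(spec):
    """Turn a port column ('5060,10000:20000', '-' or '') into (low, high)
    ranges; an empty or '-' column means 'any port' and is returned as None."""
    if spec in ("", "-"):
        return None
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def port_matches(ranges, port):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def parse_rule(line):
    """Parse one rules-file line: ACTION SOURCE DEST PROTO [DPORT] [SPORT]."""
    cols = line.split()
    action, src, dst, proto = cols[:4]
    dport = cols[4] if len(cols) > 4 else "-"
    sport = cols[5] if len(cols) > 5 else "-"
    return {"text": line.strip(), "action": action, "src": src, "dst": dst,
            "proto": proto.lower(), "dport": parse_ports(dport),
            "sport": parse_ports(sport)}


def parse_log_line(line):
    """Extract zones, disposition and the UDP/TCP 4-tuple from a log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {"src_zone": m.group("src_zone"), "dst_zone": m.group("dst_zone"),
            "disposition": m.group("disposition"),
            "proto": fields.get("PROTO", "").lower(),
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "spt": int(fields["SPT"]), "dpt": int(fields["DPT"])}


def first_matching_rule(rules, pkt):
    """Return the first rule matching the packet (rules are evaluated in
    order), or None if it falls through to the zone policy, which the
    logged disposition shows to be REJECT for this poster."""
    for r in rules:
        if (r["src"] == pkt["src_zone"] and r["dst"] == pkt["dst_zone"]
                and r["proto"] == pkt["proto"]
                and port_matches(r["dport"], pkt["dpt"])
                and port_matches(r["sport"], pkt["spt"])):
            return r
    return None


def audit(rules, log_text):
    """For each logged packet return (chain, SPT, DPT, accepting rule text or None)."""
    results = []
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        r = first_matching_rule(rules, pkt)
        chain = "%s2%s" % (pkt["src_zone"], pkt["dst_zone"])
        results.append((chain, pkt["spt"], pkt["dpt"], r["text"] if r else None))
    return results


# The poster's original rules, then the two rules suggested in the reply.
ORIGINAL_RULES = [parse_rule(l) for l in (
    "ACCEPT  net    fw    udp     4569",
    "ACCEPT  fw     net   udp     4569,5060,10000:20000",
)]
PROPOSED_RULES = ORIGINAL_RULES + [parse_rule(l) for l in (
    "ACCEPT    fw   net   udp   -   10000:20000",
    "ACCEPT   net   fw   udp   5060,10000:20000",
)]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("proposed", PROPOSED_RULES)):
        print("== %s rules ==" % label)
        for chain, spt, dpt, rule in audit(rules, SAMPLE_LOG):
            print("%s %d->%d: %s" % (chain, spt, dpt, rule or "no match (policy)"))
```

Run as-is it shows that neither logged packet matches the original rules (the outbound one because its destination port 7356 is the remote end's choice, the inbound one because nothing accepts net-to-fw traffic on 17798), and that the source-port rule accepts the outbound packet while the added net-to-fw rule accepts the inbound one. The matcher deliberately ignores connection-tracking state, so it only models the plain port rules discussed in the thread.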


