?
Solved

client wont register if i enable iptables

Posted on 2010-08-30
9
Medium Priority
?
578 Views
Last Modified: 2012-05-10
Im new to iptables, im hardening a little bit my asterisk security by installing fail2an and enabling iptables.
the problem is when i enable iptables, softphones will not register, which entries should i do and how should i add those entries in iptables?

0
Comment
Question by:manolocruz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33566123
cat /etc/sysconfig/iptables

what protocol (tcp or udp) and what port do the phones need to connect to on the asterisk service?
0
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 33566131
I suggest you to look at which packets/ports are blocked for the IPphones. Then open/allow these ports/protocols in your iptables configuration.
The trick on the following links may help
http://jackhammer.org/node/18
http://codeidol.com/unix/linux-troubleshooting/Firewall-Troubleshooting/Troubleshooting-iptables/ 
0
 

Author Comment

by:manolocruz
ID: 33566516
Jesper, we need TCP 5060 UDP 5060 UDP 10000-20000
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 

Author Comment

by:manolocruz
ID: 33566519
Abahar, im checking the links, hit you back in a few minutes.
0
 
LVL 9

Accepted Solution

by:
Alex Bahar earned 1000 total points
ID: 33566637
IPtables setup for Asterisk
# SIP port 5060
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT

# IAX2- the IAX protocol
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT

# IAX - IAX v2
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT

# RTP - the media stream
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 1000 total points
ID: 33566755
affirmative with abahar's example (start iptables before adding the rules).

verify the name of your "input" chain and if using unnumbered list (my "input" chain is 'RH-Firewall-1-INPUT') with an explicit deny at the end:

   iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
   iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited


if you're using a redhat release (rhel, fedora, centos):

   iptables-save
   service iptables save
0
 

Author Comment

by:manolocruz
ID: 33567032
here is my /etc/sysconfig/iptables file.

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33567148
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 5036 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

iptables-save
service iptables save

You can copy and paste everything above this sentence.
0
 

Author Comment

by:manolocruz
ID: 33567232
right now system is in production, i will do that in about 3 hours...
and test it, after that will install fail2ban...
Any other recommendation to make my server safer?
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Fine Tune your automatic Updates for Ubuntu / Debian
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question