Solved

client wont register if i enable iptables

Posted on 2010-08-30
9
569 Views
Last Modified: 2012-05-10
Im new to iptables, im hardening a little bit my asterisk security by installing fail2an and enabling iptables.
the problem is when i enable iptables, softphones will not register, which entries should i do and how should i add those entries in iptables?

0
Comment
Question by:manolocruz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 33566123
cat /etc/sysconfig/iptables

what protocol (tcp or udp) and what port do the phones need to connect to on the asterisk service?
0
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 33566131
I suggest you to look at which packets/ports are blocked for the IPphones. Then open/allow these ports/protocols in your iptables configuration.
The trick on the following links may help
http://jackhammer.org/node/18
http://codeidol.com/unix/linux-troubleshooting/Firewall-Troubleshooting/Troubleshooting-iptables/ 
0
 

Author Comment

by:manolocruz
ID: 33566516
Jesper, we need TCP 5060 UDP 5060 UDP 10000-20000
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 

Author Comment

by:manolocruz
ID: 33566519
Abahar, im checking the links, hit you back in a few minutes.
0
 
LVL 9

Accepted Solution

by:
Alex Bahar earned 250 total points
ID: 33566637
IPtables setup for Asterisk
# SIP port 5060
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT

# IAX2- the IAX protocol
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT

# IAX - IAX v2
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT

# RTP - the media stream
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 250 total points
ID: 33566755
affirmative with abahar's example (start iptables before adding the rules).

verify the name of your "input" chain and if using unnumbered list (my "input" chain is 'RH-Firewall-1-INPUT') with an explicit deny at the end:

   iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
   iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited


if you're using a redhat release (rhel, fedora, centos):

   iptables-save
   service iptables save
0
 

Author Comment

by:manolocruz
ID: 33567032
here is my /etc/sysconfig/iptables file.

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 33567148
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 5036 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

iptables-save
service iptables save

You can copy and paste everything above this sentence.
0
 

Author Comment

by:manolocruz
ID: 33567232
right now system is in production, i will do that in about 3 hours...
and test it, after that will install fail2ban...
Any other recommendation to make my server safer?
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
Fine Tune your automatic Updates for Ubuntu / Debian
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question