Solved

client wont register if i enable iptables

Posted on 2010-08-30
9
572 Views
Last Modified: 2012-05-10
Im new to iptables, im hardening a little bit my asterisk security by installing fail2an and enabling iptables.
the problem is when i enable iptables, softphones will not register, which entries should i do and how should i add those entries in iptables?

0
Comment
Question by:manolocruz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33566123
cat /etc/sysconfig/iptables

what protocol (tcp or udp) and what port do the phones need to connect to on the asterisk service?
0
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 33566131
I suggest you to look at which packets/ports are blocked for the IPphones. Then open/allow these ports/protocols in your iptables configuration.
The trick on the following links may help
http://jackhammer.org/node/18
http://codeidol.com/unix/linux-troubleshooting/Firewall-Troubleshooting/Troubleshooting-iptables/ 
0
 

Author Comment

by:manolocruz
ID: 33566516
Jesper, we need TCP 5060 UDP 5060 UDP 10000-20000
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 

Author Comment

by:manolocruz
ID: 33566519
Abahar, im checking the links, hit you back in a few minutes.
0
 
LVL 9

Accepted Solution

by:
Alex Bahar earned 250 total points
ID: 33566637
IPtables setup for Asterisk
# SIP port 5060
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT

# IAX2- the IAX protocol
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT

# IAX - IAX v2
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT

# RTP - the media stream
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 250 total points
ID: 33566755
affirmative with abahar's example (start iptables before adding the rules).

verify the name of your "input" chain and if using unnumbered list (my "input" chain is 'RH-Firewall-1-INPUT') with an explicit deny at the end:

   iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
   iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited


if you're using a redhat release (rhel, fedora, centos):

   iptables-save
   service iptables save
0
 

Author Comment

by:manolocruz
ID: 33567032
here is my /etc/sysconfig/iptables file.

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33567148
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 5036 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

iptables-save
service iptables save

You can copy and paste everything above this sentence.
0
 

Author Comment

by:manolocruz
ID: 33567232
right now system is in production, i will do that in about 3 hours...
and test it, after that will install fail2ban...
Any other recommendation to make my server safer?
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Skype is a P2P (Peer to Peer) instant messaging and VOIP (Voice over IP) service – as well as a whole lot more.
Why do some people recommend buying business VoIP from an ISP? What are the benefits to my company? What are the costs?
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question