
client wont register if i enable iptables

Posted on 2010-08-30
Last Modified: 2012-05-10
I'm new to iptables; I'm hardening my Asterisk security a little bit by installing fail2ban and enabling iptables.
The problem is that when I enable iptables, softphones will not register. Which entries should I add, and how should I add those entries in iptables?

Question by:manolocruz
9 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 33566123
cat /etc/sysconfig/iptables

what protocol (tcp or udp) and what port do the phones need to connect to on the asterisk service?
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 33566131
I suggest you look at which packets/ports are blocked for the IP phones. Then open/allow these ports/protocols in your iptables configuration.
The trick on the following links may help
http://jackhammer.org/node/18
http://codeidol.com/unix/linux-troubleshooting/Firewall-Troubleshooting/Troubleshooting-iptables/ 
 

Author Comment

by:manolocruz
ID: 33566516
Jesper, we need TCP 5060, UDP 5060, and UDP 10000-20000.
 

Author Comment

by:manolocruz
ID: 33566519
Abahar, I'm checking the links; I'll hit you back in a few minutes.
 
LVL 9

Accepted Solution

by:
Alex Bahar earned 250 total points
ID: 33566637
IPtables setup for Asterisk
# SIP port 5060
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT

# IAX2 - the IAX protocol, version 2 (only needed if you run IAX trunks or peers)
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT

# IAX - the legacy IAX version 1 port (only needed if you still run IAX1)
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT

# RTP - the media stream
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 250 total points
ID: 33566755
Affirmative on abahar's example (start iptables before adding the rules).

Verify the name of your "input" chain, and if you are using an unnumbered list (my "input" chain is 'RH-Firewall-1-INPUT') with an explicit deny at the end:

   iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
   iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited


if you're using a redhat release (rhel, fedora, centos):

   iptables-save
   service iptables save
 

Author Comment

by:manolocruz
ID: 33567032
here is my /etc/sysconfig/iptables file.

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
 
LVL 28

Expert Comment

by:Jan Springer
ID: 33567148
# Asterisk rules, appended to the RH-Firewall-1-INPUT chain
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 5036 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# -A appends after the existing final REJECT, so remove it and re-append it
# to put it back at the end of the chain, after the new ACCEPT rules
iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

# iptables-save prints the running rules for review; 'service iptables save'
# writes them to /etc/sysconfig/iptables so they survive a restart
iptables-save
service iptables save

You can copy and paste everything above this sentence.
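The rules in the accepted solution and the chain-ordering point in the comment above (a rule appended with -A lands after the chain's terminal REJECT and never matches) can be combined into an edit of the saved rules file instead of live -A/-D commands. The following is an added shell example, not code from the thread, from Asterisk or from any of the participants: it takes a trimmed copy of the /etc/sysconfig/iptables posted above as sample input, inserts the SIP and RTP ACCEPT rules ahead of the REJECT, and checks the resulting order. It opens only the three ports the asker listed (IAX stays closed). The optional SIP_SRC network, and the 203.0.113.0/24 value mentioned in its comment, are placeholders of this example for restricting who may reach port 5060; nothing in the thread specifies such a network.

```shell
#!/bin/sh
# Added example (not from the thread or from Asterisk): write a new
# iptables-restore file that admits Asterisk traffic ahead of the chain's
# terminal REJECT. Appending live with `iptables -A` puts rules *after* the
# REJECT, where they never match; editing the saved file can be reviewed
# before it is loaded and avoids the delete-and-re-add of the REJECT.
set -eu

# Optional: restrict SIP signalling to a known network. 203.0.113.0/24 is a
# placeholder (documentation range), not an address from the thread. Leave
# empty to accept SIP from anywhere (Internet-roaming softphones).
SIP_SRC="${SIP_SRC:-}"

# Print the ACCEPT rules for the given chain in iptables-restore syntax.
# Only the three ports the asker needs: SIP over UDP/TCP 5060 and the RTP
# range, which must match rtpstart/rtpend in /etc/asterisk/rtp.conf.
# IAX (4569, 5036) is deliberately left closed; open it only if you use it.
asterisk_rules() {
    chain="$1"
    src=""
    if [ -n "$SIP_SRC" ]; then src="-s $SIP_SRC "; fi
    cat <<EOF
# Asterisk: SIP signalling
-A $chain ${src}-p udp -m udp --dport 5060 -j ACCEPT
-A $chain ${src}-p tcp -m tcp --dport 5060 -j ACCEPT
# Asterisk: RTP media
-A $chain -p udp -m udp --dport 10000:20000 -j ACCEPT
EOF
}

# Copy a saved rules file to stdout, inserting the Asterisk rules just
# before the first "-A <chain> -j REJECT" line. Returns non-zero if the
# chain has no terminal REJECT, so a mistyped chain name is noticed
# instead of silently producing a file without the Asterisk rules.
insert_before_reject() {
    chain="$1"
    infile="$2"
    inserted=0
    while IFS= read -r line; do
        case "$line" in
            "-A $chain -j REJECT"*)
                if [ "$inserted" -eq 0 ]; then
                    asterisk_rules "$chain"
                    inserted=1
                fi ;;
        esac
        printf '%s\n' "$line"
    done < "$infile"
    [ "$inserted" -eq 1 ]
}

# Check: does the UDP 5060 ACCEPT for <chain> come before the REJECT?
# Returns 0 if so, 1 otherwise (also 1 if either rule is missing).
sip_precedes_reject() {
    chain="$1"
    infile="$2"
    sip=$(grep -n -- "^-A $chain .*-p udp .*--dport 5060 -j ACCEPT" "$infile" | head -n 1 | cut -d: -f1)
    rej=$(grep -n -- "^-A $chain -j REJECT" "$infile" | head -n 1 | cut -d: -f1)
    [ -n "$sip" ] && [ -n "$rej" ] && [ "$sip" -lt "$rej" ]
}

# Sample input: a trimmed copy of the /etc/sysconfig/iptables posted in the
# thread (RH-style single INPUT chain ending in an explicit REJECT).
SAMPLE_RULES=$(mktemp)
NEW_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES" "$NEW_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

CHAIN=RH-Firewall-1-INPUT
insert_before_reject "$CHAIN" "$SAMPLE_RULES" > "$NEW_RULES"
if sip_precedes_reject "$CHAIN" "$NEW_RULES"; then
    cat "$NEW_RULES"   # review this, then load it with: iptables-restore < file
else
    echo "SIP rule missing or shadowed by the REJECT" >&2
    exit 1
fi
```

Review the generated file, load it with `iptables-restore < file`, and on a Red Hat style system copy it to /etc/sysconfig/iptables (or run `service iptables save`) so it survives a restart. Restricting 5060 by source only works when the phones come from known networks; with softphones registering from arbitrary addresses, leave SIP_SRC empty and rely on fail2ban for the registration brute-force noise that an open 5060 attracts.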
 

Author Comment

by:manolocruz
ID: 33567232
Right now the system is in production; I will do that in about 3 hours and test it. After that I will install fail2ban.
Any other recommendation to make my server safer?
