Solved

Client won't register if I enable iptables

Posted on 2010-08-30
Medium Priority
Last Modified: 2012-05-10
I'm new to iptables. I'm hardening my Asterisk security a little bit by installing fail2ban and enabling iptables.
The problem is that when I enable iptables, softphones will not register. Which entries should I add, and how should I add those entries in iptables?

Question by:manolocruz
9 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33566123
cat /etc/sysconfig/iptables

What protocol (TCP or UDP) and what port do the phones need to connect to on the Asterisk service?
0
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 33566131
I suggest you look at which packets/ports are blocked for the IP phones. Then open/allow these ports/protocols in your iptables configuration.
The tricks at the following links may help:
http://jackhammer.org/node/18
http://codeidol.com/unix/linux-troubleshooting/Firewall-Troubleshooting/Troubleshooting-iptables/ 
0
 

Author Comment

by:manolocruz
ID: 33566516
Jesper, we need TCP 5060, UDP 5060, UDP 10000-20000.
0

 

Author Comment

by:manolocruz
ID: 33566519
Abahar, I'm checking the links; I'll hit you back in a few minutes.
0
 
LVL 9

Accepted Solution

by:
Alex Bahar earned 1000 total points
ID: 33566637
IPtables setup for Asterisk
# SIP port 5060
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT

# IAX2 - the IAX protocol, version 2
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT

# IAX - the original IAX protocol (version 1)
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT

# RTP - the media stream
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 1000 total points
ID: 33566755
affirmative with abahar's example (start iptables before adding the rules).

verify the name of your "input" chain and if using unnumbered list (my "input" chain is 'RH-Firewall-1-INPUT') with an explicit deny at the end:

   iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
   iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited


if you're using a redhat release (rhel, fedora, centos):

   iptables-save
   service iptables save
0
 

Author Comment

by:manolocruz
ID: 33567032
Here is my /etc/sysconfig/iptables file.

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33567148
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 5036 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

iptables-save
service iptables save

You can copy and paste everything above this sentence.
0
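
Added example, not part of any post in this thread: a shell check showing why the chain name and the delete-then-re-append of the REJECT matter, since iptables evaluates rules in order and nothing after a catch-all REJECT can match. The sample ruleset is constructed from the one posted above, and the function names `shadowed_rules` and `sample_ruleset` are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread): list rules in an iptables-save dump
# that can never match because a catch-all REJECT/DROP precedes them.

# shadowed_rules CHAIN   (iptables-save text on stdin)
# Prints the rules of CHAIN that follow either a catch-all REJECT/DROP or an
# unconditional jump to a chain containing one (one level of nesting only).
shadowed_rules() {
    awk -v chain="$1" '
        $1 == "-A" {
            n++; rule[n] = $0; owner[n] = $2
            # No match options means the target is the 4th field: -A C -j T
            target[n] = ($3 == "-j") ? $4 : ""
            if (target[n] == "REJECT" || target[n] == "DROP") terminal[$2] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                if (owner[i] != chain) continue
                if (dead) { print rule[i]; continue }
                t = target[i]
                if (t == "REJECT" || t == "DROP" || (t in terminal)) dead = 1
            }
        }
    '
}

# Constructed sample: the ruleset posted in the thread (shortened), after
# appending one rule to INPUT and one to RH-Firewall-1-INPUT without first
# deleting the final REJECT.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
COMMIT
EOF
}

for c in INPUT RH-Firewall-1-INPUT; do
    sample_ruleset | shadowed_rules "$c" | sed "s/^/unreachable: /"
done
```

On a live host, pipe the output of `iptables-save` into `shadowed_rules` for each chain; an empty result means no rule sits behind a catch-all REJECT or DROP.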
 

Author Comment

by:manolocruz
ID: 33567232
Right now the system is in production; I will do that in about 3 hours...
and test it, and after that I will install fail2ban...
Any other recommendations to make my server safer?
0
