iptables for Asterisk and FreePBX

If you’ve installed Asterisk and FreePBX, or you’re using one of the preconfigured distributions such as Trixbox or Elastix, it is a good idea to have the Linux firewall, iptables, running on your system. Here’s an example of how you could set this up.

First thing to note is that it’s pretty easy to lock yourself out of your server when playing around with iptables! It’s best to take a couple of simple precautions in case this happens.

These instructions should apply to CentOS/Redhat/Fedora.

1. First, stop iptables from starting automatically at boot by running -

# chkconfig iptables off

2. Take a copy of your current iptables rules with -

# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig

3. Now edit /etc/sysconfig/iptables and replace the contents with -

*mangle
:PREROUTING ACCEPT [83145:120824770]
:INPUT ACCEPT [83145:120824770]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [46823:2584014]
:POSTROUTING ACCEPT [46823:2584014]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:60]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5061 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5061 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [164:6544]
:POSTROUTING ACCEPT [148:8939]
:OUTPUT ACCEPT [148:8939]
COMMIT

The settings above make the following assumptions. Hopefully you can see what to change if any are wrong for your system.

  • SSH is listening on port 22. This is the default but people do run sshd on different ports. Make sure this is correct for your system or you are likely to lock yourself out
  • You need access to the Flash Operator Panel. If you don’t then you can remove the line for port 4445
  • You are only using HTTPS (port 443) to access FreePBX on your server. If you are using regular HTTP duplicate the line for port 443 but change the port number to 80
  • You are using ports 5060/5061 for SIP traffic
  • You are using the standard port, 4569, for IAX2 traffic
  • Your external interface is eth0. If this is not the case change all occurrences of this to the correct value. If you are doing this on an OpenVZ VPS you can change all the occurrences of 'eth0' to 'venet0'

4. Write the rules away with iptables-save to make sure everything is in the correct format -

# iptables-save > /etc/sysconfig/iptables

5. Now (re)start iptables (do not enable the service at boot yet!) with -

# service iptables restart

* If you do get locked out at this point for some reason at least you only have to get your server rebooted. iptables will not start automatically on reboot. It can get a lot more complicated to fix if iptables is set to auto start!

6. Test that everything is working OK. You can see your iptables rules by running -

# iptables --list

7. Once you’re happy you can enable iptables at start up with -

# chkconfig iptables on

I should stress again that you do this at your own risk. If you don’t have console access to the server it might be worth checking with your provider what the procedure is if you lock yourself out (and if it will cost you anything to get them to fix it!)
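Before step 7 it is worth checking the saved rules against the assumptions listed above rather than trusting your eyes. The following pre-flight check is an added example, not part of the original post: it parses an iptables-save file, confirms the INPUT chain is actually closed (DROP policy or a catch-all REJECT/DROP), and reports whether sshd and SIP are accepted on the interface you name. The sample rules are a constructed excerpt of the post's filter table; the sshd port and interface name are parameters you supply.

```python
import shlex

# Constructed excerpt of the post's /etc/sysconfig/iptables (filter table only).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def parse_input_chain(text):
    """Return (closed, accepts) for the *filter INPUT chain: closed is True when the policy
    is DROP or a catch-all DROP/REJECT rule exists; accepts holds (iface, proto, lo, hi)."""
    table, policy, catchall, accepts = None, None, False, []
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A INPUT"):
            tok = shlex.split(line)
            # map each option to the token that follows it (iface/proto None = unrestricted)
            opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
            if opt.get("-j") == "ACCEPT" and "--dport" in opt:
                lo, _, hi = opt["--dport"].partition(":")
                accepts.append((opt.get("-i"), opt.get("-p"), int(lo), int(hi or lo)))
            elif opt.get("-j") in ("DROP", "REJECT") and not {"-i", "-p", "-s", "-f"} & set(opt):
                catchall = True  # unconditional: nothing below it is reachable
    return policy == "DROP" or catchall, accepts

def allowed(accepts, iface, proto, port):
    """True if some ACCEPT rule admits proto/port traffic arriving on iface."""
    return any((i is None or i == iface) and (p is None or p == proto) and lo <= port <= hi
               for i, p, lo, hi in accepts)

def preflight(text, iface, ssh_port=22, sip_port=5060):
    """Findings to read before 'chkconfig iptables on'; an empty list means no concerns."""
    closed, accepts = parse_input_chain(text)
    findings = [] if closed else ["INPUT chain is not closed: no DROP policy or catch-all rule"]
    if not allowed(accepts, iface, "tcp", ssh_port):
        findings.append("LOCKOUT RISK: tcp/%d (sshd) is not accepted on %s" % (ssh_port, iface))
    for proto in ("tcp", "udp"):
        if not allowed(accepts, iface, proto, sip_port):
            findings.append("SIP %s/%d is not accepted on %s" % (proto, sip_port, iface))
    return findings
```

Run it against the real file with `preflight(open("/etc/sysconfig/iptables").read(), "venet0")` on an OpenVZ VPS, or with the port from `sshd_config` if it is not 22, and fix every LOCKOUT finding before enabling the service at boot.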

Also, iptables is already installed on sysadminman VPSs – you do not need to install it yourself










7 Comments

  1. areski:

    error on :
    iptables-save > /etc/sysconfig/iptables

    should be :
    iptables-save < /etc/sysconfig/iptables

  2. matt:

    Are you sure? I don’t think so. It’s just redirecting the rules back out to the iptables service config file. No real need to do that bit really I guess as you just updated the file directly anyway.

  3. Henry:

    Hi, I don’t have a lot of experience with iptables but I think I understand the script very well. I just don’t understand where the numbers between the [] come from like :OUTPUT ACCEPT [46823:2584014]. I have read a lot of iptables tutorials to see if I can find the answer myself but I have not been able to. The only thing I found is that they are packet count and byte count. Would you mind explaining it?

  4. matt:

    Hi Henry,

    It’s true that the numbers in the brackets are packet/byte counts for the rules. Editing the iptables file directly is not the ‘correct’ way to setup iptables (really it’s better to use the iptables command) but it’s a quick and easy hack.

    If you’re not doing any ip traffic accounting using iptables then you can just ignore the numbers. If you are then it’s probably best not to edit the iptables file in this way.

  5. VortexRotor:

    Great little How-To. I have been using Linux, IPtables, and Elastix for years and have also utilized a config as above.

    I would recommend for anyone whether your a veteran of everything *NIX or not and especially if your a novice to install and use webmin as it makes day-to-day management extremely simply and straight forward especially for IPTables config.

  6. matt:

    Good tip. Thanks. Webmin is great and very easy to install.

    You’ll need to open TCP port 10000 (the default) to be able to access the Webmin interface.

  7. Dan:

    iptables --list

    returns:

    [root@localhost ~]# iptables --list
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    DROP all -f anywhere anywhere
    DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
    DROP all -f anywhere anywhere
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
    DROP all -f anywhere anywhere
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    ACCEPT tcp -- anywhere anywhere tcp dpt:upnotifyp
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
    ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW
    ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW
    ACCEPT tcp -- anywhere anywhere tcp dpt:sip
    ACCEPT udp -- anywhere anywhere udp dpt:sip
    ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
    ACCEPT tcp -- anywhere anywhere tcp dpt:sip-tls
    ACCEPT udp -- anywhere anywhere udp dpt:sip-tls
    ACCEPT udp -- anywhere anywhere udp dpt:iax
    ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Would that indicate i have setup iptables correctly?
