iptables for asterisk

If you’re running Asterisk on a VPS or a dedicated server then setting up your iptables firewall can be tricky.

I thought I’d post my firewall script to help get you started. I save this script as /usr/local/bin/firewall.sh and then add a line to run it from /etc/rc.local.

It allows SSH’ing to the machine, plus the rules required for SIP connections (you will need other rules if you use IAX), plus some basic “bad stuff” filtering.

I’ve commented it so, hopefully, you’ll be able to figure out any changes you need.

#!/bin/bash
EXIF="eth0"

# Clear any existing firewall stuff before we start
/sbin/iptables --flush

# As the default policies, drop all incoming traffic but allow all
# outgoing traffic.  This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT ACCEPT

# Allow all incoming traffic if it is coming from the local loopback device
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Accept all incoming traffic associated with an established connection, or a "related" connection
/sbin/iptables -A INPUT -i $EXIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Check new packets are SYN packets for syn-flood protection
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop fragmented packets
/sbin/iptables -A INPUT -f -j DROP

# Drop malformed XMAS packets
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Drop null packets
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Allow connections to port 22 - ssh. You can add other ports you need in here
/sbin/iptables -A INPUT -p tcp -i $EXIF --dport 22 -m state --state NEW -j ACCEPT

# Allow connections from my machines
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 100.101.5.182 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 200.123.88.196 -j ACCEPT

# Allow SIP connections
/sbin/iptables -A INPUT -p udp -i $EXIF --dport 5060 -m udp -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF --dport 5060 -m tcp -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF --dport 10000:20000 -m udp -j ACCEPT

# Allow icmp input so that people can ping us
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# Log, then reject, any packets that are not allowed. The LOG rule is commented
# out here because you will probably want the logging turned off.
#/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT
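Because the script starts from a DROP policy, a wrong interface name or a missing rule can cut off the SSH session you are applying it from (the situation described in the comments below, where the fix suggested is to temporarily set the INPUT policy to ACCEPT). The following is an added example, not part of the original post: the same ruleset wrapped in a dead-man's switch that reverts to an open firewall unless you confirm from a fresh SSH session within a couple of minutes. It also carries an optional IAX2 rule, since IAX2 uses UDP port 4569 by default. The variable names IPT, ROLLBACK_SECS, CONFIRM_FILE, ROLLBACK_LOG and ALLOW_IAX, and the file paths under /tmp, are this example's own choices; set IPT=echo to print what would be run without touching the firewall.

```bash
#!/bin/bash
# Added example, not code from the original post: the post's ruleset applied
# through a dead-man's switch, so a typo in a default-DROP firewall on a remote
# VPS only locks you out until the timer reverts it. The names IPT, EXIF,
# ROLLBACK_SECS, CONFIRM_FILE, ROLLBACK_LOG and ALLOW_IAX are this example's own.

EXIF="${EXIF:-eth0}"                    # external interface (often venet0 on an OpenVZ VPS)
IPT="${IPT:-/sbin/iptables}"            # set IPT=echo to dry-run without touching netfilter
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"   # time you have to confirm from a fresh SSH session
CONFIRM_FILE="${CONFIRM_FILE:-/tmp/firewall.confirmed}"
ROLLBACK_LOG="${ROLLBACK_LOG:-/tmp/firewall-rollback.log}"
ALLOW_IAX="${ALLOW_IAX:-no}"            # IAX2 uses UDP 4569 by default

# Print the ruleset, one iptables argument list per line, without executing it.
# These are the post's rules in the post's order; only the IAX2 line is extra.
gen_rules() {
  cat <<EOF
--flush
--policy INPUT DROP
--policy OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $EXIF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp -i $EXIF --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -i $EXIF --dport 5060 -j ACCEPT
-A INPUT -p tcp -i $EXIF --dport 5060 -j ACCEPT
-A INPUT -p udp -i $EXIF --dport 10000:20000 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
EOF
  if [ "$ALLOW_IAX" = "yes" ]; then
    echo "-A INPUT -p udp -i $EXIF --dport 4569 -j ACCEPT"
  fi
  echo "-A INPUT -j REJECT"
}

# Run every line through iptables; stop at the first rule iptables refuses.
apply_rules() {
  while read -r line; do
    # shellcheck disable=SC2086  # splitting the line into arguments is intended
    $IPT $line || return 1
  done <<EOF
$(gen_rules)
EOF
}

# Revert to an open firewall (what the comments below end up doing by hand).
open_firewall() {
  $IPT --flush
  $IPT --policy INPUT ACCEPT
  $IPT --policy OUTPUT ACCEPT
}

# Background watchdog: unless confirm_firewall runs within ROLLBACK_SECS,
# the rules are reverted, so a lost SSH session is only temporary.
start_rollback_timer() {
  rm -f "$CONFIRM_FILE"
  (
    sleep "$ROLLBACK_SECS"
    if [ ! -e "$CONFIRM_FILE" ]; then
      echo "not confirmed within ${ROLLBACK_SECS}s, reverting to an open firewall"
      open_firewall
    fi
  ) >"$ROLLBACK_LOG" 2>&1 &
  ROLLBACK_PID=$!
  echo "$ROLLBACK_PID"
}

# Run this from a *new* SSH session once you know the rules let you back in.
confirm_firewall() {
  : >"$CONFIRM_FILE"
}

# Usage: firewall.sh apply   (open a second SSH session, then)   firewall.sh confirm
#        firewall.sh open    (revert by hand)    firewall.sh show   (print rules only)
# The timer is started before the rules so a rule that fails part way is reverted too.
case "${1:-}" in
  apply)   start_rollback_timer && apply_rules ;;
  confirm) confirm_firewall ;;
  open)    open_firewall ;;
  show)    gen_rules ;;
esac
```

Run `firewall.sh apply` over SSH, open a second SSH session and run `firewall.sh confirm` from it; if the second login fails, wait out the timer and the firewall opens itself again. Once the rules are known to be right, the plain script above can go into /etc/rc.local as the post describes.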

7 thoughts on “iptables for asterisk”

  1. matt Post author

    What port do you use for ssh? Is it the standard 22? If not you’d have to open the port you do use.

  2. zlotowinfo

    standard 22
    i changed only:
1. EXIF="eth0" to EXIF="venet0"

2. to my ip
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 100.101.5.182 -j ACCEPT

Server totally disconnected all users, stopped responding to ping, can't connect by SSH.

  3. zlotowinfo

Server is Trixbox (CentOS). Forgot to tell, it's a VPS, not a standard server. I'm using fail2ban too.

But someone is leeching my transfer; fail2ban is not blocking this.

  4. matt Post author

    Try changing this line –

/sbin/iptables --policy INPUT DROP

    to ACCEPT temporarily. This is the ‘block everything’ rule. Then you can start the firewall and see what’s happening, but without being blocked.

  5. zlotowinfo

I'm a total newbie on Linux. Trixbox: venet0 receive: 57.49 KB/s – venet0 transmit: 3.28 KB/s
2 days ago, when nobody was calling, it was 0/0,
now it's more; leeched transfer can disable my server some day in the month.

I don't know how to check where I lose transfer. Tried the rules at the bottom, but they block my server, can't use it.
Don't know what I can do. Tried iptraf, but there I see only 2-3 KB/s and don't see traffic by IP.
Even when I find the attacker, I can't stop him, because iptables with the rules at the bottom freezes the server's connections.

  6. matt Post author

    If you think that your VPS has been compromised I would definitely recommend getting a management company to have a look at it. Ideally raise a ticket with your VPS provider.
