If you’ve installed Asterisk and FreePBX, or you’re using one of the preconfigured distributions such as Trixbox or Elastix, it is a good idea to have the Linux firewall, iptables, running on your system. Here’s an example of how you could set this up.
First thing to note is that it’s pretty easy to lock yourself out of your server when playing around with iptables! It’s best to take a couple of simple precautions in case this happens.
These instructions should apply to CentOS/Redhat/Fedora.
1. First, stop iptables from starting automatically at boot by running –
2. Take a copy of your current iptables rules with –
3. Now edit /etc/sysconfig/iptables and replace the contents with –
The settings above make the following assumptions. Hopefully you can see what to change if any are wrong for your system.
4. Write the rules away with iptables-save to make sure everything is in the correct format –
5. Now (re)start iptables (do not enable the service at boot yet!) with –
* If you do get locked out at this point for some reason, at least you only have to get your server rebooted: iptables will not start automatically on reboot. It can get a lot more complicated to fix if iptables is set to auto start!
6. Test that everything is working OK. You can see your iptables rules by running –
7. Once you’re happy you can enable iptables at start up with –
I should stress again that you do this at your own risk. If you don’t have console access to the server it might be worth checking with your provider what the procedure is if you lock yourself out (and if it will cost you anything to get them to fix it!)
Also, iptables is already installed on sysadminman VPSs – you do not need to install it yourself.
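As an added example (not part of the original article), here is a small Python checker for the iptables-save format that /etc/sysconfig/iptables holds: it parses each chain's policy together with the bracketed [packets:bytes] counters, and verifies that the INPUT policy is DROP and that the ports the article's rule set opens for Asterisk (SIP 5060 tcp/udp, IAX 4569 udp, RTP 10000-20000 udp) are accepted. The sample rule set is a shortened copy constructed from the rules on this page; ASTERISK_PORTS and the function names are my own.

```python
import re

# Constructed sample: a shortened copy of the *filter table from the rule set on this
# page, in the iptables-save format that /etc/sysconfig/iptables holds.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [1:60]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
# Ports the page's rule set opens for Asterisk, as (proto, low, high).
ASTERISK_PORTS = (("tcp", 5060, 5060), ("udp", 5060, 5060), ("udp", 4569, 4569), ("udp", 10000, 20000))
# ":CHAIN POLICY [packets:bytes]" -- the bracketed numbers are traffic counters, not settings.
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")

def parse_filter_table(text):
    """Return ({chain: (policy, packets, bytes)}, {(proto, low, high) accepted on INPUT})."""
    policies, opened, table = {}, set(), None
    for line in text.splitlines():
        if line.startswith("*"):              # table header, e.g. *filter
            table = line[1:]
        elif line == "COMMIT":                # end of the current table
            table = None
        elif table != "filter":
            continue
        elif CHAIN_RE.match(line):
            chain, policy, pkts, nbytes = CHAIN_RE.match(line).groups()
            policies[chain] = (policy, int(pkts), int(nbytes))
        elif line.startswith("-A INPUT ") and line.endswith("-j ACCEPT") and "--dport" in line:
            r = line.split()                  # e.g. --dport 10000:20000 -> (udp, 10000, 20000)
            lo, _, hi = r[r.index("--dport") + 1].partition(":")
            opened.add((r[r.index("-p") + 1], int(lo), int(hi or lo)))
    return policies, opened

def audit(text):
    """List what is wrong: INPUT policy not DROP, or a required Asterisk port not opened."""
    policies, opened = parse_filter_table(text)
    problems = [] if policies.get("INPUT", ("",))[0] == "DROP" else ["INPUT policy is not DROP"]
    for proto, lo, hi in ASTERISK_PORTS:
        if not any(p == proto and a <= lo and hi <= b for p, a, b in opened):
            problems.append("missing %s %d-%d" % (proto, lo, hi))
    return problems
```

Run it against the output of `iptables-save` on the box to check a live rule set; the counters are reset to zero on `service iptables restart` unless you restore with `iptables-restore -c`.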
error on :
iptables-save > /etc/sysconfig/iptables
should be :
iptables-save < /etc/sysconfig/iptables
Are you sure? I don’t think so. It’s just redirecting the rules back out to the iptables service config file. No real need to do that bit really I guess as you just updated the file directly anyway.
Hi, I don’t have a lot of experience with iptables but I think I understand the script very well. I just don’t understand where the numbers between the [] come from like :OUTPUT ACCEPT [46823:2584014]. I have read a lot of iptables tutorials to see if I can find the answer myself but I have not been able to. The only thing I found is that they are packet count and byte count. Would you mind explaining it?
Hi Henry,
It’s true that the numbers in the brackets are packet/byte counts for the rules. Editing the iptables file directly is not the ‘correct’ way to setup iptables (really it’s better to use the iptables command) but it’s a quick and easy hack.
If you’re not doing any ip traffic accounting using iptables then you can just ignore the numbers. If you are then it’s probably best not to edit the iptables file in this way.
Great little How-To. I have been using Linux, IPtables, and Elastix for years and have also utilized a config as above.
I would recommend for anyone, whether you’re a veteran of everything *NIX or not, and especially if you’re a novice, to install and use webmin, as it makes day-to-day management extremely simple and straightforward, especially for IPTables config.
Good tip. Thanks. Webmin is great and very easy to install.
You’ll need to open TCP port 10000 (the default) to be able to access the Webmin interface.
iptables --list
returns:
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -f anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP all -f anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP all -f anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT tcp -- anywhere anywhere tcp dpt:upnotifyp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:sip
ACCEPT udp -- anywhere anywhere udp dpt:sip
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
ACCEPT tcp -- anywhere anywhere tcp dpt:sip-tls
ACCEPT udp -- anywhere anywhere udp dpt:sip-tls
ACCEPT udp -- anywhere anywhere udp dpt:iax
ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Would that indicate I have set up iptables correctly?
I’m setting up a VOIP telephony system at the moment and my network is as follows:
Internet -> Thomson TG585V7 modem (as NAT and gateway as well) -> Linksys WRT54GL router (as NAT and gateway as well) -> IP PBX server (virtual PC) and IP phones.
The IP addressing of this network is as below:
Internet
||
|| WAN1 (Public IP 10.10.20.20)
Thomson Modem
|| LAN1 (192.168.1.1/24)
||
|| WAN2 (192.168.1.2)
Linksys Router
|| LAN2 (192.168.100.1/24)
||
||
Asterisk IP PBX Server with FreePBX (192.168.100.10)
||
\/
IPphone1(Extension 100)(192.168.100.11)
IPphone2(Extension 101)(192.168.100.12)
– In the modem, I did NAT UDP & TCP port 5060-5060 and TCP port 10000-20000 to 192.168.1.2
– In router, I did NAT UDP & TCP port 5060-5060 and TCP port 10000-20000 to 192.168.100.10
– Ext 100 and 101 can communicate as normal
But when calling an inbound DID number (forwarded to IPphone1 through the extensions_custom.conf file in the IP PBX server), the caller can hear the callee, but the callee can’t hear the caller. This is called one-way audio problem in a double NAT setup.
From the tshark output obtained on the IP PBX server (192.168.100.10), there is the below output:
7.222488 81.201.84.140 -> 192.168.100.10 ICMP Destination unreachable (Port unreachable)
81.201.84.140 is the POP IP of the DID service provider and 192.168.100.10 is the IP PBX server at my end.
From this tshark output, it looks like the port forwarding setup in the Linksys NAT router didn’t do the job properly. The ports specified there haven’t been opened and forwarded when necessary, and this may be the root cause of the one-way audio problem in this double NAT setup.
I know that in one of the dd-wrt web config pages you can save some custom iptables firewall rules through the command shell. Is it necessary and possible to save some custom iptables firewall rules there to solve the problem, i.e. the problem that the port forwarding setup doesn’t do the job? If it is necessary, how do I do this? Can you give some examples?
By the way, if I remove the Linksys NAT router and directly connect the IP PBX server and the IP phones to the modem, then I get two-way audio. There is no one-way audio in a single NAT setup in this case.
Another place to look at is the firewall rules setup in the IP PBX server (192.168.100.10). I referred to the example in http://sysadminman.net/blog/2009/iptables-for-asterisk-and-freepbx-772
*mangle
:PREROUTING ACCEPT [83145:120824770]
:INPUT ACCEPT [83145:120824770]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [46823:2584014]
:POSTROUTING ACCEPT [46823:2584014]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:60]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5061 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5061 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [164:6544]
:POSTROUTING ACCEPT [148:8939]
:OUTPUT ACCEPT [148:8939]
COMMIT
and put them in /etc/sysconfig/iptables, but the “7.222488 81.201.84.140 -> 192.168.100.10 ICMP Destination unreachable (Port unreachable)” is still shown in the tshark output file on the IP PBX server. Do you think this is the firewall rules not being set up appropriately?
There is something I don’t quite understand in this example: how do you generate this file? How do you generate this information:
:PREROUTING ACCEPT [83145:120824770]
:INPUT ACCEPT [83145:120824770]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [46823:2584014]
:POSTROUTING ACCEPT [46823:2584014]
and what do they mean? For the last one, “:POSTROUTING ACCEPT [46823:2584014]”, why “[46823:2584014]” and not, say, “[42121:24014]”?
It would be much appreciated if you could reply to me by email.
[…] to sysadminman who originally wrote the guideline, I’m just here trying to reimplement and spread out his […]
I have a question: in each install I’ve made, there has been no /etc/sysconfig/iptables file. There has always been a /etc/sysconfig/iptables-config file. When I create the file /etc/sysconfig/iptables, and then run the command iptables-save > /etc/sysconfig/iptables, my changes have NEVER been taken. What am I doing wrong? Please advise. Thanks as always!
Hi Krystyna,
The file is empty initially because there are no firewall rules.
What ‘service iptables save’ does is write the active firewall rules to that file.
If you’re editing the file manually anyway you want to be doing –
service iptables restart
service iptables save
afterwards.
Cheers, Matt
Hi Matt!
Yes, the instructions you gave in the comment worked.. somewhat. I did the other tutorial on fail2ban, but I don’t see the fail2ban entries (here is the tutorial http://sysadminman.net/blog/2010/blocking-asterisk-hackingscanning-attempts-with-fail2ban-1392)
Did the config get overwritten? I manually updated the file, however, I didn’t erase the Fail2Ban entries that were found.
Cheers as always!
You probably want to ..
service fail2ban restart
after doing …
service iptables restart
Hi Matt! How would I setup a log file where I can see which IP have been blocked by Fail2ban? Would I need to edit my IPtables config or my fail2ban config? Please advise (here is the tutorial http://sysadminman.net/blog/2010/blocking-asterisk-hackingscanning-attempts-with-fail2ban-1392)
I think the default log is /var/log/fail2ban.log, which shows you everything it’s doing.
You can also get it to e-mail you when an IP is blocked. Have a look in /etc/fail2ban/jail.conf