SysAdminMan

iptables for Asterisk and FreePBX

1 July 2009, by Matt, in Asterisk

If you’ve installed Asterisk and FreePBX, or you’re using one of the preconfigured distributions such as Trixbox or Elastix, it’s a good idea to have the Linux firewall, iptables, running on your system. Here’s an example of how you could set this up.

First thing to note is that it’s pretty easy to lock yourself out of your server when playing around with iptables! It’s best to take a couple of simple precautions in case this happens.

These instructions should apply to CentOS/Red Hat/Fedora (the releases that use /etc/sysconfig/iptables with the chkconfig and service commands).

1. First stop iptables automatically starting at boot by running –

# chkconfig iptables off

2. Take a copy of your current iptables rules with –

# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig

(If the file doesn’t exist yet, because no rules have ever been saved on this machine, cp will complain and there is nothing to back up; just carry on.)

3. Now edit /etc/sysconfig/iptables and replace the contents with –

*mangle
:PREROUTING ACCEPT [83145:120824770]
:INPUT ACCEPT [83145:120824770]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [46823:2584014]
:POSTROUTING ACCEPT [46823:2584014]
COMMIT
*filter
# Default policy: anything arriving that no rule below accepts is dropped.
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:60]
# Declared but never jumped to; a harmless leftover from the stock Red Hat ruleset.
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections this host started (note: matched on eth0 only).
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# New TCP connections must begin with a plain SYN; drop fragments and XMAS/NULL scans.
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# Flash Operator Panel
-A INPUT -i eth0 -p tcp -m tcp --dport 4445 -j ACCEPT
# SSH and the FreePBX web interface (HTTPS only)
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
# SIP signalling on 5060 (TCP and UDP)
-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
# RTP media, the default rtp.conf range
-A INPUT -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
# SIP on 5061 (the usual SIP/TLS port)
-A INPUT -i eth0 -p tcp -m tcp --dport 5061 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5061 -j ACCEPT
# IAX2
-A INPUT -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
# Allow ping; everything else gets an explicit reject rather than a silent drop.
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [164:6544]
:POSTROUTING ACCEPT [148:8939]
:OUTPUT ACCEPT [148:8939]
COMMIT

The settings above make the following assumptions. Hopefully you can see what to change if any are wrong for your system.

  • SSH is listening on port 22. This is the default but people do run sshd on different ports. Make sure this is correct for your system or you are likely to lock yourself out
  • You need access to the Flash Operator Panel. If you don’t then you can remove the line for port 4445
  • You are only using HTTPS (port 443) to access FreePBX on your server. If you are using regular HTTP duplicate the line for port 443 but change the port number to 80
  • You are using ports 5060/5061 for SIP traffic
  • RTP media is using the default range from rtp.conf, UDP ports 10000 to 20000. If you have changed rtpstart/rtpend, change the 10000:20000 line to match, otherwise calls will connect with no audio
  • You are using the standard port, 4569, for IAX2 traffic
  • Your external interface is eth0. If this is not the case change all occurrences of this to the correct value. If you are doing this on an OpenVZ VPS you can change all the occurrences of ‘eth0’ to ‘venet0’. Note that the RELATED,ESTABLISHED rule is tied to eth0 as well, so on a machine with a second interface replies arriving there will be rejected unless you add a matching rule for it (or drop the ‘-i eth0’ from that line)

Two further points worth knowing. The ‘-f’ rule does very little once connection tracking is loaded (which the ‘-m state’ rules do), because the kernel reassembles fragments before the filter table sees them; it is harmless, just not much of a defence. More importantly, ports 5060 and 4569 are open to the whole internet here. That is what you need for remote phones and trunks, but it also means every SIP scanner that finds your address will start trying extensions and passwords against it, so use strong SIP secrets and look at the related posts on limiting SIP/IAX connections with iptables and on fail2ban.

4. There is no conversion step needed here. iptables-save prints the rules currently loaded in the kernel, not the contents of the file, so running ‘iptables-save > /etc/sysconfig/iptables’ at this point would overwrite the edit you just made with the old rules (or with nothing, if iptables wasn’t running) and the next step would quietly load those instead. The init script reads the file you edited directly.

5. Now (re)start iptables (do not enable the service at boot yet!) with –

# service iptables restart

If the restart reports an error, one of the lines in the file is malformed; iptables-restore tells you the line number it failed on, and nothing is changed until the whole file loads cleanly.

* If you do get locked out at this point for some reason at least you only have to get your server rebooted. iptables will not start automatically on reboot. It can get a lot more complicated to fix if iptables is set to auto start!

6. Test everything is working ok: open a second SSH session (keep the first one open), log in to the FreePBX web interface, and check that a phone can still register and that calls have audio in both directions. You can see the rules that are actually loaded, with interfaces and per-rule hit counters, by running –

# iptables -L -n -v

(-n stops iptables translating port numbers into service names from /etc/services, which otherwise shows 5060 as ‘sip’ and the RTP range as an odd pair of unrelated names; -v adds the interface column so you can confirm the eth0 rules are the ones being hit.)

7. Once you’re happy you can enable iptables at start up with –

# chkconfig iptables on

I should stress again that you do this at your own risk. If you don’t have console access to the server it might be worth checking with your provider what the procedure is if you lock yourself out (and if it will cost you anything to get them to fix it!)

Also, iptables is already installed on sysadminman VPSs – you do not need to install it yourself
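As an added example (not code from the original post, and not anything shipped with FreePBX or Asterisk), here is the procedure above wrapped in a small POSIX shell script. It generates the filter rules from a few variables so the assumptions in the list above are explicit, and it applies them with an automatic rollback, so a wrong SSH port or interface name costs you two minutes rather than a call to your provider. Everything about the host is an assumption you can override with environment variables: external interface eth0, SSH on 22, FreePBX on HTTPS only, RTP on 10000-20000, SIP 5060/5061, IAX2 4569, and a CentOS-style init script that provides ‘service iptables save’. It manages only the filter table (the mangle and nat sections of the file above are left alone) and needs root to apply.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the Asterisk/FreePBX
# ruleset from a few variables and applies it with an automatic rollback.
# Assumptions (override via environment): external interface eth0, SSH on 22,
# FreePBX on HTTPS only, RTP 10000-20000, SIP 5060/5061, IAX2 4569, and a
# CentOS-style init script providing 'service iptables save'.

IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-443}"          # "80 443" if FreePBX is also on plain HTTP
RTP_RANGE="${RTP_RANGE:-10000:20000}"  # Asterisk rtp.conf default
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Print a filter-table ruleset in iptables-restore format to stdout.
gen_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections we started, on any interface (not just $IFACE).
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # New TCP connections must start with a bare SYN; drop XMAS and NULL scans.
    echo '-A INPUT -p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP'
    echo '-A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP'
    echo '-A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP'
    echo "-A INPUT -i $IFACE -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT"
    for p in $WEB_PORTS; do
        echo "-A INPUT -i $IFACE -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in 5060 5061; do                                      # SIP signalling
        echo "-A INPUT -i $IFACE -p tcp --dport $p -j ACCEPT"
        echo "-A INPUT -i $IFACE -p udp --dport $p -j ACCEPT"
    done
    echo "-A INPUT -i $IFACE -p udp --dport $RTP_RANGE -j ACCEPT"   # RTP media
    echo "-A INPUT -i $IFACE -p udp --dport 4569 -j ACCEPT"         # IAX2
    echo '-A INPUT -p icmp --icmp-type 8 -j ACCEPT'                 # ping
    echo '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    echo 'COMMIT'
}

# Number of ACCEPT rules opened on the external interface: a cheap sanity
# check to eyeball before applying (an empty WEB_PORTS or a typo shows up here).
count_open_ports() {
    gen_rules | grep -c -- "-i $IFACE .* -j ACCEPT"
}

# Save the live rules, load the new ones, and restore the old ones
# automatically unless the operator confirms from a fresh SSH session.
apply_with_rollback() {
    backup=$(mktemp /tmp/iptables.XXXXXX) || return 1
    iptables-save > "$backup"
    if ! gen_rules | iptables-restore; then
        echo "ruleset rejected by iptables-restore, nothing changed" >&2
        return 1
    fi
    ( sleep "$ROLLBACK_SECS"; iptables-restore < "$backup"; echo "rolled back" >&2 ) &
    watchdog=$!
    printf 'New rules are live. Open a NEW ssh session to check, then press Enter here within %ss: ' "$ROLLBACK_SECS"
    read -r answer
    if kill "$watchdog" 2>/dev/null; then
        service iptables save        # persist to /etc/sysconfig/iptables
        echo "rules kept and saved"
    else
        echo "too late, the old rules were already restored" >&2
        return 1
    fi
}

case "${1:-}" in
    show)  gen_rules ;;
    check) echo "$(count_open_ports) rules open on $IFACE" ;;
    apply) apply_with_rollback ;;
esac
```

Run it as ‘sh firewall.sh show’ to review the generated rules, ‘SSH_PORT=2222 WEB_PORTS="80 443" sh firewall.sh show’ to see how the variables change them, and ‘sh firewall.sh apply’ as root to load them with the rollback armed. The rollback works because the watchdog subshell is independent of your SSH session: if the new rules cut you off, nothing stops it sleeping out and restoring the backup, whereas if you confirm in time the kill prevents the restore from ever running.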


Related posts:
  1. iptables for asterisk
  2. Limiting SIP/IAX connections to Asterisk with IPTables
  3. Restricting web interface access with iptables
  4. Limit SMTP connections for OpenVZ VPS


15 comments

areski
6 August 2009 5:01 pm

error on :
iptables-save > /etc/sysconfig/iptables

should be :
iptables-save < /etc/sysconfig/iptables

matt
6 August 2009 5:13 pm

Are you sure? I don’t think so. It’s just redirecting the rules back out to the iptables service config file. No real need to do that bit really I guess as you just updated the file directly anyway.

Henry
9 November 2009 4:01 am

Hi, I don’t have a lot of experience with iptables but I think I understand the script very well. I just don’t understand where the numbers between the [] come from like :OUTPUT ACCEPT [46823:2584014]. I have read a lot of iptables tutorials to see if I can find the answer myself but I have not been able to. The only thing I found is that they are packet count and byte count. Would you mind explaining it?

matt
9 November 2009 7:21 pm

Hi Henry,

It’s true that the numbers in the brackets are packet/byte counts for the rules. Editing the iptables file directly is not the ‘correct’ way to setup iptables (really it’s better to use the iptables command) but it’s a quick and easy hack.

If you’re not doing any ip traffic accounting using iptables then you can just ignore the numbers. If you are then it’s probably best not to edit the iptables file in this way.

VortexRotor
6 February 2010 5:57 pm

Great little How-To. I have been using Linux, iptables, and Elastix for years and have also utilized a config as above.

I would recommend for anyone, whether you’re a veteran of everything *NIX or not, and especially if you’re a novice, to install and use Webmin, as it makes day-to-day management extremely simple and straightforward, especially for iptables config.

matt
6 February 2010 6:03 pm

Good tip. Thanks. Webmin is great and very easy to install.

You’ll need to open TCP port 10000 (the default) to be able to access the Webmin interface.

Dan
9 January 2011 9:09 pm

iptables --list

returns:

# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -f anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP all -f anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP all -f anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT tcp -- anywhere anywhere tcp dpt:upnotifyp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:sip
ACCEPT udp -- anywhere anywhere udp dpt:sip
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
ACCEPT tcp -- anywhere anywhere tcp dpt:sip-tls
ACCEPT udp -- anywhere anywhere udp dpt:sip-tls
ACCEPT udp -- anywhere anywhere udp dpt:iax
ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Would that indicate I have set up iptables correctly?

david su
30 August 2012 2:41 am

I’m setting up a VOIP telephony system at the moment and my network is as follows:

Internet -> Thomson TG585V7 modem (as NAT and gateway as well) -> Linksys WRT54GL router (as NAT and gateway as well) -> IP PBX server (virtual PC) and IP phones.

The IP addressing of this network is as below:

Internet
||
|| WAN1 (Public IP 10.10.20.20)
Thomson Modem
|| LAN1 (192.168.1.1/24)
||
|| WAN2 (192.168.1.2)
Linksys Router
|| LAN2 (192.168.100.1/24)
||
||
Asterisk IP PBX Server with FreePBX (192.168.100.10)
||
\/
IPphone1(Extension 100)(192.168.100.11)
IPphone2(Extension 101)(192.168.100.12)

– In the modem, I did NAT UDP & TCP port 5060-5060 and TCP port 10000-20000 to 192.168.1.2
– In router, I did NAT UDP & TCP port 5060-5060 and TCP port 10000-20000 to 192.168.100.10
– Ext 100 and 101 can communicate as normal

But when calling an inbound DID number (forwarded to IPphone1 through the extensions_custom.conf file in the IP PBX server), the caller can hear the callee, but the callee can’t hear the caller. This is called one-way audio problem in a double NAT setup.

From the tshark output got from the IP PBX server (192.168.100.10), there is the below output:

7.222488 81.201.84.140 -> 192.168.100.10 ICMP Destination unreachable (Port unreachable)

The 81.201.84.140 is the IP of the POP IP of the DID service provider and the IP 192.168.100.10 is the IP PBX server in my end.

From this tshark output, it looks like that the port forwarding setup in the Linksys NAT router didn’t do the job properly. The ports specified there haven’t opened and forwarded when necessary, and this may be the root cause of the one-way audio problem in this double NAT setup.

I know in one of the dd-wrt web config pages, can save some custom iptable firewall rules there through command shell. Is it necessary and possible to save some custom iptables firewall rules there to solve the problem, i.e. the problem that the port forwarding setup doesn’t do the job. If it is necessary, how to do this? Can you give some examples?

By the way, if removing the Linksys NAT router and directly connect the IP PBX sever and the IP phones to the modem, then can get two-way audio. There is no one-way audio in a single NAT setup in this case.

another place to look at is the firewall rules setup in the IP PBX server (192.168.100.10). I refer to the example in http://sysadminman.net/blog/2009/iptables-for-asterisk-and-freepbx-772

*mangle
:PREROUTING ACCEPT [83145:120824770]
:INPUT ACCEPT [83145:120824770]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [46823:2584014]
:POSTROUTING ACCEPT [46823:2584014]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:60]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5061 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5061 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [164:6544]
:POSTROUTING ACCEPT [148:8939]
:OUTPUT ACCEPT [148:8939]
COMMIT

and put them in /etc/sysconfig/iptables, but the “7.222488 81.201.84.140 -> 192.168.100.10 ICMP Destination unreachable (Port unreachable)” still shown in the tshark output file in IP PBX server. do you think this is the firewall rules not setup appropriately?

There is something I don’t quite understand in this example – how do you generate this file? How do you generate this information:
:PREROUTING ACCEPT [83145:120824770]
:INPUT ACCEPT [83145:120824770]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [46823:2584014]
:POSTROUTING ACCEPT [46823:2584014]
and what do they mean? For the last one, “:POSTROUTING ACCEPT [46823:2584014]”, why not “[42121:24014]” rather than “[46823:2584014]”?

It would be much appreciated if you could reply to my email.

Increase security level of your asterisk server if you have it with public IP! | Web Your Business Future
19 October 2012 12:30 pm

[…] to sysadminman who originally wrote the guideline, I’m just here trying to reimplement and spread out his […]

Krystyna
23 November 2012 3:26 pm

I have a question: in each install I’ve made, there has been no /etc/sysconfig/iptables file. There has always been a /etc/sysconfig/iptables-config file. When I create the file /etc/sysconfig/iptables, and then run the command iptables-save > /etc/sysconfig/iptables, my changes have NEVER been taken. What am I doing wrong? Please advise. Thanks as always!

matt
23 November 2012 3:30 pm

Hi Krystyna,

The file is empty initially because there are no firewall rules.

What ‘service iptables save’ does is write the active firewall rules to that file.

If you’re editing the file manually anyway you want to be doing –

service iptables restart
service iptables save

afterwards.

Cheers, Matt

Krystyna
23 November 2012 6:58 pm

Hi Matt!

Yes, the instructions you gave in the comment worked... somewhat. I did the other tutorial on fail2ban, but I don’t see the fail2ban entries (here is the tutorial http://sysadminman.net/blog/2010/blocking-asterisk-hackingscanning-attempts-with-fail2ban-1392)

Did the config get overwritten? I manually updated the file, however, I didn’t erase the Fail2Ban entries that were found.

Cheers as always!

matt
23 November 2012 8:41 pm

You probably want to ..

service fail2ban restart

after doing …

service iptables restart

Krystyna
21 February 2013 1:40 am

Hi Matt! How would I setup a log file where I can see which IP have been blocked by Fail2ban? Would I need to edit my IPtables config or my fail2ban config? Please advise (here is the tutorial http://sysadminman.net/blog/2010/blocking-asterisk-hackingscanning-attempts-with-fail2ban-1392)

matt
21 February 2013 8:18 am

I think the default log is /var/log/fail2ban.log, which shows you everything it’s doing.

You can also get it to e-mail you when an IP is blocked. Have a look in /etc/fail2ban/jail.conf


© 2015 SysAdminMan Ltd