iptables for Asterisk and FreePBX

If you’ve installed Asterisk and FreePBX, or you’re using one of the preconfigured distributions such as Trixbox or Elastix, it is a good idea to have the Linux firewall, iptables, running on your system. Here’s an example of how you could set this up.

First thing to note is that it’s pretty easy to lock yourself out of your server when playing around with iptables! It’s best to take a couple of simple precautions in case this happens.

These instructions should apply to CentOS/Redhat/Fedora.

1. First stop iptables automatically starting at boot by running –

# chkconfig iptables off

2. Take a copy of your current iptables rules with –

# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig

3. Now edit /etc/sysconfig/iptables and replace the contents with –

*mangle
:PREROUTING ACCEPT [83145:120824770]
:INPUT ACCEPT [83145:120824770]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [46823:2584014]
:POSTROUTING ACCEPT [46823:2584014]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:60]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5061 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5061 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [164:6544]
:POSTROUTING ACCEPT [148:8939]
:OUTPUT ACCEPT [148:8939]
COMMIT

The settings above make the following assumptions. Hopefully you can see what to change if any are wrong for your system.

  • SSH is listening on port 22. This is the default but people do run sshd on different ports. Make sure this is correct for your system or you are likely to lock yourself out
  • You need access to the Flash Operator Panel. If you don’t then you can remove the line for port 4445
  • You are only using HTTPS (port 443) to access FreePBX on your server. If you are using regular HTTP duplicate the line for port 443 but change the port number to 80
  • You are using ports 5060/5061 for SIP traffic
  • You are using the standard port, 4569, for IAX2 traffic
  • Your external interface is eth0. If this is not the case change all occurrences of this to the correct value. If you are doing this on an OpenVZ VPS you can change all the occurrences of ‘eth0’ to ‘venet0’
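As an added example (not code from the original post), here is a small Python script that produces the rules file from the assumptions in the list above, so that the interface, the SSH port and the HTTP/FOP choices become parameters instead of hand edits. It reads the SSH port out of an sshd_config text, because that is the assumption most likely to lock you out when it is wrong. The layout follows the ruleset above, with the counters written as [0:0] and the unused RH-Firewall-1-INPUT chain declaration left out; the script name and the /etc/ssh/sshd_config path are assumptions.

```python
"""Generate the iptables-save style ruleset from the assumptions listed above."""
import re


def sshd_port(sshd_config_text):
    """Port from an sshd_config text; 22 when no uncommented Port line is present.
    Only the first Port directive is honoured, which covers the usual single-port setup."""
    for line in sshd_config_text.splitlines():
        m = re.match(r"^\s*Port\s+(\d+)\s*$", line, re.IGNORECASE)
        if m:
            return int(m.group(1))
    return 22


def build_rules(iface="eth0", ssh_port=22, http=False, https=True, fop=True,
                sip_port=5060, sip_tls_port=5061, rtp_range=(10000, 20000), iax_port=4569):
    """Return the complete file text (mangle, filter and nat tables).
    Counters are written as [0:0]: they are accounting only and are not needed to load the rules."""
    def accept(proto, port, new_only=False):
        state = " -m state --state NEW" if new_only else ""
        return "-A INPUT -i %s -p %s -m %s --dport %s%s -j ACCEPT" % (iface, proto, proto, port, state)

    filt = [
        "*filter", ":INPUT DROP [0:0]", ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -i %s -m state --state RELATED,ESTABLISHED -j ACCEPT" % iface,
        # malformed TCP flag combinations and fragments, kept as in the ruleset above
        "-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP",
        "-A INPUT -f -j DROP",
        "-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP",
        "-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP",
    ]
    if fop:
        filt.append(accept("tcp", 4445))                 # Flash Operator Panel
    filt.append(accept("tcp", ssh_port, new_only=True))  # must match what sshd really uses
    if https:
        filt.append(accept("tcp", 443, new_only=True))
    if http:
        filt.append(accept("tcp", 80, new_only=True))
    filt += [accept("tcp", sip_port), accept("udp", sip_port),
             accept("udp", "%d:%d" % rtp_range),          # RTP media is UDP only
             accept("tcp", sip_tls_port), accept("udp", sip_tls_port),
             accept("udp", iax_port)]
    filt += ["-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT",
             "-A INPUT -j REJECT --reject-with icmp-port-unreachable", "COMMIT"]
    mangle = ["*mangle"] + [":%s ACCEPT [0:0]" % c for c in
              ("PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING")] + ["COMMIT"]
    nat = ["*nat"] + [":%s ACCEPT [0:0]" % c for c in
           ("PREROUTING", "POSTROUTING", "OUTPUT")] + ["COMMIT"]
    return "\n".join(mangle + filt + nat) + "\n"


if __name__ == "__main__":
    # Take the SSH port from the live sshd_config (assumed stock CentOS path) so the
    # rule cannot silently disagree with sshd, which is the lock-out the text warns about.
    try:
        port = sshd_port(open("/etc/ssh/sshd_config").read())
    except OSError:
        port = 22
    print(build_rules(ssh_port=port), end="")
```

Redirect the output into /etc/sysconfig/iptables in place of the hand-written file, then carry on from step 4. If your iptables-restore supports the --test option, feeding it the generated file first parses the ruleset without loading it, which catches a typo before it can lock you out.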

4. Write the rules away with iptables-save to make sure everything is in the correct format –

# iptables-save > /etc/sysconfig/iptables

5. Now (re)start iptables (do not enable the service at boot yet!) with –

# service iptables restart

* If you do get locked out at this point for some reason at least you only have to get your server rebooted. iptables will not start automatically on reboot. It can get a lot more complicated to fix if iptables is set to auto start!

6. Test everything is working ok. You can see your iptables rules by running –

# iptables --list

7. Once you’re happy you can enable iptables at start up with –

# chkconfig iptables on

I should stress again that you do this at your own risk. If you don’t have console access to the server it might be worth checking with your provider what the procedure is if you lock yourself out (and if it will cost you anything to get them to fix it!)

Also, iptables is already installed on sysadminman VPSs – you do not need to install it yourself

15 thoughts on “iptables for Asterisk and FreePBX”

  1. areski

    error on :
    iptables-save > /etc/sysconfig/iptables

    should be :
    iptables-save < /etc/sysconfig/iptables

  2. matt Post author

    Are you sure? I don’t think so. It’s just redirecting the rules back out to the iptables service config file. No real need to do that bit really I guess as you just updated the file directly anyway.

  3. Henry

    Hi, I don’t have a lot of experience with iptables but I think I understand the script very well. I just don’t understand where the numbers between the [] come from like :OUTPUT ACCEPT [46823:2584014]. I have read a lot of iptables tutorials to see if I can find the answer myself but I have not been able to. The only thing I found is that they are packet count and byte count. Would you mind explaining it?

  4. matt Post author

    Hi Henry,

    It’s true that the numbers in the brackets are packet/byte counts for the rules. Editing the iptables file directly is not the ‘correct’ way to setup iptables (really it’s better to use the iptables command) but it’s a quick and easy hack.

    If you’re not doing any ip traffic accounting using iptables then you can just ignore the numbers. If you are then it’s probably best not to edit the iptables file in this way.

  5. VortexRotor

    Great little How-To. I have been using Linux, IPtables, and Elastix for years and have also utilized a config as above.

    I would recommend for anyone, whether you’re a veteran of everything *NIX or not, and especially if you’re a novice, to install and use webmin as it makes day-to-day management extremely simple and straightforward, especially for IPTables config.

  6. matt Post author

    Good tip. Thanks. Webmin is great and very easy to install.

    You’ll need to open TCP port 10000 (the default) to be able to access the Webmin interface.

  7. Dan

    iptables --list

    returns:

    [[email protected] ~]# iptables --list
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    DROP all -f anywhere anywhere
    DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
    DROP all -f anywhere anywhere
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
    DROP all -f anywhere anywhere
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    ACCEPT tcp -- anywhere anywhere tcp dpt:upnotifyp
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
    ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW
    ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW
    ACCEPT tcp -- anywhere anywhere tcp dpt:sip
    ACCEPT udp -- anywhere anywhere udp dpt:sip
    ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
    ACCEPT tcp -- anywhere anywhere tcp dpt:sip-tls
    ACCEPT udp -- anywhere anywhere udp dpt:sip-tls
    ACCEPT udp -- anywhere anywhere udp dpt:iax
    ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Would that indicate i have setup iptables correctly?

  8. david su

    I’m setting up a VOIP telephony system at the moment and my network is as follows:

    Internet -> Thomson TG585V7 modem (as NAT and gateway as well) -> Linksys WRT54GL router (as NAT and gateway as well) -> IP PBX server (virtual PC) and IP phones.

    The IP addressing of this network is as below:

    Internet
    ||
    || WAN1 (Public IP 10.10.20.20)
    Thomson Modem
    || LAN1 (192.168.1.1/24)
    ||
    || WAN2 (192.168.1.2)
    Linksys Router
    || LAN2 (192.168.100.1/24)
    ||
    ||
    Asterisk IP PBX Server with FreePBX (192.168.100.10)
    ||
    \/
    IPphone1(Extension 100)(192.168.100.11)
    IPphone2(Extension 101)(192.168.100.12)

    – In the modem, I did NAT UDP & TCP port 5060-5060 and TCP port 10000-20000 to 192.168.1.2
    – In router, I did NAT UDP & TCP port 5060-5060 and TCP port 10000-20000 to 192.168.100.10
    – Ext 100 and 101 can be communicated as normal

    But when calling an inbound DID number (forwarded to IPphone1 through the extensions_custom.conf file in the IP PBX server), the caller can hear the callee, but the callee can’t hear the caller. This is called one-way audio problem in a double NAT setup.

    From the tshark output got from the IP PBX server (192.168.100.10), there is the below output:

    7.222488 81.201.84.140 -> 192.168.100.10 ICMP Destination unreachable (Port unreachable)

    The 81.201.84.140 is the IP of the POP IP of the DID service provider and the IP 192.168.100.10 is the IP PBX server in my end.

    From this tshark output, it looks like that the port forwarding setup in the Linksys NAT router didn’t do the job properly. The ports specified there haven’t opened and forwarded when necessary, and this may be the root cause of the one-way audio problem in this double NAT setup.

    I know in one of the dd-wrt web config pages, can save some custom iptable firewall rules there through command shell. Is it necessary and possible to save some custom iptables firewall rules there to solve the problem, i.e. the problem that the port forwarding setup doesn’t do the job. If it is necessary, how to do this? Can you give some examples?

    By the way, if removing the Linksys NAT router and directly connect the IP PBX sever and the IP phones to the modem, then can get two-way audio. There is no one-way audio in a single NAT setup in this case.

    another place to look at is the firewall rules setup in the IP PBX server (192.168.100.10). I refer to the example in http://sysadminman.net/blog/2009/iptables-for-asterisk-and-freepbx-772

    *mangle
    :PREROUTING ACCEPT [83145:120824770]
    :INPUT ACCEPT [83145:120824770]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [46823:2584014]
    :POSTROUTING ACCEPT [46823:2584014]
    COMMIT
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1:60]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
    -A INPUT -f -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --dport 4445 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 5061 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 5061 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-port-unreachable
    COMMIT
    *nat
    :PREROUTING ACCEPT [164:6544]
    :POSTROUTING ACCEPT [148:8939]
    :OUTPUT ACCEPT [148:8939]
    COMMIT

    and put them in /etc/sysconfig/iptables, but the “7.222488 81.201.84.140 -> 192.168.100.10 ICMP Destination unreachable (Port unreachable)” still shown in the tshark output file in IP PBX server. do you think this is the firewall rules not setup appropriately?

    there is something I don’t quite understand in this example – how do you generate this file? how do you generate this information

    :PREROUTING ACCEPT [83145:120824770]
    :INPUT ACCEPT [83145:120824770]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [46823:2584014]
    :POSTROUTING ACCEPT [46823:2584014]

    and what does it mean? for the last one “:POSTROUTING ACCEPT [46823:2584014]”, why not “[42121:24014]” rather than “[46823:2584014]”?

    it is much appreciated if you can reply me to my email.

  9. Pingback: Increase security level of your asterisk server if you have it with public IP! | Web Your Business Future

  10. Krystyna

    I have a question: in each install I’ve made, there has been no /etc/sysconfig/iptables file. There has always been a /etc/sysconfig/iptables-config file. When I create the file /etc/sysconfig/iptables, and then run the command iptables-save > /etc/sysconfig/iptables, my changes have NEVER be taken. What am I doing wrong? Please advise. Thanks as always!

  11. matt Post author

    Hi Krystyna,

    The file is empty initially because there are no firewall rules.

    What ‘service iptables save’ does is write the active firewall rules to that file.

    If you’re editing the file manually anyway you want to be doing –

    service iptables restart
    service iptables save

    afterwards.

    Cheers, Matt

  12. matt Post author

    You probably want to ..

    service fail2ban restart

    after doing …

    service iptables restart

  13. matt Post author

    I think the default log is /var/log/fail2ban.log, which shows you everything it’s doing.

    You can also get it to e-mail you when an IP is blocked. Have a look in /etc/fail2ban/jail.conf
