Limiting SIP/IAX connections to Asterisk with IPTables

WARNING: be very careful when editing IPTables firewall rules. It is relatively easy to completely disable access to your machine.

All Sysadminman VPSs come with IPTables enabled. However, to allow VOIP traffic, both the SIP and IAX ports are opened.

If you know that your VOIP providers and all extensions are on fixed IP addresses then it is possible to limit connections to just those addresses.


First let’s list all the VOIP traffic rules that are set up –

iptables -L --line-numbers

Chain INPUT (policy DROP)
num  target     prot opt source               destination

10   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sip
11   ACCEPT     udp  --  anywhere             anywhere            udp dpt:sip
13   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sip-tls
14   ACCEPT     udp  --  anywhere             anywhere            udp dpt:sip-tls
15   ACCEPT     udp  --  anywhere             anywhere            udp dpt:iax

The extract above just shows the sip, sip-tls and iax2 rules.

Now let’s delete those rules. Warning! All SIP/IAX2 traffic will be blocked as soon as you run this! Note that your line numbers may be different. Make sure that you delete them in reverse number order or the numbers will change as you delete them.

iptables -D INPUT 15
iptables -D INPUT 14
iptables -D INPUT 13
iptables -D INPUT 11
iptables -D INPUT 10

Don’t delete this rule if you use SIP, as it is what opens the high port range for the actual voice/media stream (iptables shows ports 10000:20000 by their service names, ndmp:dnp) –

12   ACCEPT     udp  --  anywhere             anywhere            udp dpts:ndmp:dnp

Now, let’s assume that our SIP provider is at 1.1.1.1 and our extensions are at 2.2.2.2. Let’s allow SIP access from just those addresses.
All lines are inserted at rule 10, so each new line pushes the earlier ones down –

iptables -I INPUT 10 -p tcp --dport 5060 -s 1.1.1.1 -j ACCEPT
iptables -I INPUT 10 -p udp --dport 5060 -s 1.1.1.1 -j ACCEPT
iptables -I INPUT 10 -p tcp --dport 5060 -s 2.2.2.2 -j ACCEPT
iptables -I INPUT 10 -p udp --dport 5060 -s 2.2.2.2 -j ACCEPT

Let’s check that those rules look OK (again, only the VOIP traffic rules are listed here) –

iptables -L --line-numbers

Chain INPUT (policy DROP)
num  target     prot opt source               destination
10   ACCEPT     tcp  --  2.2.2.2              anywhere            tcp dpt:sip
11   ACCEPT     udp  --  2.2.2.2              anywhere            udp dpt:sip
12   ACCEPT     udp  --  1.1.1.1              anywhere            udp dpt:sip
13   ACCEPT     tcp  --  1.1.1.1              anywhere            tcp dpt:sip
14   ACCEPT     udp  --  anywhere             anywhere            udp dpts:ndmp:dnp

Now test that everything is working as you expect. If it is, save the rules while they are still loaded so that they are loaded next time you reboot. Do not stop iptables first: as the restart output further down shows, stopping flushes the rules and sets the policy to ACCEPT, so saving afterwards would write an empty ruleset –

iptables-save > /etc/sysconfig/iptables
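The steps above (list, delete the open VoIP rules highest number first, insert per-host rules at position 10, save) are easy to get wrong by hand because the rule numbers shift. The script below is an added example, not part of the original post or of Sysadminman's setup: it turns those steps into printed iptables commands that can be reviewed before being piped to a shell. It assumes the INPUT chain layout shown in the post, and it embeds a constructed copy of the post's listing so it can be exercised without root; the VOIP_PORTS variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: build the post's rule changes as
# printed iptables commands so they can be checked before being run.
# Assumes the INPUT chain layout shown in the post (policy DROP, rules 10-15).

# Constructed sample of `iptables -L INPUT --line-numbers` output, copied from
# the layout in the post so the functions can be exercised offline.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
10   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sip
11   ACCEPT     udp  --  anywhere             anywhere            udp dpt:sip
12   ACCEPT     udp  --  anywhere             anywhere            udp dpts:ndmp:dnp
13   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sip-tls
14   ACCEPT     udp  --  anywhere             anywhere            udp dpt:sip-tls
15   ACCEPT     udp  --  anywhere             anywhere            udp dpt:iax'

# Ports to reopen per trusted host: SIP signalling only, as in the post.
# IAX2 (udp 4569) could be appended as "udp:4569" if those hosts use IAX.
VOIP_PORTS="${VOIP_PORTS:-tcp:5060 udp:5060}"

# delete_cmds LISTING
# Emit "iptables -D INPUT N" for every ACCEPT rule that lets sip, sip-tls or
# iax in from any source. Output is sorted highest number first so that each
# deletion does not renumber the rules still to be deleted. The media-port
# rule (shown as dpts:ndmp:dnp, i.e. 10000:20000) is left alone.
delete_cmds() {
    printf '%s\n' "$1" | while read -r num target prot opt src dst match; do
        [ "$target" = ACCEPT ] || continue
        case "$src" in anywhere|0.0.0.0/0) ;; *) continue ;; esac
        case "$match" in
            *" dpt:sip"|*" dpt:sip-tls"|*" dpt:iax") echo "$num" ;;
        esac
    done | sort -rn | while read -r n; do
        echo "iptables -D INPUT $n"
    done
}

# insert_cmds POSITION HOST...
# Emit one "iptables -I INPUT POSITION ..." per host and port. Inserting every
# line at the same position mirrors the post: later lines push earlier ones down.
insert_cmds() {
    pos=$1; shift
    for host in "$@"; do
        for pp in $VOIP_PORTS; do
            proto=${pp%%:*}; port=${pp#*:}
            echo "iptables -I INPUT $pos -p $proto --dport $port -s $host -j ACCEPT"
        done
    done
}

# plan LISTING HOST...
# The full change set in the order the post applies it, ending with the save
# step (run while the rules are loaded; "service iptables stop" would flush them).
plan() {
    listing=$1; shift
    delete_cmds "$listing"
    insert_cmds 10 "$@"
    echo "iptables-save > /etc/sysconfig/iptables"
}

# Usage on a real box, after reading the printed commands:
#   plan "$(iptables -L INPUT --line-numbers)" 1.1.1.1 2.2.2.2 | sh
if [ "${1-}" = demo ]; then
    plan "$SAMPLE_LISTING" 1.1.1.1 2.2.2.2
fi
```

Run it as `sh script.sh demo` to see the commands it would generate for the sample listing; on a live box, pass the real listing and review the output before piping it to sh, since the deletions block all SIP/IAX traffic until the inserts run.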

If you make a mistake while editing the rules then just restart iptables to restore your old rules. Note that you can only do this before you save your new rules!

service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: mangle filter nat         [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]