iptables for Asterisk – Any good guides out there?


Hi everyone,

I want to issue the command:

iptables -F

and then rebuild everything from the beginning with a very limited scope and
then, without locking myself out, block all other traffic. Can you suggest what I
should put in the shell that would get me this:

- Allow traffic from subnet 172.16.0.0/24 (my VPN tunnels): all traffic,
  including that of Asterisk and HTTP. I trust this network.
- Allow traffic from subnet 192.168.1.0/24 (other side of the VPN network):
  all traffic, including that of Asterisk and HTTP. I trust this network.
- Allow traffic from the single IP of my DID provider: 5060 TCP/UDP and
  10000-10200 UDP.
- Allow VPN access on port 1194 UDP. I have figured out that
      iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
  works for this.
- BLOCK all other traffic <----- Important, most of all.

Please note that from the subnets I want to allow every single port possible
and all traffic. I especially have problems with getting a whole subnet to be
able to access everything.

Thanks

7 thoughts on - iptables for Asterisk – Any good guides out there?

  • It’s a bit more complicated….

    Firstly you have to set the default rules FIRST:
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    And then do the flushing, not the other way round.
    After that you can add rules to accept traffic.

    After the last rules, it is handy to put:
    iptables -A INPUT -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; INC "
    iptables -A OUTPUT -o $EXTERNAL_DEV -j LOG --log-prefix " EXT; OUT "
    iptables -A FORWARD -i $EXTERNAL_DEV -j LOG --log-prefix " EXT; FWD "
    So you can see in the syslog what you are missing 😉

    I’ll guess you would also like to accept ntp, dhcp, domain-dns from
    your ISP provider.

    Perhaps also http, https, pop, pops, imap, imaps.
    And probably some more, depending on your needs.
    So you’ll see them soon enough in your logfiles.

    hw
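Putting the original poster's requirements together with hw's ordering advice (policies first, then flush, then accept rules, then a catch-all LOG), here is an added example script; it is not code from any poster in the thread. It assumes a placeholder DID provider address (203.0.113.10, from TEST-NET-3) and adds loopback and established-connection rules so the DROP policy does not cut off the box's own DNS, NTP and SSH sessions.

```shell
#!/bin/sh
# Rebuild the firewall for the Asterisk box described above.
#   ./asterisk-fw.sh         print the rules (dry run)
#   ./asterisk-fw.sh apply   install them with iptables (needs root)
set -eu

VPN_NET="172.16.0.0/24"            # VPN tunnels, fully trusted
REMOTE_NET="192.168.1.0/24"        # other side of the VPN, fully trusted
DID_IP="${DID_IP:-203.0.113.10}"   # DID provider; placeholder address, set your real one

# Dry-run backend: print each iptables invocation instead of executing it.
dry() { printf '%s\n' "$*"; }

# $1 is the command used to run each rule: "iptables" or "dry".
apply_rules() {
    ipt="$1"
    # 1. Policies first (hw's ordering): flushing while INPUT is already DROP
    #    never opens a window where everything is accepted.
    $ipt -P INPUT DROP
    $ipt -P OUTPUT ACCEPT
    $ipt -P FORWARD ACCEPT
    # 2. Now flush the old rules.
    $ipt -F
    # 3. Keep loopback and replies to the box's own connections (DNS, NTP,
    #    updates, the SSH session you are typing in) alive under the DROP policy.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. Trusted subnets: every port and protocol.
    $ipt -A INPUT -s "$VPN_NET" -j ACCEPT
    $ipt -A INPUT -s "$REMOTE_NET" -j ACCEPT
    # 5. DID provider: SIP signalling and the RTP range only.
    $ipt -A INPUT -s "$DID_IP" -p udp --dport 5060 -j ACCEPT
    $ipt -A INPUT -s "$DID_IP" -p tcp --dport 5060 -j ACCEPT
    $ipt -A INPUT -s "$DID_IP" -p udp --dport 10000:10200 -j ACCEPT
    # 6. OpenVPN from anywhere.
    $ipt -A INPUT -p udp --dport 1194 -j ACCEPT
    # 7. Log whatever is about to fall through to DROP, rate limited so a port
    #    scan cannot flood syslog; the prefix makes the lines easy to grep.
    $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "EXT; INC "
}

case "${1:-}" in
    apply) apply_rules iptables ;;
    *)     apply_rules dry ;;
esac
```

Review the dry-run output first, then install with `apply` from a session that comes in over the VPN subnet, so the trusted-subnet rule keeps your own connection alive.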

  • Adding a couple of lines to root’s crontab like:

    # Min hour DOM month DOW command
    # ----------------------------------------------
    # */5 * * * * /etc/init.d/iptables stop

    makes it easy to enable an ‘iptables failsafe’ (by un-commenting the last
    line) while you’re fiddling about.

  • Thanks Jeremy. But unfortunately there is no time to go over all this in
    detail. Maybe in future. Also because, as I repeatedly said, I have OpenVPN
    set up, so I trust the VPN network; there is no need for all this
    complication. Simply allowing all traffic out and only allowing VPN traffic
    in from tun0 would do for me.

    Thanks

    On Sat, May 14, 2011 at 9:46 PM, Jeremy Kister

  • This question is probably better for a security or general Linux forum as it
    has very little to do with Asterisk. You have the port numbers correct.

    You could try “man iptables”.

    This link should also answer all of your questions; I like the second link
    with fail2ban.

    Please be sure to be a good community member and come back to post your
    results when you are done!

    Thanks,
    Steve Totaro

  • I wish I could take credit for it 🙂

    I had a similar ‘gee, how obvious’ epiphany after having locked myself out
    of way too many hosts.