Asterisk firewall rules

Business PBX Solution
Provider Solution Details
Bicom VoIP Become an ITSP Now!
  • Become a serious competitor in VoIP Immediately
  • FULL Consultancy, Installation, Training & Support
  • Sell Hosted IP PBXs, Biz Lines, Call Centre
  • Turnkey Provisioning at your data center
 Details

Sample Asterisk Firewall Rules

IPTables

This is an example on how to configure a Linux IPTables firewall for Asterisk:



 # SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
 iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT

 # IAX2- the IAX protocol
 iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT

 # IAX - most have switched to IAX v2, or ought to
 iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT

 # RTP - the media stream
 # (related to the port range in /etc/asterisk/rtp.conf) 
 iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
 

 # MGCP - if you use media gateway control protocol in your configuration
 iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT



More security:
Block access for account scanners like 'User-Agent: friendly-scanner'
NOTICE: The rules must inserted into the chain at the front to make them work
properly.
(If you want to merge the rules into you ruleset make sure they are chained before
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT )



 iptables -I INPUT -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -m recent --set --name VOIP --rsource 
 iptables -I INPUT -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIP --rsource -j DROP 
 iptables -I INPUT -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm -m recent --set --name VOIPINV --rsource 
 iptables -I INPUT -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIPINV --rsource -j DROP 
 iptables -I INPUT -p udp -m hashlimit --hashlimit 6/sec --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -m udp --dport 5060 -j ACCEPT 
 iptables -I INPUT -p udp -m udp --dport 5060 -j DROP


Tested with Debian/Linux Kernel 2.6.32-5-686


Bleeding edge and even more security:
(link is dead)

Get this one http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-sip-conntrack-nat and follow the docs :)




PF (Packet Filter)

This is an example on how to configure a OpenBSD/FreeBSD 5 PF firewall for Asterisk:

pf.conf

  1. Your inet interface
ext = rl0

  1. SIP (TCP)
voip_tcp = "5060"
  1. SIP, IAX2, IAX, RTP, MGCP (UDP)
voip_udp = "{5060, 4569, 5036, 9999 >< 20001, 2727}"

pf pass in on $ext inet proto tcp from any to any port $voip_tcp flags S/SA keep state
pf pass out on $ext inet proto tcp all flags S/SA keep state
pf pass in on $ext inet proto udp from any to any port $voip_udp keep state
pf pass out on $ext proto udp all keep state


pf.conf on gateway router/asterisk box with QoS

        1. macros ####
ext_if="xl0" # 172.16.0.2
int_if="xl1" # 10.0.0.1
lan_net = "10.0.0.0/24"
table <blocked> persist
table <routed> persist
    1. machines
ext_ip = "172.16.0.2"
siphost = "172.16.0.3"
voip = "10.0.0.4"
        1. options ####
set skip on lo0
set optimization conservative
set block-policy drop
set loginterface $ext_if
scrub in all
        1. QoS stuff #######
altq on $ext_if priq bandwidth 520Kb queue { q_pri, q_def, q_bulk, q_crap }
queue q_pri priority 7
queue q_def priority 5 priq(default)
queue q_bulk priority 1
queue q_crap priority 0
          1. NAT ####
nat on $ext_if from <routed> -> $ext_ip

          1. rules ####
block drop out quick on $ext_if proto { udp, icmp, tcp } from any to <blocked>
block drop in quick on $ext_if proto { udp, icmp, tcp } from <blocked> to any
block drop in on $ext_if from any to any
pass in on $ext_if from $lan_net to any

    1. basic
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass in on $int_if proto icmp all keep state

    1. asterisk
pass in from any to $siphost
pass in quick proto udp from any to any port 4569 \
keep state queue (q_pri)
pass out quick proto udp from any to any port 4569 \
keep state queue (q_pri)

    1. default
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
keep state queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
keep state queue (q_def, q_pri)


IPFW

This is an example on how to configure a FreeBSD IPFW firewall for Asterisk:

rc.firewall

  1. Firewall comand
fwcmd="/sbin/ipfw -q"

  1. Interface setup
  2. Outside interface
oip="<your external ip address>"

  1. * pbx ip
pbxip="<your * internal ip>"

  1. VoIP Traffic - SIP & IAX
${fwcmd} add pass tcp from ${oip} to ${pbxip} 5060 keep-state in
${fwcmd} add pass tcp from ${pbxip} to any 5060 keep-state out
${fwcmd} add pass udp from ${oip} to ${pbxip} 5060 keep-state in
${fwcmd} add pass udp from ${oip} to ${pbxip} 4569 keep-state in
${fwcmd} add pass udp from ${oip} to ${pbxip} 2727 keep-state in
${fwcmd} add pass udp from ${oip} to ${pbxip} 9999-20001 keep-state in
${fwcmd} add pass udp from ${pbxip} to any keep-state out



rc.conf

  1. Your NAT & Firewall section should have this line
natd_flags="-redirect_address <your * internal ip> <your external ip address>"


ISA Server

To configure an ISA Server firewall for Windows, to permit Asterisk (win32 version) to run on the same box as the ISA Server:

SIPPF.VBS

Follow these steps:
  • Download the SPIPF.VBS script from www.generationd.com
  • Copy to any directory on the ISA Server.
  • Edit the file with any text editor - if you want to modify the log file parameters, etc.
  • Run the script by double clicking it
  • Wait and relax while the ports are opened. Be warned - it can take a while!



See also


Created by: oej, Last modification: Mon 31 of Oct, 2011 (07:43 UTC) by ruehlchr


Please update this page with new information, just login and click on the "Edit" or "Discussion" tab. Get a free login here: Register Thanks! - Find us on Google+

Page Changes | Comments

 

Featured -

Search: