Discussion: Asterisk firewall rules


IPtables

Here is my version of the iptables rules.
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT ## remember to change this; I have multiple interfaces
-A INPUT -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --set --name VOIP --rsource
-A INPUT -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIP --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --set --name VOIPINV --rsource
-A INPUT -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIPINV --rsource -j DROP
-A INPUT -p udp -m hashlimit --hashlimit-upto 6/sec --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT


by dazza76, Saturday 05 of November, 2011 (22:02:32 UTC)
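A simplified userland model of the REGISTER/INVITE rate-limit rules in the post above, added here as an example (it is not dazza76's code): it records hits per source IP the way the iptables `recent` module does with `--set`, then applies the `--update --seconds 60 --hitcount 12` check, and reports which packets of a constructed SIP sample would be dropped. TTL tracking (`--rttl`) and the later hashlimit rule are not modelled.

```python
"""Model of the 'recent'-based SIP rate limit (added example, not from the post):
each REGISTER/INVITE on udp/5060 is recorded per source IP, and a source that
reaches 12 such requests inside a 60-second window has the request dropped.
Sample traffic is constructed below. xt_recent's TTL check (--rttl) and its
cap on stored timestamps per address are not modelled."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 12         # --hitcount 12
# 'recent' list name per matched SIP method (--name VOIP / --name VOIPINV).
LISTS = {"REGISTER sip:": "VOIP", "INVITE sip:": "VOIPINV"}


class RecentModel:
    """Per-list, per-source timestamps, like /proc/net/xt_recent/<name>."""

    def __init__(self):
        self.tables = defaultdict(lambda: defaultdict(deque))

    def verdict(self, ts, src, payload):
        """'DROP' if the rate-limit rules would drop the packet, else 'PASS'
        (the packet then falls through to the later hashlimit/ACCEPT rules)."""
        for needle, name in LISTS.items():
            if needle not in payload:          # -m string --string "<needle>"
                continue
            stamps = self.tables[name][src]
            stamps.append(ts)                  # --set: record this hit
            # --update --seconds 60: only hits inside the window count
            while stamps and ts - stamps[0] > WINDOW_SECONDS:
                stamps.popleft()
            if len(stamps) >= HITCOUNT:        # --hitcount 12 -> -j DROP
                return "DROP"
        return "PASS"


def run(packets):
    """packets: iterable of (timestamp, src_ip, sip_payload); returns verdicts."""
    model = RecentModel()
    return [model.verdict(ts, src, payload) for ts, src, payload in packets]


# Constructed sample: one source hammers REGISTER, another sends a few INVITEs.
SAMPLE = [(i * 2.0, "198.51.100.7", "REGISTER sip:pbx.example SIP/2.0\r\n") for i in range(15)]
SAMPLE += [(i * 20.0, "203.0.113.9", "INVITE sip:100@pbx.example SIP/2.0\r\n") for i in range(3)]
SAMPLE.sort()

if __name__ == "__main__":
    for (ts, src, _), v in zip(SAMPLE, run(SAMPLE)):
        print(f"{ts:6.1f}s {src:15} {v}")
```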
VPN for VoIP Blocking

Some people use a VPN to solve the VoIP blocking issue, but it does not seem a good way to solve it, because a VPN takes more bandwidth and affects voice quality.

Currently I am using VGCP, a new solution to the VoIP blocking issue. Their website is:
http://www.speed-voip.com/index-36.html

If any of you are interested, you may try it to solve your VoIP blocking problems. Thanks.

Andy
andywong-01@hotmail.com


by jenniferhan, Wednesday 12 of December, 2007 (03:48:12 UTC)
IPTables rule to make iaxcomm to work

The rule "-A RH-Firewall-1-INPUT -p udp -m udp --dport 6001 -j ACCEPT" fixed my problem connecting from the iaxcomm client to the Asterisk server.

by antonjan, Saturday 28 of January, 2006 (15:46:18 UTC)
IPFW example -- Warning!

For the IPFW (& natd) example, please note that the given rc.conf specification (for natd) will cause all traffic arriving at the "external" NIC to be NATted, then sent to the specific IP address ("pbxip") in question. In the event that you planned to use the connection for anything else, this may not be optimal. (And I have no clue what the stuff is with 4569/udp, 2727/udp, and 9999-20001/udp.) — dhw

by , Wednesday 19 of January, 2005 (19:29:59 UTC)
suggested changes for pf on free/openbsd

(damn wiki doesn't want to set cookies with my Firefox for some reason) ...

The example given shows what you would type in bash to create the ruleset. With pf, it's much easier to create a pf.conf file and then enable pf in your rc.conf.

The same ruleset in native pf grammar is:

voip_tcp = "5060"
voip_udp = "{ 5060, 4569, 5036, 9999:20001, 2727 }"
# $ext_if must already be defined in pf.conf as the external interface.
# The ports are the PBX's listening ports, so they belong on the destination side.
pass in quick on $ext_if proto udp from any to 64.81.53.18 port $voip_udp keep state
pass in quick on $ext_if proto tcp from any to 64.81.53.18 port $voip_tcp flags S/SA keep state

by , Sunday 02 of January, 2005 (09:34:19 UTC)
iptables typo

I think the last line of the iptables rules should be '-m udp' instead of '-m upp':

iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT

(though I guess the whole '-m udp' bit could be left out completely, as the udp match is loaded when -p udp is used):

iptables -A INPUT -p udp --dport 2727 -j ACCEPT

-kieren

by , Friday 31 of December, 2004 (11:45:54 UTC)
IPTables on Fedora

To get this to work with RH FC2 on IPTables make sure to include the rules as:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 5036 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 5004 -j ACCEPT

then, when you're happy, run:

service iptables save

Good luck and stay secure.

by , Thursday 21 of October, 2004 (06:44:11 UTC)
Re: newer iptables

OK, I can completely strike the previous entry in this thread.
changing 'rtp.conf' to:
rtpstart=30000
rtpend=32000
as well as these entries in iptables:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 30000:32000 -j ACCEPT
(making sure that 30000:32000 is outside of the ephemeral port range)
We've had 100% voice success rate since getting that figured out.

by kentec, Tuesday 14 of September, 2004 (17:23:57 UTC)
newer iptables

Connection tracking / related seems to work somewhat.
We don't allow the whole ephemeral range; rather, we have a rule:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Also, curiously, we had to allow --sport 5004 udp from our subnets, as
the related/established rule didn't seem to catch that. It gets IAX and
everything else so far, seemingly.

by kentec, Monday 13 of September, 2004 (17:02:56 UTC)