Comments on: iptables for Asterisk and FreePBX http://sysadminman.net/blog/2009/iptables-for-asterisk-and-freepbx-772 UK based Asterisk, Trixbox, FreePBX and A2Billing Servers Mon, 06 Feb 2012 16:56:24 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Dan http://sysadminman.net/blog/2009/iptables-for-asterisk-and-freepbx-772#comment-2362 Dan Sun, 09 Jan 2011 21:09:36 +0000 http://sysadminman.net/blog/?p=772#comment-2362 iptables --list returns: [root@localhost ~]# iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -f anywhere anywhere DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW DROP all -f anywhere anywhere DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST ,PSH,ACK,URG DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW DROP all -f anywhere anywhere DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST ,PSH,ACK,URG DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE ACCEPT tcp -- anywhere anywhere tcp dpt:upnotifyp ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW ACCEPT tcp -- anywhere anywhere tcp dpt:sip ACCEPT udp -- anywhere anywhere udp dpt:sip ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp ACCEPT tcp -- anywhere anywhere tcp dpt:sip-tls ACCEPT udp -- anywhere anywhere udp dpt:sip-tls ACCEPT udp -- anywhere anywhere udp dpt:iax ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Would that indicate i have setup iptables correctly? iptables –list

returns:

[root@localhost ~]# iptables –list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -f anywhere anywhere
DROP tcp — anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP all -f anywhere anywhere
DROP tcp — anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST ,PSH,ACK,URG
DROP tcp — anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT all — anywhere anywhere
ACCEPT all — anywhere anywhere state RELATED,ESTABLISHED
DROP tcp — anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP all -f anywhere anywhere
DROP tcp — anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST ,PSH,ACK,URG
DROP tcp — anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT tcp — anywhere anywhere tcp dpt:upnotifyp
ACCEPT tcp — anywhere anywhere tcp dpt:ssh state NEW
ACCEPT tcp — anywhere anywhere tcp dpt:https state NEW
ACCEPT tcp — anywhere anywhere tcp dpt:http state NEW
ACCEPT tcp — anywhere anywhere tcp dpt:sip
ACCEPT udp — anywhere anywhere udp dpt:sip
ACCEPT udp — anywhere anywhere udp dpts:ndmp:dnp
ACCEPT tcp — anywhere anywhere tcp dpt:sip-tls
ACCEPT udp — anywhere anywhere udp dpt:sip-tls
ACCEPT udp — anywhere anywhere udp dpt:iax
ACCEPT icmp — anywhere anywhere icmp echo-request state NEW
REJECT all — anywhere anywhere reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Would that indicate i have setup iptables correctly?

]]> By: matt http://sysadminman.net/blog/2009/iptables-for-asterisk-and-freepbx-772#comment-1503 matt Sat, 06 Feb 2010 18:03:46 +0000 http://sysadminman.net/blog/?p=772#comment-1503 Good tip. Thanks. Webmin is great and very easy to install. You'll need to open TCP port 10000 (the default) to be able to access the Webmin interface. Good tip. Thanks. Webmin is great and very easy to install.

You’ll need to open TCP port 10000 (the default) to be able to access the Webmin interface.

]]> By: VortexRotor http://sysadminman.net/blog/2009/iptables-for-asterisk-and-freepbx-772#comment-1502 VortexRotor Sat, 06 Feb 2010 17:57:50 +0000 http://sysadminman.net/blog/?p=772#comment-1502 Great little How-To. I have been using Linux, IPtables, and Elastix for years and have also utilized a config as above. I would recommend for anyone whether your a veteran of everything *NIX or not and especially if your a novice to install and use webmin as it makes day-to-day management extremely simply and straight forward especially for IPTables config. Great little How-To. I have been using Linux, IPtables, and Elastix for years and have also utilized a config as above.

I would recommend for anyone whether your a veteran of everything *NIX or not and especially if your a novice to install and use webmin as it makes day-to-day management extremely simply and straight forward especially for IPTables config.

]]> By: matt http://sysadminman.net/blog/2009/iptables-for-asterisk-and-freepbx-772#comment-1441 matt Mon, 09 Nov 2009 19:21:39 +0000 http://sysadminman.net/blog/?p=772#comment-1441 Hi Henry, It's true that the numbers in the brackets are packet/byte counts for the rules. Editing the iptables file directly is not the 'correct' way to setup iptables (really it's better to use the iptables command) but it's a quick and easy hack. If you're not doing any ip traffic accounting using iptables then you can just ignore the numbers. If you are then it's probably best not to edit the iptables file in this way. Hi Henry,

It’s true that the numbers in the brackets are packet/byte counts for the rules. Editing the iptables file directly is not the ‘correct’ way to setup iptables (really it’s better to use the iptables command) but it’s a quick and easy hack.

If you’re not doing any ip traffic accounting using iptables then you can just ignore the numbers. If you are then it’s probably best not to edit the iptables file in this way.

]]> By: Henry http://sysadminman.net/blog/2009/iptables-for-asterisk-and-freepbx-772#comment-1440 Henry Mon, 09 Nov 2009 04:01:37 +0000 http://sysadminman.net/blog/?p=772#comment-1440 Hi, I don't have a lot of experience with iptables but I think I understand the script very well. I just don't understand where the numbers between the [] come from like :OUTPUT ACCEPT [46823:2584014]. I have read a lot of iptables tutorials to see if I can find the answer myself but I have not been able to. The only thing I found is that they are packet count and byte count. Would you mind explaining it? Hi, I don’t have a lot of experience with iptables but I think I understand the script very well. I just don’t understand where the numbers between the [] come from like :OUTPUT ACCEPT [46823:2584014]. I have read a lot of iptables tutorials to see if I can find the answer myself but I have not been able to. The only thing I found is that they are packet count and byte count. Would you mind explaining it?

]]> By: matt http://sysadminman.net/blog/2009/iptables-for-asterisk-and-freepbx-772#comment-1343 matt Thu, 06 Aug 2009 16:13:27 +0000 http://sysadminman.net/blog/?p=772#comment-1343 Are you sure? I don't think so. It's just redirecting the rules back out to the iptables service config file. No real need to do that bit really I guess as you just updated the file directly anyway. Are you sure? I don’t think so. It’s just redirecting the rules back out to the iptables service config file. No real need to do that bit really I guess as you just updated the file directly anyway.

]]> By: areski http://sysadminman.net/blog/2009/iptables-for-asterisk-and-freepbx-772#comment-1342 areski Thu, 06 Aug 2009 16:01:54 +0000 http://sysadminman.net/blog/?p=772#comment-1342 error on : iptables-save > /etc/sysconfig/iptables should be : iptables-save < /etc/sysconfig/iptables error on :
iptables-save > /etc/sysconfig/iptables

should be :
iptables-save < /etc/sysconfig/iptables

]]>