
Asterisk firewall rules

Sample Asterisk Firewall Rules

IPTables
This is an example of how to configure a Linux IPTables firewall for Asterisk:

# SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
# IAX2 - the IAX protocol
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# IAX - most have switched to IAX v2, or ought to
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
# RTP - the media stream
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# MGCP - if you use media gateway control protocol in your configuration
iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT

More security: BEWARE: these rules opened the firewall completely for me! Test them.

# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
# iptables -A INPUT -p tcp --syn -j DROP
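An added example (not part of the original wiki page) that shows why the two SYN rules above can "open the firewall completely": a small first-match evaluator for the INPUT chain is run over the page's own Asterisk rules, then with the SYN rules as written, then with an assumed correction that restricts the rate-limited ACCEPT to SIP over TCP. The evaluator assumes a DROP chain policy and treats `-m limit` as matching, i.e. it models the first packets of each second.

```python
from typing import List, Optional, Tuple

# One parsed rule: (proto, destination port range or None, syn-only, target)
Rule = Tuple[str, Optional[range], bool, str]

def parse_rule(line: str) -> Rule:
    """Parse one 'iptables -A INPUT ...' line (only the options this page uses)."""
    toks = line.split()
    proto, dports, syn, target = "any", None, False, "ACCEPT"
    for i, t in enumerate(toks):
        if t == "-p":
            proto = toks[i + 1]
        elif t == "--dport":  # "5060" or "10000:20000"
            lo, _, hi = toks[i + 1].partition(":")
            dports = range(int(lo), int(hi or lo) + 1)
        elif t == "--syn":
            syn = True
        elif t == "-j":
            target = toks[i + 1]
    return proto, dports, syn, target

def verdict(chain: List[Rule], proto: str, dport: int, syn: bool = False) -> str:
    """First match wins; a DROP policy is assumed when nothing matches.
    '-m limit' is treated as matching, i.e. the first packets of each second."""
    for r_proto, r_ports, r_syn, target in chain:
        if r_proto not in ("any", proto):
            continue
        if r_ports is not None and dport not in r_ports:
            continue
        if r_syn and not (proto == "tcp" and syn):
            continue
        return target
    return "DROP"

ASTERISK = [  # the page's Asterisk rules: SIP, IAX2, IAX, RTP, MGCP
    "iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT",
    "iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT",
    "iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT",
    "iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT",
    "iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT",
]
SYN_LIMIT_AS_WRITTEN = [  # the page's "more security" rules: no port restriction
    "iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT",
    "iptables -A INPUT -p tcp --syn -j DROP",
]
SYN_LIMIT_SCOPED = [  # assumed correction: rate-limit SYNs to SIP/TCP only
    "iptables -A INPUT -p tcp --dport 5060 --syn -m limit --limit 1/s -j ACCEPT",
    "iptables -A INPUT -p tcp --syn -j DROP",
]

def chain(*groups: List[str]) -> List[Rule]:
    """Append rule groups in the order the iptables -A commands would run."""
    return [parse_rule(line) for group in groups for line in group]
```

With the rules as written, a SYN to any TCP port (port 22 in the test) is accepted as long as it stays under the limit; the scoped variant only lets SIP/TCP through and drops other SYNs.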

Bleeding edge and even more security: (link is dead)

Get this one: http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extrasip-conntrack-nat and follow the docs :)

PF (Packet Filter)
This is an example of how to configure an OpenBSD/FreeBSD 5 PF firewall for Asterisk: pf.conf

# Your inet interface
ext = rl0
# SIP (TCP)
voip_tcp = "5060"
# SIP, IAX2, IAX, RTP, MGCP (UDP)
voip_udp = "{5060, 4569, 5036, 9999 >< 20001, 2727}"

pass in on $ext inet proto tcp from any to any port $voip_tcp flags S/SA keep state
pass out on $ext inet proto tcp all flags S/SA keep state

pass in on $ext inet proto udp from any to any port $voip_udp keep state
pass out on $ext proto udp all keep state

pf.conf on a gateway router/Asterisk box with QoS:

#### macros ####
ext_if="xl0"    # 172.16.0.2
int_if="xl1"    # 10.0.0.1
lan_net = "10.0.0.0/24"
table <blocked> persist
table <routed> persist

## machines
ext_ip = "172.16.0.2"
siphost = "172.16.0.3"
voip = "10.0.0.4"

#### options ####
set skip on lo0
set optimization conservative
set block-policy drop
set loginterface $ext_if
scrub in all

#### QoS stuff #######
altq on $ext_if priq bandwidth 520Kb queue { q_pri, q_def, q_bulk, q_crap }
queue q_pri priority 7
queue q_def priority 5 priq(default)
queue q_bulk priority 1
queue q_crap priority 0

##### NAT ####
nat on $ext_if from <routed> -> $ext_ip

##### rules ####
block drop out quick on $ext_if proto { udp, icmp, tcp } from any to <blocked>
block drop in quick on $ext_if proto { udp, icmp, tcp } from <blocked> to any
block drop in on $ext_if from any to any
pass in on $ext_if from $lan_net to any

## basic
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass in on $int_if proto icmp all keep state

## asterisk
pass in from any to $siphost
pass in quick proto udp from any to any port 4569 \
    keep state queue (q_pri)
pass out quick proto udp from any to any port 4569 \
    keep state queue (q_pri)

## default
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
    keep state queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
    keep state queue (q_def, q_pri)

IPFW
This is an example of how to configure a FreeBSD IPFW firewall for Asterisk: rc.firewall

# Firewall command
fwcmd="/sbin/ipfw -q"

# Interface setup
# Outside interface
oip="<your external ip address>"
# * pbx ip
pbxip="<your * internal ip>"

# VoIP Traffic - SIP & IAX
${fwcmd} add pass tcp from ${oip} to ${pbxip} 5060 keep-state in
${fwcmd} add pass tcp from ${pbxip} to any 5060 keep-state out
${fwcmd} add pass udp from ${oip} to ${pbxip} 5060 keep-state in
${fwcmd} add pass udp from ${oip} to ${pbxip} 4569 keep-state in
${fwcmd} add pass udp from ${oip} to ${pbxip} 2727 keep-state in
${fwcmd} add pass udp from ${oip} to ${pbxip} 9999-20001 keep-state in
${fwcmd} add pass udp from ${pbxip} to any keep-state out

rc.conf

# Your NAT & Firewall section should have this line
natd_flags="-redirect_address <your * internal ip> <your external ip address>"

ISA Server
To configure an ISA Server firewall for Windows so that Asterisk (win32 version) can run on the same box as the ISA Server, use SIPPF.VBS. Follow these steps:

1. Download the SPIPF.VBS script from www.generationd.com
2. Copy it to any directory on the ISA Server.
3. Edit the file with any text editor if you want to modify the log file parameters, etc.
4. Run the script by double-clicking it.
5. Wait and relax while the ports are opened. Be warned - it can take a while!
