Hi,

I have a problem with Asterisk on Linux. Looks like it is an iptables problem. My external client (eyeBeam, on a different computer) cannot register to the Asterisk server, but the Asterisk server itself *looks* working. If I dial one of the incoming phone numbers for the server, I can see the call arriving in Asterisk (using asterisk -r).

I tried nmap on my server, and this is the result:

PORT      STATE    SERVICE
4569/tcp  filtered unknown
5036/tcp  filtered unknown
5060/tcp  closed   sip
10000/tcp filtered snet-sensor-mgmt

Seems bad to have 5060 closed, because it should be the port for SIP communications.

Other outputs:

netstat -a | grep 5060
udp        0      0 *:5060                  *:*

This is my iptables script:

set -e

echo 0 > /proc/sys/net/ipv4/ip_forward
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P INPUT ACCEPT
/sbin/iptables -t mangle -P FORWARD ACCEPT
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 783 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3000 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 2000 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 2727 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4520 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4569 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 23 -s [safeip] -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 23 -s [safeip] -j ACCEPT

/sbin/iptables -A INPUT -p udp -s [safeip] -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s [safeip] -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 21 -j DROP

/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 106 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 106 -j DROP

/sbin/iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

/sbin/iptables -A INPUT -p tcp --dport 5432 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP

/sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP

/sbin/iptables -A INPUT -p udp --dport 137 -j DROP
/sbin/iptables -A INPUT -p udp --dport 138 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 445 -j DROP

/sbin/iptables -A INPUT -p udp --dport 1194 -j DROP

/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT

/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j DROP

/sbin/iptables -A INPUT -j DROP

/sbin/iptables -A OUTPUT -p tcp --dport 783 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 3000 -j ACCEPT

/sbin/iptables -A OUTPUT -p udp -d 86.132.220.168 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d 86.132.220.168 -j ACCEPT

/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

/sbin/iptables -A OUTPUT -j ACCEPT

/sbin/iptables -A FORWARD -p tcp --dport 5060 -j ACCEPT
/sbin/iptables -A FORWARD -p udp --dport 5060 -j ACCEPT
/sbin/iptables -A FORWARD -p udp --dport 10000:20000 -j ACCEPT

/sbin/iptables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active

Any suggestions?

Thanks in advance,
Andres
Why don't you use shorewall for your firewall instead? Works for me.

--- Andres Baravalle <andres.baravalle@gmail.com> wrote:
> [snip]
> _______________________________________________
> Asterisk-Users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
Looks like your nmap only scanned for TCP connections. Try the -u switch. netstat shows that UDP 5060 is accepting connections.

Your iptables ruleset gives me a headache to look at and is quite redundant. Wouldn't it be better to just disallow all packets at the beginning and then open the ports that you want? I noticed you started to do this and then repeated it again later in the ruleset, i.e.

/sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP
/sbin/iptables -A INPUT -p udp --dport 137 -j DROP
/sbin/iptables -A INPUT -p udp --dport 138 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 445 -j DROP
/sbin/iptables -A INPUT -p udp --dport 1194 -j DROP

Also, it would be much easier to allow your localhost to have access regardless at the beginning of the ruleset, thus avoiding having to add these rules:

/sbin/iptables -A INPUT -p tcp --dport 5432 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP

or

/sbin/iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

or

/sbin/iptables -A INPUT -p tcp --dport 106 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 106 -j DROP

I'll have to give you an "A" for effort though. In the world of netfilter less is more, and to be honest it probably took me close to six months before I was able to really understand what was happening. Obviously you are one of those hardheads like I am and prefer the 'do-it-yourself' method. I've never been fond of GUI-based firewall programs, so may I recommend that you give the firewall script generator called 'quicktables' a try. It's available at http://qtables.radom.org/ I've been using it for years and it should do just what you need.

Regards,
Steve Cayona

p.s. Why are you wanting to mangle packets?
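A compact INPUT chain written along the lines of the reply above (default DROP, loopback and established traffic first, then only the ports Asterisk and the other services need), as an added example that is not part of the thread or of Andres' script. SAFEIP stands in for the `[safeip]` placeholder of the original, the RTP range and IAX port are the ones from Andres' ruleset, and setting IPT=echo prints the rules instead of applying them so they can be reviewed before being loaded.

```shell
#!/bin/sh
# Added example, not the thread's own script: a minimal INPUT chain for an
# Asterisk host. Default DROP, loopback and established traffic first, then
# only the ports that are really needed. Set IPT=echo to print instead of apply.
SIP_UDP=5060            # SIP signalling: UDP, so "5060/tcp closed" is expected
IAX_UDP=4569            # IAX2 trunks
RTP_RANGE=10000:20000   # RTP media range (must match rtp.conf)
SAFEIP="${SAFEIP:-192.0.2.10}"   # placeholder admin host (TEST-NET-1 address)

apply_input_rules() {
    ipt="${IPT:-/sbin/iptables}"
    "$ipt" -F INPUT
    "$ipt" -P INPUT DROP
    # Loopback first: MySQL, PostgreSQL, etc. then need no per-port 127.0.0.1 rules.
    "$ipt" -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened, and nothing malformed.
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A INPUT -m state --state INVALID -j DROP
    # VoIP: SIP and IAX2 signalling plus the RTP media range, all UDP.
    for p in "$SIP_UDP" "$IAX_UDP" "$RTP_RANGE"; do
        "$ipt" -A INPUT -p udp --dport "$p" -j ACCEPT
    done
    # Public TCP services: new connections only (--syn).
    for p in 22 25 80 443; do
        "$ipt" -A INPUT -p tcp --syn --dport "$p" -j ACCEPT
    done
    # Everything else from the trusted admin address.
    "$ipt" -A INPUT -s "$SAFEIP" -j ACCEPT
    # No trailing DROP rules: anything unmatched hits the chain policy.
}

# Dry run: print the rules the function would apply, one per line.
dump_input_rules() {
    ( IPT=echo; apply_input_rules )
}

# Number of -A INPUT rules: small enough to review by eye.
rule_count() {
    dump_input_rules | grep -c -- '-A INPUT'
}

# Exit 0 if the dry run opens proto/port (e.g. udp 5060), 1 otherwise.
port_opened() {
    dump_input_rules | grep -q -- "-p $1 .*--dport $2 -j ACCEPT"
}

# After applying for real, confirm from another host with a UDP scan,
# since a plain TCP scan (like the one in the thread) cannot see UDP 5060:
#   nmap -sU -p 5060 <asterisk-host>
```

Run `dump_input_rules` to review the eleven rules, then `apply_input_rules` as root to load them.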