asterisk users - Mar 2006 - asterisk and iptables

Hi,
I have a problem with asterisks on Linux.

Looks like it is a iptables problem. My external client (eyebeam, on a
different computer) cannot register to the asterisk server, but the
asterisk server itself *looks* working.

If I dial one of the incoming phone numbers for the server, I can see
the call arriving in Asterisk  (using asterisk -r).

I tried nmap on my server, and this is the result:

PORT      STATE    SERVICE
4569/tcp  filtered unknown
5036/tcp  filtered unknown
5060/tcp  closed   sip
10000/tcp filtered snet-sensor-mgmt

Seems bad to have 5060 closed, because it should be the port for sip
comunications.

Other outputs:
netstat -a | grep 5060
udp        0      0 *:5060                      *:*

This is my iptables scripts:

set -e

echo 0 > /proc/sys/net/ipv4/ip_forward
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains
stop)
>/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P INPUT ACCEPT
/sbin/iptables -t mangle -P FORWARD ACCEPT
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 783 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3000 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 2000 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 2727 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4520 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4569 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 23 -s [safeip] -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 23 -s [safeip] -j ACCEPT

/sbin/iptables -A INPUT -p udp -s [safeip] -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s [safeip] -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 21 -j DROP

/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 106 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 106 -j DROP

/sbin/iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

/sbin/iptables -A INPUT -p tcp --dport 5432 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP

/sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP

/sbin/iptables -A INPUT -p udp --dport 137 -j DROP
/sbin/iptables -A INPUT -p udp --dport 138 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 445 -j DROP

/sbin/iptables -A INPUT -p udp --dport 1194 -j DROP

/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT

/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j DROP

/sbin/iptables -A INPUT -j DROP

/sbin/iptables -A OUTPUT -p tcp --dport 783 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 3000 -j ACCEPT

/sbin/iptables -A OUTPUT -p udp -d 86.132.220.168 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d 86.132.220.168 -j ACCEPT

/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

/sbin/iptables -A OUTPUT -j ACCEPT

/sbin/iptables -A FORWARD -p tcp --dport 5060 -j ACCEPT
/sbin/iptables -A FORWARD -p udp --dport 5060 -j ACCEPT
/sbin/iptables -A FORWARD -p udp --dport 10000:20000 -j ACCEPT

/sbin/iptables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active

Any suggestions?

Thanks in advance,
   Andres

Why don't you use shorewall for your firewall instead.
Works for me.

--- Andres Baravalle <andres.baravalle@gmail.com>
wrote:
> Hi,
> I have a problem with asterisks on Linux.
> 
> Looks like it is a iptables problem. My external
> client (eyebeam, on a
> different computer) cannot register to the asterisk
> server, but the
> asterisk server itself *looks* working.
> 
> If I dial one of the incoming phone numbers for the
> server, I can see
> the call arriving in Asterisk  (using asterisk -r).
> 
> I tried nmap on my server, and this is the result:
> 
> PORT      STATE    SERVICE
> 4569/tcp  filtered unknown
> 5036/tcp  filtered unknown
> 5060/tcp  closed   sip
> 10000/tcp filtered snet-sensor-mgmt
> 
> Seems bad to have 5060 closed, because it should be
> the port for sip
> comunications.
> 
> Other outputs:
> netstat -a | grep 5060
> udp        0      0 *:5060                      *:*
> 
> This is my iptables scripts:
> 
> set -e
> 
> echo 0 > /proc/sys/net/ipv4/ip_forward
> ([ -f /var/lock/subsys/ipchains ] &&
> /etc/init.d/ipchains stop)
> >/dev/null 2>&1 || true
> (rmmod ipchains) >/dev/null 2>&1 || true
> /sbin/iptables -F
> /sbin/iptables -X
> /sbin/iptables -Z
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -A INPUT -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> /sbin/iptables -A INPUT -p tcp ! --syn -j REJECT
> --reject-with tcp-reset
> /sbin/iptables -A INPUT -m state --state INVALID -j
> DROP
> /sbin/iptables -P OUTPUT DROP
> /sbin/iptables -A OUTPUT -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT
> --reject-with tcp-reset
> /sbin/iptables -A OUTPUT -m state --state INVALID -j
> DROP
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -A FORWARD -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> /sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT
> --reject-with tcp-reset
> /sbin/iptables -A FORWARD -m state --state INVALID
> -j DROP
> /sbin/iptables -A INPUT -i lo -j ACCEPT
> /sbin/iptables -A OUTPUT -o lo -j ACCEPT
> /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
> /sbin/iptables -t mangle -F
> /sbin/iptables -t mangle -X
> /sbin/iptables -t mangle -Z
> /sbin/iptables -t mangle -P PREROUTING ACCEPT
> /sbin/iptables -t mangle -P OUTPUT ACCEPT
> /sbin/iptables -t mangle -P INPUT ACCEPT
> /sbin/iptables -t mangle -P FORWARD ACCEPT
> /sbin/iptables -t mangle -P POSTROUTING ACCEPT
> /sbin/iptables -t nat -F
> /sbin/iptables -t nat -X
> /sbin/iptables -t nat -Z
> /sbin/iptables -t nat -P PREROUTING ACCEPT
> /sbin/iptables -t nat -P OUTPUT ACCEPT
> /sbin/iptables -t nat -P POSTROUTING ACCEPT
> 
> /sbin/iptables -A INPUT -p tcp --dport 783 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 3000 -j
> ACCEPT
> 
> /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
> 
> /sbin/iptables -A INPUT -p tcp --dport 2000 -j
> ACCEPT
> /sbin/iptables -A INPUT -p udp --dport 2727 -j
> ACCEPT
> /sbin/iptables -A INPUT -p udp --dport 4520 -j
> ACCEPT
> /sbin/iptables -A INPUT -p udp --dport 4569 -j
> ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 5060 -j
> ACCEPT
> /sbin/iptables -A INPUT -p udp --dport 5060 -j
> ACCEPT
> /sbin/iptables -A INPUT -p udp --dport 10000:20000
> -j ACCEPT
> 
> /sbin/iptables -A INPUT -p tcp --dport 23 -s
> [safeip] -j ACCEPT
> /sbin/iptables -A INPUT -p udp --dport 23 -s
> [safeip] -j ACCEPT
> 
> /sbin/iptables -A INPUT -p udp -s [safeip] -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -s [safeip] -j ACCEPT
> 
> /sbin/iptables -A INPUT -p tcp --dport 8443 -j
> ACCEPT
> 
> /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
> 
> /sbin/iptables -A INPUT -p tcp --dport 21 -j DROP
> 
> /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> 
> /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
> 
> /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
> 
> /sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
> 
> /sbin/iptables -A INPUT -p tcp --dport 106 -s
> 127.0.0.1 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 106 -j DROP
> 
> /sbin/iptables -A INPUT -p tcp --dport 3306 -s
> 127.0.0.1 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP
> 
> /sbin/iptables -A INPUT -p tcp --dport 5432 -s
> 127.0.0.1 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP
> 
> /sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
> /sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP
> 
> /sbin/iptables -A INPUT -p udp --dport 137 -j DROP
> /sbin/iptables -A INPUT -p udp --dport 138 -j DROP
> /sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
> /sbin/iptables -A INPUT -p tcp --dport 445 -j DROP
> 
> /sbin/iptables -A INPUT -p udp --dport 1194 -j DROP
> 
> /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
> 
> /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j
> DROP
> 
> /sbin/iptables -A INPUT -j DROP
> 
> /sbin/iptables -A OUTPUT -p tcp --dport 783 -j
> ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --dport 3000 -j
> ACCEPT
> 
> /sbin/iptables -A OUTPUT -p udp -d 86.132.220.168 -j
> ACCEPT
> /sbin/iptables -A OUTPUT -p tcp -d 86.132.220.168 -j
> ACCEPT
> 
> /sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
> 
> /sbin/iptables -A OUTPUT -j ACCEPT
> 
> /sbin/iptables -A FORWARD -p tcp --dport 5060 -j
> ACCEPT
> /sbin/iptables -A FORWARD -p udp --dport 5060 -j
> ACCEPT
> /sbin/iptables -A FORWARD -p udp --dport 10000:20000
> -j ACCEPT
> 
> /sbin/iptables -A FORWARD -j DROP
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 >
>
/usr/local/psa/var/modules/firewall/ip_forward.active
> chmod 644
>
/usr/local/psa/var/modules/firewall/ip_forward.active
> 
> Any suggestions?
> 
> Thanks in advance,
>    Andres
> _______________________________________________
> --Bandwidth and Colocation provided by Easynews.com
> --
> 
> Asterisk-Users mailing list
> To UNSUBSCRIBE or update options visit:
>   
>
http://lists.digium.com/mailman/listinfo/asterisk-users
> 

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

looks like your nmap only scanned for tcp connections.  Try the -u switch.
netstat shows that udp 5060 is accepting connections.
Your iptables ruleset gives me a headache to look at and is quite 
redundant.  Wouldn't it be better to just disallow all packets at the 
beginning and
then open the ports tht you want.  I noticed you started to do this and 
then repeated it again later in the ruleset,  i.e.

/sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP

/sbin/iptables -A INPUT -p udp --dport 137 -j DROP
/sbin/iptables -A INPUT -p udp --dport 138 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 445 -j DROP

/sbin/iptables -A INPUT -p udp --dport 1194 -j DROP

also it would be much easier to allow your localhost to have access regardless
at the beginning of the ruleset,
thus having to avoid adding these rules.

/sbin/iptables -A INPUT -p tcp --dport 5432 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP

                      or

/sbin/iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

                      or

/sbin/iptables -A INPUT -p tcp --dport 106 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 106 -j DROP

I'll have to give you an "A" for effort thought.  In the world of
netfilter less is more and to be honest it probably
took me close to six months before I was able to really understand what was
happening.  Obviously you are one of those hardheads like I am and prefer the
'do-it-yourself' method.  I've never been fond of GUI-based firewall
programs so
may I recomend that you give the firewall script generator called
'quicktables' a try.  Its available at
http://qtables.radom.org/  I've been using it for years and it should do
just what you need.

Regards,
Steve Cayona

p.s.  whay are you wanting to mangle packets?