khalid touati
2010-Apr-13 18:17 UTC
[asterisk-users] iptables miss up phone calls if not used properly
Hi Guys,

I wanted to share this with u and ask for a little help at the same time: I used iptables to secure my server, so I went ahead and blocked everything except a couple of domain protocols and the UDP ports of SIP, IAX2 and that range 15000 to 20000, tested it and OK. When in production, the calls were taking a huge time (7s) to be established, and sometimes after call setup people cannot hear each other (but not all the time, which is weird), so iptables can mess up performance if not set correctly (even if it's working, stuff like this can happen). So if anybody has some lines of iptables that secure the server and don't cause performance trouble to phone calls, please share with me (I am using CentOS 5.3, Asterisk 1.4.24).

Thanks!

--
Abdullah
Gordon Henderson
2010-Apr-13 18:57 UTC
[asterisk-users] iptables miss up phone calls if not used properly
On Tue, 13 Apr 2010, khalid touati wrote:

> Hi Guys,
> I wanted to share this with u and ask for a little help at the same time:
> I used iptables to secure my server, so I went ahead and blocked everything
> except a couple of domain protocols and the UDP ports of SIP, IAX2 and that
> range 15000 to 20000, tested it and OK. When in production, the calls were
> taking a huge time (7s) to be established, and sometimes after call setup
> people cannot hear each other (but not all the time, which is weird), so
> iptables can mess up performance if not set correctly (even if it's working,
> stuff like this can happen). So if anybody has some lines of iptables that
> secure the server and don't cause performance trouble to phone calls, please
> share with me (I am using CentOS 5.3, Asterisk 1.4.24).

You've probably blocked too much and it's stopping DNS working properly.

Gordon
Jonathan Thurman
2010-Apr-13 20:38 UTC
[asterisk-users] iptables miss up phone calls if not used properly
On Tue, Apr 13, 2010 at 11:17 AM, khalid touati <khalidtouati at gmail.com> wrote:

> Hi Guys,
> I wanted to share this with u and ask for a little help at the same time:
> I used iptables to secure my server, so I went ahead and blocked everything
> except a couple of domain protocols and the UDP ports of SIP, IAX2 and that
> range 15000 to 20000, tested it and OK. When in production, the calls were
> taking a huge time (7s) to be established, and sometimes after call setup
> people cannot hear each other (but not all the time, which is weird), so
> iptables can mess up performance if not set correctly (even if it's working,
> stuff like this can happen). So if anybody has some lines of iptables that
> secure the server and don't cause performance trouble to phone calls, please
> share with me (I am using CentOS 5.3, Asterisk 1.4.24).

You don't need to open up all of the UDP ports like that if you enable connection tracking for SIP. Of course you don't say how many ongoing sessions you are using, but I haven't had any issues with connection tracking for SIP.

All of this is based on INBOUND connections to the server, but make sure you are allowing OUTBOUND connections too. Here are some changes for an example that is NOT complete and you can use AT YOUR OWN RISK. Make sure you have something like this in the following files. Notice that this does not restrict who can talk to your server either, and only covers IAX/SIP. This is based on CentOS 5.4.

/etc/sysconfig/iptables:

    # Anything we already know about
    -A Fwall-IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # IAX
    -A Fwall-IN -m state --state NEW -m udp -p udp --dport 4569 -j ACCEPT
    # SIP
    -A Fwall-IN -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT
    -A Fwall-IN -m state --state NEW -m tcp -p tcp --dport 5060 -j ACCEPT

/etc/sysconfig/iptables-config:

    IPTABLES_MODULES="ip_conntrack_sip"

If you need more specifics, you will have to post your iptables configuration for some more advice.

-Jonathan
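As an added, stand-alone example (not from either poster), here is the same idea as a reviewable script: the SIP conntrack helper makes RTP arrive as RELATED, so no blanket 15000-20000 hole is needed, and the ESTABLISHED rule is what lets DNS answers back in. It assumes the legacy iptables CLI, a DROP policy on INPUT, and a constructed admin network in MGMT_NET; DRY_RUN=1 (the default) only prints the commands, DRY_RUN=0 applies them.

```shell
# Added example: Asterisk host firewall built on the SIP conntrack helper
# instead of an open RTP range. Assumptions: legacy iptables CLI, INPUT DROP.
SIP_PORT=5060
IAX_PORT=4569
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # constructed admin network (RFC 5737)

emit() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "iptables $*"      # review mode: print, do not apply
    else
        iptables "$@"
    fi
}

asterisk_rules() {
    emit -P INPUT DROP
    emit -P OUTPUT ACCEPT     # outbound stays open: DNS lookups, trunk registrations
    emit -F INPUT
    emit -A INPUT -i lo -j ACCEPT
    # Replies to our own traffic (DNS answers, trunk dialogs) plus the RTP
    # streams the SIP helper ties to a tracked call, which arrive as RELATED
    emit -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    emit -A INPUT -m state --state NEW -p udp --dport "$SIP_PORT" -j ACCEPT
    emit -A INPUT -m state --state NEW -p tcp --dport "$SIP_PORT" -j ACCEPT
    emit -A INPUT -m state --state NEW -p udp --dport "$IAX_PORT" -j ACCEPT
    emit -A INPUT -m state --state NEW -p tcp -s "$MGMT_NET" --dport 22 -j ACCEPT
    # Rate-limited log of what gets dropped: the first place to look when a
    # phone registers but audio or DNS stops working
    emit -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP:"
    emit -A INPUT -j DROP
}

# The helper is what turns RTP into RELATED traffic; without it the rules above
# reproduce the thread's one-way-audio symptom. Kernels 4.7 and later also need
# an explicit "-t raw ... -j CT --helper sip" rule (auto-assignment is off).
sip_helper_loaded() {
    grep -Eq '^(ip|nf)_conntrack_sip' /proc/modules 2>/dev/null
}

# Number of rules opening a blanket RTP range: should be zero with this design.
blanket_rtp_rules() {
    (DRY_RUN=1; asterisk_rules) | grep -c -- '--dport 15000:20000' || true
}

[ "${DRY_RUN:-1}" = "1" ] || sip_helper_loaded || { echo "SIP conntrack helper not loaded; refusing to apply" >&2; exit 1; }
asterisk_rules
```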