BreadCrumbs: Asterisk Firewall

Asterisk Firewall

From Luke Jackson

Jump to: navigation, search

Solution to Asterisk behind NAT/Firewall

our astersik server does not have to be on a public IP, DMZ, or other non-secure positions to be properly implemented. Presented here is one of the most effectively secure implementations of * behind NAT/firewall.

First make sure the linux firewall on your * server is disabled (you will have to rely on the router firewall or at least after everything is up and running you can re-enable the linux firewall and open each needed port). Then you set a static IP address on your * server. On your router NAT/firewall, forward SIP ports (UDP & TCP) 5060 - 5082 and RTP ports (UDP & TCP) 8000 - 20000 to your * server IP address (or 5000 - 31000 for both SIP and RTP).

For a dual NIC configuration, make sure you set eth0 as the NIC for the * WAN. This is usually the NIC that Linux uses to primarily run WAN with. If unsure check your router outbound log you will find the * primary NIC IP address going outbound to your ITSP, web browsing, or remote extension on port 5060 or whatever your VoIP ports are. If this is not done there will either be no audio, one way audio, or dropped calls as the RTP packets will be sent and received on the wrong NIC(s). IN OTHER WORDS, MAKE SURE YOU CONFIGURE YOUR * SERVER WAN NIC ON eth0 AND FORWARD ALL APLICABLE PORTS TO IT (eth0 IP address) and leave the default gateway field on eth1 NIC blank because it will be going online only through eth0.

Then edit the "rtpstart" value in rtp.conf - from rtpstart=10000 to rtpstart=8000 since 8000 is the default RTP port on x-lite softphones and some other phones, or you might totally change it to asterisk default values which are rtpstart=5000 and rtpend=31000, but you will have to also adjust the RTP (UDP & TCP) port forwarding (mentioned above) on your router NAT/firewall to reflect the same port range. Needless to say, if a remote * server is also behind NAT/firewall on the other end all the port ranges (TCP/UDP) mentioned above need to be opened likewise as here for bidirectionally flow of your VoIP traffic. IP phones or VoIP clients in general do not need any ports opened or forwarded to them. Also enter the same externip=xxx.xxx.xxx.xxx and localnet=xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx info from your sip.conf general settings into sip_nat.conf.

Then in sip.conf under the account authentication settings for each remote extension add nat=yes, and canreinvite=no . Make sure you save the new configurations in each edited file then run 'reload' on the asterisk CLI or stop and restart * again to comletely re-read all config files after the changes. This should get it working flawlessly, it did it for me after much research and troubleshooting. This should mark the end of NAT/firewall issues with asterisk. I would like to see confirmation postings from those that do implement this. Thanx.


NOTE: For other protocols such as H.323, SCCP(Skiiny), MGCP, etc you just have to make sure on your router firewall/NAT you have their port numbers forwarded to your * server WAN interface and make sure the RTP ports (which carries the actual audio packets) in your rtp.conf is 5000 - 31000 (TCP/UDP) and also forwarded to * WAN interface as well.

Your WAN or externip address from your ISP is usually not permanent so in the case where it changes you will have to edit the "externip=" value in sip.conf general settings and sip_nat.conf to the new value or better yet you can have it automatically renewed by registering with dynamic DNS (dyndns) through your router (I know Linksys and some other routers have DynDNS in them) to receive a constantly updated domain name that will always resolve to whatever IP address is issued by your ISP to your network. Or another option for those with routers without inbuilt DynDNS is to use your dynamic IP address with no-ip.com; you set it just like DynDNS and download a dynamic update client (for windows, apple or linux) that you can install on your * or any box (that is always on) on your local network in general to update the no-ip.com pointer every 30 minutes or however often you want it. So all you need to do is use the domain name you get from no-ip.com or dyndns.org as your externip= on * so that it resolves that domain name to whatever dynamic IP address your ISP assigns to you at anytime.

For other protocols such as IAX, (IAX2 port is 4569. IAX port is 5036) on your router NAT/firewall you should forward ports (UDP & TCP) 4569 and/or 5036 to your asterisk server IP address.

Bottom line remains to make note of the needed and appropriate ports in your config files and have them forwarded on/by your router NAT/firewall to your * server IP address.

And to add, experiments performed just proved Fedora Core to be most compatible with * , as supported by Digium. So in order to cut down on problems and troubleshooting time there is always an option to try FC. REMEMBER, ALL PORT FORWARDINGS TO * SHOULD BE TO THE * SERVER WAN INTERFACE (THE * NIC PRIMARILY ASSIGNED TO WAN COMMUNICATION) AND THIS BY DEFAULT IS/SHOULD BE eth0. IN OTHER WORDS, MAKE SURE TO ASSIGN eth0 AS YOUR * WAN INTERFACE AND FORWARD ALL PORTS TO ITS IP ADDRESS AND LEAVE THE DEFAULT GATEWAY FIELD ON ETH1 BLANK BECAUSE IT WILL BE GOING ONLINE ONLY THROUGH ETH0.

Iptables

-A RH-Firewall-1-INPUT -s 10.1.0.0/255.255.0.0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 2223 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5060:5082 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 5060:5082 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8000:20000 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 8000:20000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1:1024 -j DROP
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1:1024 -j DROP

Sources

Personal tools