asterisk and masq

tag

asterisk and masq

« on: June 06, 2005, 08:43:33 PM »

Hi guys,

I've been running my little sme/asterisk box as server-only, however I would now like to have it run as a gateway as well. Now, as you probably know, SIP needs to have a lot of ports open in the 10000-20000 region. The idea of using portopen to individually open 10000 ports desn't really appeal to me so I need a bit of advice/guidance from a firewall maestro. The rules for asterisk are as follows:-

# SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
# IAX2- the IAX protocol
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# IAX - most have switched to IAX v2, or ought to
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
# RTP - the media stream
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

Having looked at the generated MASQ output in init.d I am way out of my depth here. Question... What is the best way to implement these rules? Where in MASQ (if at all) should I put them?

Thanks in advance for your help

Tag.

Logged

psoren

371
+0/-0

Re: asterisk and masq

« Reply #1 on: June 07, 2005, 10:29:53 PM »

Quote from: "tag"

Hi guys,

I've been running my little sme/asterisk box as server-only, however I would now like to have it run as a gateway as well. Now, as you probably know, SIP needs to have a lot of ports open in the 10000-20000 region.
Tag.

I used to have asterisk running on my SME in server/gateway mode and i never opened any ports.
I now use Asterisk@Home which is an "SME style" PBX server, really cool.....

Per

Logged

duncan

asterisk and masq

« Reply #2 on: June 08, 2005, 08:35:19 AM »

You might be able to pop them in /etc/rc.d/rc.local

Logged

tag

asterisk and masq

« Reply #3 on: June 08, 2005, 10:37:45 AM »

Thanks Guys

Psoren - I tried to run without opening ports and I couldn't receive incoming SIP/IAX calls

Duncan - I'll give it a whirl and let you know the outcome.

Best

Tag

Logged

psoren

371
+0/-0

asterisk and masq

« Reply #4 on: June 08, 2005, 02:24:11 PM »

Quote from: "tag"

Thanks Guys

Psoren - I tried to run without opening ports and I couldn't receive incoming SIP/IAX calls

Tag

Hmmm.. it's been a while since i had it running myself, so i'm not sure what i did. But i didn't open all those 10- to 20000 ports. Try just to open 5060 for the SIP and the correspondig AIX port (don't know which it is)

Per

Logged

tag

asterisk and masq

« Reply #5 on: June 08, 2005, 10:29:38 PM »

Its 4569 (IAX2). I will give it a go.

I'll let you know what happens....

Thanks again

Tag

Logged

tag

asterisk and masq

« Reply #6 on: June 20, 2005, 07:06:45 AM »

Hi guys,

Here's what I found...

First off - I found a lot of posts expressing frustration and doubt as to whether Port open actually works or not (it does but...).

Also, having looked at the code I could see no reason why portopen wouldn't accept a range (i.e. 10000-20000). It does and you can track it through to the code in /etc/rc.d/init.d/masq, where you can see your port range being ACCEPT'ed in the generated iptable code.

However, I can find no easy way to stop and restart the firewall (and its iptables) in-flight, as you can with most other SME features. However, once you do a reboot then your ports will be open.

My system is now happily accepting SIP calls.

Tag

Logged