Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: tag on June 06, 2005, 08:43:33 PM
-
Hi guys,
I've been running my little sme/asterisk box as server-only, however I would now like to have it run as a gateway as well. Now, as you probably know, SIP needs to have a lot of ports open in the 10000-20000 region. The idea of using portopen to individually open 10000 ports doesn't really appeal to me so I need a bit of advice/guidance from a firewall maestro. The rules for asterisk are as follows:-
# SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
# IAX2- the IAX protocol
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# IAX - most have switched to IAX v2, or ought to
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
# RTP - the media stream
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
Having looked at the generated MASQ output in init.d I am way out of my depth here. Question... What is the best way to implement these rules? Where in MASQ (if at all) should I put them?
Thanks in advance for your help
Tag.
-
Hi guys,
I've been running my little sme/asterisk box as server-only, however I would now like to have it run as a gateway as well. Now, as you probably know, SIP needs to have a lot of ports open in the 10000-20000 region.
Tag.
I used to have asterisk running on my SME in server/gateway mode and I never opened any ports.
I now use Asterisk@Home which is an "SME style" PBX server, really cool.....
Per
-
You might be able to pop them in /etc/rc.d/rc.local
-
Thanks Guys
Psoren - I tried to run without opening ports and I couldn't receive incoming SIP/IAX calls
Duncan - I'll give it a whirl and let you know the outcome.
Best
Tag
-
Thanks Guys
Psoren - I tried to run without opening ports and I couldn't receive incoming SIP/IAX calls
Tag
Hmmm.. it's been a while since I had it running myself, so I'm not sure what I did. But I didn't open all those 10- to 20000 ports. Try just to open 5060 for the SIP and the corresponding IAX port (don't know which it is)
Per
-
It's 4569 (IAX2). I will give it a go.
I'll let you know what happens.... :-D
Thanks again
Tag
-
Hi guys,
Here's what I found...
First off - I found a lot of posts expressing frustration and doubt as to whether Port open actually works or not (it does but...).
Also, having looked at the code I could see no reason why portopen wouldn't accept a range (i.e. 10000-20000). It does and you can track it through to the code in /etc/rc.d/init.d/masq, where you can see your port range being ACCEPT'ed in the generated iptable code.
However, I can find no easy way to stop and restart the firewall (and its iptables) in-flight, as you can with most other SME features. However, once you do a reboot then your ports will be open.
My system is now happily accepting SIP calls.
Tag
:pint:
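An added example, not part of the original posts: a small audit that reads rules in the form quoted in the first post and reports how many ports each ACCEPT rule exposes and whether it is limited by source address. The function names and the `WIDE_LIMIT` threshold are assumptions made for illustration; the sample input is the four rules from the thread.

```bash
# Added example: count the ports each ACCEPT rule exposes and flag wide ranges.
# Constructed sample input: the four rules quoted in the first post.
SAMPLE_RULES='iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT'

# audit_rules: reads rules on stdin, prints "proto dport count source flag".
# WIDE_LIMIT is a hypothetical threshold for what counts as a wide range.
audit_rules() {
  awk -v limit="${WIDE_LIMIT:-100}" '
    /^ *#/ || !/-j +ACCEPT/ { next }          # skip comments and non-ACCEPT rules
    {
      proto = "any"; dport = ""; src = "anywhere"
      for (i = 1; i < NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-s" || $i == "--source") src = $(i + 1)
      }
      if (dport == "") next                     # rule does not match on a port
      n = split(dport, r, ":")
      lo = (r[1] == "") ? 0 : r[1]              # ":N" means 0 through N
      hi = (n == 2) ? ((r[2] == "") ? 65535 : r[2]) : lo
      count = hi - lo + 1
      flag = "ok"
      if (count > limit && src == "anywhere") flag = "WIDE-OPEN"
      else if (count > limit) flag = "wide-but-source-limited"
      printf "%s %s %d %s %s\n", proto, dport, count, src, flag
    }'
}

# total_exposed: number of ports accepted from any source address.
total_exposed() {
  audit_rules | awk '$4 == "anywhere" { t += $3 } END { print t + 0 }'
}

printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

Rules in `-A CHAIN ...` form, with or without the leading `iptables`, can be piped into `audit_rules` the same way.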