Asterisk server firewall script allows 2-way audio from incoming calls, but not on outgoing?
- by cappie
I'm running an Asterisk PBX on a virtual machine directly connected to the Internet and I really want to prevent script kiddies, l33t h4x0rz and actual hackers access to my server. The basic way I protect my calling-bill now is by using 32 character passwords, but I would much rather have a way to protect
The firewall script I'm currently using is stated below, however, without the established connection firewall rule (mentioned rule #1), I cannot receive incoming audio from the target during outgoing calls:
#!/bin/bash
# first, clean up!
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP # we're not a router
iptables -P OUTPUT ACCEPT
# don't allow invalid connections
iptables -A INPUT -m state --state INVALID -j DROP
# always allow connections that are already set up (MENTIONED RULE #1)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# always accept ICMP
iptables -A INPUT -p icmp -j ACCEPT
# always accept traffic on these ports
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# always allow DNS traffic
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# allow return traffic to the PBX
iptables -A INPUT -p udp -m udp --dport 50000:65536 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -p udp --destination-port 5060:5061 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 5060:5061 -j ACCEPT
iptables -A INPUT -m multiport -p udp --dports 10000:20000
iptables -A INPUT -m multiport -p tcp --dports 10000:20000
# IP addresses of the office
iptables -A INPUT -s 95.XXX.XXX.XXX/32 -j ACCEPT
# accept everything from the trunk IP's
iptables -A INPUT -s 195.XXX.XXX.XXX/32 -j ACCEPT
iptables -A INPUT -s 195.XXX.XXX.XXX/32 -j ACCEPT
# accept everything on localhost
iptables -A INPUT -i lo -j ACCEPT
# accept all outgoing traffic
iptables -A OUTPUT -j ACCEPT
# DROP everything else
#iptables -A INPUT -j DROP
I would like to know what firewall rule I'm missing for this all to work.. There is so little documentation on which ports (incoming and outgoing) asterisk actually needs.. (return ports included).
Are there any firewall/iptables specialists here that see major problems with this firewall script?
It's so frustrating not being able to find a simple firewall solution that enabled me to have a PBX running somewhere on the Internet which is firewalled in such a way that it can ONLY allows connections from and to the office, the DNS servers and the trunk(s) (and only support SSH (port 22) and ICMP traffic for the outside world).
Hopefully, using this question, we can solve this problem once and for all.