Networking :: Iptables Script Is Blocking Voip Asterisk?
Jun 5, 2010
I have two asterisk servers, each one behind a linux firewall/gw. Linux is Centos 5.4, kernel 2.6.18-164.el5, iptables v1.3.5. Routes on the fws are ok, and when iptables is stopped the servers see each other, all good. But when I run the iptables script on either fw, one server (not always the same) goes unreachable. I verify this with asterisk -r, then show sip trunk, and the status becomes UNREACHABLE.
The iptables script is generated by fwbuilder. The weird part is that I put only one rule in the script and it looks like Source=any, Destination=any, Service=any, Interface=any, Direction (Inbound,Outbound)=any, Time=Any, Action=ACCEPT. So as you can see I tried something like "Do not do anything at all". But anyway, I run the script on either fw and one server becomes UNREACHABLE. I think the script does something wrong after all, or maybe I have some misconfiguration in my asterisk conf files. The point is I am not so expert in iptables or shell scripting, so I can't see anything wrong in the iptables script. I have looked for some issues like iptables blocking because of the ip_conntrack table being full, or the "don't fragment" bit set in the kernel problem, but nothing seems to be the right problem at all.
I was just wondering if you know of any site/forum that is informative about Asterisk. I have just configured an Atcom IP04 in which Asterisk is embedded. I need to know how to configure the IP-PABX to receive fax and come up with a Skype Gateway to receive/call out on Skype.
I am encountering a strange problem on my VOIP setup. Basically, I have an asterisk appliance IP04. I have set up all the extensions and everything. I use a Linksys PAP2T as an ATA remotely. Now, my problem is that sometimes the ATA is okay and can call SIP and PSTN, but sometimes I just can't hear anything. I thought it was my ISP blocking the VOIP packets, but I have tried both the SIP softphone and the IAX2 softphone on my PC. For IAX2, it works perfectly; however in SIP, I can hear the other end but they cannot hear me.
These are the ports I have opened on my router:
1.) UDP 5060 - SIP Port
2.) UDP 10000 - 20000 - RTP Port
3.) UDP 4569 - IAX2
Do I need to open both TCP/UDP for these ports or UDP should be enough? These are the test cases:
1.) Using my WiFi connection and an analog phone connected to the ATA --> Sometimes working, sometimes not, and sometimes you can call SIP but the other end cannot hear you
2.) Using IAX2 on the WiFi connection --> This one works perfectly
3.) Using a mobile phone connected to the WiFi network --> The same... but you can call and go out on PSTN but the other end cannot hear you
4.) Using a mobile phone connected via 3G --> Works perfectly, but as expected it is quite slow and voice quality is awful
I want to use SIP rather than IAX2 because it is widely used and because my ATA doesn't support IAX2. Are there other ports I need to open or configure?
Today my boss came to me and asked me to get a quote to upgrade our old "Cisco call manager" (2004), now "Cisco Unified Communications Manager". So I was wondering, instead of doing a costly upgrade (over 35 000 €), maybe it's time to change... Does anyone have some insight into Asterisk in an enterprise environment? Is it reliable? In your own judgement, what are the + and - ? If Asterisk is worth it, what argument (apart from the price) could I use to help turn management to my side? Will the Cisco 7921 VOIP phones be able to connect to it? (as we do have over 35 of them)
Enterprise environment:
- 3 sites (VPN interconnected)
- ~35 VOIP phones and ~10 landline phones
I want to block all outgoing ssh from my machine, i.e. my machine will not be able to ssh to any outside machine, using iptables. The distro is RHEL. I added the following entry to iptables but unfortunately it didn't work: -A OUTPUT -p tcp -m tcp --dport 22 -j DROP
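Whether an OUTPUT rule like the one above ever fires depends on where it sits in the chain: an appended DROP lands behind any ACCEPT that already matches the packet (a broad state or interface ACCEPT, for instance) and is then never evaluated. The following is an added example, not the poster's configuration: it inserts the block at the head of OUTPUT, logs what it drops, and lists the chain with rule numbers and counters so the position can be checked. It assumes iptables lives at /sbin/iptables (the RHEL path); with FW_DRYRUN=1 set it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: block new outgoing SSH connections from this host.
# Assumes iptables at /sbin/iptables (RHEL path). FW_DRYRUN=1 prints the
# commands instead of executing them, so the script can be inspected as
# an unprivileged user.

IPT=${IPT:-/sbin/iptables}

fw() {
    if [ "${FW_DRYRUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Insert at the head of OUTPUT (-I ... 1) rather than append (-A): an
# appended DROP sits behind any existing ACCEPT that already matches the
# packet (for example a broad "-m state --state NEW -j ACCEPT" or an
# "-o eth0 -j ACCEPT") and is then never evaluated.
block_outgoing_ssh() {
    # Matching on the destination port leaves inbound sessions to this
    # host's own sshd untouched: their outgoing packets have source port 22.
    fw -I OUTPUT 1 -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "SSH-OUT-DROP:" --log-level 4
    fw -I OUTPUT 2 -p tcp --dport 22 -m state --state NEW -j DROP
}

# Undo the two rules above (-D with exactly the same specification).
unblock_outgoing_ssh() {
    fw -D OUTPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "SSH-OUT-DROP:" --log-level 4
    fw -D OUTPUT -p tcp --dport 22 -m state --state NEW -j DROP
}

# List OUTPUT with rule numbers and packet counters: the DROP must be
# numbered before any ACCEPT that could match port 22, and its counter
# should increase when an outbound ssh attempt is made.
show_output_chain() {
    fw -L OUTPUT -n -v --line-numbers
}

case "${1:-}" in
    block)   block_outgoing_ssh ;;
    unblock) unblock_outgoing_ssh ;;
    show)    show_output_chain ;;
esac
```

The LOG target writes to the kernel log, which syslog on RHEL puts in /var/log/messages; grep for the prefix to see which processes tried to reach port 22. Run with "show" first after blocking: if the DROP's counter stays at zero while ssh still connects, an earlier rule is accepting the packets.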
I used the angry ip scan software and found a lot of the public IP addresses on our network are accessible from outside when they are not supposed to be, e.g. printers, PCs etc. To make a start on locking down the network, I was wondering if anybody knew the iptables command to add a rule which blocks all incoming traffic to specific IP addresses on the network and to a range of IP addresses.
I compiled and installed the Asterisk ztdummy package because there is no rpm for it, unfortunately, and I even reinstalled asterisk, but I still get the "No application 'Meetme' for extension..." error when trying to conference. I do a "module show", and it lists other modules that were compiled with the zt source, but not ztdummy. Does anyone know how to fix this? This is more than a passing interest or hobby, because I need to conference about 3 to 5 people to help me test a new Website Content Management System and User Forums Management System I am about to launch as a service.
I am setting up an iptables firewall on one of our servers, and I would like to block a range of addresses from getting into the system. I am using a script that does a BLACKIN and BLACKOUT methodology for specific addresses. One example is the following:
Code:
$IPTABLES -A BLACKIN -s 202.109.114.147 -j DROP
...
$IPTABLES -A BLACKOUT -d 202.109.114.117 -j DROP
What would be the correct syntax to use if I wanted to block an entire remote subnet from getting into the server?
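An added example, not the poster's script, that extends the BLACKIN/BLACKOUT idea to whole subnets and to arbitrary address ranges, and that also covers the earlier question about keeping the internet away from specific internal addresses (printers, PCs). The chain names come from the post; creating the chains and wiring them into INPUT, FORWARD and OUTPUT is assumed here because the post does not show that part. All addresses in the usage are constructed from the RFC 5737 documentation ranges, and FW_DRYRUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: blacklist chains that accept subnets and address ranges.
# BLACKIN/BLACKOUT are the chain names from the post; creating them and
# wiring them into the built-in chains is assumed here.
# FW_DRYRUN=1 prints the iptables commands instead of running them.

IPT=${IPT:-/sbin/iptables}
fw() { if [ "${FW_DRYRUN:-0}" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

# Create the chains and consult them before anything else in INPUT,
# FORWARD (hosts routed through this box) and OUTPUT.
setup_blacklist_chains() {
    fw -N BLACKIN
    fw -N BLACKOUT
    fw -I INPUT 1 -j BLACKIN
    fw -I FORWARD 1 -j BLACKIN
    fw -I OUTPUT 1 -j BLACKOUT
}

# A single host or a whole subnet: -s/-d take CIDR prefixes directly,
# so "202.109.114.0/24" blocks 256 addresses with one rule.
block_subnet() {
    fw -A BLACKIN -s "$1" -j DROP
    fw -A BLACKOUT -d "$1" -j DROP
}

# A range that does not fall on a prefix boundary (e.g. .100-.150):
# the iprange match takes "first-last" instead of a prefix.
block_range() {
    fw -A BLACKIN -m iprange --src-range "$1" -j DROP
    fw -A BLACKOUT -m iprange --dst-range "$1" -j DROP
}

# Inbound-only protection for addresses that must not be reachable from
# the internet (printers, workstations). Placed in BLACKIN, which FORWARD
# consults first, so no earlier ACCEPT can shadow it: packets arriving on
# the WAN interface for these hosts are dropped unless they belong to a
# connection the host opened itself, in which case RETURN hands them back
# to FORWARD for normal processing.
protect_hosts() {
    wan_if=$1; shift
    for host in "$@"; do
        fw -A BLACKIN -i "$wan_if" -d "$host" -m state --state ESTABLISHED,RELATED -j RETURN
        fw -A BLACKIN -i "$wan_if" -d "$host" -j DROP
    done
}

# Constructed usage; RFC 5737 documentation addresses stand in for real ones.
demo() {
    setup_blacklist_chains
    block_subnet 203.0.113.0/24
    block_range 198.51.100.100-198.51.100.150
    protect_hosts eth0 192.0.2.10 192.0.2.11
}

case "${1:-}" in
    show)  FW_DRYRUN=1; demo ;;
    apply) demo ;;
esac
```

"sh blacklist.sh show" prints the full rule list for review; "iptables -L BLACKIN -n -v" afterwards shows per-rule packet counters, which is the quickest way to confirm a blocked range is actually being hit.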
I have a fiber-optic broadband 20MB synchronous pipe at my home. Over summer my place of employment is pretty much dead for 3 months, so when I'm not busy I play around on my home server. I have my 20mb pipe going directly into my wrt54gl, and from there I have a wired connection going to my server (Centos 5.3, recently upgraded to 5.5 through updates). It serves as a file server (Samba, SSH). My wrt54gl handles natting port 22 to my server. I have my wireless AP set up to hand out leases from .2-.20 and my server has a static of .100. Dyndns.org handles my name resolution via their free account method.
I have a Mac Pro, iMac, Macbook, and a Toshiba laptop with 64-bit 7 running off wireless along with our cell phones, and my XBOX 360 is also wired directly for the gaming speed. I use all of the computers around my home to access the samba shares via UNC path for file sharing and/or working on projects. I had originally planned to upgrade the wrt54gl with a cisco e3200 or an e3000, but unfortunately I've come to find out dyndns and the e lines of cisco wireless APs don't work with dyndns and get banned. So I would have to install the daemon on my server and put it as a directly connected server on my WAN link and install a second ethernet card and pass traffic through my server for the rest of my home, which I am not going to do.
All of the previous sentence is because it would update dyndns with a 192.168.x.x address, since it's not directly connected. I use a combination of putty.exe and vnc viewer to tunnel 5900 through port 22 to my server. So from anywhere I am I can access my screen securely and then rdp or vnc to the desktop of my local LAN computers. This allows me to only have port 22 open. I've been looking at my ssh logs and noticed I have been getting hit a lot with ssh scans. I want to implement an iptables firewall on my linux machine just for the purpose of further securing port 22. I don't necessarily need natting on the iptables firewall; all I need is ssh in and out, web in, and samba out to local IPs only.
For SSH this is what I want: I want to allow SSH from any IP, but if it tries to log in more than 3 times in one minute I want to block that IP for a full minute before it can try 3 more attempts. I would also like to log to a file but have been having issues getting that to work as well. That way when I review the logs and I see that an IP tries three times and then waits a minute and tries three more, etc., I can permanently block that IP or range of IPs by adding it to the iptables script. Here is my current iptables script and it doesn't seem to be working for me. I have played with this and read for almost two weeks and still cannot get it to work correctly.
Code:
#!/bin/bash
# In order to use this iptables firewall script you must have iptables installed. You also must be using a 2.4.x series Kernel, with iptables support compiled into it, which is standard for most newer linux distributions.
# If you need help compiling iptables into your kernel, please see our kernel Compile/Upgrade Guide located at [URL]
# Once the script has been edited with all your relevant information (IP's Network Interfaces, etc..) simply make the script executable and run it as root.
# chmod 700 fw_rules.sh
# ./fw_rules.sh
.....
# Our final trap. Everything on INPUT goes to the dropwall
# So we don't get silent drops.
$IPT -A INPUT -j dropwall
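The quoted script is only a fragment, so what follows is an added example rather than a correction of it: a complete, minimal ruleset for the needs stated above (SSH in and out, web in, Samba for the LAN only) with the SSH throttle built on the recent match, which the CentOS 5 kernel ships. It assumes the LAN is 192.168.1.0/24 and the binary is /sbin/iptables (both placeholders), opens Samba inbound from the LAN since that is what serving shares to the other machines requires, and also allows outbound DNS, which the post does not list but which the dyndns client and yum need. Two caveats a practitioner should know: the recent match counts new TCP connections per source, not failed logins inside one session (sshd's own MaxAuthTries governs those), and the LOG target writes to the kernel log, which on CentOS lands in /var/log/messages rather than a file of its own.

```shell
#!/bin/sh
# Added example: minimal ruleset for a single-homed file server with an
# SSH connection throttle. Placeholders: LAN 192.168.1.0/24, /sbin/iptables.
#   sh fw.sh show    print the rules (no root needed)
#   sh fw.sh apply   load them (root)
# Dropped packets are logged by the kernel with the prefixes below; on
# CentOS they end up in /var/log/messages, so "grep SSH-RATE-DROP" lists
# the sources that tripped the limit.

IPT=${IPT:-/sbin/iptables}
LAN=${LAN:-192.168.1.0/24}
SSH_MAX=3        # new SSH connections allowed from one source ...
SSH_WINDOW=60    # ... within this many seconds

fw() { if [ "${FW_DRYRUN:-0}" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

reset_tables() {
    fw -F
    fw -X
    fw -P INPUT DROP
    fw -P FORWARD DROP
    fw -P OUTPUT DROP
}

base_rules() {
    fw -A INPUT -i lo -j ACCEPT
    fw -A OUTPUT -o lo -j ACCEPT
    # Packets of connections already accepted, in both directions.
    fw -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Assumed, not in the post: DNS out, needed by yum and the dyndns client.
    fw -A OUTPUT -p udp --dport 53 -j ACCEPT
    fw -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
}

# Every new SSH connection is recorded in the "ssh" list. When a source
# has more than SSH_MAX entries within SSH_WINDOW seconds, the packet is
# handed to SSH_DROP (log, then drop). --update also refreshes the entry,
# so a client that keeps hammering stays blocked until it pauses for
# SSH_WINDOW seconds; this counts connections, not failed passwords.
ssh_rules() {
    fw -N SSH_GUARD
    fw -N SSH_DROP
    fw -A SSH_DROP -m limit --limit 10/min -j LOG --log-prefix "SSH-RATE-DROP:" --log-level 4
    fw -A SSH_DROP -j DROP
    fw -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_GUARD
    fw -A SSH_GUARD -m recent --name ssh --set
    fw -A SSH_GUARD -m recent --name ssh --update --seconds "$SSH_WINDOW" --hitcount $((SSH_MAX + 1)) -j SSH_DROP
    fw -A SSH_GUARD -j ACCEPT
    # SSH out from this box.
    fw -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

service_rules() {
    # Web in.
    fw -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Samba (SMB/CIFS and NetBIOS) from LAN clients only; nothing from outside.
    fw -A INPUT -s "$LAN" -p tcp -m multiport --dports 139,445 -m state --state NEW -j ACCEPT
    fw -A INPUT -s "$LAN" -p udp -m multiport --dports 137,138 -j ACCEPT
}

final_rules() {
    # Whatever reaches here is about to hit the DROP policy: log a sample
    # (rate limited so a scan cannot fill the log), then drop explicitly.
    fw -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP:" --log-level 4
    fw -A INPUT -j DROP
    fw -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP:" --log-level 4
    fw -A OUTPUT -j DROP
}

build_ruleset() {
    reset_tables
    base_rules
    ssh_rules
    service_rules
    final_rules
}

case "${1:-}" in
    show)  FW_DRYRUN=1; build_ruleset ;;
    apply) build_ruleset ;;
esac
```

Sources that are currently on the list can be read from /proc/net/ipt_recent/ssh (that is the path on the 2.6.18 kernel), which is the quickest way to see who tripped the limit without grepping the log. A source that shows up there repeatedly over days is the candidate for a permanent DROP rule at the top of INPUT.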
I am currently running Debian 6. I would like to know if there is a way, and how I would go about it, to block a certain IP range from connecting to my server within a certain port range. For example:
I want to block the IP range 123.123.123.* from connecting to my server on ports 33000 - 43000. But I want to allow them to connect on any other port range, and I want to be able to allow connections from my server to the blocked IP range on those same ports. So, blocking incoming only on the above port range.
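An added example for this question, not from the post: it drops new inbound connections from 123.123.123.0/24 (the "123.123.123.*" range) to ports 33000 through 43000 on both TCP and UDP, leaves every other port open to that range, and keeps connections the server itself opens toward those hosts working. The inbound-only part comes from the state match on the jump rule: a connection the server initiates is NEW on the way out (OUTPUT, untouched here) and its replies arrive as ESTABLISHED, so they never enter the blocking chain no matter where it sits in INPUT. The dedicated chain and the iptables path are assumptions; FW_DRYRUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: block one source /24 from a port range, inbound only.
# Assumed: iptables at /sbin/iptables and a dedicated chain so the rules
# can be reloaded without disturbing the rest of INPUT. FW_DRYRUN=1 prints.

IPT=${IPT:-/sbin/iptables}
fw() { if [ "${FW_DRYRUN:-0}" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

BLOCKED_NET=123.123.123.0/24      # "123.123.123.*" from the question
PORTS=33000:43000                 # iptables writes a port range as low:high

# The jump matches only NEW packets, so it can sit at the very top of INPUT:
# replies to connections this server opened toward 123.123.123.x are
# ESTABLISHED and never enter PORTBLOCK. Every other port from that range
# falls through the chain unmatched and is handled by the normal rules.
install_port_block() {
    fw -N PORTBLOCK
    fw -A PORTBLOCK -p tcp -s "$BLOCKED_NET" --dport "$PORTS" -j DROP
    fw -A PORTBLOCK -p udp -s "$BLOCKED_NET" --dport "$PORTS" -j DROP
    fw -I INPUT 1 -m state --state NEW -j PORTBLOCK
}

# Remove the jump first, then empty and delete the chain.
remove_port_block() {
    fw -D INPUT -m state --state NEW -j PORTBLOCK
    fw -F PORTBLOCK
    fw -X PORTBLOCK
}

# Per-rule packet counters show whether the block is being hit at all.
show_port_block() {
    fw -L PORTBLOCK -n -v
}

case "${1:-}" in
    install) install_port_block ;;
    remove)  remove_port_block ;;
    show)    show_port_block ;;
esac
```

DROP rather than REJECT is deliberate: a scanner from the blocked range sees the ports as filtered instead of getting a clean "closed" answer, and the server sends nothing back to it.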
I am at a loss how to prevent Denial of Service attacks to port 25 and not block legitimate connections from 2 Barracuda 800(s), and block smart phones such as iPhones/Blackberrys/iPhones that use the server smtp.server.com for email. Presently for port 25: RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
The 2 Barracuda 800(s) make port 25 connections all the time, plus users with smart phones have the incoming server type: IMAP pop.server.com smtp.server.com
Is there a way to keep Denial of Service attacks from happening with iptables rules without blocking the Barracuda(s) that make constant port 25 connections & smart phones that poll? I was thinking if I allowed the Barracuda(s) with these lines: -s (barracuda)24.xx.xx.xx -d (emailserver)24.00.xx.xx -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
Where the source would be the Barracuda going to the email server, it would be allowed. Then I am left with how to allow other connections like smart phones that connect via port 25. I am thinking if I put rules in place doing connection counts per minute it would result in errors connecting to the server and people would start complaining. Plus any limiting may result in blocking real traffic. Then would I need to allow the ISP range in the above example to accept port 25? I am still left with how to drop a flood/denial of service attack.
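An added example, not the poster's rules: a dedicated SMTP_IN chain hung at the top of RH-Firewall-1-INPUT (the chain named in the post) that first accepts the Barracuda sources unconditionally, then admits everyone else at a per-source rate through the hashlimit match, and logs and drops what exceeds it. Limiting per source address is what keeps the polling phones and other normal senders working: each is one address at a modest rate, so only a single address that floods gets capped, and the cap is a dropped SYN that the client retries rather than an error. It does not stop a flood spread across many addresses; that needs help upstream. The Barracuda and mail-server addresses and the rate numbers are placeholders, and the older --hashlimit spelling is used because both the RHEL 5 (1.3.5) and RHEL 6 iptables accept it.

```shell
#!/bin/sh
# Added example: per-source throttle for new SMTP connections with a
# whitelist for the Barracuda relays. Chain name RH-Firewall-1-INPUT is
# from the question; addresses and limits are placeholders.
# FW_DRYRUN=1 prints the commands instead of running them.

IPT=${IPT:-/sbin/iptables}
fw() { if [ "${FW_DRYRUN:-0}" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

MAIL_SERVER=${MAIL_SERVER:-192.0.2.25}                   # placeholder (RFC 5737)
BARRACUDAS=${BARRACUDAS:-"198.51.100.11 198.51.100.12"}  # placeholders
SMTP_RATE=${SMTP_RATE:-30/min}   # sustained new connections per source
SMTP_BURST=${SMTP_BURST:-60}     # burst allowed before the rate applies

install_smtp_guard() {
    fw -N SMTP_IN
    # Trusted relays are never rate limited.
    for relay in $BARRACUDAS; do
        fw -A SMTP_IN -s "$relay" -j ACCEPT
    done
    # Everyone else: token bucket per source address. A source's table
    # entry expires 60 s after its last packet (htable-expire is in ms).
    fw -A SMTP_IN -m hashlimit --hashlimit "$SMTP_RATE" --hashlimit-burst "$SMTP_BURST" \
        --hashlimit-mode srcip --hashlimit-name smtp-new --hashlimit-htable-expire 60000 -j ACCEPT
    # Over the limit: log a sample, then drop the SYN (the client retries).
    fw -A SMTP_IN -m limit --limit 5/min -j LOG --log-prefix "SMTP-FLOOD:" --log-level 4
    fw -A SMTP_IN -j DROP
    # Send new SMTP connections for the mail server through the chain
    # before the existing port-25 ACCEPT can see them.
    fw -I RH-Firewall-1-INPUT 1 -p tcp -d "$MAIL_SERVER" --dport 25 -m state --state NEW -j SMTP_IN
}

remove_smtp_guard() {
    fw -D RH-Firewall-1-INPUT -p tcp -d "$MAIL_SERVER" --dport 25 -m state --state NEW -j SMTP_IN
    fw -F SMTP_IN
    fw -X SMTP_IN
}

# Packet counters per rule show who is accepted, who is limited, and
# how much is being dropped; watch them for a day before tightening.
show_smtp_guard() {
    fw -L SMTP_IN -n -v
}

case "${1:-}" in
    install) install_smtp_guard ;;
    remove)  remove_smtp_guard ;;
    show)    show_smtp_guard ;;
esac
```

Start with the generous numbers above and read the counters and the SMTP-FLOOD lines in /var/log/messages for a while: legitimate phones should never appear there, and the sources that do are the ones worth a permanent block.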
My home networking consists of a slackware box, running iptables with a dual NIC. That's the firewall. I have a Netgear FSM 7352S, which is a level 3 switch, which I am currently just using as a switch. Clients are numerous PCs and a couple of networked printers.
The "firewall" machine is also a file server.
Here are the issues I could use some pointers on:
I'd like to assure that the VOIP adapters get priority, assuring QOS, particularly voice quality.
I'd like to provide reasonable priority for video streaming, such as hulu and other sources, that the kids use.
I'd like bulk data transfers (like backing up partitions) to the file server, which runs iptables and acts as the firewall/gateway for a cable internet connection. It would be good to be able to do this without impacting VOIP and video streaming.
I just set up a linux machine that acts as a gateway along with squid running in transparent mode. Now I have one asterisk server which is behind that gateway, I mean on my local subnet, which passes through my linux gateway. The VoIP server has a 4mb up and 4mb down limit. Clients have 512kbps and 2mb upload.
Now my question is regarding skype calling. Since skype uses port 80, does it mean that it passes its requests via the proxy or direct? To be on the safe side I've changed the skype incoming port to 443, which squid does not see. How much bandwidth does skype use for calling in that case? Someone told me that it uses squid to pass its requests, which I don't agree with.
I was given a project of installing a new Jive VOIP PBX and will be migrating to it from an older Avaya PBX. What do I need to perform in order to migrate the DIDs and extensions etc. from the old system to the new? It is something that I have never done and I have been asked to perform a miracle. I have never used Jive VOIP PBXs and am familiar with Trixbox stuff, but for smaller businesses and nothing of this size.
I'm trying to set up QoS for my VoIP line on my debian router box. I have tested wondershaper and to me it doesn't seem to work at all, so I'm looking for a better solution. Ultimately I would like something along the lines of [URL], but I guess such nice things don't exist for linux. Currently I'm on an ADSL link, switching to cable in a few months.
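An added example serving both the Slackware gateway question (VoIP first, video second, bulk transfers last) and this Debian one; it is not from either post. It builds an HTB tree on the upstream interface with three classes and classifies packets through iptables marks, which is the same mechanism wondershaper wraps but with the classes under your own control. Everything concrete in it is an assumption to adapt: WAN interface eth0, uplink 900 kbit (set a little under the real rate so the queue forms in this box, where priorities apply, rather than in the modem), VoIP adapters at 192.168.1.10 and .11, SIP on UDP 5060. A root qdisc shapes only what the box sends; giving the kids' video streams priority on the way in needs the mirror of this tree on the LAN-facing interface, with the marks set in mangle PREROUTING or FORWARD instead. FW_DRYRUN=1 prints the tc and iptables commands instead of running them.

```shell
#!/bin/sh
# Added example: three-class HTB shaper with iptables mark classification.
# All values are placeholders: WAN interface, uplink rate, VoIP adapter
# addresses. FW_DRYRUN=1 prints the tc/iptables commands instead of
# running them.

WAN=${WAN:-eth0}
UPLINK_KBIT=${UPLINK_KBIT:-900}                  # a bit below the real uplink
VOIP_HOSTS=${VOIP_HOSTS:-"192.168.1.10 192.168.1.11"}
TC=${TC:-/sbin/tc}
IPT=${IPT:-/sbin/iptables}

run() { if [ "${FW_DRYRUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# Guaranteed share per class when the link is saturated; each class may
# borrow up to the full uplink (ceil) while the others are idle.
VOIP_KBIT=$((UPLINK_KBIT * 30 / 100))
INTER_KBIT=$((UPLINK_KBIT * 40 / 100))
BULK_KBIT=$((UPLINK_KBIT - VOIP_KBIT - INTER_KBIT))

setup_qdisc() {
    # Root HTB; anything unclassified falls into 1:30 (bulk).
    run $TC qdisc add dev "$WAN" root handle 1: htb default 30
    run $TC class add dev "$WAN" parent 1: classid 1:1 htb rate "${UPLINK_KBIT}kbit" ceil "${UPLINK_KBIT}kbit"
    # Lower prio number is served first whenever it has packets waiting.
    run $TC class add dev "$WAN" parent 1:1 classid 1:10 htb rate "${VOIP_KBIT}kbit" ceil "${UPLINK_KBIT}kbit" prio 0
    run $TC class add dev "$WAN" parent 1:1 classid 1:20 htb rate "${INTER_KBIT}kbit" ceil "${UPLINK_KBIT}kbit" prio 1
    run $TC class add dev "$WAN" parent 1:1 classid 1:30 htb rate "${BULK_KBIT}kbit" ceil "${UPLINK_KBIT}kbit" prio 2
    # Short FIFO for voice (a late voice packet is useless), fair queuing elsewhere.
    run $TC qdisc add dev "$WAN" parent 1:10 handle 10: pfifo limit 10
    run $TC qdisc add dev "$WAN" parent 1:20 handle 20: sfq perturb 10
    run $TC qdisc add dev "$WAN" parent 1:30 handle 30: sfq perturb 10
    # Firewall mark 1 -> VoIP class, mark 2 -> interactive class.
    run $TC filter add dev "$WAN" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
    run $TC filter add dev "$WAN" parent 1: protocol ip prio 2 handle 2 fw flowid 1:20
}

setup_marks() {
    run $IPT -t mangle -N QOS_MARK
    run $IPT -t mangle -A POSTROUTING -o "$WAN" -j QOS_MARK
    # Everything the VoIP adapters send, plus SIP signalling from anywhere.
    for h in $VOIP_HOSTS; do
        run $IPT -t mangle -A QOS_MARK -s "$h" -j MARK --set-mark 1
    done
    run $IPT -t mangle -A QOS_MARK -p udp --dport 5060 -j MARK --set-mark 1
    # Still unmarked: DNS and bare TCP ACKs (what a video download sends
    # upstream) go to the interactive class so a bulk upload cannot starve them.
    run $IPT -t mangle -A QOS_MARK -m mark --mark 0 -p udp --dport 53 -j MARK --set-mark 2
    run $IPT -t mangle -A QOS_MARK -m mark --mark 0 -p tcp --tcp-flags ALL ACK -m length --length 0:64 -j MARK --set-mark 2
}

teardown() {
    run $TC qdisc del dev "$WAN" root
    run $IPT -t mangle -D POSTROUTING -o "$WAN" -j QOS_MARK
    run $IPT -t mangle -F QOS_MARK
    run $IPT -t mangle -X QOS_MARK
}

# Byte and packet counters per class show whether marks land where intended.
show_classes() {
    run $TC -s class show dev "$WAN"
}

case "${1:-}" in
    start) setup_qdisc; setup_marks ;;
    stop)  teardown ;;
    show)  show_classes ;;
esac
```

Source-address marking works in mangle POSTROUTING because that hook runs before the nat table rewrites the source, so the adapters' LAN addresses are still visible there. After "start", place a call while a backup runs and watch "show": the 1:10 counters should move with the call and the 1:30 counters with the backup.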
I'm using tcpdump and tcptrace to track all incoming and outgoing data packets through my network interfaces. But I fail to monitor the voip data for skype that way, although it works well with http port 80, for example.
I want to track the ip address of the data packets for skype, i.e. know the ip address of the other one speaking at the other end of skype. How can I achieve this?
I've checked the port setting in my skype and I'm sure I'm listening on the right port. But nothing is showing up while I'm in connection with skype.
I have a complex network. ADSL broadband comes into the house and connects to an Orange Livebox. An Ethernet cable then connects the Livebox to a more powerful router, a DrayTek Vigor 2710Vn. The reason for this is that the Livebox has a second line capability using Voip, but it is not powerful enough to get around my stone house. The DrayTek router has Voip capability, but as yet Orange will not connect the Voip line to it. I connect to this system with Ubuntu, Android, Windows and iPhone. I can connect to either of the routers, though I usually use the DrayTek.
Voip on the Livebox does not require a computer to run it; you just plug a normal phone into it and use it to get free calls. I actually take this line into a Panasonic telephone switch to give me a 2 line system around the house. The problem with this set-up is that after a short time something happens to the network which prevents Ubuntu computers connecting to it. Windows machines, iPhones and Android phones connect, but Ubuntu does not. If I re-boot the Livebox, or in an extreme case take it back to its factory settings, the Ubuntu machines can connect again, but it's only temporary.
The fact that fixing the Livebox sorts the problem definitely points to Ubuntu being innocent, but at the moment I can't do without the Livebox. That means, for the moment, having to stay with Windows. If I post the output log after a failed connection attempt, all it would show is the connection timing out. Why is Ubuntu so sensitive to network problems that are not of its making? Is there anything I can do about it other than changing my ISP? I am considering that, but other factors make that difficult.
I have recently bought an IP/PABX system with one FXO and one FXS port. I intend to install this at a remote site with a public but dynamic IP (can be resolved via dyndns though) and make calls via clients that are NATted (inside a home router). I would like to seek advice on the port opening and the recommended settings. I have been reading a lot on VOIP and I am getting feedback that SIP calls are difficult to establish in a NATted environment.
1.) SIP port 5060 UDP?
2.) RTP ports - what range should I open for this? I see some use 10000-20000 UDP
3.) STUN server - Is this something that needs to be configured?
How can I ensure that the other party can hear the audio just like on a regular telephone? Is it really impossible to do if the client is behind a router in which it is using a private IP address? What other network configurations need to be done?
I have a device that works on the modbus protocol and I have written a small program (with the blocking TCP read method) to read its registers via modbus. My program works very well except for those times when I unplug the Ethernet cable or turn off the modbus gateway while the program is running. At this time my program stops on the recv system call (if it reaches this system call exactly when I unplug the Ethernet cable or turn off the modbus gateway). I changed my source to work in non-blocking TCP mode; now in the same situation my program does not stop/block on the recv system call, but after plugging the Ethernet cable back in or restoring connectivity it reads data incorrectly. This is my code:
Quote:
I'm using Fedora 14 and I have one problem. I use the x-lite phone on Windows; what is the x-lite alternative for linux? I've found the x-lite phone for linux but it doesn't work well. It has problems with the sound card etc. What do you recommend?
I am completely new to the technical side of VOIP. I know the above diagram is not technically correct. I want a setup that works like that, and oh, the cheaper yet not compromising, the better; even ekiga or skype can do that.
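An added example covering both this question and the earlier one about which ports SIP, RTP and IAX2 need; it is not from either post. It gives the INPUT rules for an Asterisk host: SIP signalling on UDP 5060, media on the RTP range the server is configured for (open the range that rtp.conf actually sets, 10000-20000 in both posts), and IAX2 on UDP 4569. SIP and RTP run over UDP, so TCP 5060 is only needed if SIP over TCP is enabled on the server, and IAX2 carries signalling and media in one UDP flow, which is why it tends to survive NAT where SIP does not. The one-way-audio problem described in both posts is a different layer from the firewall: SIP messages carry the client's private address, so the far end sends media to an address it cannot reach, and the usual fixes are the server's nat=yes together with externip/localnet in sip.conf, or STUN on the client side, rather than more open ports. Interface name and the iptables path are placeholders; FW_DRYRUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: INPUT rules for an Asterisk host (SIP + RTP + IAX2 over UDP).
# Placeholders: interface eth0, RTP range from rtp.conf, /sbin/iptables.
# FW_DRYRUN=1 prints the commands instead of running them.

IPT=${IPT:-/sbin/iptables}
fw() { if [ "${FW_DRYRUN:-0}" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

EXT_IF=${EXT_IF:-eth0}
RTP_RANGE=${RTP_RANGE:-10000:20000}   # must equal rtpstart:rtpend in rtp.conf
SIP_TCP=${SIP_TCP:-0}                  # 1 only if SIP over TCP is enabled in sip.conf

voip_rules() {
    fw -N VOIP_IN
    # All UDP arriving on the external interface is checked against VOIP_IN;
    # what does not match there returns to INPUT for the normal rules.
    fw -A INPUT -i "$EXT_IF" -p udp -j VOIP_IN
    # SIP signalling (UDP is the normal transport).
    fw -A VOIP_IN -p udp --dport 5060 -j ACCEPT
    # RTP media: each call takes a pair of ports from this range, so the
    # whole range must be open; a single port is not enough.
    fw -A VOIP_IN -p udp --dport "$RTP_RANGE" -j ACCEPT
    # IAX2: signalling and media multiplexed on one port.
    fw -A VOIP_IN -p udp --dport 4569 -j ACCEPT
    # SIP over TCP is optional and off unless the server enables it.
    if [ "$SIP_TCP" = "1" ]; then
        fw -A INPUT -i "$EXT_IF" -p tcp --dport 5060 -m state --state NEW -j ACCEPT
    fi
}

remove_voip_rules() {
    fw -D INPUT -i "$EXT_IF" -p udp -j VOIP_IN
    fw -F VOIP_IN
    fw -X VOIP_IN
}

# Counters per rule: with a call up, the RTP rule's packet count should
# climb steadily; if only the 5060 rule moves, signalling works but media
# is not arriving, which points at NAT rather than at the firewall.
show_voip_rules() {
    fw -L VOIP_IN -n -v
}

case "${1:-}" in
    install) voip_rules ;;
    remove)  remove_voip_rules ;;
    show)    show_voip_rules ;;
esac
```

Because the SIP port has to stay open to the whole internet for dynamic clients, it is worth pairing these rules with an Asterisk configuration that requires authentication for every peer and with a rate limit on new SIP packets per source, in the same way the SSH throttle above limits connections.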