Why don't you use shorewall for your firewall instead? Works for me.

--- Andres Baravalle <[EMAIL PROTECTED]> wrote:
> Hi,
> I have a problem with Asterisk on Linux.
>
> Looks like it is an iptables problem. My external client (eyebeam, on a
> different computer) cannot register to the asterisk server, but the
> asterisk server itself *looks* working.
>
> If I dial one of the incoming phone numbers for the server, I can see
> the call arriving in Asterisk (using asterisk -r).
>
> I tried nmap on my server, and this is the result:
>
> PORT      STATE    SERVICE
> 4569/tcp  filtered unknown
> 5036/tcp  filtered unknown
> 5060/tcp  closed   sip
> 10000/tcp filtered snet-sensor-mgmt
>
> Seems bad to have 5060 closed, because it should be the port for sip
> communications.
>
> Other outputs:
> netstat -a | grep 5060
> udp        0      0 *:5060                  *:*
>
> This is my iptables script:
>
> set -e
>
> echo 0 > /proc/sys/net/ipv4/ip_forward
> ([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
> (rmmod ipchains) >/dev/null 2>&1 || true
> /sbin/iptables -F
> /sbin/iptables -X
> /sbin/iptables -Z
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> /sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
> /sbin/iptables -A INPUT -m state --state INVALID -j DROP
> /sbin/iptables -P OUTPUT DROP
> /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
> /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> /sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
> /sbin/iptables -A FORWARD -m state --state INVALID -j DROP
> /sbin/iptables -A INPUT -i lo -j ACCEPT
> /sbin/iptables -A OUTPUT -o lo -j ACCEPT
> /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
> /sbin/iptables -t mangle -F
> /sbin/iptables -t mangle -X
> /sbin/iptables -t mangle -Z
> /sbin/iptables -t mangle -P PREROUTING ACCEPT
> /sbin/iptables -t mangle -P OUTPUT ACCEPT
> /sbin/iptables -t mangle -P INPUT ACCEPT
> /sbin/iptables -t mangle -P FORWARD ACCEPT
> /sbin/iptables -t mangle -P POSTROUTING ACCEPT
> /sbin/iptables -t nat -F
> /sbin/iptables -t nat -X
> /sbin/iptables -t nat -Z
> /sbin/iptables -t nat -P PREROUTING ACCEPT
> /sbin/iptables -t nat -P OUTPUT ACCEPT
> /sbin/iptables -t nat -P POSTROUTING ACCEPT
>
> /sbin/iptables -A INPUT -p tcp --dport 783 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
>
> /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>
> /sbin/iptables -A INPUT -p tcp --dport 2000 -j ACCEPT
> /sbin/iptables -A INPUT -p udp --dport 2727 -j ACCEPT
> /sbin/iptables -A INPUT -p udp --dport 4520 -j ACCEPT
> /sbin/iptables -A INPUT -p udp --dport 4569 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 5060 -j ACCEPT
> /sbin/iptables -A INPUT -p udp --dport 5060 -j ACCEPT
> /sbin/iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT
>
> /sbin/iptables -A INPUT -p tcp --dport 23 -s [safeip] -j ACCEPT
> /sbin/iptables -A INPUT -p udp --dport 23 -s [safeip] -j ACCEPT
>
> /sbin/iptables -A INPUT -p udp -s [safeip] -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -s [safeip] -j ACCEPT
>
> /sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
>
> /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>
> /sbin/iptables -A INPUT -p tcp --dport 21 -j DROP
>
> /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>
> /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
>
> /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
>
> /sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
>
> /sbin/iptables -A INPUT -p tcp --dport 106 -s 127.0.0.1 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 106 -j DROP
>
> /sbin/iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP
>
> /sbin/iptables -A INPUT -p tcp --dport 5432 -s 127.0.0.1 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP
>
> /sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
> /sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP
>
> /sbin/iptables -A INPUT -p udp --dport 137 -j DROP
> /sbin/iptables -A INPUT -p udp --dport 138 -j DROP
> /sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
> /sbin/iptables -A INPUT -p tcp --dport 445 -j DROP
>
> /sbin/iptables -A INPUT -p udp --dport 1194 -j DROP
>
> /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
>
> /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j DROP
>
> /sbin/iptables -A INPUT -j DROP
>
> /sbin/iptables -A OUTPUT -p tcp --dport 783 -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --dport 3000 -j ACCEPT
>
> /sbin/iptables -A OUTPUT -p udp -d 86.132.220.168 -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp -d 86.132.220.168 -j ACCEPT
>
> /sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
>
> /sbin/iptables -A OUTPUT -j ACCEPT
>
> /sbin/iptables -A FORWARD -p tcp --dport 5060 -j ACCEPT
> /sbin/iptables -A FORWARD -p udp --dport 5060 -j ACCEPT
> /sbin/iptables -A FORWARD -p udp --dport 10000:20000 -j ACCEPT
>
> /sbin/iptables -A FORWARD -j DROP
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
> chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active
>
> Any suggestions?
>
> Thanks in advance,
> Andres
> _______________________________________________
> --Bandwidth and Colocation provided by Easynews.com --
>
> Asterisk-Users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
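
Added example, not part of the original thread or of any project mentioned in it: a small first-match evaluator over the INPUT rules quoted above, showing how the posted nmap TCP states follow from rule order combined with the UDP-only listener seen in the netstat output. The packet model, the function names and the `eth0` default interface are assumptions made for illustration.

```python
import shlex
# INPUT rules copied in order from the posted script; rules for other ports are omitted.
RULES = """
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --dport 4569 -j ACCEPT
-A INPUT -p tcp --dport 5060 -j ACCEPT
-A INPUT -p udp --dport 5060 -j ACCEPT
-A INPUT -p udp --dport 10000:20000 -j ACCEPT
-A INPUT -j DROP
""".strip().splitlines()

def parse(line):
    """Turn one rule line into a dict of match conditions plus its target ('j')."""
    tok, rule, i = shlex.split(line), {}, 0
    while i < len(tok):
        if tok[i] == "!" and tok[i + 1] == "--syn":
            rule["syn"], step = False, 2   # matches TCP packets that are not a SYN
        elif tok[i] in ("-p", "-i", "-j", "--state", "--dport"):
            rule[tok[i].lstrip("-")], step = tok[i + 1], 2
        else:
            step = 1                       # not modelled: -A INPUT, -m state, --reject-with
        i += step
    return rule

def matches(rule, pkt):
    # A condition absent from the rule matches any packet.
    lo, _, hi = rule.get("dport", "0:65535").partition(":")
    return (rule.get("p", pkt["proto"]) == pkt["proto"]
            and rule.get("i", pkt["iface"]) == pkt["iface"]
            and ("state" not in rule or pkt["state"] in rule["state"].split(","))
            and rule.get("syn", pkt["syn"]) == pkt["syn"]
            and int(lo) <= pkt["dport"] <= int(hi or lo))

def verdict(proto, dport, state="NEW", syn=False, iface="eth0"):
    """Return (target, rule) for the first rule that matches, as iptables does."""
    pkt = dict(proto=proto, dport=dport, state=state, syn=syn, iface=iface)
    for line in RULES:
        rule = parse(line)
        if matches(rule, pkt):
            return rule["j"], line
    return "DROP", "-P INPUT DROP"

def nmap_tcp_state(port, tcp_listeners=()):
    """State a TCP SYN scan reports; netstat in the post shows no TCP listener on 5060."""
    target, _ = verdict("tcp", port, syn=True)
    # DROP: no reply, so 'filtered'. ACCEPT with no listener: kernel sends RST, so 'closed'.
    return "filtered" if target == "DROP" else ("open" if port in tcp_listeners else "closed")
```

With these rules `nmap_tcp_state(5060)` is `closed` and 4569, 5036 and 10000 are `filtered`, matching the posted scan, while `verdict("udp", 5060)` is accepted by the `udp --dport 5060` rule; a TCP scan says nothing about the UDP port the netstat output shows in use.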
