DMZ VOIP IPTABLES rules

metallica1973 · 12-09-2005, 03:06 PM

I cannot get my VOIP phone to work behind my DMZ. My VOIP phone service is saying put the VOIP phone in a DMZ and use UDP ports 5060, and 13456. Here is my firewall rules. Is my firewall setup right. I am only displaying the DMZ rules that apply. Can someone help!

### From DMZ Interface to DMZ firewall IP ######

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

##FORWARD RULES###

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 1023:1030 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 5060:5070 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 13456:13470 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 10000:20000 -j ACCEPT

$IPTABLES -A FORWARD -j DROP

####PREROUTING#####

$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d DMZ_IFACE --dport 1024:1030 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d DMZ_IFACE --dport 5050:5060 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d DMZ_IFACE --dport 13456:13470 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d DMZ_IFACE --dport 10000:20000 -j DNAT --to-destination $DMZ_VOIP_PHONE

########POSTROUTING########

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source 192.168.2.119

metallica1973 · 12-09-2005, 04:21 PM

Here is a snippet of my firewall log when I try and call from work to my home: It seems as though my packets are looping and not reaching in destination!

DST=XXX.XX.XXX.XX (external ip for firewall)

Dec 9 15:55:28 XX-XXX-XX-XXX kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:b8:80:6e:ee:08:00 SRC=10.9.172.
1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=59812 PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 9 15:55:36 XX-XXX-XX-XXX kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=00:60:b0:69:4b:40:00:30:b8:80:6e:ee:08:00 SRC=64.109.19
9.215 DST=XX.XXX.XX.XXX LEN=908 TOS=0x00 PREC=0x00 TTL=114 ID=38022 PROTO=UDP SPT=10172 DPT=1026 LEN=888
Dec 9 16:02:10 XX-XXX-XX-XXX kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=00:60:b0:69:4b:40:00:30:b8:80:6e:ee:08:00 SRC=61.130.25
4.109 DST=XX.XXX.XX.XXX LEN=404 TOS=0x00 PREC=0x00 TTL=112 ID=15639 PROTO=UDP SPT=2760 DPT=1434 LEN=384

Dec 9 17:13:34 XX-XXX-XX-XXX kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:b8:80:6e:ee:08:00 SRC=10.9.172.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=12878 PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 9 17:13:42 XX-XXX-XX-XXX kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:b8:80:6e:ee:08:00 SRC=10.9.172.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=12907 PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 9 17:14:14 XX-XXX-XX-XXX kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:b8:80:6e:ee:08:00 SRC=10.9.172.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=13020 PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 9 17:14:18 XX-XXX-XX-XXX kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=00:60:b0:69:4b:40:00:30:b8:80:6e:ee:08:00 SRC=221.10.71.254 DST=XX.XXX.XX.XXX LEN=376 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=39051 DPT=1028 LEN=356

metallica1973 · 12-10-2005, 10:03 AM

It work , but the call quality is terrible

metallica1973 · 12-18-2005, 09:12 AM

Now whaat happens is I can call out fine but when anybody calls comming in it goes straight to voice mail. Packets are not allowed in. It has to be my firewall. Can some tell me how to know for sure whats ports are being blocked. What log file can I check to see what incomming traffic has been blocked?

win32sux · 12-19-2005, 04:57 PM

Quote:

Originally Posted by metallica1973

$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_IP --dport 5060 -j DNAT --to-destination $DMZ_VOIP_PHONE

$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_IP --dport 13456 -j DNAT --to-destination $DMZ_VOIP_PHONE

#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_IP --dport 10000:20000 -j DNAT --to-destination $DMZ_VOIP_PHONE

#$IPTABLES -t nat -A PREROUTING -p TCP -i $EXTIF -d $DMZ_IFACE --dport 80 -j DNAT --to-destination $DMZ_VOIP_PHONE

you sure about the "-d" here?? if i understand what you are trying to do, then it would seem to me the "-d" should be the IP of the external interface, NOT the IP of the phone or the dmz interface...

metallica1973 · 12-20-2005, 05:38 PM

you are saying that the -d should be the ip address of the external interface. I have dhcp ip address on that interface. How would I right this PREROUTING rule. Please help thanks!

win32sux · 12-20-2005, 05:50 PM

Quote:

Originally Posted by metallica1973

you are saying that the -d should be the ip address of the external interface. I have dhcp ip address on that interface. How would I right this PREROUTING rule. Please help thanks!

then i'd remove the "-d" from the PREROUTING rule, kinda like this:

Code:

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -p UDP -i $EXTIF -o $DMZ_IFACE \
-d $DMZ_VOIP_PHONE --dport 13456 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p UDP -i $EXTIF -o $DMZ_IFACE \
-d $DMZ_VOIP_PHONE --dport 5060 -m state --state NEW -j ACCEPT

$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF \
--dport 13456 -j DNAT --to-destination $DMZ_VOIP_PHONE

$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF \
--dport 5060 -j DNAT --to-destination $DMZ_VOIP_PHONE

metallica1973 · 12-21-2005, 10:49 AM

I messed up. Please reread my new posted rules in my original post. I had put up the wrong rules. sorry. thanks

One more stupid question: Will I be comprimizing any security by writing these rules in such a way. I would imagine not because of specification to go to a particular interface and network! Also do I need a rules drop rule at the end of this: like: $IPTABLES -A FORWARD -j DROP

metallica1973 · 12-21-2005, 01:24 PM

These are my new changes and I still have the same problem!

### From DMZ Interface to DMZ firewall IP ######

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

##FORWARD RULES###

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 1023:1030 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 5060:5070 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 13456:13470 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 10000:20000 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -j DROP

####PREROUTING#####

$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 1024:1030 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5060 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 13456:13470 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 10000:20000 -j DNAT --to-destination $DMZ_VOIP_PHONE

########POSTROUTING########

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source 192.168.2.119
__________________

win32sux · 12-21-2005, 07:41 PM

Quote:

Originally Posted by metallica1973

I messed up. Please reread my new posted rules in my original post. I had put up the wrong rules. sorry. thanks

okay, i'll take a look...

Quote:

Will I be comprimizing any security by writing these rules in such a way.

not really...

Quote:

do I need a rules drop rule at the end of this: like: $IPTABLES -A FORWARD -j DROP

no, you just need to make sure your policy is set to DROP... that way any packet that traverses the chain without matching any of the rules will go to the DROP target...

Code:

iptables -P FORWARD DROP

this applies to the INPUT chain also, and even the OUTPUT chain although it's no so important there on most people's setups...

Code:

iptables -P INPUT DROP

win32sux · 12-21-2005, 08:26 PM

Quote:

Originally Posted by metallica1973

These are my new changes and I still have the same problem!

### From DMZ Interface to DMZ firewall IP ######

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

##FORWARD RULES###

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 1023:1030 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 5060:5070 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 13456:13470 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 10000:20000 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -j DROP

####PREROUTING#####

$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 1024:1030 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5060 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 13456:13470 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 10000:20000 -j DNAT --to-destination $DMZ_VOIP_PHONE

########POSTROUTING########

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source 192.168.2.119
__________________

try executing this script instead - there's a lot of mistakes in what you posted:

Code:

#!/bin/sh

###############################################################################
### Variables
###############################################################################

# Don't forget to give these variables the *proper* values:
IPTABLES="/usr/sbin/iptables"
DMZ_IFACE="ethx"
DMZ_VOIP_PHONE="192.168.x.x"
EXTIF="ethx"


###############################################################################
### Kernel Parameters
###############################################################################

# Disable forwarding while we get set-up:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Enable some anti-spoof protection:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter


###############################################################################
### Clean-Out Chains, Set Policies
###############################################################################

$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -X -t mangle

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT


###############################################################################
### INPUT Chain
###############################################################################

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

# This rule is not a good idea, but it's *your* box:
$IPTABLES -A INPUT -i $DMZ_IFACE -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -m limit --limit 5/minute --limit-burst 5 \
-j LOG --log-prefix "INPUT DROP: "


###############################################################################
### FORWARD Chain
###############################################################################

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -p UDP -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_PHONE \
--dport 1023:1030 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p UDP -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_PHONE \
--dport 5050:5070 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p UDP -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_PHONE \
--dport 13456:13470 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p UDP -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_PHONE \
--dport 10000:20000 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -m limit --limit 5/minute --limit-burst 5 \
-j LOG --log-prefix "FORWARD DROP: "


###############################################################################
### PREROUTING Chain
###############################################################################

$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF --dport 1023:1030 \
-j DNAT --to-destination $DMZ_VOIP_PHONE

$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF --dport 5050:5070 \
-j DNAT --to-destination $DMZ_VOIP_PHONE

$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF --dport 13456:13470 \
-j DNAT --to-destination $DMZ_VOIP_PHONE

$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF --dport 10000:20000 \
-j DNAT --to-destination $DMZ_VOIP_PHONE


###############################################################################
### POSTROUTING Chain
###############################################################################

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Enable forwarding now that we are finally set-up:
echo "1" > /proc/sys/net/ipv4/ip_forward

BTW1, you seem to have made a few typos with the rules... in the prerouting chain you have 5050:5060 yet in the forward chain you have 5060:5070... i made them both 5050:5070 but you'll need to check and fix them so they are the correct (and the same) port ranges... the same goes for the 1024:1030 and 1023:1030 - they need to be the same in both chains...

BTW2, you have a static IP in your postrouting chain, which is not gonna work if you have a dynamic ip via dhcp on your external interface, which is why i changed the target from snat to masquerade...

BTW3, if the script i've posted here still doesn't work for you, you're gonna have to confirm with your VOIP provider the port settings and/or take a look at your log file to see which packets are getting dropped by the firewall - that's what the LOG rules at the ends of the INPUT and FORWARD chains are for...

Code:

tail -f /var/log/syslog

good luck...

metallica1973 · 12-21-2005, 11:32 PM

I did make a lot of typos. What did you mean by this:

# This rule is not a good idea, but it's *your* box:

$IPTABLES -A INPUT -i $DMZ_IFACE -m state --state NEW -j ACCEPT

Is this a security risk? and do I need it? I just wanted to say many thanks for taking the time and working with. You rock.

metallica1973 · 12-21-2005, 11:39 PM

My perception of a DMZ is a such:

a physical section of you network that is intended for the public to you device and access is only allowed in a oneway directions(LAN to DMZ). Is what I am setting according to my rules safe?

win32sux · 12-21-2005, 11:46 PM

Quote:

Originally Posted by metallica1973

I did make a lot of typos. What did you mean by this:

# This rule is not a good idea, but it's *your* box:
$IPTABLES -A INPUT -i $DMZ_IFACE -m state --state NEW -j ACCEPT

Is this a security risk? and do I need it?

the thing is that rule accepts *ALL* traffic coming from the DMZ into your router/firewall... that is not a good idea because it creates more security risks... you should instead use rules which *specify* the kinda packets you want to allow in... this is the main purpose of a packet-filtering firewall, to filter all the packets you don't want/need...

what kinda access would boxes on your DMZ need to have into the router/firewall?? the answer to that question is what will provide you with the specific rules you need... if they don't need any access into the router/firewall at all, then you should comment/delete that rule...

Quote:

I just wanted to say many thanks for taking the time and working with. You rock.

you are very welcome, and thanks for the compliment...

win32sux · 12-21-2005, 11:49 PM

Quote:

Originally Posted by metallica1973

My perception of a DMZ is a such:

a physical section of you network that is intended for the public to you device and access is only allowed in a oneway directions(LAN to DMZ). Is what I am setting according to my rules safe?

check this out: http://en.wikipedia.org/wiki/Demilit...28computing%29

because of the nature of a DMZ (clients from outside can connect to hosts within the DMZ), it is unwise to allow boxes on the DMZ to connect to anything on your network - ESPECIALLY TO YOUR ROUTER/FIREWALL...