Asterisk with iptables

I am just starting with Asterisk, and I think I need help from the more experienced members. I've installed Asterisk version 1.8.13.1~dfsg1-3+deb7u6 on a separate VLAN. To be exact, my Asterisk server belongs to 192.168.10.0/24 and my Asterisk clients to the VLAN 10.204.1.0/24. I have iptables rules between the two VLANs. But when I try to register a client, it fails. I realized that the clients are continually asking to register, but the server doesn't respond (tcpdump on the firewall shows):

14:31:29.820932 IP 10.204.1.76.sip > voip.td.auf.sip: SIP: PUBLISH sip:koye.dansaibo@192.168.10.122 SIP/2.0
14:31:30.902822 IP 10.204.1.177.sip > voip.td.auf.sip: SIP: REGISTER sip:192.168.10.122 SIP/2.0
14:31:33.413412 IP 10.204.1.177.sip > voip.td.auf.sip: SIP: REGISTER sip:192.168.10.122 SIP/2.0
14:31:33.914940 IP 10.204.1.177.sip > voip.td.auf.sip: SIP: REGISTER sip:192.168.10.122 SIP/2.0
My iptables rules follow:
####BEGIN
##IAX & SIP clients to server asterisk
#iptables -t filter -I FORWARD -s 10.204.1.0/24 -d 192.168.10.0/24 -p udp --dport 4569 -m state --state NEW -j ACCEPT
#iptables -t filter -I FORWARD -s 10.204.1.0/24 -d 192.168.10.0/24 -p udp -m multiport --dports 5060,61001:62000 -m state --state NEW -j ACCEPT
## IAX & SIP server to clients asterisk
#iptables -t filter -I FORWARD -s 192.168.10.0/24 -d 10.204.1.0/24 -p udp --sport 4569 -m state --state NEW -j ACCEPT
#iptables -t filter -I FORWARD -s 192.168.10.0/24 -d 10.204.1.0/24 -p udp -m multiport --sports 5060,61001:62000 -m state --state NEW -j ACCEPT
###END

Note that I already have a -m state --state ESTABLISHED,RELATED rule in a separate file.

SOS

That version of Asterisk is more than 2 years beyond end of life, and I think it isn't even the most up-to-date sub-version.

I’d suggest setting a log action on your iptables, to see which packets it is rejecting.

Here is the iptables -t filter -A FORWARD -j LOG output:
[10072.307973] IN=eth0.40 OUT=eth0.4 MAC=00:14:0b:44:30:50:70:54:d2:83:24:0a:08:00 SRC=192.168.40.106 DST=172.217.22.138 LEN=1378 TOS=0x00 PREC=0x00 TTL=126 ID=0 DF PROTO=UDP SPT=33381 DPT=443 LEN=1358
[10072.444547] IN=eth0.20 OUT=eth0.4 MAC=00:14:0b:44:30:50:00:22:64:66:a7:f7:08:00 SRC=192.168.20.46 DST=83.229.61.33 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=11416 PROTO=UDP SPT=60066 DPT=53 LEN=51
[10072.841684] IN=eth0.2 OUT=eth0.4 MAC=00:14:0b:44:30:50:68:f7:28:d4:3a:15:08:00 SRC=10.204.1.129 DST=8.8.8.8 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=7145 DF PROTO=UDP SPT=33747 DPT=53 LEN=50
[10072.959367] IN=eth0.20 OUT=eth0.4 MAC=00:14:0b:44:30:50:00:22:64:66:a7:f7:08:00 SRC=192.168.20.46 DST=83.229.24.145 LEN=83 TOS=0x00 PREC=0x00 TTL=127 ID=11417 PROTO=UDP SPT=63056 DPT=53 LEN=63
[10072.959414] IN=eth0.20 OUT=eth0.4 MAC=00:14:0b:44:30:50:00:22:64:66:a7:f7:08:00 SRC=192.168.20.46 DST=83.229.61.33 LEN=83 TOS=0x00 PREC=0x00 TTL=127 ID=11418 PROTO=UDP SPT=63056 DPT=53 LEN=63
[10073.509625] IN=eth0.40 OUT=eth0.4 MAC=00:14:0b:44:30:50:70:54:d2:83:24:0a:08:00 SRC=192.168.40.106 DST=172.217.22.138 LEN=1378 TOS=0x00 PREC=0x00 TTL=126 ID=0 DF PROTO=UDP SPT=33381 DPT=443 LEN=1358
[10074.457378] IN=eth0.20 OUT=eth0.4 MAC=00:14:0b:44:30:50:00:22:64:66:a7:f7:08:00 SRC=192.168.20.46 DST=83.229.24.145 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=11419 PROTO=UDP SPT=60066 DPT=53 LEN=51
[10074.457426] IN=eth0.20 OUT=eth0.4 MAC=00:14:0b:44:30:50:00:22:64:66:a7:f7:08:00 SRC=192.168.20.46 DST=83.229.61.33 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=11420 PROTO=UDP SPT=60066 DPT=53 LEN=51
[10075.255722] IN=eth0.40 OUT=eth0.4 MAC=00:14:0b:44:30:50:70:54:d2:83:24:0a:08:00 SRC=192.168.40.106 DST=172.217.22.138 LEN=96 TOS=0x00 PREC=0x00 TTL=126 ID=0 DF PROTO=UDP SPT=33381 DPT=443 LEN=76
[10075.907901] IN=eth0.20 OUT=eth0.4 MAC=00:14:0b:44:30:50:00:22:64:66:a7:f7:08:00 SRC=192.168.20.46 DST=83.229.24.145 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=11421 PROTO=UDP SPT=56385 DPT=53 LEN=42
[10075.907949] IN=eth0.20 OUT=eth0.4 MAC=00:14:0b:44:30:50:00:22:64:66:a7:f7:08:00 SRC=192.168.20.46 DST=83.229.61.33 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=11422 PROTO=UDP SPT=56385 DPT=53 LEN=42

Everything is likely to be normal.

Is IP forwarding enabled in the kernel?

grep net.ipv4.ip_forward /etc/sysctl.conf
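Putting the thread's checks together as an added example (my own code, not the poster's rule file): a POSIX shell script that reads the live ip_forward value from /proc, emits a FORWARD rule set for the two VLANs in the post with a single ESTABLISHED,RELATED rule, double-dash options and a SIP/IAX-scoped, rate-limited LOG rule, and classifies kernel LOG lines in the format posted above so VoIP traffic can be picked out of the DNS and QUIC noise. The subnets and ports come from the post; the log prefix, the interface names and MACs in the constructed sample lines, and the assumption that both networks are /24s are mine. It uses -m conntrack --ctstate, the current spelling of -m state --state, and never runs iptables unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Diagnostic helpers for SIP/IAX
# forwarding between the two VLANs in the post. Subnets and ports come from
# the post; the log prefix and the /24 assumption in in_net() are mine.
# Nothing here runs iptables unless APPLY=1 is set and you are root.

CLIENT_NET=10.204.1.0/24
SERVER_NET=192.168.10.0/24
SIP_PORT=5060
RTP_RANGE=61001:62000
IAX_PORT=4569
LOG_PREFIX="FWD-VOIP: "        # assumed prefix; lets you grep the kernel log

# Is the kernel forwarding at all? Read the live value from /proc rather than
# sysctl.conf: the file can say 1 while the running kernel still has 0.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# FORWARD rules. One ESTABLISHED,RELATED rule at the top covers every reply,
# so the reverse direction only needs NEW rules for flows the server opens.
# The LOG rule is appended last, scoped to the VoIP ports and rate-limited:
# it records only what is about to hit the chain policy and cannot flood
# syslog (an unfiltered -j LOG logs every forwarded packet, as in the post).
forward_rules() {
    cat <<EOF
iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -s $CLIENT_NET -d $SERVER_NET -p udp --dport $IAX_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -t filter -A FORWARD -s $CLIENT_NET -d $SERVER_NET -p udp -m multiport --dports $SIP_PORT,$RTP_RANGE -m conntrack --ctstate NEW -j ACCEPT
iptables -t filter -A FORWARD -s $SERVER_NET -d $CLIENT_NET -p udp --sport $IAX_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -t filter -A FORWARD -s $SERVER_NET -d $CLIENT_NET -p udp -m multiport --sports $SIP_PORT,$RTP_RANGE -m conntrack --ctstate NEW -j ACCEPT
iptables -t filter -A FORWARD -p udp -m multiport --ports $IAX_PORT,$SIP_PORT,$RTP_RANGE -m limit --limit 10/min -j LOG --log-prefix "$LOG_PREFIX"
EOF
}

# To prove SIP packets reach the forwarder at all, a target-less rule at the
# head of the chain just counts them; read it with iptables -L FORWARD -v -n -x.
arrival_probe_rule() {
    echo "iptables -t filter -I FORWARD 1 -s $CLIENT_NET -d $SERVER_NET -p udp --dport $SIP_PORT"
}

in_net() {       # in_net IP NET ; NET must be a /24 written a.b.c.0/24 (assumption)
    case $1 in "${2%.0/24}".*) return 0 ;; esac
    return 1
}
voip_port() {    # true when $1 is the SIP port, the IAX port or inside the RTP range
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -eq "$SIP_PORT" ] || [ "$1" -eq "$IAX_PORT" ] ||
        { [ "$1" -ge "${RTP_RANGE%:*}" ] && [ "$1" -le "${RTP_RANGE#*:}" ]; }
}
field() {        # field NAME LINE : value of " NAME=..." in a kernel LOG line
    printf '%s\n' "$2" | sed -n "s/.*[ ]$1=\([^ ]*\).*/\1/p"
}
classify_log_line() {   # prints "voip" for UDP VoIP traffic between the two VLANs, else "other"
    src=$(field SRC "$1"); dst=$(field DST "$1")
    proto=$(field PROTO "$1"); dpt=$(field DPT "$1")
    if [ "$proto" = UDP ] && voip_port "$dpt" && {
           { in_net "$src" "$CLIENT_NET" && in_net "$dst" "$SERVER_NET"; } ||
           { in_net "$src" "$SERVER_NET" && in_net "$dst" "$CLIENT_NET"; }; }
    then echo voip; else echo other; fi
}

# Sample lines in the kernel LOG format. SAMPLE_DNS is copied from the post;
# the other three are constructed (interface names and MACs are invented).
SAMPLE_DNS='[10072.841684] IN=eth0.2 OUT=eth0.4 MAC=00:14:0b:44:30:50:68:f7:28:d4:3a:15:08:00 SRC=10.204.1.129 DST=8.8.8.8 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=7145 DF PROTO=UDP SPT=33747 DPT=53 LEN=50'
SAMPLE_REG='[10080.000001] IN=eth0.2 OUT=eth0.3 MAC=00:14:0b:44:30:50:68:f7:28:d4:3a:15:08:00 SRC=10.204.1.177 DST=192.168.10.122 LEN=600 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=5060 DPT=5060 LEN=580'
SAMPLE_REPLY='[10080.000002] IN=eth0.3 OUT=eth0.2 MAC=00:14:0b:44:30:50:00:11:22:33:44:55:08:00 SRC=192.168.10.122 DST=10.204.1.177 LEN=500 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=5060 DPT=5060 LEN=480'
SAMPLE_NEAR='[10080.000003] IN=eth0.5 OUT=eth0.3 MAC=00:14:0b:44:30:50:00:11:22:33:44:66:08:00 SRC=10.204.10.5 DST=192.168.10.122 LEN=500 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=UDP SPT=5060 DPT=5060 LEN=480'

if ip_forward_enabled; then echo "ip_forward: on"; else echo "ip_forward: OFF (nothing is forwarded)"; fi
for l in "$SAMPLE_DNS" "$SAMPLE_REG" "$SAMPLE_REPLY" "$SAMPLE_NEAR"; do
    echo "$(classify_log_line "$l")  $(field SRC "$l") -> $(field DST "$l"):$(field DPT "$l")"
done
if [ "${APPLY:-0}" = 1 ]; then forward_rules | sh -e; else forward_rules; fi
```

Run it once without APPLY to review the rules it would install, then `APPLY=1` as root to install them. Afterwards `iptables -t filter -L FORWARD -v -n -x` shows per-rule packet counters, which answers "do the REGISTERs reach the firewall and which rule takes them" without any logging; the LOG rule, filtered through `grep 'FWD-VOIP:'` on the kernel log (dmesg or your distribution's kern.log), only shows VoIP packets that fell through to the policy, and because of the rate limit it will not show every one of them.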