Firewall iptables rules for Asterisk

I have set up a standalone Asterisk with successful SIP and IAX2 connections to different VoIP providers. However, after setting up and starting iptables, the registration is not working anymore. Could someone help me by telling me which point I am missing with my iptables commands? (The commands sip show registry and iax show registry just show me unregistered trunks that worked before.)

DROP as default

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

loopback definitions

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

DNS definitions

iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT

SIP IAX and RTP definitions

SIP- the SIP protocol

iptables -A INPUT -p udp -m udp --dport 5004:5082 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 5004:5082 -j ACCEPT

IAX2- the IAX protocol

iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 4569 -j ACCEPT

IAX - most have switched to IAX v2, or ought to

iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 5036 -j ACCEPT

RTP - the media stream

iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

Web server definitions

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

final closing drop definitions

iptables -A INPUT -p tcp --dport 1:1024 -j DROP
iptables -A INPUT -p udp --dport 1:1024 -j DROP
iptables -A INPUT -p tcp --dport 3306 -j DROP
iptables -A INPUT -p tcp --dport 10000 -j DROP

Thanks and regards



I am not far enough along to know which ports should be open where, but a handy tool I have found helps me debug iptables issues.

watch iptables -nvL

It will throw up a screen in the terminal viewer, and refresh every two seconds with statistics on what rules were applied to what packets. Very powerful.


Thanks for the update and the information, I will try it.

I've just solved the problem. The rules I have changed were those related to DNS. Here are the final ones:

DNS definitions

iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT

All the rest are OK.

I have to say that I learned a lot from a tutorial written by Pello Xabier Altadill (in Spanish); also, a very useful tool that he recommends (IPTRAF) works for me too.

The iptraf command allows you to generate output with the -B and -L flags, which create simple log files. So you can create a log with your iptables definitions active and another with the firewall open. Then just compare both of them and find which additional rules you need.


Jorge Rivera
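A stateful version of the ruleset, added here as an example rather than taken from the thread or from Asterisk itself; it assumes eth0 is the WAN interface, SIP on 5060/udp, IAX2 on 4569/udp and RTP in 10000:20000, and uses conntrack so that only the initiating direction of each flow has to be written by hand, which is where the original DNS pair went wrong:

```shell
#!/bin/sh
# Added example, not from the thread: stateful iptables rules for a standalone
# Asterisk host. Assumes WAN interface eth0, SIP 5060/udp, IAX2 4569/udp and
# RTP 10000:20000 (must match rtpstart/rtpend in rtp.conf). IPT=echo dry-runs.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"

asterisk_rules() {
    $IPT -F                     # start clean so the script can be re-run
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Connection tracking passes the reply half of every flow allowed below.
    # Without it each protocol needs a correct hand-written rule per direction,
    # which is how the thread's DNS pair ended up backwards.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DNS: this host is a resolver *client*, so new flows leave towards port 53.
    # "INPUT --dport 53" only fits a DNS server; it never let the provider
    # hostname lookups out, so SIP/IAX2 registration could not even start.
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # SIP and IAX2 signalling: providers call us and we register to them, so
    # new UDP flows are allowed both ways (add -s <provider> to narrow INPUT).
    for port in 5060 4569; do
        $IPT -A INPUT  -i "$WAN" -p udp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
        $IPT -A OUTPUT -o "$WAN" -p udp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # RTP media: inbound to our range; outbound is sourced from our range since
    # the provider's media port is whatever its SDP advertises.
    $IPT -A INPUT  -i "$WAN" -p udp --dport 10000:20000 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p udp --sport 10000:20000 -j ACCEPT

    # Log what the INPUT policy drops (rate limited) so a failing registration
    # shows up in the log and in "watch iptables -nvL" instead of vanishing.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ast-fw-drop: "
}

case "${1:-}" in
    apply) asterisk_rules ;;
esac
```

Run it as `IPT=echo sh asterisk-fw.sh apply` first to review the generated rules, then without IPT=echo to apply them.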