[SOLVED] 5060 closed, 22,80,5038...open no matter what I do


#1

Some clarification/help would be much appreciated.

What’s confusing me is that iptables doesn’t have any effect. If I close all ports through iptables… 22,80,5038 all remain open.

I have tried using system-config-securitylevel-tui and that doesn’t seem to do anything but reset iptables. It also automatically changes my other port option 5060 to sip:tcp, which I tried to change and save as sip:udp, but the port remains closed.


#2

Show me your iptables commands, involved interfaces and network infrastructure.


#3

If by iptables commands you mean the commands I used to try and open the ports:
I followed this guide: voip-info.org/wiki/view/Aste … wall+rules
and these commands:
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT

service iptables status shows:
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060

but from the server netstat -a |grep 5060 pulls nothing…no 5060 to be seen.

From another machine I try:
nmap -PN -p 5060 192.168.13.107

which spits out: 5060/tcp closed sip

While doing that port map wireshark shows:
11636 340.473273 192.168.13.131 192.168.13.107 TCP 38743 > sip [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1000658 TSER=0 WS=7
11637 340.473547 192.168.13.107 192.168.13.131 TCP sip > 38743 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

when my cisco 7941 hits the asterisk box it is reading tftp fine:

but showing this, I’m assuming in an attempt to talk sip 5060:
13823 525.095300 192.168.13.107 192.168.13.137 ICMP Destination unreachable (Port unreachable)

The phone was flashed from that same tftp on the same server as asterisk and when it boots it gets a valid read request of the files sitting on the server… example: 13915 533.094997 192.168.13.137 192.168.13.107 TFTP Read Request, File: SEP001930XXXXXX.cnf.xml\000, Transfer type: octet\000

192.168.13.107 - Asterisk
192.168.13.137 - 7941 phone
192.168.13.131 - Host machine for VB

I’m running AsteriskNow 1.7.1 in a virtualbox on an Ubuntu 10.10 box.

The asterisk box is using eth0 which is bridged by VirtualBox from the host machine.

I can ping everything…just no port. If you need more info, let me know. Hope that helps and that you can help me. Thanks


#4

try iptables -I INPUT … instead of iptables -A …


#5

As well, do not use the -m -p udp; just do something simple like this:
sudo iptables -A INPUT -p udp --dport 5060 -j ACCEPT


#6

I tried -I instead of -A to put it only in that incoming chain. 5060 remained closed even on a localhost nmap

I also tried to slim it down:
iptables -A INPUT -p udp --dport 5060 -j ACCEPT
and
iptables -I INPUT -p udp --dport 5060 -j ACCEPT

The weird thing is that if I remove, say, port 80 or 22 from the iptables rules they remain open.

It’s as if iptables has no effect, like I stated originally. Is there some other firewall in AsteriskNow by default that could have kicked in?

Should I completely remove and reinstall iptables? Can that even be done? Sorry, new to CentOS/RHL

Thanks for your responses, but I’m still at a loss.


#7

I’m sooooo confused.

I completely removed iptables and all dependencies, rebooted, and STILL

5060 is closed, 80 22 etc. are still open. What is controlling this firewall/ports in a default AsteriskNow build?

So silly that an IP PBX is so difficult to open SIP.

Anyone know of another firewall I can install to TAKE OVER whatever is in control?

PFsense?


#8

It sounds like you should read up on iptables.

iptables -L -n will show you what if any rules exist, and this will remove all rules:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT


#9

I have listed and it shows all that I stated in my second post.

I then flushed out everything:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

and listed it with iptables -L -n and got:
Empty INPUT, FORWARD and OUTPUT chains

But from another machine…22, 80, 5038 etc all stay open!

And if I add the single rule:
iptables -A INPUT -p udp --dport 5060 -j ACCEPT
or
iptables -I INPUT -p udp --dport 5060 -j ACCEPT
or even
iptables -F INPUT -p udp --dport 5060 -j ACCEPT
and even both udp and tcp…
EDIT (Additional Info):
5060 remains closed testing with telnet and nmap from local and another machine on the LAN that has access to 80,22 etc.

What else can be going on?


#10

I have tried some asterisk cli sip commands:

sip show peers
Name/username Host Dyn Nat ACL Port Status
400 (unspecified) D A 5060 UNKNOWN
inbound (unspecified) 5060 Unmonitored
asiptrunk/asiptrunk 66.54.xxx.xx 5060 Unmonitored
3 sip peers [Monitored: 0 online 1 offline Unmonitored: 2 online, 0 offline]

400 is the extension for the phone I’m trying to hook up.
inbound is the inbound route to send to 400
asiptrunk is the trunk setup with ipkall/pbxes…shows as online in the admin panel.

Could these 5060 sip connections be the problem?


#11

netstat -nap | grep 5060

gives:

udp 0 0 127.0.0.1:5060 0.0.0.0:* 6629/asterisk


#12

First thing to remember is that an iptables rule will NOT change the output of the netstat command.

Now, if the netstat shows 127.0.0.1:5060, then asterisk is only listening on the localhost (loopback) device.
Look in sip.conf for a line that starts with udpbindaddr. It should either be 0.0.0.0 (for all interfaces) or the IP of your ethernet adapter.
If you end up changing that, reload the chan_sip.so module. The output of netstat -an should be something like

(the first 0.0.0.0 could be the IP of your ethernet adapter if you put that in the udpbindaddr=)

Once you get that going, you can address the iptables issue.

The previously discussed iptables command should work for inserting a rule into the chain; however, I would suggest you go back to system-configure-securitylevel.
Enable the firewall, make sure the check boxes for HTTP and SSH are checked. Then in the text box below the list of services add ‘5060:udp’. Save your changes. Just to be on the safe side, do a ‘system iptables restart’.

See how that works out.


#13

Thanks, dalenoll.

Now wireshark shows:
192.168.13.107(asterisk Server) 192.168.13.137(cisco Phone) ICMP Destination unreachable (Host administratively prohibited)

I opened up 5060 OUTPUT now also, because above says from the server it is the host refusing, but that didn’t help.

Are there other ports I need opened? I already have the 10001-20000 range.


#14

Oh, also…

When I edited sip.conf Freepbx had autogenerated the file and directed me to the _customs

I used sip_custom to add the udpbindaddr which works.

Just curious if _general_custom is better for this? Or if these includes get hit in the order they appear in sip.conf and to just gauge importance and where I should stick things based on that? The description (as commented in sip.conf) for each custom conf could be misinterpreted by a novice like me.

Thanks.


#15

Yes, the sip_general_custom.conf file would be the more appropriate file to place the udpbindaddr parameter in.

Now, about the iptables…

The ICMP host prohibited message is because the rules generated by system-config-securitylevel reject unwanted connections with that ICMP message. For informational purposes only, this is the rule that does that…

system-configure-securitylevel creates a file named… /etc/sysconfig/iptables
Can you post the contents of that file?
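An added example (not from this thread, AsteriskNow or FreePBX) that encodes the diagnosis given in posts #12 and #15: it parses `netstat -nap` style output to tell a port bound only to loopback from one that is not listening at all, and maps the wireshark symptoms quoted earlier (RST/ACK, ICMP port unreachable, ICMP host administratively prohibited) to whether the host itself or an iptables REJECT rule answered. The netstat sample is constructed; only the 5060 line mirrors the thread.

```python
import re

# Constructed sample in the shape of `netstat -nap` output. The 5060 line
# mirrors the one quoted in the thread; the others are made up for contrast.
SAMPLE_NETSTAT = """\
tcp   0  0 0.0.0.0:22           0.0.0.0:*   LISTEN  1234/sshd
tcp   0  0 0.0.0.0:80           0.0.0.0:*   LISTEN  1300/httpd
tcp   0  0 0.0.0.0:5038         0.0.0.0:*   LISTEN  6629/asterisk
udp   0  0 127.0.0.1:5060       0.0.0.0:*           6629/asterisk
udp   0  0 192.168.13.107:69    0.0.0.0:*           1400/xinetd
"""

# proto, recv-q, send-q, local addr:port, foreign addr, optional state, pid/program
LINE_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+LISTEN)?\s+(\S+)$")

def parse_listeners(text: str) -> list:
    """Return (proto, bind_addr, port, program) tuples for each socket line."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, addr, port, prog = m.groups()
            found.append((proto, addr, int(port), prog))
    return found

def classify_bind(addr: str) -> str:
    """Where is this socket reachable from? Loopback-only is invisible to the LAN."""
    if addr in ("0.0.0.0", "::"):
        return "all interfaces"
    if addr.startswith("127.") or addr == "::1":
        return "loopback only"
    return "specific interface"

def bind_scope(text: str, port: int, proto: str) -> str:
    """The question the thread turned on: is anything bound to port, and where?"""
    for p, addr, prt, _ in parse_listeners(text):
        if p == proto and prt == port:
            return classify_bind(addr)
    return "not listening"

def explain_probe(evidence: str) -> str:
    """Map a capture line like those quoted in the thread to the layer that produced it."""
    if "[RST, ACK]" in evidence:
        return "host: TCP port closed, nothing bound on it (firewall not involved)"
    if "Port unreachable" in evidence:
        return "host: UDP port closed, nothing bound on it or bound to loopback only"
    if "administratively prohibited" in evidence:
        return "firewall: an iptables REJECT rule answered, not the service"
    return "unknown"
```

Run it against real `netstat -nap` output before touching any firewall rule: a "loopback only" or "not listening" answer means the fix is udpbindaddr or the service, not iptables.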


#16

Surprisingly enough,

The ICMP complaint was arbitrary and after changing the contents of /tftpboot/ from root:root to asterisk:asterisk it worked!

So once you got me to that point, it was a silly permission issue that stood in my way. Communication to/from server/phone is now great. So good… I learned I need some locale files that are missing…mk-sip.jar, 3g-tones.xml, CTLSEPXXXXXXXXXXXX.tlv as the phone remains unprovisioned without them :frowning:

If anyone knows a workaround, I’m all ears? It is painful waiting for my CCO access to be ‘delivered’

…Digital Delivery should always be instant as long as payment goes through IMO…

Thanks for everyone’s help!

NEWB ALERT: How do I mark this as solved? :wink: