The no-NAT dilemma with Asterisk and Bandwidth.com

I recently established an Asterisk phone system utilizing Bandwidth.com SIP trunks. One of the first things the Bandwidth.com representative told me about configuring the Asterisk system was “This must be a public NON-NATTED IP Address. If you use a private or NATTED address the service will not work.” Wow, this would present some security dilemmas, but nothing that I could not overcome.

I use trixbox, and trixbox is based on CentOS, which in turn uses an iptables-based firewall. Essentially, I wanted to configure my iptables firewall to allow traffic only from my home office and the Bandwidth.com data center through to the trixbox. Since I generally have my Linux servers sitting behind other firewalls, I am not much of an iptables guru, so I turned to a great helper application to configure the firewall: LinWiz. LinWiz lets you point and click the services and IP addresses you want to allow access to your machine and then spits out a nicely formatted iptables config file for you.

For reference, my iptables is configured to allow traffic only from Bandwidth.com (the very last entry in this config) and my home office, which happens to be the next-to-last entry in this config. LinWiz helped me configure rules to drop spoofed traffic, SYN flood attacks and pings from non-allowed hosts, as you can see in the comments. If you are setting up a trixbox / FreePBX / Asterisk server and connecting with Bandwidth.com, this config and LinWiz might be of tremendous help. While I am sure that I could properly configure my system to work behind NAT, this was the simplest and easiest way to quickly and safely get the system up and running. Since I have multiple public IPs available, I was not worried about putting this box on the outside.

Good luck with your own config!

***Place this config in /etc/sysconfig/iptables and restart your trixbox firewall to apply***

# Created: Mon Feb 26 16:54:06 2007
# By : LinWiz://ServerFirewall, 1.09
# URL : http://www.lowth.com/LinWiz/1.09
#
# This file is provided under the terms of the GNU General Public
# License which governs your rights to use and redistribute it, and
# highlights the fact that it is provided with NO WARRANTY what so ever.
# The full text of the license can be viewed on line at ..
# http://www.lowth.com/LinWiz/1.09/COPYING.txt
# Do not use this file if you disagree with these terms.
#
#
# This facility is available free of charge. If you have found it
# useful, please consider helping to keep it free by using the
# www.lowth.com website as your gateway to Amazon.com or Amazon.co.uk
# when you buy books, music, computers etc from them. This costs you
# nothing extra - but Amazon pays Lowth.com a small commission on any
# purchases you make via this route. This goes to help funding the
# continued development of LinWiz and related tools.
#
# Please use the following links to get to the Amazon site
#
# http://www.lowth.com/LinWiz/us-shop (USA and Canadian purchases)
# http://www.lowth.com/LinWiz/uk-shop (UK and European)
#
# If you live elsewhere - just choose the one nearest to you.
# Thank You

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ADDRESS-FILTER - [0:0]
:LINWIZ-INPUT - [0:0]
:REJECT-PKT - [0:0]
:SYN-FLOOD - [0:0]

-A INPUT -j LINWIZ-INPUT

######################################################################
# Allow all loopback interface traffic

-A LINWIZ-INPUT -i lo -j ACCEPT

# Block all attempts to spoof the loopback address

-A LINWIZ-INPUT -s 127.0.0.0/8 -j DROP
-A LINWIZ-INPUT -d 127.0.0.0/8 -j DROP

# Block all attempts to spoof the local IP address: x.x.x.x

-A LINWIZ-INPUT -s x.x.x.x -j DROP

# Block Syn Flood attacks

-A LINWIZ-INPUT -p tcp -m tcp --syn -j SYN-FLOOD

# Ensure that TCP connections start with syn packets
-A LINWIZ-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP

# Allow session continuation traffic

-A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Call the IP and MAC address filtering chain

-A LINWIZ-INPUT -j ADDRESS-FILTER

# Allow ICMP ping requests from allowed hosts

-A LINWIZ-INPUT -p icmp -m icmp --icmp-type ping -j ACCEPT

######################################################################
# Syn flood filtering chain

-A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
-A SYN-FLOOD -j DROP

######################################################################
# Chain used to reject all TCP/IP, UDP and ICMP/PING packets

-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable

######################################################################
# IP and MAC address filtering chain

# Substitute your home IP address for 127.0.0.1 to connect from home
-A ADDRESS-FILTER -s 127.0.0.1 -j RETURN
# Bandwidth.com server IP
-A ADDRESS-FILTER -s 4.79.212.236 -j RETURN
-A ADDRESS-FILTER -j REJECT-PKT

COMMIT
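As an added example (my own script, not part of the original post and not LinWiz output), the POSIX shell script below regenerates the ruleset above from an allow-list passed on the command line. It goes a little beyond the config as posted: the server's own address and any number of allowed sources are validated as dotted-quad IPv4 before they are emitted, so a placeholder such as x.x.x.x or a stray note can never reach iptables-restore as literal text and make the load fail. The function names (`valid_ipv4`, `gen_ruleset`), the argument order, and all addresses in the usage comment are my assumptions; the addresses come from the documentation ranges, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post or LinWiz: rebuild the LinWiz
# ruleset from an allow-list. First argument is the server's own public
# address, every further argument is a source allowed through (home office,
# SIP trunk provider). Output goes to stdout; review it before installing
# it as /etc/sysconfig/iptables.

# valid_ipv4 ADDR: succeed only for four dotted decimal octets in 0..255.
valid_ipv4() {
    set -f                       # no pathname expansion while splitting on '.'
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs; set +f
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ruleset LOCAL_IP ALLOWED_IP...: print a complete iptables-restore file.
gen_ruleset() {
    [ $# -ge 2 ] || { echo "usage: gen_ruleset LOCAL_IP ALLOWED_IP..." >&2; return 2; }
    local_ip=$1; shift
    valid_ipv4 "$local_ip" || { echo "invalid local IP: $local_ip" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid allowed IP: $ip" >&2; return 1; }
    done

    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ADDRESS-FILTER - [0:0]
:LINWIZ-INPUT - [0:0]
:REJECT-PKT - [0:0]
:SYN-FLOOD - [0:0]
-A INPUT -j LINWIZ-INPUT
# loopback traffic is fine, but nothing on the wire may claim to be loopback
-A LINWIZ-INPUT -i lo -j ACCEPT
-A LINWIZ-INPUT -s 127.0.0.0/8 -j DROP
-A LINWIZ-INPUT -d 127.0.0.0/8 -j DROP
# nothing on the wire may claim to be this host either
-A LINWIZ-INPUT -s $local_ip -j DROP
# rate-limit new TCP handshakes and insist they start with SYN
-A LINWIZ-INPUT -p tcp -m tcp --syn -j SYN-FLOOD
-A LINWIZ-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
-A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# only allow-listed sources return from this chain; everyone else is rejected in it
-A LINWIZ-INPUT -j ADDRESS-FILTER
-A LINWIZ-INPUT -p icmp -m icmp --icmp-type ping -j ACCEPT
# anything else from an allowed source falls through to the INPUT policy (ACCEPT)
-A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
-A SYN-FLOOD -j DROP
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable
EOF
    # one RETURN per allowed source, then the catch-all reject
    for ip in "$@"; do
        echo "-A ADDRESS-FILTER -s $ip -j RETURN"
    done
    cat <<EOF
-A ADDRESS-FILTER -j REJECT-PKT
COMMIT
EOF
}

# Usage with constructed documentation addresses: server 203.0.113.10,
# home office 198.51.100.7, SIP provider 192.0.2.44:
#   sh gen_rules.sh 203.0.113.10 198.51.100.7 192.0.2.44 > iptables.new
if [ $# -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Because the allow-list RETURN rules are emitted before the REJECT-PKT jump, adding a source is just another argument; the order of the rest of the chain is unchanged from the LinWiz file, so the anti-spoofing and SYN-flood rules still run before any source is consulted.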
