Example 6.1, "Firewall setup with iptables" provides a basic example for Linux firewalls using iptables. If using a firewall framework like Shorewall then please consult the relevant documentation to open the same ports.
Example 6.1. Firewall setup with iptables

    iptables -I INPUT -p udp -d 198.51.100.19 --dport 3478 -j ACCEPT
    iptables -I INPUT -p udp -d 198.51.100.20 --dport 3478 -j ACCEPT
    iptables -I INPUT -p udp -d 198.51.100.19 --dport 49152:65535 -j ACCEPT
    iptables -A INPUT -p tcp -d 198.51.100.19 --dport 5061 -j ACCEPT
    iptables -A INPUT -p tcp -d 198.51.100.19 --dport 5222 -j ACCEPT
    iptables -A INPUT -p tcp -d 198.51.100.19 --dport 5269 -j ACCEPT
    ip6tables -I INPUT -p udp -d 2001:DB8:1000:2000::19 --dport 3478 -j ACCEPT
    ip6tables -I INPUT -p udp -d 2001:DB8:1000:2000::19 --dport 49152:65535 -j ACCEPT
    ip6tables -A INPUT -p tcp -d 2001:DB8:1000:2000::19 --dport 5061 -j ACCEPT
    ip6tables -A INPUT -p tcp -d 2001:DB8:1000:2000::19 --dport 5222 -j ACCEPT
    ip6tables -A INPUT -p tcp -d 2001:DB8:1000:2000::19 --dport 5269 -j ACCEPT
It is highly recommended that the firewall rules for RTP packets are placed at the beginning of the INPUT chain (hence -I rather than -A in the example above), as these packets are time-sensitive and over 99% of the RTC traffic is carried in RTP packets. Putting them lower in the chain means the CPU evaluates more rules against each packet before it finds the matching one. That wastes CPU cycles and can cause latency or congestion for all real-time applications on the server.
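The script below is an added example, not part of the guide, that builds the same rule set from variables so each address and port is stated once, keeps the UDP media rules at the head of the chain as recommended above, and uses iptables -C to skip rules that are already present (so it can be re-run safely). The variable names, the RTC_APPLY switch and the apply/print split are assumptions of this example; the addresses and ports are the guide's own documentation values and must be replaced with the real server addresses. The guide's second TURN address (198.51.100.20) is not included; call rtc_rules again with that address if a second TURN interface is needed.

```shell
#!/bin/sh
# Added example (not from the guide): generate and optionally apply the
# iptables/ip6tables INPUT rules for an RTC server.
# RTC_APPLY=1 applies the rules (requires root); otherwise they are printed.
set -eu

# Assumed values: the guide's documentation addresses and port choices.
SIP_V4="${SIP_V4:-198.51.100.19}"
SIP_V6="${SIP_V6:-2001:DB8:1000:2000::19}"
TURN_PORT=3478            # STUN/TURN over UDP
RTP_RANGE="49152:65535"   # RTP media relay range over UDP
SIP_TLS_PORT=5061         # SIP over TLS
XMPP_C2S_PORT=5222        # XMPP client-to-server
XMPP_S2S_PORT=5269        # XMPP server-to-server

# rtc_rules BIN ADDR: print the five INPUT rules for one address, one per line,
# in execution order. The UDP rules use -I (insert at the head of the chain);
# because the RTP range is inserted last it ends up at position 1, ahead of
# TURN, which keeps the latency-sensitive media path cheapest to match.
# The TCP signalling rules use -A (append) as in the guide.
rtc_rules() {
    bin="$1"; addr="$2"
    echo "$bin -I INPUT -p udp -d $addr --dport $TURN_PORT -j ACCEPT"
    echo "$bin -I INPUT -p udp -d $addr --dport $RTP_RANGE -j ACCEPT"
    echo "$bin -A INPUT -p tcp -d $addr --dport $SIP_TLS_PORT -j ACCEPT"
    echo "$bin -A INPUT -p tcp -d $addr --dport $XMPP_C2S_PORT -j ACCEPT"
    echo "$bin -A INPUT -p tcp -d $addr --dport $XMPP_S2S_PORT -j ACCEPT"
}

# apply_rules BIN ADDR: run each rule unless an identical rule already exists.
# The presence check rewrites "-I INPUT"/"-A INPUT" to "-C INPUT", which makes
# iptables return success only when the rule is already in the chain.
apply_rules() {
    rtc_rules "$1" "$2" | while read -r line; do
        check=$(printf '%s\n' "$line" | sed 's/ -[IA] INPUT / -C INPUT /')
        if ! $check >/dev/null 2>&1; then
            $line
        fi
    done
}

if [ "${RTC_APPLY:-0}" = 1 ]; then
    apply_rules iptables "$SIP_V4"
    apply_rules ip6tables "$SIP_V6"
else
    # Dry run: show what would be applied.
    rtc_rules iptables "$SIP_V4"
    rtc_rules ip6tables "$SIP_V6"
fi
```

Run it without arguments to review the generated rules, then with RTC_APPLY=1 as root to apply them. Because the check uses -C, re-running the script after a rule was already inserted does not duplicate it; verify the resulting order with iptables -L INPUT -n --line-numbers and confirm the UDP RTP range sits at position 1.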
When you deploy additional RTC applications (such as Asterisk or FreeSWITCH) behind the firewall, you may want to allow RTP traffic to travel directly to those servers too, while only allowing the SIP signalling traffic to go through the SIP proxy.