Setup with iptables on Linux

Example 6.1, “Firewall setup with iptables”, provides a basic example for Linux firewalls using iptables. If you are using a firewall framework such as Shorewall, please consult the relevant documentation to open the same ports.

Example 6.1. Firewall setup with iptables

# UDP: TURN (3478) and the RTP media range, inserted (-I) at the head
# of the INPUT chain so they are matched first
iptables -I INPUT -p udp -d 198.51.100.19 --dport 3478 -j ACCEPT
iptables -I INPUT -p udp -d 198.51.100.20 --dport 3478 -j ACCEPT
iptables -I INPUT -p udp -d 198.51.100.19 \
        --dport 49152:65535 -j ACCEPT

# TCP: SIP over TLS, appended (-A) after the UDP rules
iptables -A INPUT -p tcp -d 198.51.100.19 --dport 5061 -j ACCEPT

# TCP: XMPP client-to-server (5222) and server-to-server (5269)
iptables -A INPUT -p tcp -d 198.51.100.19 --dport 5222 -j ACCEPT
iptables -A INPUT -p tcp -d 198.51.100.19 --dport 5269 -j ACCEPT

# The same rules for IPv6
ip6tables -I INPUT -p udp -d 2001:DB8:1000:2000::19 \
        --dport 3478 -j ACCEPT
ip6tables -I INPUT -p udp -d 2001:DB8:1000:2000::19 \
        --dport 49152:65535 -j ACCEPT

ip6tables -A INPUT -p tcp -d 2001:DB8:1000:2000::19 \
        --dport 5061 -j ACCEPT

ip6tables -A INPUT -p tcp -d 2001:DB8:1000:2000::19 \
        --dport 5222 -j ACCEPT
ip6tables -A INPUT -p tcp -d 2001:DB8:1000:2000::19 \
        --dport 5269 -j ACCEPT

It is highly recommended that the firewall rules for RTP packets are placed at the beginning of the chain, as these packets are time sensitive and over 99% of the RTC traffic is carried in RTP packets. This is why the example inserts the UDP rules with -I while appending the TCP signalling rules with -A. Putting the RTP rules lower in the chain means the CPU does more work evaluating each packet before it finds the matching rule, which wastes CPU cycles and can cause latency or congestion for every real-time application on the server.

When you deploy additional RTC applications (such as Asterisk or FreeSWITCH) behind the firewall, you may want to allow RTP traffic to travel directly to those servers too while only allowing the SIP traffic to go through the SIP proxy.
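The following script is an added example and is not part of the guide or of Example 6.1. It generates the Example 6.1 rule set for both address families while preserving the ordering discussed above (RTP and TURN inserted at the head of the chain, TCP signalling appended), adds FORWARD rules that let RTP reach media servers behind the firewall without opening a path for SIP to them, and applies each rule only when an equivalent one is not already present, so re-running it does not stack duplicates. The media-server addresses (192.0.2.10, 192.0.2.11) and the use of the same 49152:65535 range on those servers are assumptions; the second TURN address (198.51.100.20) from the example is left out.

```shell
#!/bin/sh
# Added example, not the guide's own code. Generates the Example 6.1
# rules with RTP first in the chain and applies them idempotently.

# Print the INPUT rules for one address family.
# $1: iptables or ip6tables, $2: address of the SIP/XMPP/TURN server
rtc_rules() {
  bin=$1; addr=$2
  # UDP first: -I inserts at the head, so the RTP range (inserted last)
  # ends up as rule 1 and TURN as rule 2.
  printf '%s -I INPUT -p udp -d %s --dport 3478 -j ACCEPT\n' "$bin" "$addr"
  printf '%s -I INPUT -p udp -d %s --dport 49152:65535 -j ACCEPT\n' "$bin" "$addr"
  # TCP signalling is appended, so it never lands in front of the RTP rule.
  for p in 5061 5222 5269; do
    printf '%s -A INPUT -p tcp -d %s --dport %s -j ACCEPT\n' "$bin" "$addr" "$p"
  done
}

# FORWARD rules for media servers behind the firewall (hypothetical
# addresses): only the RTP range is forwarded to them, so SIP still has
# to go through the proxy. The port range is assumed to match Example 6.1.
media_forward_rules() {
  bin=$1; shift
  for m in "$@"; do
    printf '%s -I FORWARD -p udp -d %s --dport 49152:65535 -j ACCEPT\n' "$bin" "$m"
  done
}

# Apply one generated rule line unless an equivalent rule already exists.
# iptables -C exits non-zero when the rule is not in the chain.
apply_rule() {
  set -- $1            # intentional word split: bin action chain args...
  bin=$1; action=$2; chain=$3; shift 3
  if ! "$bin" -C "$chain" "$@" 2>/dev/null; then
    "$bin" "$action" "$chain" "$@"
  fi
}

# The complete rule set for this deployment.
emit_all() {
  rtc_rules iptables 198.51.100.19
  rtc_rules ip6tables 2001:DB8:1000:2000::19
  media_forward_rules iptables 192.0.2.10 192.0.2.11
}

# Default: print the rules for review. RTC_APPLY=1 (as root) applies
# them one by one through apply_rule.
if [ "${RTC_APPLY:-0}" = 1 ]; then
  emit_all | while IFS= read -r line; do apply_rule "$line"; done
else
  emit_all
fi
```

Run it without arguments to review the generated rules, then with `RTC_APPLY=1` as root to apply them; because every rule is checked with `-C` before being added, the script can be run again after a change to the address list without duplicating rules already in the chain.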