This article looks at a simple example configuration of iptables to work with Asterisk
Verify whether the IPTables installed
[Root @ localhost ~] # rpm -q iptables
iptables-1.3.5-5.3.el5_4.1
Let's see the current rules using the parameter -L
[Root @ localhost ~] # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt ​​source destination         
ACCEPT all - anywhere anywhere state RELATED, ESTABLISHED 
ACCEPT icmp - anywhere anywhere            
ACCEPT all - anywhere anywhere            
ACCEPT tcp - anywhere anywhere state NEW tcp dpt: ssh 
REJECT all - anywhere anywhere reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target prot opt ​​source destination         
REJECT all - anywhere anywhere reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target prot opt ​​source destination         

Setting common rules.

Let's create a new rule
# Iptables -P INPUT ACCEPT
This command will allow all incoming connections that will allow us to avoid blocking our connection if configuration is done via the ssh .
# Iptables -F
This command will reset the current default rules and apply only to the created rule.
# Iptables -A INPUT -i lo -j ACCEPT
This simple rule allows all connections to the loopback adapter. The loopback interface is defined by the system as lo and has a default address of 127.0.0.1 -A command adds a new rule at the end of a given INPUT chain. The -i option with the name of lo interface allows all kinds of traffic through a given interface. The -j option specifies a target of ACCEPT rules to accept all connections.
iptables -A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT
Some parts of this rule is already familiar to you. Next there -m option is used to load the module state. The module checks the state package state and determines whether it is a new-NEW, already created-ESTABLISHED or new, but related-RELATED already established connection. ESTABLISHED state indicates that the packet belongs to an existing connection through which packets go in both directions. NEW sign implies that the package opens up a new connection or packet belongs to the unidirectional flow. RELATED sign indicates that the packet belongs to an existing connection, but it opens up a new connection.
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
This rule is added to the INPUT chain, and says that all packets coming on the TCP protocol (-p tcp), on port 22 (-dport 22), should be taken (-j ACCEPT). Use of ssh c default port for the connection.
If you want to open access to the Web server chain will also look, except for the port number.
   
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
I note that php applications are very weak spot is often used to break Asterisk.
iptables -P INPUT DROP
Remember, the first rule? When we set the default policy for the input circuits take? This rule changes the default policy for the input strings back in the DROP, which is required if you want to actually block the traffic coming to your server.
iptables -P FORWARD DROP
Deny traffic routing
iptables -P OUTPUT ACCEPT
Allow all outgoing traffic.
service iptables save
Save the created rules.

Rules for Asterisk

Consider the rules for the SIP , the RTP , IAX , the AMI
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5061 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000: 20000 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
If you are using TCP:
iptables -A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5061 -j ACCEPT
iptables -A INPUT -p udp -m udp -dport the ACCEPT 5060 -j - this rule allows the initiation of SIPconnections to your Asterisk server from a remote user or provider.
If you do not have remote users, such as just sip trunk from the provider, a good idea to allow the initiation of only certain ip addresses or networks.
iptables -A INPUT -p udp -m udp -s 11.11.11.11 --dport 5060 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 192.168.0.0/24 --dport 5060 -j ACCEPT
The first rule allows connection only to the address 11.11.11.11, second to the network to your local 192.168.0.XXX subscribers.
iptables -A INPUT -p udp -m udp -dport 10000 20000 ACCEPT -j - This rule enables RTP traffic. Code initsirovano SIP connections on port 5060 voice streams are sent to the ports of said range. I would also like to note that many of the PBX is used for initiation of SIP connections and RTP traffic different interfaces. Those. if the address of SIP server your ISP 11.11.11.11, the RTP traffic, for example, can come with ip addresses 11.11.11.11, etc.
Rtp port range specified in /etc/asterisk/rtp.conf file.
iptables -A INPUT -p udp -m udp -dport the ACCEPT 4569 -j - Allows connection of protocol IAX . Unlike SIPto initiate a connection and for packet voice RTP uses the same port.
iptables -A INPUT -p tcp -m tcp -dport the ACCEPT 5038 -j - Allows connection to the Asterisk Manager Interface.
service iptables save
Save the new rules 
on debian and ubuntu added iptables-persistent package that uses the iptables-save / iptables-restore
#service iptables-persistent Usage: /etc/init.d/iptables-persistent {start | restart | reload | force-reload | save | flush}

Filtering by name scanners

iptables -I INPUT -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP
iptables -I INPUT -p udp --dport 5060 -m string --string "sip-scan" --algo bm -j DROP
iptables -I INPUT -p udp --dport 5060 -m string --string "sundayddr" --algo bm -j DROP
iptables -I INPUT -p udp --dport 5060 -m string --string "iWar" --algo bm -j DROP
iptables -I INPUT -p udp --dport 5060 -m string --string "sipsak" --algo bm -j DROP
iptables -I INPUT -p udp --dport 5060 -m string --string "sipvicious" --algo bm -j DROP
<Spoiler | Setting IPtables a few clicks>
iptables -P INPUT ACCEPT &&
iptables -F &&
service iptables save &&
iptables -A INPUT -i lo -j ACCEPT &&
iptables -A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT &&
iptables -A INPUT -p tcp --dport 22 -j ACCEPT &&
iptables -A INPUT -p tcp --dport 80 -j ACCEPT &&
iptables -P INPUT DROP &&
iptables -P FORWARD DROP &&
iptables -P OUTPUT ACCEPT &&
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT &&
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT &&
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT &&
iptables -A INPUT -p udp -m udp --dport 5061 -j ACCEPT &&
iptables -A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT &&
iptables -A INPUT -p tcp -m tcp --dport 5061 -j ACCEPT &&
iptables -A INPUT -p udp -m udp --dport 10000: 20000 -j ACCEPT &&
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT &&
iptables -A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT &&
service iptables save &&
iptables -L
</ Spoiler>

FORWARD

/etc/sysctl.conf
 net.ipv4.ip_forward = 0
 net.ipv4.ip_forward = 1
 # Sysctl -p /etc/sysctl.conf
 # Iptables -t nat -A PREROUTING -p udp --dport 5061 -j DNAT --to-destination 192.168.0.1:5060
# Iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt ​​source destination
DNAT udp - anywhere anywhere udp dpt: sip-tls to: 192.168.0.1: 5060

Chain POSTROUTING (policy ACCEPT)
target prot opt ​​source destination

Chain OUTPUT (policy ACCEPT)
target prot opt ​​source destination