Adding Custom iptables rule to FreePBX Firewall

I need to add a custom rule to the FreePBX Firewall but I’m not exactly sure how to do it. I’ve enabled “Custom Firewall Rules”, created the file /etc/firewall-4.rules, made sure it was owned and writable by root only, and added the rule to the file trying different formats but I can’t seem to get it to stick. The rule I’d like to add is iptables -I OUTPUT -m string --string "SIP/2.0 503 Service Unavailable" --algo bm --to 65535 -j DROP (This is related to a Yealink bug regarding transfers but that’s for another topic!)

Any suggestions would be much appreciated :slight_smile:

@xrobau just curious if you have any input on this? I’m not finding much in the Wiki. Sorry to be a PITA but until I figure out why I’m getting recalls on transfers this is my only solution.

Have a look at /tmp/firewall.log and you’ll see why it’s not loading.

Thanks Rob! Figured it out :slight_smile:

1 Like

For anyone else coming in later, the /tmp/firewall.log file says what it’s read from the file, what it’s running, and the output of that command. If it’s refusing to read the file (invalid permissions or ownership, for example), it will also tell you that, and what it should be.

Basically, it’s about as verbose as it’s possible to make it 8)

I need to add a custom iptables rule to allow postrouting NAT for IPSEC tunnels to our PBX, but haven’t figured out how to do so in a way that doesn’t get overwritten.

I know it’s bad form, but I even added the command to rc.local, but the firewall sometimes takes a while to load and then overwrites that.

Could you please share the specifics of how you added custom firewall rules to the FreePBX firewall module that are persistent even after a reboot?

Thanks!

see: https://wiki.freepbx.org/display/FPG/Firewall

@xrobau, would you be able to help me with this?

I need to run one iptables rule for NATing the server because it’s also an IPSEC server, and I can’t figure out how to load custom firewall rules AFTER the FreePBX firewall has completed loading (on reboots, or if for some reason it reloads).

For your info, here’s the rule/command that I need to run to get our IPSEC tunnels to properly bi-directionally function:

iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

I tried to run in rc.local, but often the FreePBX firewall executes after that and then blanks this rule. Also if the firewall reloads it will do the same thing.

I could run this as a cron job every so many minutes but obviously that’s an inelegant way to handle this, though not running this will knock our offices off of the phone system in the event the firewall is reset, or the system reboots.

Would greatly appreciate your ideas, @necits2015, or ideas from others, to help me:

a) find the best workaround
b) learn how to implement custom rules that will be persistent

Thanks!

Chris

@rymes—thanks for your help debugging my firewall issues. Adding you to this thread as well, as I know you’d expressed interest in figuring out if custom firewall rules were possible with FreePBX.

Hi ctmet. So basically you need to create the file /etc/firewall-4.rules and assign it proper permissions.
Then just add your rules to that file, but do not include iptables. For example, you would just add

-t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

to the file. Next, go into FreePBX Firewall settings, go to Advanced Settings and enable Custom Firewall Rules. Check /tmp/firewall.log for errors.

2 Likes
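A small lint script, added here as an example (it is not FreePBX code and not from anyone in the thread), that checks the three things this answer lists before you enable Custom Firewall Rules: root ownership, no group/world write bit, and no leading iptables on rule lines. It assumes GNU stat (Linux) and takes the rules file as its first argument; to_rules_line turns a full command into the form the file expects.

```shell
#!/bin/sh
# Added example, not FreePBX code: lint a custom rules file such as
# /etc/firewall-4.rules before enabling "Custom Firewall Rules".
# Assumes GNU stat. Usage: sh lint-rules.sh /etc/firewall-4.rules

# Turn a full command into a rules-file line by dropping a leading
# "iptables": the file holds only the arguments.
to_rules_line() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*iptables[[:space:]]*//'
}

# Return 0 when no non-empty, non-comment line starts with "iptables";
# otherwise print each offending line and return 1.
check_rule_lines() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        trimmed=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
        case "$trimmed" in
            ''|'#'*) ;;
            iptables|iptables[[:space:]]*)
                echo "remove the leading 'iptables': $line"; bad=1 ;;
        esac
    done < "$1"
    return $bad
}

# Return 0 when the file is owned by root and writable by root only.
check_rule_perms() {
    owner=$(stat -c '%U' "$1") || return 1
    mode=$(stat -c '%a' "$1") || return 1
    ok=0
    [ "$owner" = root ] || { echo "owner is $owner, expected root"; ok=1; }
    # 022 (octal) covers the group and other write bits
    [ $((0$mode & 022)) -eq 0 ] || { echo "mode $mode is group/world writable"; ok=1; }
    return $ok
}

# Run both checks; a clean file still needs /tmp/firewall.log checked afterwards.
lint_rules_file() {
    [ -f "$1" ] || { echo "$1: no such file"; return 1; }
    status=0
    check_rule_perms "$1" || status=1
    check_rule_lines "$1" || status=1
    [ $status -eq 0 ] && echo "$1: looks OK; enable Custom Firewall Rules and check /tmp/firewall.log"
    return $status
}

[ $# -eq 0 ] || lint_rules_file "$1"
```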

Huge thanks @necits2015 and I’m basically kicking myself for not having noticed that on the advanced menu page. To make matters worse I also had already enabled it and put a few rules in it—from long, long ago when I set the system up. (DOH!).

Many thanks!

1 Like

Glad I could help! :slight_smile: