Iptables Firewall Script Location

Can anyone tell me where the firewall script location is in the most recent FreePBX distros?

I am wanting to modify/secure the rules.


We don’t modify iptables in any way.

Don’t forget fail2ban writes rules on the fly.

Run ‘man iptables’ for full instructions.

Could you clarify what you mean by “we don’t modify iptables in any way”?

What I would like to do, is make sure the TFTP ports are open to the inside network. It appears they are not, so iptables rules need to be modified to allow this to provision phones.

Also, is there any information or documentation on securing FreePBX?


I mean that the FreePBX distro installs stock iptables. It is needed for fail2ban.

No rules are preconfigured.

I sent you the command for the man(ual) page, or there are many websites that discuss iptables.

When you ask about securing FreePBX, it generates random passwords so it does not have the inherent issues of other distros that use a well known password.

If you are exposing the system via a public IP address or pinholing certain ports you need to determine your own risk/reward criteria.

Personally I never expose FreePBX web interface or Asterisk SIP directly to the Internet.

I’ve actually been using iptables on public servers for about 10 years now, so I know it quite well.

I do not know fail2ban, but I will read up on it and how it generates rules for iptables.

If someone wants to enable a softphone with a SIP account on their iPhone, iPad or laptop, what would be the best way to achieve this without exposing ports to the Internet? From my understanding this would not be possible?

As well, some of the sip providers I use require that I open SIP and RTP ports on the internet.

The SIP providers have fixed IP addresses so that is not a security issue as long as you trust them.

I have not achieved good results using soft clients on smart phones, the mobile networks just aren’t designed for low latency. Even Verizon 4G in the stats is not great.

Anyway, when I test on my phone I use a VPN client called Junos Pulse for Android. It works with Juniper devices. I know that Cisco and I am sure a few others support Android.


OpenVPN on Apple iOS and Android:


You could run the OpenVPN server on the CentOS machine, in a virtual machine, or run pfSense or Untangle, both free servers with OpenVPN support.

The Internet is full of folks being taken for huge phone bills. Since SIP is a clear text protocol I suggest that all end users try and avoid opening it up to the Public.
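The two firewall points raised in this thread, opening TFTP only to the inside network for phone provisioning and letting SIP in only from a trunk provider's fixed address rather than the whole Internet, fit in one small ruleset. The script below is an added example, not something from the FreePBX distro or from any poster; the LAN prefix, provider address and RTP range are constructed placeholders that you would replace with your own values.

```bash
#!/bin/sh
# Added example (not from the thread or the FreePBX project): build an
# iptables-restore ruleset that admits TFTP only from the LAN and SIP/RTP only
# from a SIP provider's fixed address. All addresses below are constructed
# placeholders (RFC 5737 / private ranges), not values from the thread.

LAN_NET="192.168.1.0/24"     # assumed inside network where the phones live
PROVIDER_IP="203.0.113.10"   # assumed fixed address of the SIP trunk provider
RTP_PORTS="10000:20000"      # Asterisk's default rtp.conf range

# Emit a ruleset in iptables-restore format. Only -A (append) is used: fail2ban
# inserts its own chains at the top of INPUT at run time, so appended rules sit
# below them and the two do not fight over ordering.
build_ruleset() {
  lan="$1"; provider="$2"; rtp="$3"
  cat <<EOF
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# TFTP provisioning: only phones on the inside network may fetch configs.
# The data transfer comes back on ephemeral ports; the kernel's tftp
# conntrack helper (nf_conntrack_tftp) lets the RELATED rule admit it.
-A INPUT -s ${lan} -p udp --dport 69 -j ACCEPT
# SIP signalling: only the provider's fixed address, never 0.0.0.0/0
-A INPUT -s ${provider} -p udp --dport 5060 -j ACCEPT
# RTP media from the same provider
-A INPUT -s ${provider} -p udp --dport ${rtp} -j ACCEPT
# Anything not matched above is logged (for review) and dropped
-A INPUT -j LOG --log-prefix "pbx-drop: " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}

# Guard before applying: fail if any TFTP or SIP accept rule lacks a source
# restriction, i.e. would open the port to the whole Internet.
check_ruleset() {
  ! printf '%s\n' "$1" | grep -E -e '--dport (69|5060) ' | grep -qv -e '-s '
}

# Usage (as root, after reviewing the output):
#   build_ruleset "$LAN_NET" "$PROVIDER_IP" "$RTP_PORTS" > /tmp/pbx.rules
#   check_ruleset "$(cat /tmp/pbx.rules)" && iptables-restore -n /tmp/pbx.rules
# The -n flag keeps fail2ban's existing chains instead of flushing them.
```

Apply the ruleset with `iptables-restore -n` so fail2ban's dynamically inserted chains survive; with more than one provider, repeat the two provider lines per address rather than widening the source prefix.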

I didn’t realize SIP was so insecure. Most of my clients have Cisco ASA 5xxx or WatchGuard. I will start recommending VPNs.

I also came across this interesting discussion. http://forums.asterisk.org/viewtopic.php?p=159984


Since SIP is a clear text protocol I suggest that all end users try and avoid opening it up to the Public.

By this rationale, would you argue that getting service from hosted-PBX providers (like SIPStation) is a bad idea – due to the inherent security risks?

SIPStation is a SIP provider (for phone calls) and does not provide hosted PBXs.

My company is an authorized Schmooze partner and offers hosted systems. We prefer to use VPNs, but if a customer wants an outside IP we employ best practices with perimeter security, intrusion detection, hard secrets and geo matching/profiling.

With all of those protections we have a very small amount of fraud loss and we catch it quickly. We also do constant usage monitoring.