RTP ports and iptables

Hi all,
so i dont usually deal with pbx’s behind NAT who want offsite access.
I am using port knocker to access the freepbx device, it works, with 5060 sip signalling, but does not work with rtp, eg 10000:20000
it still only opns up 5060 despite it being a -m multiport command in iptables.If I seperate rule that always allows the RTP range audio works

So curious, is there much of a risk permenantly openin RTP ports to the world, just relying on port knocking for 5060 protection?

and before someone raises it, no, vpn is not an option

That’s the way the FreePBX firewall works, RTP open to the world. It is safe.

Agreed, it’s safe, although I shy away from this if at all possible, I’ve done this a couple of time (clients are too scared and by their own admission too tech-dumb and just want stuff “to work” so get scared when you say vpn) but I’d strongly suggest narrowing your RTP range, 10000-20000 is overkill, pure overkill - especially if you’re behind NAT. I’d strongly recommend reducing that port range.

Consider each call will use IIRC (I’m sure someone will point out if I’m wrong) 4 UDP ports per call.

So if you have 100 calls active, that’s only 400 ports, but I like randomness so try 10000-14000 … I don’t see that as a problem, but that said, as I mentioned earlier I do try avoid this type of setup, so again I may be wrong :slight_smile:

Thank you both, I will configur and leave open, I will also try reduce port range, is it really use 4 ports for RTP streaming for just one call?

Which means there’s only 200 ports for people to randomly inject audio into.

The whole point of having such a large range of RTP ports is to make it much harder for attackers to inject fraudulent audio. Leave it 10,000 ports wide.


ok will do.

thanks everyone

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.