VoIP client and IPtables port forwarding

Let’s say you have an Asterisk server that listens on the standard UDP port 5060 and want to use the VoIP client on for example your shiny new Nokia N900. You configure the VoIP client and everything works as advertised via your local WiFi link.

Next you also want to use the 3G/3.5G Internet link on your phone. Security conscious as you are you run into a small problem. Using the standard UDP port 5060 is not a smart thing to do as the usual evil suspects are scanning boxes across the Internet for port 5060 so they can try to hack into it and make free calls. So you need to use a different UDP port. Here’s were the problem starts.

Asterisk can only listen on one port and one IP address. Pretty silly I know but that’s the way it is (unless you switch to FreeSWITCH). Your VoIP client also supports only one UDP port. You could create two profiles in your VoIP client but that’s ugly and not what we want.

We really just want to use a UDP port that is not 5060 that can be used on the local LAN and on the 3G/3.5G link while Asterisk is still listening on UDP port 5060. The solution is simple: on the box running Asterisk add one IPtables port forwarding rule to your firewall. Here’s how to do it:

You need root privileges for all steps.

Make sure your firewall is running before continuing with the next steps:

# service iptables start

Next add the portforwarding rule to IPtables where:

INTERFACE = the interface of your Asterisk box (example: eth0)
IP = the IP address of your Asterisk box (example:
OTHERPORT = the port you configured in the VoIP client (anything but 5060, example 12345)

# cd /etc/sysconfig
# cp iptables iptables.backup
# iptables -t nat -A PREROUTING -p udp -i <INTERFACE> -d <IP> –dport <OTHERPORT> -j DNAT –to <IP:5060>
# service iptables save
# service iptables restart

Now check your shiny new IPtables portforwarding rule:

# service iptables status

And you should see something like this (IP addresses are just examples):

To enhance security I would recommend to limit the IP ranges from which the VoIP client can connect by adding IP restrictions to your VoIP client’s profile in /etc/asterisk/sip.conf:

permit=<IP range1 of GSM provider>/<netmask>
permit=<IP range2 of GSM provider>/<netmaks>
permit=<IP range3 of GSM provider>/<netmaks>

Testing the various codecs using the 3G/3.5G link on my N900 it seems that the iLBC codec at 40ms gave the best results (allow=ilbc:40 under the VoIP client’s profile in /etc/asterisk/sip.conf). Alaw was the clearest but every second letter of words I spoke were dropped. Same for AMR and G.729. This seems to be caused by high packet loss. On the N900 I ran mtr-tiny and saw packet loss as high as 49% and about 30% consistently (WTH?). This might be caused by shaping and prioritizing of UDP by the Telco. Once I have replaced Asterisk with FreeSWITCH I will test again using UDP and TCP to see if using TCP makes a difference.

For even more security use TLS with self-signed client certificates. TLS is supported on Asterisk 1.6.x but I do not know if Asterisk 1.6.x also supports authorization based on client certificates. Again, if you want advanced secure functionality like that you should probably look at FreeSWITCH.