Modifying the Debian IPTables and Windows Firewall

Introduction

When the SIP or Tunnel ports are changed, the firewall rules created during installation must be updated to match. This guide walks through the steps required on both Linux and Windows. If you are installing using 3CX ISO, then you need to do nothing.

On Linux

If you are running 3CX on Linux, then you need to modify the firewall that ships with Debian, called IPTables.

1. Connect to the machine via SSH (Secure Shell) and issue the command:

iptables -L INPUT --line-numbers | grep -e 5060 -e 5090

Example output:

...

10   ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https,5000,5001,5015,sip,sip-tls,5090 tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW

11   ACCEPT     udp  --  anywhere             anywhere             multiport dports tftp,sip,5090,afs3-fileserver:9500

2. Locate the rule you want to change and note its ID in the first column of the IPTables output. Since we are looking to change the SIP and Tunnel port (5060 and 5090 respectively), the rules in question are rules 10 and 11 (TCP and UDP respectively).

3. Issue the following command to obtain the command-form of the rules you want to change:

 

iptables -S INPUT | grep -e 5060 -e 5090

Example output:

-A INPUT -p tcp -m multiport --dports 80,443,5000,5001,5015,5060,5061,5090 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT

-A INPUT -p udp -m multiport --dports 69,5060,5090,7000:9500 -j ACCEPT

4. Copy the -A entries above into a text editor and change each reference to 5060 and 5090 to the new port. For example, changing 5060 to 5062 and 5090 to 5097 (and, in the TCP rule, 5061 to 5063), the new IPTables commands read:

-A INPUT -p tcp -m multiport --dports 80,443,5000,5001,5015,5062,5063,5097 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT

-A INPUT -p udp -m multiport --dports 69,5062,5097,7000:9500 -j ACCEPT

5. Replace the existing rules in place: change -A INPUT in each edited entry to -R INPUT followed by the rule number noted in step 2, and issue the resulting commands:

/sbin/iptables -R INPUT 10 -p tcp -m multiport --dports 80,443,5000,5001,5015,5062,5063,5097 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT

/sbin/iptables -R INPUT 11 -p udp -m multiport --dports 69,5062,5097,7000:9500 -j ACCEPT

6. To save the IPTables state and make the changes permanent across reboots, issue the following command:

service netfilter-persistent save
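
Steps 1 to 5 can be scripted. The following is an added example, not part of the original 3CX guide: it reads "iptables -S INPUT" output and prints the matching -R commands, using hypothetical function names (gen_replace_cmds, sample_rules) and a constructed rule list. It derives each rule number by counting -A lines and compares whole port tokens, so a rule for an unrelated port such as 15060, which the grep above would also match, is left alone.

```shell
#!/bin/sh
# Added example: build `iptables -R` commands from `iptables -S INPUT` text.
# It only prints the commands; nothing is applied to the firewall.

# Usage: iptables -S INPUT | gen_replace_cmds "OLD=NEW,OLD=NEW"
gen_replace_cmds() {
    awk -v map="$1" '
    BEGIN {
        n = split(map, pairs, ",")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); remap[kv[1]] = kv[2] }
    }
    # -R takes the rule position, which is the count of -A lines so far.
    $1 == "-A" && $2 == "INPUT" {
        rule++; changed = 0
        for (f = 3; f < NF; f++) {
            if ($f != "--dports" && $f != "--dport") continue
            # Compare whole port tokens, so 15060 is never mistaken for 5060.
            np = split($(f + 1), ports, ","); list = ""
            for (p = 1; p <= np; p++) {
                ne = split(ports[p], ends, ":"); tok = ""   # a:b is a range
                for (e = 1; e <= ne; e++) {
                    if (ends[e] in remap) { ends[e] = remap[ends[e]]; changed = 1 }
                    tok = tok (e > 1 ? ":" : "") ends[e]
                }
                list = list (p > 1 ? "," : "") tok
            }
            $(f + 1) = list
        }
        if (changed) { $1 = "-R"; $2 = "INPUT " rule; print "/sbin/iptables " $0 }
    }'
}

# Constructed sample input (not taken from a real system).
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 15060 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,5000,5001,5015,5060,5061,5090 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 69,5060,5090,7000:9500 -j ACCEPT
EOF
}

sample_rules | gen_replace_cmds "5060=5062,5061=5063,5090=5097"
```

Review the printed commands before running them, and generate them immediately before use, because rule numbers shift if the chain is edited in between.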

On Windows

If you are running 3CX on Windows go to “Start > Control panel > Windows Firewall > Advanced settings > Inbound Rules” and edit the first rule “3CX Phone System Server TCP IN”.

  1. Click on Protocols and Ports
  2. Change 5060 to 5062, 5061 to 5063 and 5090 to 5092
  3. Click on the second rule “3CX Phone System Server UDP IN”
  4. Click on Protocols and Ports
  5. Change 5060 to 5062, and 5090 to 5092
