Archive for the ‘Asterisk’ Category

Install Asterisk 1.8 on Ubuntu 10.10 Server

February 4, 2011 1 comment

Install MySQL (you will need to enter a password for the MySQL root user, for example 1234):

aptitude update
aptitude install -y mysql-server

Install all other dependencies we will need later:

aptitude install -y build-essential linux-headers-`uname -r` openssh-server bison flex apache2 \
    php5 php5-curl php5-cli php5-mysql php-pear php-db php5-gd curl sox libncurses5-dev libssl-dev \
    libmysqlclient15-dev mpg123 libxml2-dev

Download all the asterisk source packages that we are going to compile:

cd /usr/src/
tar xzvf asterisk-

Once we have all the sources we will compile them. Reading the relevant configuration documentation, or at least the README file, is always a good idea.

cd asterisk-
make install

Install the sample configurations:

make samples

Now we start making some adjustments to get our installation working. We create the user “asterisk” and add the apache user to the “asterisk” group (not sure if this is needed):

adduser asterisk --disabled-password --no-create-home --gecos "asterisk PBX user"
adduser www-data asterisk

Change the default user and group for apache to asterisk in apache2.conf (this is also a step that doesn’t convince me much, but as it is just a test, let’s follow the directives of the original script):

cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf_orig
sed -i 's/^\(User\|Group\).*/\1 asterisk/' /etc/apache2/apache2.conf

The original script also proposes changing the sha-bang of the /usr/sbin/safe_asterisk script from sh to bash:

nano /usr/sbin/safe_asterisk

change the first line from




Now create the script that will manage the asterisk service. Here I haven’t made any changes to the original script; I’ve just added the basic information (init info) that every init script should carry:

cat > /etc/init.d/asterisk <&2
    exit 3


exit 0

Make the appropriate modifications to the asterisk init script so that it starts at boot:

chmod 755 /etc/init.d/asterisk
update-rc.d asterisk defaults 90 10

We are almost done. Now we are going to install FreePBX, the graphical interface that we will use to manage Asterisk (now here comes the chaos; IMHO the following steps reorganized would be better):

cd /usr/src/
wget -O - | tar xvfz -
cd freepbx-2.7.0/

Copy amportal.conf configuration file to /etc/:

cp amportal.conf /etc/

Create the databases. Remember that we used “1234” as the password for our MySQL root user. We also define a password for the asterisk database, e.g. 4321:

export MYSQL_ROOT_PW=1234
export ASTERISK_DB_PW=4321
mysqladmin -u root -p${MYSQL_ROOT_PW} create asterisk
mysqladmin -u root -p${MYSQL_ROOT_PW} create asteriskcdrdb
mysql -u root -p${MYSQL_ROOT_PW} asterisk < SQL/newinstall.sql
mysql -u root -p${MYSQL_ROOT_PW} asteriskcdrdb < SQL/cdr_mysql_table.sql
mysql -u root -p${MYSQL_ROOT_PW} <<-END_PRIVS
GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY "${ASTERISK_DB_PW}";
GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY "${ASTERISK_DB_PW}";
flush privileges;
END_PRIVS
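Passwords given with -p on the command line are visible in the process list and end up in the shell history, and 1234 / 4321 are only placeholders. As an added example (not part of the original script; the function names and file paths are illustrative), this generates a random password and stores it in a client option file that only its owner can read:

```shell
#!/bin/sh
# Added example: keep MySQL passwords off the command line.
# Function names and paths are illustrative, not from the original script.

# Random 24-character password from /dev/urandom. Alphanumeric only, so it
# cannot break the sed expressions or the double-quoted GRANT string.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# write_client_cnf FILE USER PASSWORD
# (Re)creates FILE with mode 0600 holding a [client] section that mysql and
# mysqladmin read when started with --defaults-extra-file=FILE.
write_client_cnf() {
    rm -f "$1"
    ( umask 077
      printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$3" > "$1" )
}

# Demo on a temporary file; on the server use a root-only path instead.
DEMO_CNF=$(mktemp)
write_client_cnf "$DEMO_CNF" root "$(gen_password)"
ls -l "$DEMO_CNF"
rm -f "$DEMO_CNF"

# Usage on the server (not run here; --defaults-extra-file must come first):
#   write_client_cnf /root/.my-root.cnf root "$MYSQL_ROOT_PW"
#   mysqladmin --defaults-extra-file=/root/.my-root.cnf create asterisk
#   mysql --defaults-extra-file=/root/.my-root.cnf asterisk < SQL/newinstall.sql
```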

And slightly modify the settings in /etc/amportal.conf (in the original script this is done before installing freepbx, so we do it too):

sed -i "s/# \(AMPDBUSER=.*\)/\1/" /etc/amportal.conf
sed -i "s/# \(AMPDBPASS=\).*/\1${ASTERISK_DB_PW}/" /etc/amportal.conf
sed -i "s@\(AMPWEBROOT=\).*@\1/var/www/@"  /etc/amportal.conf
sed -i "s@\(FOPWEBROOT=\).*@\1/var/www/panel@" /etc/amportal.conf
# PUTIPADDRESS is a placeholder: replace it with this server's IP address
sed -i "s@\(FOPWEBADDRESS=\).*@\1PUTIPADDRESS@" /etc/amportal.conf

Adjust some php.ini settings related to the use of memory (in the original script there are some changes that are not necessary for lucid):

sed -i 's/\(^upload_max_filesize = \).*/\120M/' /etc/php5/apache2/php.ini

Change the permissions of a series of directories:

chown asterisk. /var/run/asterisk
chown -R asterisk. /etc/asterisk
chown -R asterisk. /var/{lib,log,spool}/asterisk
chown -R asterisk. /var/www/

We enable the asterisk configuration as indicated in /etc/asterisk/asterisk.conf by removing the trailing characters in the first line:

sed -i '1 s/\(\[directories\]\).*/\1/' /etc/asterisk/asterisk.conf

At last! Let’s install FreePBX:

./start_asterisk start

Restart apache2 and dahdi:

/etc/init.d/apache2 restart
/etc/init.d/dahdi restart

Finally (it seems necessary):

ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3
amportal start

That’s all; we can connect to the management interface of our new virtual IP PBX at http://ip/admin/

A reboot shows that everything works!

Categories: Asterisk, Freepbx

How to setup IPTables for Asterisk 1.6.2 on CentOS 5.4

August 29, 2010 Comments off

# iptables -P INPUT ACCEPT
# iptables -F
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT

iptables -P INPUT ACCEPT – This sets the default policy on the input chain to ACCEPT, so we don’t lock ourselves out if we’re connected remotely via ssh.

iptables -F – This is the command to flush the current rule set and only use the defaults (which we just set to ACCEPT on inbound connections, which gives us a blank slate to work with without locking us out of our own box).

iptables -A INPUT -i lo -j ACCEPT – This is a simple rule to allow all access from the loopback adapter.  The -A switch means we’re Appending a new rule to the chain.  -i means this rule has to do with all traffic flowing through a network interface (in this case, the lo, or loopback, interface).  -j means to Jump to the ACCEPT action.  A lot of applications expect to be able to talk with the loopback adapter, so be sure to include this rule.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT – You should already recognize some parts of this line.  What’s new here is the -m switch, which we use to load a module (in this case, the ’state’ module). The state module is able to examine the state of a packet and determine if it is NEW, ESTABLISHED or RELATED. NEW refers to incoming packets that are new incoming connections that weren’t initiated by the host system. ESTABLISHED and RELATED refer to incoming packets that are part of an already established connection or related to an already established connection.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT – This rule is a very important rule, at least it’s important if you’re connecting remotely!  This rule is appended to the INPUT chain and says that any packets coming in on the tcp protocol (-p), on port 22 (--dport 22), should be accepted.  Port 22 is of course the default ssh port.  If you’ve changed your ssh port in your sshd_config, you would of course alter this line accordingly.

iptables -P INPUT DROP – Remember our first rule?  When we set the default policy for the INPUT chain to ACCEPT?  This line changes the default policy for the INPUT chain back to DROP, which is what is required if you want to actually block traffic coming into your server.  If you correctly set the previous line to allow ssh traffic, you shouldn’t lock yourself out at this point.

iptables -P FORWARD DROP – This rule is pretty much the same as the previous one, except that we’re setting the default policy for the FORWARD chain, which handles traffic flowing through our system from one interface to another (i.e. if you’re using your server as a router, which in this case we’re not).

iptables -P OUTPUT ACCEPT – And finally, this rule allows all traffic to flow outwards from your server.

Now that we’ve got these new rules, we should save them so that they’re applied the next time we restart the iptables service.

# iptables-save
# service iptables save

If you want to learn more about iptables and the various switches available to you, I recommend you read the IPTables How-To on the CentOS wiki I linked to earlier.  There’s a lot of useful information there.

Now, if you want to run asterisk on your server that you’ve got protected with IPTables, you’ll need to set up a few specific rules.  Let’s go over those here:

# iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 4000:4999 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT

Let’s take a look at what we’re doing here:

iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT – This rule and the next are needed if you have SIP endpoints or a SIP connection to your ITSP.  UDP port 5060 is the port used for SIP traffic.  If you don’t want to accept SIP traffic from anyone, anywhere, you can further restrict this line by adding source IP addresses or networks with the -s switch:

# iptables -A INPUT -p udp -m udp -s --dport 5060 -j ACCEPT
# iptables -A INPUT -p udp -m udp -s --dport 5060 -j ACCEPT
# iptables -A INPUT -p udp -m udp -s --dport 5060 -j ACCEPT

iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT – This rule goes hand in hand with the previous rule.  This is the rule that allows RTP traffic.  By default, asterisk uses a large range of RTP ports to establish RTP connections, and you have to open a large range of UDP ports as well.  If you’re uncomfortable with this idea, you can trim down the number of ports used for your RTP traffic in asterisk’s /etc/asterisk/rtp.conf file.

# cat /etc/asterisk/rtp.conf

# iptables -A INPUT -p udp -m udp --dport 10000:10050 -j ACCEPT

A good rule of thumb is to have 4 ports per concurrent call you plan on having flow through your system, plus 10% for breathing room.  So if you plan on having at most 10 concurrent calls on your system at any time, configure asterisk to use 44 ports (10 calls x 4 ports = 40, 40 * 1.10 = 44).  Be sure the range in your firewall matches the range in your rtp.conf file.
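As an added example (not part of the original post), this script applies the rule of thumb above and checks that the RTP range opened in the firewall is exactly the one set in rtp.conf. It assumes the rtpstart/rtpend keys of rtp.conf and rules in iptables-save format; the function names and the sample data are constructed.

```shell
# Added example; the sample rtp.conf and firewall text below are constructed.

# Ports needed for N concurrent calls: 4 per call plus 10%, rounded up.
rtp_ports_needed() {
    echo $(( ($1 * 4 * 110 + 99) / 100 ))
}

# Print "start:end" from rtp.conf text on stdin (rtpstart= / rtpend= keys).
rtp_conf_range() {
    awk -F= '
        /^[ \t]*;/ { next }
        { key = $1; val = $2
          gsub(/[ \t]/, "", key); sub(/;.*/, "", val); gsub(/[ \t\r]/, "", val) }
        key == "rtpstart" { s = val }
        key == "rtpend"   { e = val }
        END { if (s != "" && e != "") print s ":" e }'
}

# Print each UDP --dport range accepted on INPUT (iptables-save text on stdin).
fw_udp_ranges() {
    awk '$1 == "-A" && $2 == "INPUT" && /-p udp/ && /-j ACCEPT/ {
        for (i = 1; i < NF; i++)
            if ($i == "--dport" && $(i + 1) ~ /:/) print $(i + 1)
    }'
}

# check_rtp RTP_CONF_TEXT FW_TEXT CALLS
# Prints OK, MISMATCH (firewall range differs from rtp.conf), TOO_SMALL
# (range cannot carry CALLS concurrent calls) or NO_RANGE.
check_rtp() {
    range=$(printf '%s\n' "$1" | rtp_conf_range)
    [ -n "$range" ] || { echo "NO_RANGE"; return 0; }
    have=$(( ${range#*:} - ${range%:*} + 1 ))
    if ! printf '%s\n' "$2" | fw_udp_ranges | grep -qx "$range"; then
        echo "MISMATCH"
    elif [ "$have" -lt "$(rtp_ports_needed "$3")" ]; then
        echo "TOO_SMALL"
    else
        echo "OK"
    fi
}

SAMPLE_RTP='[general]
rtpstart=10000
rtpend=10050'
SAMPLE_FW='-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT'
# rtp.conf was trimmed but the firewall still opens 10000:20000.
check_rtp "$SAMPLE_RTP" "$SAMPLE_FW" 10
```

On a live system, feed it the real files: check_rtp "$(cat /etc/asterisk/rtp.conf)" "$(iptables-save)" 10.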

iptables -A INPUT -p udp -m udp --dport 4000:4999 -j ACCEPT – This rule is used to allow udptl traffic, which is a T.38 transport protocol.  If you don’t plan on doing faxing, you can skip this rule.  I don’t have any handy rules of thumb for the number of udptl ports used per T.38 fax, so you may want to leave this rule at its default.  You can try trimming the range down, but until I hear otherwise from the folks at Digium, I’ll leave the defaults as the recommended setting.

iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT – This rule is for IAX2 connections.  IAX2 is another VoIP protocol, much like SIP.  Unlike SIP, it only needs one port open on your firewall for both control traffic and audio / data traffic.  You don’t need to open any ranges of ports to allow multiple concurrent calls using IAX2 either, as it’s all handled through the one port.  If you plan on making any IAX2 connections through your firewall, be sure to open this port.

iptables -A INPUT -p tcp --dport 5038 -j ACCEPT – This rule is to allow connections to the Asterisk Manager Interface, or AMI.  If you’re not accessing AMI remotely, you should leave this rule off your firewall.
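As an added example (not part of the original post), this script reads rules in iptables-save format and lists the SIP, IAX2 and AMI rules that accept traffic from any source, that is, the ones written without the -s switch. The function name and the sample rules are constructed for illustration.

```shell
# Added example: flag INPUT rules that accept Asterisk signalling or
# management ports from any source. Sample rules below are constructed.

# Reads iptables-save text on stdin; prints "PORT PROTO" for each ACCEPT rule
# on a watched port (SIP 5060/udp, IAX2 4569/udp, AMI 5038/tcp) with no -s.
open_to_any() {
    awk -v watch="5060/udp 4569/udp 5038/tcp" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $1 == "-A" && $2 == "INPUT" {
            proto = ""; port = ""; src = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") port   = $(i + 1)
                if ($i == "-s")      src    = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (target == "ACCEPT" && src == "" && ((port "/" proto) in want))
                print port, proto
        }'
}

# 192.0.2.10 is a documentation address standing in for a trusted SIP peer.
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT'

# The SIP rule is source-restricted; IAX2 and AMI are reported as open.
printf '%s\n' "$SAMPLE_RULES" | open_to_any
```

On a live system run it as: iptables-save | open_to_any.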

Now that you’ve got your rules in place, go ahead and test your system.  If everything seems to be working properly, save your new rules to your iptables config by running one of the following commands:

# iptables-save
# service iptables save

Categories: Asterisk

Yum install asterisk on CentOS

August 14, 2010 19 comments

Use the text editor of your choice to create a new file named “centos-asterisk.repo” in the “/etc/yum.repos.d” folder. Add the following text to the file:

name=CentOS-$releasever - Asterisk - Tested
name=CentOS-$releasever - Asterisk - Current

Save the new file and create another named “centos-digium.repo” and insert the following text:

name=CentOS-$releasever - Digium - Tested
name=CentOS-$releasever - Digium - Current

yum install asterisk16 asterisk16-configs asterisk16-voicemail dahdi-linux dahdi-tools libpri

Categories: Asterisk