AsteriskNow – IPTables Firewall Configuration


In a previous guide I discussed how to set up an AsteriskNow server with Polycom phone support. In this guide I will illustrate how to tighten up your server’s security by using the IPTables firewall already installed in the distribution.

IPTables should already be set up and running on the server; however, no rules have been applied. You can verify that the service is enabled at boot by doing the following as the root user:

chkconfig iptables --list

This should report that the service starts in runlevels 2 through 5:

iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

Verify there are no rules present (-v adds packet counters and interface columns to the listing):

iptables -L -v

You should see:

Chain INPUT (policy ACCEPT 91 packets, 10124 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 75 packets, 8607 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Now it’s time to add some rules. Copy the following text to a file and import it into IPTables. The first and last lines are comments written by iptables-save; the INPUT chain gets a default policy of DROP, loopback and reply traffic are accepted first, each service gets one rule for new connections, and the final LOG rule records anything that falls through to the policy:

# Generated by iptables-save v1.3.5 on Sat Aug 13 17:34:43 2011
*filter
:INPUT DROP [19:2463]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [897:135843]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A INPUT -j LOG
COMMIT
# Completed on Sat Aug 13 17:34:43 2011

Save the file as iptables.bak and copy it to /etc/iptables.bak

Now import the file into IPTables:

iptables-restore < /etc/iptables.bak

And verify that the rules have been committed:

iptables -L -v

You should now see:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
   51  3852 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:https 
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:sip 
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpts:ndmp:dnp 
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:tftp 
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:ntp 
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level warning 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 26 packets, 2616 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Now save the new IPTables settings so they survive a reboot (this writes /etc/sysconfig/iptables, which the init script loads at boot):

/etc/init.d/iptables save

That’s it! Your server is now blocking all incoming traffic by default and only allowing new connections to the ports it needs to do its job. Specifically:

Port 123 UDP for NTP (time; only needed inbound if the phones sync their clocks from this server, since the server’s own NTP client gets its replies through the RELATED,ESTABLISHED rule)
Port 69 UDP for TFTP (phone provisioning)
Port 5060 UDP for SIP (call signalling)
Port 10000-20000 UDP for RTP (call media; must match rtpstart/rtpend in /etc/asterisk/rtp.conf)
Port 22 TCP for SSH (remote administration)
Port 80 & 443 TCP for HTTP/HTTPS (web GUI)

Two things to consider before putting this on an untrusted network. First, every rule above accepts from any source address; if only local hosts need SSH, the web GUI and TFTP, add -s <your LAN>/24 to those rules. This matters most for TFTP, because the provisioning files it serves contain the phones’ SIP passwords. Second, the final LOG rule has no rate limit, so a port scan writes one syslog line per dropped packet; putting -m limit --limit 5/min in front of -j LOG keeps the log readable.

If you need to open another port, use the following syntax at the command line. Keep in mind that -A appends the new rule after the LOG rule, so matching packets are still logged (LOG does not stop rule processing) before they are accepted. To avoid that, insert the rule at the LOG rule’s position with -I INPUT <n> (iptables -L INPUT --line-numbers shows the position), or edit the file and re-import it with iptables-restore.

Example: SSH over TCP port 22

iptables -A INPUT -p tcp -m state --state NEW \
-m tcp --dport 22 -j ACCEPT

To specify a range of ports, use low:high as the destination port:

Example: RTP over UDP ports 10000-20000

iptables -A INPUT -p udp -m state --state NEW \
-m udp --dport 10000:20000 -j ACCEPT

You can then save the new configuration by doing:

/etc/init.d/iptables save

And if you’re completely satisfied and want to back up the configuration, export it again (this overwrites the file you imported earlier):

iptables-save > /etc/iptables.bak
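As an added example (not code from the original article or from the AsteriskNow project), here is the whole procedure as one POSIX shell script. It generates the ruleset in iptables-restore format from a few variables, restricts the management and provisioning ports to assumed local networks (MGMT_NET and PHONE_NET are placeholders; change them to your own), rate-limits the LOG rule, and provides an open_port helper that inserts new rules above the LOG rule instead of appending after it. Run it with no arguments to print the ruleset, or as root with the argument apply to load and save it.

```sh
#!/bin/sh
# Added example, not from the original article: build, load and extend the
# AsteriskNow INPUT ruleset. Assumptions (adjust to your network):
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"    # hosts allowed to reach SSH and the web GUI
PHONE_NET="${PHONE_NET:-192.168.1.0/24}"  # network the provisioned phones sit on
RTP_RANGE="${RTP_RANGE:-10000:20000}"     # must match rtpstart/rtpend in /etc/asterisk/rtp.conf
RULES_FILE="${RULES_FILE:-/etc/iptables.bak}"

# Print the ruleset in iptables-restore format. iptables-restore ignores '#' lines,
# so the comments can stay in the saved file.
build_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Management: SSH and the web GUI only from the admin network
-A INPUT -s $MGMT_NET -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s $MGMT_NET -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s $MGMT_NET -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Provisioning and time only from the phone network (TFTP serves files that contain SIP secrets)
-A INPUT -s $PHONE_NET -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT
-A INPUT -s $PHONE_NET -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
# Signalling and media from anywhere: SIP over UDP and the RTP range
-A INPUT -p udp -m state --state NEW -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport $RTP_RANGE -j ACCEPT
# Log what falls through to the DROP policy, but not faster than a scan can fill syslog
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP: "
COMMIT
EOF
}

# Number of ACCEPT rules in the generated ruleset; a quick sanity check after editing.
count_accepts() {
  build_rules | grep -c -- '-j ACCEPT'
}

# Read `iptables -L INPUT -n --line-numbers` output on stdin and print the
# position of the LOG rule, or 0 if there is none.
log_rule_index() {
  awk '$2 == "LOG" { print $1; found = 1; exit } END { if (!found) print 0 }'
}

# Open one more port, inserting above the LOG rule so accepted traffic is not
# logged as if it were dropped. Usage: open_port tcp 5061 [source-cidr]
open_port() {
  proto=$1; port=$2; src=${3:-0.0.0.0/0}
  idx=$(iptables -L INPUT -n --line-numbers | log_rule_index)
  if [ "$idx" -gt 0 ]; then pos="-I INPUT $idx"; else pos="-A INPUT"; fi
  # $pos is intentionally left unquoted so it splits into separate arguments
  iptables $pos -s "$src" -p "$proto" -m state --state NEW -m "$proto" --dport "$port" -j ACCEPT
}

# Write the ruleset to disk, load it, and persist it across reboots (root only).
apply_rules() {
  build_rules > "$RULES_FILE" &&
  iptables-restore < "$RULES_FILE" &&
  /etc/init.d/iptables save
}

case "${1:-print}" in
  apply) apply_rules ;;
  *)     build_rules ;;   # default: show what would be loaded without touching the firewall
esac
```

The FORWARD policy is DROP here because a phone server does not route; if the box really is a gateway, set it back to ACCEPT and add explicit FORWARD rules. After apply, confirm the result with iptables -L INPUT -n --line-numbers and check that the LOG rule is still last.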

2 Responses to “AsteriskNow – IPTables Firewall Configuration”


  1. Dani

    How would I have to configure the iptables if it’s running as a gateway?

  2. Ronny

    If it is a SIP gateway I would think you just need the SIP and RTP ports.