AsteriskNow – IPTables Firewall Configuration
In a previous guide I discussed how to set up an AsteriskNow server with Polycom phone support. In this guide I will illustrate how to tighten up your server's security by using the IPTables firewall already installed in the distribution.
IPTables should already be set up and running on the server; however, no rules have been applied. You can verify this by running the following as the root user:
chkconfig iptables --list
This should report the following:
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Verify there are no rules present:
iptables -L -v
You should see:
Chain INPUT (policy ACCEPT 91 packets, 10124 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 75 packets, 8607 bytes)
 pkts bytes target     prot opt in     out     source               destination
Now it’s time to add some rules. You can copy the following text to a file and import it into IPTables:
# Generated by iptables-save v1.3.5 on Sat Aug 13 17:34:43 2011
*filter
:INPUT DROP [19:2463]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [897:135843]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A INPUT -j LOG
COMMIT
# Completed on Sat Aug 13 17:34:43 2011
Save the file as iptables.bak and copy it to /etc/iptables.bak
Now import the file into IPTables:
iptables-restore < /etc/iptables.bak
And verify that the rules have been committed:
iptables -L -v
You should now see:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
   51  3852 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:https
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:sip
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpts:ndmp:dnp
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:tftp
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:ntp
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level warning

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 26 packets, 2616 bytes)
 pkts bytes target     prot opt in     out     source               destination
Now save the new IPTables settings:
/etc/init.d/iptables save
That's it! Your server is now blocking all incoming traffic by default and only allowing connections on the ports it needs to do its job. Specifically:
Port 123 UDP for NTP (Time)
Port 69 UDP for TFTP (Phone provisioning)
Port 5060 UDP for SIP (Phone Calls)
Port 10000-20000 UDP for RTP (Phone Calls)
Port 22 TCP for SSH (SSH Connection)
Port 80 & 443 TCP for HTTP/HTTPS (Web)
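The following script is an added example and is not part of the original guide. It generates the same kind of iptables-restore file shown above from a list of protocol:port entries, validating each entry before anything is written, so a typo in a port number produces an error instead of a silently wrong rule. The ADMIN_NET variable is an assumption of this example: when set, the SSH rule is restricted to that source subnet, which is the one change a practitioner would most commonly want over the guide's allow-from-anywhere rule; leave it empty to reproduce the guide's ruleset exactly.

```shell
#!/bin/sh
# Added example, not part of the original guide: build the iptables-restore
# file from a list of service specs instead of editing it by hand.
# A spec is proto:port or proto:first-last, e.g. udp:10000-20000.
# ADMIN_NET is an assumed management subnet; when set, SSH (tcp:22) is
# accepted only from that subnet. Leave it empty for the guide's behaviour.
ADMIN_NET="${ADMIN_NET:-}"

# Validate one spec: protocol must be tcp or udp, ports 1..65535, first <= last.
check_spec() {
    proto="${1%%:*}"
    ports="${1#*:}"
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    first="${ports%%-*}"
    last="${ports#*-}"
    case "$first" in ''|*[!0-9]*) return 1 ;; esac
    case "$last"  in ''|*[!0-9]*) return 1 ;; esac
    if [ "$first" -ge 1 ] && [ "$last" -le 65535 ] && [ "$first" -le "$last" ]; then
        return 0
    fi
    return 1
}

# Emit one INPUT rule for a spec; an optional second argument restricts the source.
rule_for() {
    proto="${1%%:*}"
    ports=$(printf '%s' "${1#*:}" | tr '-' ':')   # iptables writes ranges as first:last
    src=""
    if [ -n "${2:-}" ]; then
        src="-s $2 "
    fi
    printf '%s\n' "-A INPUT ${src}-p $proto -m state --state NEW -m $proto --dport $ports -j ACCEPT"
}

# Write a complete iptables-restore file to stdout; fails on any bad spec.
build_ruleset() {
    for spec in "$@"; do
        check_spec "$spec" || { echo "bad spec: $spec" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for spec in "$@"; do
        if [ "$spec" = "tcp:22" ] && [ -n "$ADMIN_NET" ]; then
            rule_for "$spec" "$ADMIN_NET"
        else
            rule_for "$spec"
        fi
    done
    # LOG stays last so anything that falls through to the DROP policy is recorded.
    printf '%s\n' '-A INPUT -j LOG' 'COMMIT'
}

# The guide's port list; written to stdout so it can be reviewed first.
build_ruleset tcp:22 tcp:80 tcp:443 udp:5060 udp:10000-20000 udp:69 udp:123
```

To use it the way the guide does, redirect the output to /etc/iptables.bak and load it with iptables-restore, then verify with iptables -L -v as shown above. The loopback and RELATED,ESTABLISHED rules are emitted first and the LOG rule last, matching the order of the guide's file, so the generated file behaves identically when ADMIN_NET is empty.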
If you need to open another port just use the following syntax at the command line:
Example for SSH over TCP port 22:
iptables -A INPUT -p tcp -m state --state NEW \
    -m tcp --dport 22 -j ACCEPT
To specify a range of ports do the following:
Example for RTP over UDP ports 10000-20000:
iptables -A INPUT -p udp -m state --state NEW \
    -m udp --dport 10000:20000 -j ACCEPT
You can then save the new configuration by doing:
/etc/init.d/iptables save
And if you're completely satisfied and want to back up the configuration, do:
iptables-save > /etc/iptables.bak
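The helper below is an added example, not part of the original guide. It covers two things the "open another port" commands above leave to the operator: checking that the port is not already allowed (running the -A command twice leaves a duplicate rule), and placing the new rule ahead of the final LOG rule rather than appending after it, since -A lands behind LOG and every new connection on that port would then be logged at warning level before being accepted. It reads iptables-save output on stdin (the same format as /etc/iptables.bak) and only prints the command to run; the SAMPLE_SAVE text is a constructed sample, and the function name plan_allow is this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: decide how to open one more
# port without duplicating a rule or landing it behind the final LOG rule.
# Reads iptables-save output on stdin and prints the iptables command to run;
# it does not change the firewall itself.
# Exit status: 0 = command printed, 1 = bad arguments, 2 = port already allowed.
plan_allow() {
    proto="$1"
    port="$2"   # single port or first:last range, as iptables expects
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9:]*) echo "bad port: $port" >&2; return 1 ;; esac
    awk -v proto="$proto" -v port="$port" '
        /^-A INPUT / {
            n++                                   # position of this rule in INPUT
            if ($0 ~ ("-p " proto " ") && $0 ~ ("--dport " port " ") && / -j ACCEPT$/)
                found = 1
            if (/ -j LOG$/ && !logpos)
                logpos = n                        # first LOG rule; insert before it
        }
        END {
            if (found) { print "already allowed: " proto "/" port; exit 2 }
            pos = logpos ? logpos : n + 1         # no LOG rule: append at the end
            printf "iptables -I INPUT %d -p %s -m state --state NEW -m %s --dport %s -j ACCEPT\n",
                   pos, proto, proto, port
        }'
}

# Constructed sample of iptables-save output in the shape of the guide's ruleset.
SAMPLE_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5060 -j ACCEPT
-A INPUT -j LOG
COMMIT'

# Prints: iptables -I INPUT 5 -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT
printf '%s\n' "$SAMPLE_SAVE" | plan_allow udp 69
```

On the server itself the input comes from the live ruleset, for example iptables-save | plan_allow udp 69, and the printed command is then run by hand followed by /etc/init.d/iptables save as the guide describes. Because -I takes the rule position, the new ACCEPT goes in at the LOG rule's slot and LOG shifts down one, keeping the log-then-drop behaviour for everything else.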