This page details the basic access rules.

Iptables

VoipNow is installed on top of a Linux distribution with iptables installed by default.

With iptables, you can write your own set of firewall rules that allow only known subnets to access your server. Before anything else, make sure the iptables service is set to start at boot:

chkconfig iptables on

Verify default rules

To verify the default set of rules, use the following command:

#> iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The default policy is set to ACCEPT.

The INPUT chain filters incoming connections, and the OUTPUT chain filters traffic leaving the server toward any destination. The FORWARD chain holds the rules that filter connections passing through to other servers protected by the firewall; it is mainly relevant on a router and not on a standalone server.

Ensure proper communication

To ensure a proper communication between your server and the registered phones or providers, you need to open some ports (5050, 5060, 5061 on TCP and UDP).

There are ports that should not be filtered, such as:

On TCP

25: port for remote SMTP connections, used by the email2fax feature
5222, 5280, 5269: IM ports
11211: Redis; should be open for localhost only, and opened for remote access only in special configurations

On UDP

10000-20000: this range of UDP ports must be open for the RTP (audio) traffic
53: DNS port, must be open for outgoing DNS requests
69: the TFTP port used for provisioning
4000-5999: used by T.38 (fax) signaling

Some ports can be filtered to allow connection only from particular locations. For example, we can control SSH access towards our server and the access to the web interface.

Assuming we want to drop all connections coming towards our server on ports 443 and 80:

iptables -I INPUT -d <VoipNow server IP address> -p tcp --match multiport --dport 443,80 -j DROP

To allow connections from specified IPs, run the following:

iptables -I INPUT -s <IP address of the client> -p tcp --match multiport --dport 443,80 -j ACCEPT

or from subnets:

iptables -I INPUT -s <subnet of the client>/<netmask of the client subnet> -p tcp --match multiport --dport 443,80 -j ACCEPT

Assuming that we want to block SSH access and allow it only from a specified IP address, you can use:

iptables -I INPUT -s <IP address of the client> -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -d <IP address of the VoipNow box> -p tcp --dport 22 -j DROP

Keep in mind that rules are evaluated in order, from the top of the chain down, and the first matching rule decides: the ACCEPT rules must come before the DROP or REJECT rules, which is why the examples above insert ACCEPT rules at the top with -I and append the DROP rule at the end with -A. Rules added this way are held in memory only; if the server is restarted, they no longer apply.

To reapply the rule at server restart, save them using the following command:

/etc/init.d/iptables save
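The commands above add rules one at a time; the file that `/etc/init.d/iptables save` writes (`/etc/sysconfig/iptables`) uses the iptables-restore format, which lets you write the whole policy down, review it, and load it atomically. The following script is an added example, not part of the VoipNow documentation: it generates such a ruleset from the port list on this page and the management restriction described above, and checks the ordering rule (every ACCEPT before any DROP). The server address and admin subnet are assumed placeholders, and the INPUT policy is tightened from the page's ACCEPT to DROP, so the listed ports are opened explicitly and return traffic is admitted through connection tracking.

```shell
#!/bin/sh
# Added example (not VoipNow's own code). Emits an iptables-restore ruleset
# implementing the access policy described on this page. The server IP and
# the admin subnet passed in are assumptions; pick your own values.
# Review the output, then load it as root with:
#   gen_rules 203.0.113.10 198.51.100.0/24 | iptables-restore
# and persist it with /etc/init.d/iptables save.

gen_rules() {
    server_ip="$1"   # address of the VoipNow box (assumed placeholder)
    admin_net="$2"   # subnet allowed to reach SSH and the web interface
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback (keeps Redis on 11211 reachable locally only) and replies to
# connections the server opened itself, e.g. outgoing DNS on UDP 53
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SIP signaling from phones and providers, TCP and UDP
-A INPUT -d $server_ip -p tcp -m multiport --dports 5050,5060,5061 -j ACCEPT
-A INPUT -d $server_ip -p udp -m multiport --dports 5050,5060,5061 -j ACCEPT
# RTP audio and T.38 fax
-A INPUT -d $server_ip -p udp --dport 10000:20000 -j ACCEPT
-A INPUT -d $server_ip -p udp --dport 4000:5999 -j ACCEPT
# TFTP provisioning, IM, and SMTP for email2fax
-A INPUT -d $server_ip -p udp --dport 69 -j ACCEPT
-A INPUT -d $server_ip -p tcp -m multiport --dports 5222,5269,5280 -j ACCEPT
-A INPUT -d $server_ip -p tcp --dport 25 -j ACCEPT
# management (SSH, web interface) only from the admin subnet; the ACCEPT
# lines must precede the DROP line because the first match wins
-A INPUT -s $admin_net -d $server_ip -p tcp --dport 22 -j ACCEPT
-A INPUT -s $admin_net -d $server_ip -p tcp -m multiport --dports 80,443 -j ACCEPT
# explicit DROP so blocked attempts show up as a hit counter in iptables -nvL
# (the DROP policy would catch them anyway)
-A INPUT -d $server_ip -p tcp -m multiport --dports 22,80,443 -j DROP
COMMIT
EOF
}

# Returns 0 when the last ACCEPT rule appears before the first DROP/REJECT
# rule, i.e. no allow rule is shadowed by a deny rule placed above it.
rule_order_ok() {
    last_accept=$(printf '%s\n' "$1" | grep -n -- '-j ACCEPT' | tail -n 1 | cut -d: -f1)
    first_deny=$(printf '%s\n' "$1" | grep -n -E -- '-j (DROP|REJECT)' | head -n 1 | cut -d: -f1)
    [ -z "$first_deny" ] && return 0
    [ "${last_accept:-0}" -lt "$first_deny" ]
}

# Stand-alone usage: print the ruleset and confirm the ordering.
ruleset=$(gen_rules 203.0.113.10 198.51.100.0/24)
printf '%s\n' "$ruleset"
rule_order_ok "$ruleset" && echo "# ordering OK: all ACCEPT rules precede the DROP rule"
```

Loading the file with iptables-restore replaces the running ruleset in one step, so a half-applied policy cannot leave SIP or RTP ports closed while phones re-register; keep an out-of-band console available the first time you apply a default-deny INPUT policy, since a mistake in the admin subnet locks out SSH.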

Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 4.0 International.