Firewall
Divide network interfaces into “internal” and “external”.
All traffic must be allowed on the internal interface.
For the external interface:
The following inbound (INPUT) ports are opened:
HTTP(S): TCP ports 80 and 443 for the web services (REST API, Administrative Interface, Client Interface, WebRTC, …)
UDP/1025–5067 and UDP/5069–65535 for RTP/SIP (UDP/5080 and TCP/5080 must be closed).
Extra ports according to the "listen_list" parameter of the "[Kamailio Sbc]" section in the file /etc/ringme/main.cfg.
SSH: TCP port 22 (fail2ban may be used).
Example for the external interface (named “ens18” here):
root@somehost:/home/ucom4b# cat /etc/iptables/rules.v4
*filter
# Chain policies: INPUT, FORWARD and OUTPUT default to ACCEPT, so anything
# not explicitly rejected below is allowed. The external interface (ens18)
# is fenced off only by the final "-A INPUT -i ens18 -j REJECT" rule;
# traffic on any other (internal) interface falls through to the ACCEPT policy.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# One user-defined chain per service. Each ends with RETURN, so a packet that
# matches nothing in a chain continues down INPUT to the next chain and,
# eventually, to the REJECT.
:kamailio - [0:0]
:freeswitch - [0:0]
:web - [0:0]
# prepare
# Loopback and ICMP carry no "-i" match, so they are accepted on every
# interface, and all ICMP types are accepted (not only echo/unreachable).
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# accept out, established
# Return traffic for connections the host initiated. "-m state" is the legacy
# match; "-m conntrack --ctstate" is the current equivalent — TODO confirm
# which one the target kernel/iptables build is expected to use before changing.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#main section
# No "-i ens18" here: TCP/22 is reachable on all interfaces, external included.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Service chains run in this order: kamailio, then freeswitch, then web.
# Order matters — a port ACCEPTed in an earlier chain never reaches a later one.
-A INPUT -i ens18 -j kamailio
-A INPUT -i ens18 -j freeswitch
-A INPUT -i ens18 -j web
# deny other
# Everything else arriving on ens18 is rejected with an ICMP error (the sender
# sees "host prohibited" rather than a silent timeout). Forwarding is rejected
# entirely: this host is not meant to route between interfaces.
-A INPUT -i ens18 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Kamailio (SIP): UDP/5060 and UDP/5068 only; SIP over TCP/5060 is deliberately
# left disabled. Extra ports from the "listen_list" parameter of the
# "[Kamailio Sbc]" section in /etc/ringme/main.cfg belong in this chain,
# as ACCEPT rules placed above the RETURN.
#-A kamailio -i ens18 -p tcp -m tcp --dport 5060 -j ACCEPT -m comment --comment "SIP traffic - TCP (disabled)"
-A kamailio -i ens18 -p udp -m udp --dport 5060 -j ACCEPT -m comment --comment "SIP traffic - UDP"
-A kamailio -i ens18 -p udp -m udp --dport 5068 -j ACCEPT -m comment --comment "SIP traffic - UDP"
-A kamailio -j RETURN
# 5080 - freeswitch sip port, drop it, all another ports accept
# The two DROP rules must stay above the RTP ACCEPT: 5080 lies inside
# 1025:65535, so swapping the order would expose FreeSWITCH's SIP port.
# DROP (not REJECT) is used here, so probes of 5080 get no reply at all.
-A freeswitch -i ens18 -p tcp -m tcp --dport 5080 -j DROP
-A freeswitch -i ens18 -p udp -m udp --dport 5080 -j DROP
# RTP media range. UDP/5068 also falls in this range, but it was already
# accepted by the kamailio chain above and never gets here.
-A freeswitch -i ens18 -p udp -m udp --dport 1025:65535 -j ACCEPT -m comment --comment "RTP"
-A freeswitch -j RETURN
#
# Web: HTTP and HTTPS only (REST API, administrative/client interfaces, WebRTC).
-A web -i ens18 -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "HTTP"
-A web -i ens18 -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "HTTPS"
-A web -j RETURN
#
COMMIT