Firewalls are very important for servers with internet facing
interfaces, and configuring the firewall properly is even more
important. This is a guide on how to configure a strong iptables
firewall on a CentOS server. With some small changes to the
configuration below it could be used for web servers, database servers
and really any other server.
The first step is to install iptables if it is not already. Then start the iptables service so we can make live changes to the config.
iptables -A INPUT -p udp –dport 5060 -j ACCEPT – Here is where SIP port 5060 opens up to internet without any source ip address filter. An ip address filter can also be put on this and I would recommend for stronger security but sometimes that is just not possible.
iptables -A INPUT -p udp –dport 10000:20000 -j ACCEPT – Opening up the media ports for the rtp stream.
iptables -P INPUT DROP – Using this command is very important because it changes the iptables mode to drop all packets unless they match the predetermined rules we have just entered. Without using this command all the work above goes to waste and the firewall is wide open.
The first step is to install iptables if it is not already. Then start the iptables service so we can make live changes to the config.
yum install iptables /sbin/service iptables startOnce installed and started flush out the default configuration with the following command.
iptables -FNow save the blank configuration.
/sbin/service iptables saveHere is where we make the firewall secure from the outside world. Below is a list of commands to run which will make realtime changes to the firewall to lock it down. After that I will explain the line items and how to change them for you.
iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -s 10.22.5.0/24 -p tcp --dport 22 -j ACCEPT iptables -A INPUT -s 8.8.8.8/32 -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p udp --dport 5060 -j ACCEPT iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT /sbin/service iptables save-A INPUT -s 10.22.5.0/24 -p tcp –dport 22 -j ACCEPT – This line is opening up ssh to the source ip range of 10.22.5.1-.255 so any computer with a public ip address that matches will be able to use ssh. Using an ip address filter on ssh is a great way to prevent unauthorized access. This can be repeated for each range or single ip address needed as the line below it opens ssh to the ip address 8.8.8.8.
iptables -A INPUT -p udp –dport 5060 -j ACCEPT – Here is where SIP port 5060 opens up to internet without any source ip address filter. An ip address filter can also be put on this and I would recommend for stronger security but sometimes that is just not possible.
iptables -A INPUT -p udp –dport 10000:20000 -j ACCEPT – Opening up the media ports for the rtp stream.
iptables -P INPUT DROP – Using this command is very important because it changes the iptables mode to drop all packets unless they match the predetermined rules we have just entered. Without using this command all the work above goes to waste and the firewall is wide open.
Comments