IPTables Firewall Configuration for SIP/VoIP on CentOS Rackspace Cloud

Firewalls are very important for servers with internet facing interfaces, and configuring the firewall properly is even more important. This is a guide on how to configure a strong iptables firewall on a CentOS server. With some small changes to the configuration below it could be used for web servers, database servers and really any other server.
The first step is to install iptables if it is not already. Then start the iptables service so we can make live changes to the config.
yum install iptables
/sbin/service iptables start
Once installed and started flush out the default configuration with the following command.
iptables -F
Now save the blank configuration.
/sbin/service iptables save
Here is where we make the firewall secure from the outside world. Below is a list of commands to run which will make realtime changes to the firewall to lock it down. After that I will explain the line items and how to change them for you.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 10.22.5.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 8.8.8.8/32 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
/sbin/service iptables save
-A INPUT -s 10.22.5.0/24 -p tcp –dport 22 -j ACCEPT – This line is opening up ssh to the source ip range of 10.22.5.1-.255 so any computer with a public ip address that matches will be able to use ssh. Using an ip address filter on ssh is a great way to prevent unauthorized access. This can be repeated for each range or single ip address needed as the line below it opens ssh to the  ip address 8.8.8.8.
iptables -A INPUT -p udp –dport 5060 -j ACCEPT – Here is where SIP port 5060 opens up to internet without any source ip address filter. An ip address filter can also be put on this and I would recommend for stronger security but sometimes that is just not possible.
iptables -A INPUT -p udp –dport 10000:20000 -j ACCEPT – Opening up the media ports for the rtp stream.
iptables -P INPUT DROP – Using this command is very important because it changes the iptables mode to drop all packets unless they match the predetermined rules we have just entered. Without using this command all the work above goes to waste and the firewall is wide open.

Comments