iptables for asterisk
If you’re running Asterisk on a VPS or a dedicated server then setting up your iptables firewall can be tricky.
I thought I’d post my firewall script to help get you started. I save this script as /usr/local/bin/firewall.sh and then add a line to run it from /etc/rc.local
It allows SSH access to the machine, adds the rules required for SIP connections (you will need other rules if you use IAX), and does some basic “bad stuff” filtering.
I’ve commented it so, hopefully, you’ll be able to figure out any changes you need.
#!/bin/bash
EXIF="eth0"
# Clear any existing firewall stuff before we start
/sbin/iptables --flush
# As the default policies, drop all incoming traffic but allow all
# outgoing traffic. This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT ACCEPT
# Allow all incoming traffic if it is coming from the local loopback device
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Accept all incoming traffic associated with an established connection, or a "related" connection
/sbin/iptables -A INPUT -i $EXIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Check new packets are SYN packets for syn-flood protection
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop fragmented packets. Note that large SIP messages sent over UDP can be
# fragmented, so remove this rule if big INVITEs start failing.
/sbin/iptables -A INPUT -f -j DROP
# Drop malformed XMAS packets
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop null packets
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Allow connections to port 22 - ssh. You can add other ports you need in here
/sbin/iptables -A INPUT -p tcp -i $EXIF --dport 22 -m state --state NEW -j ACCEPT
# Allow connections from my machines
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 100.101.5.182 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 200.123.88.196 -j ACCEPT
# Allow SIP connections
/sbin/iptables -A INPUT -p udp -i $EXIF --dport 5060 -m udp -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF --dport 5060 -m tcp -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF --dport 10000:20000 -m udp -j ACCEPT
# Allow icmp input so that people can ping us
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
# Log, then reject, any packets that are not allowed above. The LOG rule is
# commented out because it is unlimited and will fill your logs; only enable it
# while debugging.
#/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT
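The script above builds the ruleset one iptables call at a time, which leaves a short window after the flush and the DROP policy where nothing, including SSH, is allowed in yet. The added example below (mine, not the post's script) generates the same INPUT policy as an iptables-restore file, checks it without root, and loads it atomically with iptables-restore. The interface, ports and the two trusted hosts are taken from the post; RULES_FILE is an assumed path, the FORWARD DROP policy assumes the box does not route, and the catch-all LOG is rate-limited with the limit match so it can stay enabled.

```shell
#!/bin/bash
# Added example (not the original post's script): emit the same INPUT policy as
# an iptables-restore ruleset and load it atomically, so there is no moment
# where INPUT is already DROP but the SSH/SIP allow rules are not yet in place.
# Values below are assumptions; the two trusted hosts come from the post and
# RULES_FILE is a made-up path.
EXIF="eth0"
SSH_PORT=22
SIP_PORT=5060
RTP_RANGE="10000:20000"
TRUSTED_HOSTS="100.101.5.182 200.123.88.196"
RULES_FILE="/etc/iptables.rules"

# Emit a complete filter table in iptables-restore format. Order matters: the
# stateful ACCEPT first, the sanity drops next, then the explicit allows, and
# the rate-limited LOG plus REJECT last.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $EXIF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp -i $EXIF --dport $SSH_PORT -m state --state NEW -j ACCEPT
EOF
    # One ACCEPT per trusted host, so the list can grow without editing rules.
    for host in $TRUSTED_HOSTS; do
        echo "-A INPUT -p tcp -i $EXIF -m state --state NEW -s $host -j ACCEPT"
    done
    # The post's "-f" fragment drop is deliberately left out: big SIP INVITEs
    # over UDP can exceed the MTU and arrive fragmented.
    cat <<EOF
-A INPUT -p udp -i $EXIF --dport $SIP_PORT -j ACCEPT
-A INPUT -p tcp -i $EXIF --dport $SIP_PORT -j ACCEPT
-A INPUT -p udp -i $EXIF --dport $RTP_RANGE -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-reject: "
-A INPUT -j REJECT
COMMIT
EOF
}

# Root-free sanity check before anything touches the kernel: the SSH ACCEPT
# must appear before the catch-all REJECT, and the table must end with COMMIT.
check_rules() {
    local rules ssh_line reject_line
    rules=$(gen_rules)
    ssh_line=$(printf '%s\n' "$rules" | grep -n -- "--dport $SSH_PORT " | head -n 1 | cut -d: -f1)
    reject_line=$(printf '%s\n' "$rules" | grep -n -- "-j REJECT" | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$reject_line" ] && [ "$ssh_line" -lt "$reject_line" ] \
        && [ "$(printf '%s\n' "$rules" | tail -n 1)" = "COMMIT" ]
}

# Write the ruleset, let iptables-restore parse it without committing (--test),
# and only then swap it in. Needs root; rc.local can call this with --apply.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    check_rules || { echo "apply_rules: ruleset failed sanity check" >&2; return 1; }
    gen_rules > "$RULES_FILE"
    iptables-restore --test "$RULES_FILE" && iptables-restore "$RULES_FILE"
}

case "${1:-}" in
    --apply) apply_rules ;;
    --check) check_rules && echo "ruleset ok" ;;
    *)       gen_rules ;;
esac
```

Run it with no arguments to print the ruleset for review, with --check to run the ordering check, and with --apply as root to load it. Because iptables-restore replaces the whole table in one commit, a typo in the file is caught by --test before anything changes, and a successful load never passes through a state where the DROP policy is active without the allow rules.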