A dedicated SIP-aware firewall in front of the PBX is the better choice for firewall protection, so there is no need to run a host firewall on the sipXpbx machine itself.

Disabling Firewall on Redhat-based systems

After the installation has finished, disable the firewall on Redhat systems with either of these:

Option 1: Configuration utility

system-config-securitylevel-tui

Option 2: Turn off the firewall service (the first command stops it now, the second keeps it from starting at boot)

/sbin/service iptables stop
/sbin/chkconfig iptables off

iptables configuration

If you must run a firewall on the host, the shell script below builds a working iptables configuration for it. It is designed to run with RHEL's firewall utility (system-config-securitylevel-tui) enabled and every service unchecked under Customize; opening unrelated services there has no effect on it, and it needs nothing opened. It makes no special provision for RTP. In practice that has not interfered, because the default RHEL rules do not block outgoing traffic and accept replies to connections the host opened itself (the ESTABLISHED/RELATED rule), but media that a remote endpoint sends first will be dropped unless you open the RTP port range as well.

It adds a new chain called voip, inserted as the first rule of INPUT so it is consulted before the RH-Firewall-1-INPUT chain, and fills it with ACCEPT rules for specific ports from specific sources. It does nothing but open ports; closing everything else is left to the RHEL default firewall. It only touches its own chain (and the jump to it in INPUT), so it should not disturb any other firewall rules on the system.

It requires three files in /root/, each a list with one entry per line: IPs, hostnames, networks in CIDR or netmask form (or any other valid --source argument for iptables). Hostnames are resolved by iptables when the rule is loaded, not when a packet arrives, so prefer addresses where you can. Keep every entry to a host or network you trust: a 0.0.0.0/0 entry in firewall_admin opens ssh and the admin interface to the whole Internet.

  • firewall_gateway - Opens the SIP ports 5060, 5070 and 5080 over TCP and UDP (and optionally their TLS versions 5061, 5071 and 5081). Not sure if all of these are needed for a gateway; 5070 could perhaps be moved to user and admin only.
  • firewall_user - All of the above plus the provisioning ports (ftp/tftp), 5110 (status/MWI, plus 5111 for TLS), http, and the voicemail web interface (8091).
  • firewall_admin - All of the above plus 8443 (admin web interface) and ssh (22).
#!/bin/sh
#
# Set this to YES to also open the SIP-over-TLS ports. Anything else leaves them closed.
secure="YES"
#
# First initialize the basic rules to block everything with
# /usr/bin/system-config-securitylevel-tui

# Address lists, one entry per line (IP, hostname, network in CIDR or netmask
# form; anything iptables accepts for --source). Blank lines and anything after
# a # are skipped so they cannot turn into a malformed rule.
ADMIN=/root/firewall_admin
USERS=/root/firewall_user
GATEWAY=/root/firewall_gateway

addresses() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$@" | grep -v '^$'
}

# Purge the old generated rules (these fail harmlessly on the first run)
iptables --delete INPUT --jump voip 2> /dev/null
iptables --flush voip 2> /dev/null
iptables --delete-chain voip 2> /dev/null

# Create the new chain and make it the first rule in INPUT
iptables --new-chain voip
iptables -I INPUT 1 --jump voip

# Open admin ports
addresses $ADMIN | while read -r IP
do
    iptables -A voip --source "$IP" --protocol tcp --destination-port 8443 -j ACCEPT  # Admin web interface
    iptables -A voip --source "$IP" --protocol tcp --destination-port 22 -j ACCEPT    # ssh
done

# Open gateway ports (admins and users get these as well)
addresses $ADMIN $USERS $GATEWAY | while read -r IP
do
    # Allow SIP over TCP
    iptables -A voip --source "$IP" --protocol tcp --destination-port 5060 -j ACCEPT  # Calls
    iptables -A voip --source "$IP" --protocol tcp --destination-port 5070 -j ACCEPT  # Reg
    iptables -A voip --source "$IP" --protocol tcp --destination-port 5080 -j ACCEPT  # Auth

    # Allow SIP over UDP
    iptables -A voip --source "$IP" --protocol udp --destination-port 5060 -j ACCEPT  # Calls
    iptables -A voip --source "$IP" --protocol udp --destination-port 5070 -j ACCEPT  # Reg
    iptables -A voip --source "$IP" --protocol udp --destination-port 5080 -j ACCEPT  # Auth

    if [ "$secure" = "YES" ]
    then
        # Allow SIP over TLS (TCP only)
        iptables -A voip --source "$IP" --protocol tcp --destination-port 5061 -j ACCEPT  # Calls
        iptables -A voip --source "$IP" --protocol tcp --destination-port 5071 -j ACCEPT  # Reg
        iptables -A voip --source "$IP" --protocol tcp --destination-port 5081 -j ACCEPT  # Auth
    fi
done

# Open user ports (admins get these as well)
addresses $ADMIN $USERS | while read -r IP
do
    # Allow phone provisioning
    iptables -A voip --source "$IP" --protocol udp --destination-port tftp -j ACCEPT
    iptables -A voip --source "$IP" --protocol tcp --destination-port ftp -j ACCEPT

    # Status/MWI
    iptables -A voip --source "$IP" --protocol tcp --destination-port 5110 -j ACCEPT
    iptables -A voip --source "$IP" --protocol udp --destination-port 5110 -j ACCEPT

    if [ "$secure" = "YES" ]
    then
        iptables -A voip --source "$IP" --protocol tcp --destination-port 5111 -j ACCEPT  # Status/MWI over TLS
    fi

    # Allow web
    iptables -A voip --source "$IP" --protocol tcp --destination-port http -j ACCEPT
    iptables -A voip --source "$IP" --protocol tcp --destination-port 8091 -j ACCEPT  # Voicemail web interface
done

# Save, so the rules are reloaded when the iptables service starts
/sbin/service iptables save
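After running the script, check what the ruleset actually opens before trusting it. The audit script below is an added example and not part of the sipX page or project. It reads an iptables-save dump on stdin and verifies that the jump to voip is the first rule in INPUT, flags any voip ACCEPT rule that carries no source restriction (iptables-save omits -s when the source is 0.0.0.0/0, which is what a 0.0.0.0/0 entry in one of the /root/firewall_* files produces), and lists the ports open to each remaining source. The embedded dump is a constructed sample in the shape iptables-save writes for this setup; the addresses 192.0.2.10 and 192.0.2.0/24 are made-up documentation addresses, and its last voip rule is deliberately unrestricted so the audit has something to report.

```shell
#!/bin/sh
# Added example (not sipX project code): audit the ruleset generated by the
# firewall script on this page. Reads an iptables-save dump from stdin.
#
# Checks performed:
#   1. the jump to the voip chain is the first rule of INPUT, so it is
#      consulted before RH-Firewall-1-INPUT rejects the packet;
#   2. every ACCEPT rule in voip carries a source restriction. iptables-save
#      omits "-s" when the source is 0.0.0.0/0, so a voip rule without -s is
#      open to the whole world;
#   3. the ports open to each remaining source are listed for review.
# Exit status: 0 if no problems were found, 1 otherwise.

audit_voip_rules() {
    awk '
    /^-A INPUT / {
        input_rules++
        if ($0 ~ / -j voip$/) {
            saw_jump = 1
            if (input_rules != 1)
                problems[np++] = "PROBLEM: -j voip is rule " input_rules " of INPUT, not rule 1"
        }
    }
    /^-A voip / {
        src = ""; proto = ""; dport = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-s")      src    = $(i + 1)
            if ($i == "-p")      proto  = $(i + 1)
            if ($i == "--dport") dport  = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (target != "ACCEPT") next        # only ACCEPT rules open anything
        sub(/\/32$/, "", src)               # newer iptables-save writes hosts as a.b.c.d/32
        if (src == "" || src == "0.0.0.0/0") {
            problems[np++] = "PROBLEM: open to any source: " $0
            next
        }
        if (!(src in opened)) order[no++] = src
        opened[src] = opened[src] " " proto "/" dport
    }
    END {
        if (!saw_jump) problems[np++] = "PROBLEM: INPUT never jumps to voip"
        for (i = 0; i < np; i++) print problems[i]
        for (i = 0; i < no; i++) print "open to " order[i] ":" opened[order[i]]
        exit (np > 0)
    }'
}

# Constructed sample in the shape iptables-save produces for this setup
# (documentation addresses, not a real dump). The last voip rule deliberately
# lacks -s, as a 0.0.0.0/0 entry in /root/firewall_admin would produce.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:voip - [0:0]
-A INPUT -j voip
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A voip -s 192.0.2.10/32 -p tcp -m tcp --dport 8443 -j ACCEPT
-A voip -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A voip -s 192.0.2.0/24 -p udp -m udp --dport 5060 -j ACCEPT
-A voip -s 192.0.2.0/24 -p tcp -m tcp --dport 5060 -j ACCEPT
-A voip -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

case "${1:-}" in
    demo)  printf '%s\n' "$SAMPLE_RULES" | audit_voip_rules ;;   # run against the sample
    audit) audit_voip_rules ;;                                   # iptables-save | sh audit_voip.sh audit
esac
```

Run it as `sh audit_voip.sh demo` to see the sample flagged, or `iptables-save | sh audit_voip.sh audit` against the live ruleset (the saved /etc/sysconfig/iptables works as input too). A non-zero exit status means at least one PROBLEM line was printed; the "open to" lines are the per-source summary to compare against what you intended each address file to grant.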