Firewall Configuration
sipXecs 4.6 manages the local iptables firewall on the server it's installed on. You can control some settings, or switch to Unmanaged mode, through the web interface (System -> Firewall).
Custom Rules with cfengine
If you want to have custom rules AND have sipxecs manage your firewall then you can use a cfengine plugin to write the custom rules. This solution survives upgrades and the sending of profiles. This works for the example below but make sure you test on a non-production system.
Edit the rules under the "insert_lines:"
Add file:
bundle agent firewall_custom { files: "/etc/sysconfig/iptables" comment => "Allow custom firewall in $(this.promiser)", create => "false", edit_line => custom_iptables_config, classes => if_repaired("iptables_edited"); commands: iptables_edited:: "/sbin/service iptables restart" comment => "Restarting iptables to load new config"; } bundle edit_line custom_iptables_config { insert_lines: "-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -m comment --comment 'apacheHttp' -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -m comment --comment 'apacheHttps' -j ACCEPT" location => before_the_accept_established_tcp_conns_rule; } body location before_the_accept_established_tcp_conns_rule { before_after => "before"; first_last => "first"; select_line_matching => "^-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED.*"; }
Adding Custom Rules to the Firewall Configuration
If you install third-party software onto the sipXecs server, you may need to open up additional firewall ports that sipXecs does not know about. In this case, you will either need to tell sipXecs not to manage the firewall configuration, or create a cfengine script to add the rule you need.
Here is a hint of how the latter might be accomplished- http://list.sipfoundry.org/archive/sipx-dev/msg27891.html
Here is an example of commands you can run (as root) to add a custom rule to the running config. This will not survive if/when sipXecs decides to rewrite the firewall configuration:
# allows any traffic from a certain subnet
iptables -A INPUT -s 10.1.2.3/24 -p tcp -j ACCEPT
/etc/init.d/iptables save
Disabling the Firewall (Redhat-based systems)
If you have a dedicated SIP-aware firewall, then you may find that to be a better choice for firewall protection then the firewall on the sipXpbx host machine.
To disable the firewall after the installation finished either of these commands for on Redhat systems:
Option 1: Configuration utility'
system-config-securitylevel-tui
Option 2: Turn of firewall service
/sbin/service iptables stop
/sbin/chkconfig iptables off
iptables configuration
If you must enable the firewall, here's a valid iptables configuration:
Here is a shell script to build a firewall configuration for your system. It is designed to work with RHEL's firewall utility (ie system-config-securitylevel-tui) enabled and everything turned off under customize (opening stuff unrelated to sipx here should have no effect – but it doesn't need anything open). It makes no special provisions for rtp, but doesn't seem to interfere due to not blocking outgoing traffic.
It adds a new table called voip with specific ports open to specific IPs in the INPUT table before the RH-Firewall-1-INPUT table. It does nothing other than open ports – leaving the closing of everything else up to the rhel default firewall. It will only touch its own table (and its reference in INPUT) so it should not affect any other firewall rules on the system.
It requires 3 files to be in /root/ each containing a list of (one per line) IPs, hostnames, networks with cidr/subnet mask (or any other valid --source input for iptables).
- firewall_gateway - Opens SIP ports 5060, 5070, 5080 (and optionally their TLS versions). Not sure if all these are needed for a gateway – 5070 could maybe be moved to user & admin only.
- firewall user - All of the above + provisioning ports (ftp/tftp), 5110 (status/MWI), http, and voicemail web interface.
- firewall_admin - All of the above + ports 8443 (admin web interface) and ssh.
<nowiki> #!/bin/sh # # Set this to YES for open a TLS hole. Anything else to close it. secure="YES" # # # First initialize the basic rules to block all with # /usr/bin/system-config-securitylevel-tui # Purge the old generated rules iptables --delete INPUT --jump voip 2> /dev/null iptables --flush voip 2> /dev/null iptables --delete-chain voip 2> /dev/null # Create the new ones iptables --new-chain voip iptables -I INPUT 1 --jump voip # Open admin ports cat /root/firewall_admin | while read IP; do iptables -A voip --source ${IP} --protocol tcp --destination-port 8443 -j ACCEPT # Admin web interface iptables -A voip --source ${IP} --protocol tcp --destination-port 22 -j ACCEPT done; # Open gateway ports cat /root/firewall_admin /root/firewall_user /root/firewall_gateway| while read IP; do # Allow sip over TCP iptables -A voip --source ${IP} --protocol tcp --destination-port 5060 -j ACCEPT # Calls iptables -A voip --source ${IP} --protocol tcp --destination-port 5070 -j ACCEPT # Reg iptables -A voip --source ${IP} --protocol tcp --destination-port 5080 -j ACCEPT # Auth # Allow sip over UDP iptables -A voip --source ${IP} --protocol udp --destination-port 5060 -j ACCEPT # Calls iptables -A voip --source ${IP} --protocol udp --destination-port 5070 -j ACCEPT # Reg iptables -A voip --source ${IP} --protocol udp --destination-port 5080 -j ACCEPT # Auth if [ "$secure" == "YES" ] then # Allow sip TLS over TCP iptables -A voip --source ${IP} --protocol tcp --destination-port 5061 -j ACCEPT # Calls iptables -A voip --source ${IP} --protocol tcp --destination-port 5071 -j ACCEPT # Reg iptables -A voip --source ${IP} --protocol tcp --destination-port 5081 -j ACCEPT # Auth fi done; # Open user ports cat /root/firewall_admin /root/firewall_user | while read IP; do # Allow provisioning iptables -A voip --source ${IP} --protocol udp --destination-port tftp -j ACCEPT iptables -A voip --source ${IP} --protocol tcp --destination-port ftp -j ACCEPT # MWI iptables -A voip --source ${IP} --protocol tcp --destination-port 5110 -j ACCEPT # Status/MWI iptables -A voip --source ${IP} --protocol udp --destination-port 5110 -j ACCEPT # Status/MWI if [ "$secure" == "YES" ] then iptables -A voip --source ${IP} --protocol tcp --destination-port 5111 -j ACCEPT # Status/MWI fi # Allow Web iptables -A voip --source ${IP} --protocol tcp --destination-port http -j ACCEPT iptables -A voip --source ${IP} --protocol tcp --destination-port 8091 -j ACCEPT # Voicemail web interface done; # Save /sbin/service iptables save </nowiki>