Iptables on debian

From FreeSWITCH Wiki


Warning

Superseded by https://confluence.freeswitch.org/display/FREESWITCH/Firewall#Firewall-debianIptablesondebian
This is a basic firewall setup for a FreeSWITCH host using just iptables on Debian Squeeze. It accepts SSH, SIP (UDP, TCP and TLS) and RTP inbound, marks outbound SIP and RTP with DSCP for QoS, and rejects everything else. It applies to this host only; there is no NAT and no forwarding.

Back up your current iptables rules, so you can restore them if the new set locks you out

iptables-save > ~/iptables.up.rules.vanilla

Create new rules

Keep only the lines for services this host actually runs; every open port is attack surface on a box that is going to sit on a public address taking SIP calls.

vim ~/iptables.fs.rules
*mangle
# mark SIP UDP packets with CS3
-A OUTPUT -p udp -m udp --sport 5060 -j DSCP --set-dscp-class cs3
# mark SIP TCP packets with CS3
-A OUTPUT -p tcp --sport 5060 -j DSCP --set-dscp-class cs3
# mark SIP TLS packets with CS3
-A OUTPUT -p tcp --sport 5061 -j DSCP --set-dscp-class cs3
# mark RTP packets with EF (16384-32768 is the FreeSWITCH default; match it to rtp-start-port/rtp-end-port in switch.conf.xml)
-A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp-class ef
COMMIT
*filter
# Allow all loopback (lo) traffic
-A INPUT -i lo -j ACCEPT
# Reject all traffic to 127/8 that doesn't arrive on lo
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections (this also keeps your current SSH session alive while you test)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow SSH connections (THE --dport NUMBER MUST BE THE SAME ONE YOU SET UP IN sshd_config, OR YOU WILL LOCK YOURSELF OUT)
-A INPUT -p tcp -m state --state NEW --dport 6245 -j ACCEPT
# Allow STUN service (used for NAT traversal); remove these two lines if this host runs no STUN server
-A INPUT -p udp --dport 3478 -j ACCEPT
-A INPUT -p udp --dport 3479 -j ACCEPT
# Allow MLP protocol server
-A INPUT -p tcp --dport 5002 -j ACCEPT
# Allow Neighborhood service
-A INPUT -p udp --dport 5003 -j ACCEPT
# Allow SIP UDP
-A INPUT -p udp --dport 5060 -j ACCEPT
# Allow SIP TCP
-A INPUT -p tcp --dport 5060 -j ACCEPT
# Allow SIP TLS
-A INPUT -p tcp --dport 5061 -j ACCEPT
# Allow RTP (same range as the mangle rule above)
-A INPUT -p udp --dport 16384:32768 -j ACCEPT
# Allow XML-RPC (mod_xml_rpc, port 8080) from one trusted host only (replace 192.168.0.122 with the IP that will access it).
# The event socket (ESL, mod_event_socket, port 8021) is a different service; it is deliberately not opened here and stays reachable only via lo.
-A INPUT -p tcp --dport 8080 -s 192.168.0.122 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied packets, rate limited (view with the 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound: default deny unless explicitly allowed
-A INPUT -j REJECT
# This host does not route; reject anything that would be forwarded
-A FORWARD -j REJECT
COMMIT

Turn on the rules

iptables-restore < ~/iptables.fs.rules

The rules are now active. Keep the SSH session you loaded them from open (it survives through the ESTABLISHED,RELATED rule), test by opening a new SSH session and by placing a call, and adjust the file until you are happy. A wrong --dport on the SSH rule is the classic way to lock yourself out of a remote box, so check that first.
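The two checks a practitioner wants before running iptables-restore over SSH are: does the rules file actually accept new TCP connections to the port sshd listens on, and is there a way back if it does not. The following is an added example for this page, not code from the FreeSWITCH wiki or project. It assumes the rules file and sshd_config paths are passed as arguments, that sshd_config uses a single Port directive (22 if absent), and that a backgrounded sleep is an acceptable rollback timer; the function names and the /tmp pid file are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the FreeSWITCH wiki): guard a remote
# "iptables-restore < ~/iptables.fs.rules" with a pre-flight check and a
# timed rollback to the backup taken with iptables-save.
# Assumed: paths come in as arguments; sshd_config has one "Port" line
# (22 if none); rollback timer is a backgrounded sleep; pid file in /tmp.

# Print the port sshd listens on according to the given sshd_config.
sshd_port() {
    port=$(awk '$1 == "Port" { print $2; exit }' "$1")
    echo "${port:-22}"
}

# Succeed if the rules file has an INPUT rule that ACCEPTs TCP to port $2.
# The port must be followed by a space or end of line, so 6245 does not
# match a rule for 62450.
rules_accept_tcp() {
    grep -Eq "^-A INPUT .*-p tcp .*--dport $2( |\$).*-j ACCEPT" "$1"
}

# Return 0 if rules file $1 keeps the sshd port from sshd_config $2 open.
check_ssh_rule() {
    port=$(sshd_port "$2")
    if rules_accept_tcp "$1" "$port"; then
        echo "ok: rules accept new TCP connections to sshd port $port"
        return 0
    fi
    echo "REFUSING to load: no INPUT ACCEPT for tcp --dport $port (sshd port)" >&2
    return 1
}

# Load rules file $2 after the check passes, and schedule a restore of
# backup $1 after $3 seconds (default 120). Run confirm_rules before the
# timer fires to keep the new set; otherwise the backup comes back.
load_with_rollback() {
    backup="$1"; rules="$2"; secs="${3:-120}"
    check_ssh_rule "$rules" /etc/ssh/sshd_config || return 1
    ( sleep "$secs" && iptables-restore < "$backup" ) &
    echo $! > /tmp/iptables-rollback.pid
    iptables-restore < "$rules"
    echo "new rules loaded; open a NEW ssh session to test, then run confirm_rules"
    echo "within ${secs}s, or the backup is restored automatically"
}

# Cancel the pending rollback once a fresh SSH login has succeeded.
confirm_rules() {
    kill "$(cat /tmp/iptables-rollback.pid)" && rm -f /tmp/iptables-rollback.pid
}
```

Source the file as root and run `load_with_rollback ~/iptables.up.rules.vanilla ~/iptables.fs.rules 120`, then log in from a second terminal and call `confirm_rules` there. Killing the subshell before the sleep finishes means the iptables-restore after the && never runs, which is what cancels the rollback.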

Save the final rules

Once you are happy with your rules, save the live ruleset to the file that will be loaded at boot:

iptables-save > /etc/iptables.up.rules

Load rules on boot

vim /etc/network/if-pre-up.d/iptables
#!/bin/bash
# Restore the saved rules before any interface is brought up, so the host
# is never reachable without a firewall.
/sbin/iptables-restore < /etc/iptables.up.rules
chmod +x /etc/network/if-pre-up.d/iptables

Scripts in /etc/network/if-pre-up.d/ run before each interface is configured, so the rules are in place before the box is reachable. If you would rather not maintain this script yourself, the Debian iptables-persistent package does the same job of loading a saved ruleset at boot.