Securing Asterisk server with firewall (iptables and CentOS)

Configuring iptables rules for my Asterisk server. Note: rules added with iptables live only in kernel memory and are lost on reboot until the 'save' command is executed (see below).

First, we have to flush all existing rules (if any). Note that -F only removes rules; it does not reset the chain policies, so on a box whose INPUT policy is already DROP this command alone would cut off every connection, SSH included.

[bc@truecard src]# iptables -F


Enabling SSH incoming connections. Assuming we are connected to the Linux box over SSH, without this rule the remote shell becomes unreachable as soon as the default policy is set to DROP. If that happens, don't save the rules; reboot the server by other means, which resets the running rules to the last saved set. Protocol TCP, port 22

[bc@truecard src]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT


Enabling HTTP incoming connections. Protocol TCP, port 80

[bc@truecard src]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT


Enabling HTTPS incoming connections. Protocol TCP, port 443

[bc@truecard src]# iptables -A INPUT -p tcp --dport 443 -j ACCEPT


Enabling H.323 incoming connections (I don't use it right now, but just in case). Protocol TCP, port 1720

[bc@truecard src]# iptables -A INPUT -p tcp --dport 1720 -j ACCEPT


Enable incoming packets that belong to connections we established ourselves, or are related to them. This is what allows outgoing TCP connections to receive their replies.

[bc@truecard src]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


Allow all incoming UDP traffic. This is what lets SIP signalling and RTP media reach Asterisk, but it also exposes every other UDP listener on the host; a tighter rule would accept only the SIP port and the RTP port range configured in Asterisk.

[bc@truecard src]# iptables -A INPUT -p udp -j ACCEPT


Allow local communication.

[bc@truecard src]# iptables -A INPUT -i lo -j ACCEPT


Having ICMP enabled is useful for troubleshooting (ping, path MTU discovery), so let's allow it

[bc@truecard src]# iptables -A INPUT -p icmp -j ACCEPT


Now we set the default INPUT policy to drop all traffic not matched by the rules above. Doing this last, after the SSH rule is already in place, is what keeps the current session alive.

[bc@truecard src]# iptables -P INPUT DROP


Disable forwarding; I am connected to one network only

[bc@truecard src]# iptables -P FORWARD DROP


Allow all outgoing traffic

[bc@truecard src]# iptables -P OUTPUT ACCEPT


We are done with the rules. Verify that everything works, but don't reboot yet: a reboot would erase them. To make the rules permanent, tell the iptables service to save the running table (on CentOS it is written to /etc/sysconfig/iptables and reloaded at boot)

[bc@truecard src]# service iptables save


Now it's time to reboot and verify that the rules were restored. Get the list of all rules (add -n to skip reverse DNS lookups, which otherwise make the listing slow, and -v to see per-rule packet counters):

[bc@truecard src]# iptables -L
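The same ruleset, as an added example that is not part of the original page, built as an iptables-restore file instead of a sequence of -A commands. Loading the table this way is atomic: the DROP policy and the SSH rule land together, so there is no window where the session can be lost, and the file is in exactly the format service iptables save writes. It also replaces the "all UDP" rule with explicit SIP and RTP rules. The port numbers are assumptions: 5060/udp for SIP and 10000-20000/udp for RTP are Asterisk's shipped defaults (sip.conf and rtp.conf), and SSH_PORT, SIP_PORT, RTP_RANGE and the function names are mine, not Asterisk's or CentOS's.

```shell
#!/bin/sh
# Added example: generate the Asterisk host firewall as an iptables-restore table.
# Assumed defaults (override via environment): SSH on 22/tcp, SIP on 5060/udp,
# RTP on 10000-20000/udp. Adjust to match the server's sip.conf / rtp.conf.
SSH_PORT="${SSH_PORT:-22}"
SIP_PORT="${SIP_PORT:-5060}"
RTP_RANGE="${RTP_RANGE:-10000:20000}"

# Print the table in iptables-save format. Policies are declared in the
# header, so DROP and the ACCEPT rules are installed in one atomic load.
# Order matters: loopback and already-established traffic are matched first,
# then the services we deliberately expose.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 1720 -j ACCEPT
-A INPUT -p udp --dport ${SIP_PORT} -j ACCEPT
-A INPUT -p udp --dport ${RTP_RANGE} -j ACCEPT
COMMIT
EOF
}

# Returns 0 if the generated table contains an ACCEPT for our SSH port,
# i.e. loading it will not cut off the session we are typing in.
ruleset_keeps_ssh() {
    build_ruleset | grep -q -- "-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT"
}

# Returns 0 if any UDP rule lacks a --dport match (an "accept all UDP" rule),
# which is the hole the explicit SIP/RTP rules above are meant to close.
ruleset_has_open_udp() {
    build_ruleset | grep -- '-p udp' | grep -qv -- '--dport'
}

# Write the table to a file and load it atomically. On CentOS the saved table
# lives in /etc/sysconfig/iptables, so writing there is what "save" would do.
# Usage: apply_ruleset /etc/sysconfig/iptables   (must run as root)
apply_ruleset() {
    out="$1"
    ruleset_keeps_ssh || { echo "refusing: no SSH accept rule in table" >&2; return 1; }
    ruleset_has_open_udp && { echo "refusing: unrestricted UDP rule in table" >&2; return 1; }
    build_ruleset > "$out"
    iptables-restore < "$out"
}
```

Because build_ruleset only prints, it can be run as an unprivileged user to review the table before apply_ruleset loads it; the two checks refuse to load a table that would either lock out SSH or re-open all of UDP.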