Here’s an iptables ruleset for a VoIP server with a Web interface. The goals are to allow management hosts to communicate with it freely, allow VoIP and HTTP(S) from the public, and drop everything else. It’s designed to be used as /etc/iptables.rules, and loaded with
# iptables-restore < /etc/iptables.rules
In Linux, you’re supposed to adjust the firewall at the command line. This implies an ability to retain the firewall ruleset in your head, as well as an ability to type correctly. Neither of these is true for me. My /etc/iptables.rules:
*filter
# management: hosts on these private networks may reach any port
-A INPUT -s 192.168.0.0/16 -i eth0 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eth0 -j ACCEPT
# web interface: HTTP(S) from anywhere
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# voip: SIP signalling and RTP media from anywhere
-A INPUT -p udp -m udp --dport 5080 -j ACCEPT
-A INPUT -p udp -m udp --dport 5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# note: this rule already covers 10000:20000 and every other unprivileged UDP port, from any source
-A INPUT -p udp -m udp --dport 1025:65534 -j ACCEPT
# replies to connections this host opened
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
# everything else arriving on eth0 is dropped; packets on other interfaces fall through to the chain policy
-A INPUT -i eth0 -j DROP
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
The section labeled “management” is where the rules allowing access from my management network go. Management hosts may connect to this server on any port desired. Add additional lines for additional subnets.
The Web interface rules permit inbound HTTP(S) connections, and the VoIP section supports phone calls.
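Because netfilter takes the first rule that matches and ignores the rest of the chain, the easiest way to check what a ruleset like this actually lets through is to walk a few sample packets down it. The following is an added example, not code from the post: a small first-match simulator that parses the rules above (copied verbatim) and reports which rule decides each packet. It only understands the options this ruleset uses (-s, -i, -p, -m, --dport, --state, -j) and raises on anything else; the source addresses in the probes are constructed, with 203.0.113.5 (a documentation address) standing in for an arbitrary internet host. What it shows is that the 1025:65534 rule, not the 10000:20000 one, is what admits RTP, that it also admits any other unprivileged UDP port from anywhere, and that the final DROP only applies to eth0, so a packet arriving on another interface is left to the INPUT chain's policy.

```python
import ipaddress
import shlex

# Copy of the INPUT/OUTPUT rules from the post, in iptables-save syntax.
RULESET = """
-A INPUT -s 192.168.0.0/16 -i eth0 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 5080 -j ACCEPT
-A INPUT -p udp -m udp --dport 5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 1025:65534 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
"""


def parse_rule(line):
    """Parse one '-A CHAIN ...' line into a dict of match criteria.

    Only the options used in the post's ruleset are understood; anything
    else raises so an unsupported rule cannot be silently mis-simulated.
    """
    toks = shlex.split(line)
    rule = {"chain": None, "src": None, "iface": None, "proto": None,
            "dport": None, "states": None, "target": None}
    i = 0
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]  # every option here takes exactly one argument
        if opt == "-A":
            rule["chain"] = arg
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "-i":
            rule["iface"] = arg
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "-m":
            pass  # match-module names (tcp, udp, state) carry no criteria themselves
        elif opt == "--dport":
            lo, _, hi = arg.partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
        elif opt == "--state":
            rule["states"] = set(arg.split(","))
        elif opt == "-j":
            rule["target"] = arg
        else:
            raise ValueError(f"unsupported option {opt!r} in: {line}")
        i += 2
    return rule


RULES = [parse_rule(line) for line in RULESET.strip().splitlines()]


def matches(rule, pkt):
    """True if every criterion present in the rule matches the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["iface"] is not None and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and not (rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]):
        return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    return True


def first_match(chain, src, iface, proto, dport, state="NEW", rules=RULES):
    """Walk the chain top to bottom as netfilter does and return
    (target, 1-based rule number within the chain) for the first hit,
    or ("POLICY", None) if the packet falls off the end of the chain."""
    pkt = {"src": src, "iface": iface, "proto": proto, "dport": dport, "state": state}
    n = 0
    for rule in rules:
        if rule["chain"] != chain:
            continue
        n += 1
        if matches(rule, pkt):
            return rule["target"], n
    return "POLICY", None


if __name__ == "__main__":
    # Constructed probes; 203.0.113.5 is a documentation address standing in for "the internet".
    probes = [
        ("ssh from the internet on eth0", ("INPUT", "203.0.113.5", "eth0", "tcp", 22)),
        ("ssh from a management host",    ("INPUT", "10.1.2.3", "eth0", "tcp", 22)),
        ("SIP from the internet",         ("INPUT", "203.0.113.5", "eth0", "udp", 5060)),
        ("UDP 30000 from the internet",   ("INPUT", "203.0.113.5", "eth0", "udp", 30000)),
        ("UDP 1024 from the internet",    ("INPUT", "203.0.113.5", "eth0", "udp", 1024)),
        ("ssh from the internet on eth1", ("INPUT", "203.0.113.5", "eth1", "tcp", 22)),
    ]
    for label, args in probes:
        target, num = first_match(*args)
        where = f"rule {num}" if num else "end of chain"
        print(f"{label:32s} -> {target:7s} ({where})")
```

The simulator deliberately models only rule matching, not connection tracking, so the `state` argument is whatever you tell it; that is enough to see which rule a NEW packet hits and to confirm that replies (ESTABLISHED) are accepted by the state rules rather than by a port rule.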
After working with iptables for a while, I feel perfectly qualified to say: I vastly prefer PF. Or even ipfilter. But now that I have the ruleset worked out, I can easily replicate it across all my VoIP servers.