Securing Asterisk server with firewall (iptables and CentOS)

Configuring iptables rules for my Asterisk server. Note: all iptables rules entered from the shell are held only in the running kernel and will be lost after a reboot until the 'save' command is executed (see below).

First, we have to clear all existing rules (if any). Note that -F only flushes the rules; it leaves the chain policies as they are, so if the INPUT policy has already been set to DROP on this box, flushing over SSH will lock you out. Check the current policies before flushing on a remote machine.

[bc@truecard src]# iptables -F

Enabling incoming SSH connections. Assuming we are connected to the Linux box over SSH, without this rule the remote shell will become unavailable once the default policy is set to DROP. If that happens, don't save the rules; reboot the server remotely instead, which resets the rules to the saved set. Protocol TCP, port 22.

[bc@truecard src]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Enabling HTTP incoming connections. Protocol TCP, port 80

[bc@truecard src]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Enabling HTTPS incoming connections. Protocol TCP, port 443

[bc@truecard src]# iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Enabling incoming H.323 connections (I don't use it right now, but just in case). Protocol TCP, port 1720. Keep in mind that a port opened for a service you are not running only adds attack surface; it is safer to leave this rule out until H.323 is actually in use.

[bc@truecard src]# iptables -A INPUT -p tcp --dport 1720 -j ACCEPT

Enable incoming packets that belong to connections we established ourselves. This is what allows outgoing TCP connections (and their replies) to work once the default INPUT policy is DROP.

[bc@truecard src]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow all incoming UDP traffic. This is the weak spot of the ruleset: it exposes SIP signalling, RTP media and every other UDP listener on the box to the whole Internet, and the SIP port is exactly what scanners and registration brute-forcers probe an Asterisk server for. A tighter version allows only the SIP port and the RTP port range configured in Asterisk, and restricts SIP to the provider and phone networks where that is possible.

[bc@truecard src]# iptables -A INPUT -p udp -j ACCEPT

Allow local communication.

[bc@truecard src]# iptables -A INPUT -i lo -j ACCEPT

Having the ICMP protocol enabled can be useful for troubleshooting purposes, so let's enable it

[bc@truecard src]# iptables -A INPUT -p icmp -j ACCEPT

Now we have to configure the default INPUT policy: drop all traffic that matched none of the rules above. The policy only applies to packets that reach the end of the chain, so it is safe to set it after the ACCEPT rules are in place.

[bc@truecard src]# iptables -P INPUT DROP

Disable forwarding between interfaces; this box is connected to one network only and is not a router.

[bc@truecard src]# iptables -P FORWARD DROP

Allow all outgoing traffic

[bc@truecard src]# iptables -P OUTPUT ACCEPT

We are done with the rules. Verify that everything works well (SSH, the web interface, a test call), but don't reboot yet: that would erase all rules. To save the rules permanently we have to tell the iptables service to write the current table to /etc/sysconfig/iptables, from which it is reloaded at boot

[bc@truecard src]# service iptables save

Now it's time to reboot and verify that our rules were saved. Get the list of all rules:

[bc@truecard src]# iptables -L
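The whole procedure above, collected into one script as an added example (this is not code from the original post). It generates the ruleset as a reviewable list of iptables commands, with the blanket "allow all UDP" rule replaced by per-service rules, and includes a small check that flags any UDP accept rule without a port filter. Assumed, not stated on the page: SIP signalling on UDP 5060 and RTP media on UDP 10000-20000 (the Asterisk rtp.conf defaults), and the environment variable names SSH_ADMIN_NET, SIP_TRUSTED_NET, RTP_START and RTP_END used to narrow the rules.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the Asterisk
# firewall ruleset as a list of iptables commands so it can be reviewed
# before it is applied on the host.
# Assumptions: SIP on UDP 5060, RTP on UDP 10000-20000 (rtp.conf defaults);
# the *_NET variables below are hypothetical names for the trusted networks.

# Print the ruleset, one command per line, without applying anything.
asterisk_rules() {
    ssh_net="${SSH_ADMIN_NET:-0.0.0.0/0}"    # assumption: where admins SSH from
    sip_net="${SIP_TRUSTED_NET:-0.0.0.0/0}"  # assumption: provider/phone networks
    rtp_start="${RTP_START:-10000}"          # must match rtpstart in rtp.conf
    rtp_end="${RTP_END:-20000}"              # must match rtpend in rtp.conf
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp -s $ssh_net --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s $sip_net --dport 5060 -j ACCEPT
iptables -A INPUT -p udp --dport $rtp_start:$rtp_end -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Return 0 (true) if the ruleset read from stdin accepts UDP without any
# --dport filter, i.e. contains a rule like the page's "-p udp -j ACCEPT".
has_blanket_udp() {
    grep -- '-p udp' | grep -v -- '--dport' | grep -q -- '-j ACCEPT'
}

# Apply the ruleset and persist it the CentOS way (/etc/sysconfig/iptables).
# Only meaningful as root on the Asterisk host; refuses to run otherwise.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    if asterisk_rules | has_blanket_udp; then
        echo "apply_rules: refusing to apply a blanket UDP accept" >&2
        return 1
    fi
    asterisk_rules | sh -e
    service iptables save
}

# Default is a dry run: print the rules for review. Pass --apply to install.
case "${1-}" in
    --apply) apply_rules ;;
    *) asterisk_rules ;;
esac
```

Run it with no arguments to see exactly what will be installed, and with `--apply` as root once the SSH rule looks right for your admin network. The policy is reset to ACCEPT before the flush so that re-running the script over SSH on a box that already has a DROP policy does not cut the session. After the reboot, `iptables -L -n -v` lists the rules with packet counters and without slow reverse DNS lookups, which makes it easy to confirm that the SIP and RTP rules are actually matching traffic.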