Configure firewall

By default MiaRec uses the following ports, which should be allowed through the firewall (added to its exclusion list).

Port            Protocol   Description
80              tcp        MiaRec Web-portal (HTTP protocol)
443             tcp        MiaRec Web-portal (HTTPS protocol). Requires installation of an SSL certificate.
6554            tcp        Live monitoring signaling (RTSP protocol)
7000 - 7999     udp        Live monitoring media (RTP protocol)
5070            tcp        Cisco SIP trunk recording signaling (SIP protocol)
20000 - 21999   udp        Cisco SIP trunk recording media (RTP protocol)
5080            tcp, udp   SIPREC recording signaling (SIP protocol)
22000 - 23999   udp        SIPREC recording media (RTP protocol)

Instructions for iptables (CentOS 6)

This section describes how to configure iptables on CentOS 6.

Execute the command iptables --line -vnL to see the current list of rules with line numbers. Example output:

[root@miarec ~]# iptables --line -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     3124 1264K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3       11  3292 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
5       63  4881 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 2937 packets, 1212K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

From this output we need the line number of the generic REJECT rule in the INPUT chain. In the example above it is rule #5, so each exclusion rule below is inserted at position 5 (iptables -I INPUT 5), which places it just above the REJECT rule; every insert pushes the REJECT rule one position further down, so all of the new rules end up above it. If the REJECT rule is at a different position on your system, use that number instead. The rules below also assume the network interface is eth0; replace it with the interface on which your MiaRec server receives traffic.

  • Web-portal rule (port 80 tcp)

    iptables -I INPUT 5 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    
  • Live monitoring rules

    iptables -I INPUT 5 -i eth0 -p tcp --dport 6554 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -I INPUT 5 -i eth0 -p udp --dport 7000:7999 -m state --state NEW,ESTABLISHED -j ACCEPT
    
  • Cisco SIP trunk recording interface rules

    iptables -I INPUT 5 -i eth0 -p udp --dport 5070 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -I INPUT 5 -i eth0 -p tcp --dport 5070 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -I INPUT 5 -i eth0 -p udp --dport 20000:21999 -m state --state NEW,ESTABLISHED -j ACCEPT
    
  • SIPREC recording interface rules

    iptables -I INPUT 5 -i eth0 -p udp --dport 5080 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -I INPUT 5 -i eth0 -p tcp --dport 5080 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -I INPUT 5 -i eth0 -p udp --dport 22000:23999 -m state --state NEW,ESTABLISHED -j ACCEPT
    
  • Save all rules to the iptables configuration file

    service iptables save
    
  • Restart the iptables service

    service iptables restart
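
The procedure above, automated as an added example that is not part of the MiaRec documentation: it reads the position of the generic REJECT rule from captured iptables --line -vnL output and prints the MiaRec ACCEPT rules to insert above it. The interface name is a parameter; eth0 is assumed to match the page, and the sample output embedded below is a constructed copy of the page's example.

```shell
#!/bin/sh
# Added example (not MiaRec's own tooling): locate the generic REJECT rule in
# the INPUT chain and emit the MiaRec allow rules positioned just above it.
# The interface name (eth0 below) is an assumption; pass your own interface.

# Print the rule number of the first generic REJECT rule in chain INPUT.
# $1: captured text of `iptables --line -vnL`. Prints nothing if absent.
reject_position() {
    printf '%s\n' "$1" | awk '
        /^Chain / { in_input = ($2 == "INPUT") }
        in_input && $4 == "REJECT" && /reject-with/ { print $1; exit }'
}

# Emit one `iptables -I` command per MiaRec port (the table at the top).
# $1: insert position (the REJECT rule number), $2: interface name.
# Every rule goes in at the same position, so each insert pushes the REJECT
# rule one place down and all of the new rules stay above it.
miarec_rules() {
    for spec in tcp/80 tcp/6554 udp/7000:7999 \
                udp/5070 tcp/5070 udp/20000:21999 \
                udp/5080 tcp/5080 udp/22000:23999; do
        printf 'iptables -I INPUT %s -i %s -p %s --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' \
            "$1" "$2" "${spec%/*}" "${spec#*/}"
    done
}

# Constructed sample: a copy of the page's example output.
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     3124 1264K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3       11  3292 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5       63  4881 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# On the real host replace SAMPLE with "$(iptables --line -vnL)", review the
# printed commands, then run them (and `service iptables save`).
pos=$(reject_position "$SAMPLE")
if [ -z "$pos" ]; then
    echo "no generic REJECT rule in INPUT; append the rules with -A instead" >&2
else
    miarec_rules "$pos" eth0
fi
```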
    

Instructions for firewall-cmd (CentOS 7)

  • Web-portal rule (port 80 tcp)

    firewall-cmd --permanent --zone=public --add-port=80/tcp
    
  • Live monitoring rules

    firewall-cmd --permanent --zone=public --add-port=6554/tcp
    firewall-cmd --permanent --zone=public --add-port=7000-7999/udp
    
  • Cisco SIP trunk recording interface rules

    firewall-cmd --permanent --zone=public --add-port=5070/udp
    firewall-cmd --permanent --zone=public --add-port=5070/tcp
    firewall-cmd --permanent --zone=public --add-port=20000-21999/udp
    
  • SIPREC recording interface rules

    firewall-cmd --permanent --zone=public --add-port=5080/udp
    firewall-cmd --permanent --zone=public --add-port=5080/tcp
    firewall-cmd --permanent --zone=public --add-port=22000-23999/udp
    
  • Reload the firewalld configuration so the permanent rules take effect

    firewall-cmd --reload