Configure firewall
By default MiaRec uses the following ports, which should be added into firewall exclusion list.
| Port | Description |
|---|---|
| 80 (tcp) | MiaRec Web-portal (HTTP protocol) |
| 443 (tcp) | MiaRec Web-portal (HTTPS protocol). Requires installation of SSL certificate. |
| 6554 (tcp) | Live monitoring signaling (RTSP protocol) |
| 7000 - 7999 (udp) | Live monitoring media (RTP protocol) |
| 5070 (tcp) | Cisco SIP trunk recording signaling (SIP protocol) |
| 20000 - 21999 (udp) | Cisco SIP trunk recording media (RTP protocol) |
| 5080 (tcp, udp) | SIPREC recording signaling (SIP protocol) |
| 22000 - 23999 (udp) | SIPREC recording media (RTP protocol) |
Instructions for iptables (Centos 6)
This document describes how to configure iptables.
Execute command iptables --line -vnL to see the current list of rule with line numbers.
Example output:
[root@miarec ~]# iptables --line -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 3124 1264K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 11 3292 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 63 4881 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 2937 packets, 1212K bytes)
num pkts bytes target prot opt in out source destination
From this output we need to get the line number of the generic REJECT rule. In example above it is at line #5. We will need to add our exclusion rules just above this line.
Web-portal rule (port 80 tcp)
iptables -I INPUT 5 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPTLive monitoring rules
iptables -I INPUT 5 -i eth0 -p tcp --dport 6554 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 5 -i eth0 -p udp --dport 7000:7999 -m state --state NEW,ESTABLISHED -j ACCEPTCisco SIP trunk recording interface rules
iptables -I INPUT 5 -i eth0 -p udp --dport 5070 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 5 -i eth0 -p tcp --dport 5070 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 5 -i eth0 -p udp --dport 20000:21999 -m state --state NEW,ESTABLISHED -j ACCEPTSIPREC recording interface rules
iptables -I INPUT 5 -i eth0 -p udp --dport 5080 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 5 -i eth0 -p tcp --dport 5080 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 5 -i eth0 -p udp --dport 22000:23999 -m state --state NEW,ESTABLISHED -j ACCEPTSave all rules into iptables configuration file
service iptables saveRestart iptables service
service iptables restart
Instructions for firewall-cmd (Centos 7)
Web-portal rule (port 80 tcp)
firewall-cmd --permanent --zone=public --add-port=80/tcpLive monitoring rules
firewall-cmd --permanent --zone=public --add-port=6554/tcp firewall-cmd --permanent --zone=public --add-port=7000-7999/udpCisco SIP trunk recording interface rules
firewall-cmd --permanent --zone=public --add-port=5070/udp firewall-cmd --permanent --zone=public --add-port=5070/tcp firewall-cmd --permanent --zone=public --add-port=20000-21999/udpSIPREC recording interface rules
firewall-cmd --permanent --zone=public --add-port=5080/udp firewall-cmd --permanent --zone=public --add-port=5080/tcp firewall-cmd --permanent --zone=public --add-port=22000-23999/udpReload firewall-cmd configuration
firewall-cmd --reload