iptables is one of the most widely used Linux packet-filtering tools: it is the user-space front end to the kernel's netfilter framework and runs on servers and network devices across the world. The Elastix Security module exposes the key features of iptables through its web interface in order to secure our Unified Communications server. This module is available under the Security | Firewall menu. On the main screen of this module we can check the firewall status (enabled or disabled). We will also see each firewall rule with the following information:
- Order: This column represents the order in which rules are evaluated; the first rule that matches a packet decides what happens to it.
- Traffic: Whether the rule applies to incoming, outgoing or forwarded packets.
- Target: The action taken on a matching packet: accept, reject or drop.
- Interface: The network interface on which the rule is applied.
- Source Address: The rule applies only to packets whose source IP address (or network) matches this value.
- Destination Address: The rule applies only to packets whose destination address matches this value.
- Protocol: The IP protocol the rule matches (TCP, UDP, ICMP, and so on).
- Details: Comments relating to this rule, to remind us why it exists.
By default, when the firewall is enabled, Elastix allows traffic from any source address to the ports used by the Unified Communications services. Because these default rules carry no source restriction, every host that can route packets to the server can reach those services; restricting the source address of such rules to the networks that actually need them is the first tightening to consider. The following image shows the state of the firewall.
We can review the port definitions behind these rules in the Define Ports section, as shown in the following image:
In this section we can delete a port definition, define a new one, or search for a specific port. Clicking the Display link takes us to the edit page for the selected rule, as shown in the image to the side. This is useful whenever we want to change the details of a rule.
How to do it
- To add a new port definition, click on the Define Port link and enter the following information, as shown in the following image:
- Name: A name for this port definition.
- Protocol: The IP protocol to use. The options are TCP, ICMP, IP and UDP.
- Port: A single port or a range of ports. For a single port, enter the port number in the text field before the ":" character. For a range, use both fields: the first is the first port of the range and the second is the last port of the range.
- Comment: A comment describing this port definition.
- The following image shows the creation of a new port definition for GSM-Solution, which uses TCP ports 5000 through 5002.
- Having defined our ports, we activate the firewall by clicking on Save.
- Once the firewall service is activated, a message informs us that the service has been started, and we can see the status of each rule.
- With the service running, we can edit, delete or reorder rules. Order matters: rules are evaluated from top to bottom and the first match wins, so a rule that allows a trusted network must sit above any broader rule that would also match the same packets.
- To add a new rule, click on the New rule button (as shown in the image to the side) and we will be redirected to a new web page.
- The information we need to enter is as follows:
- Traffic: Whether the rule applies to incoming (INPUT), outgoing (OUTPUT) or forwarded (FORWARD) packets.
- IN interface: The interface the rule applies to. All available network interfaces are listed; the options ANY and LOOPBACK are also available.
- Source Address: Restricts the rule to packets from the given IP address or network. For example, we can block all incoming traffic from the IP address 192.168.1.1. It is important to specify the netmask (255.255.255.255, that is /32, for a single host): a wrong mask silently widens or narrows the match.
- Destination Address: The destination IP address or network for the rule. Again, specify the netmask.
- Protocol: The protocol we want to match. The options are TCP, UDP, ICMP, IP (no protocol restriction) and STATE (match on connection-tracking state).
- Source Port: Any port definition previously created in the Define Ports section, used as the source port.
- Destination Port: Any port definition previously created in the Define Ports section, used as the destination port.
- Target: The action applied to a packet that matches all of the conditions set in the previous fields (accept, reject or drop). Conditions are combined, so a packet must match every field for the target to apply.
- The following image shows a new firewall rule being created from the ports defined previously:
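The rules the GUI saves are ordinary iptables rules, so it is worth knowing what each form field turns into and checking the loaded ruleset from the command line after clicking Save. The following shell script is an added example, not Elastix's own code: `render_rule` maps the fields of the New rule page (Traffic, IN interface, source and destination with netmask, protocol, port definition, target) to the iptables command they correspond to, and `open_to_any` reads `iptables -S INPUT` output and lists the ACCEPT rules that carry no source restriction, which is the shape of the default ruleset described earlier. The GSM-Solution range 5000-5002/tcp comes from the text; the interface name eth0, the trusted subnet 192.168.1.0/24, the SIP port 5060/udp and the sample listing are assumptions constructed for the example, and reading the STATE option as a conntrack state match is our interpretation of that field.

```shell
#!/bin/sh
# Added example: what Elastix firewall GUI fields become as iptables rules, plus a
# check on a loaded ruleset. Not Elastix's own code. eth0, 192.168.1.0/24 and
# 5060/udp are assumed values; 5000-5002/tcp is the GSM-Solution range from the text.

# Append "/32" to a bare host address: the GUI insists on a netmask because the
# mask decides how many hosts a rule covers, and a typo such as /24 silently widens it.
with_mask() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# render_rule TRAFFIC INTERFACE SOURCE DESTINATION PROTOCOL PORT TARGET
#   TRAFFIC:     INPUT | OUTPUT | FORWARD        (the GUI's Traffic field)
#   INTERFACE:   ANY | LOOPBACK | <name>         (ANY adds no match; OUTPUT uses -o, not -i)
#   SOURCE/DEST: ANY | address[/mask]
#   PROTOCOL:    TCP | UDP | ICMP | IP | STATE   (IP = every protocol, so no -p;
#                STATE is read here as a conntrack state match, an assumption)
#   PORT:        ANY | port | first:last         (a range is written first:last, as in Define Port;
#                for STATE the field carries the state list, e.g. RELATED,ESTABLISHED)
#   TARGET:      ACCEPT | REJECT | DROP
# Prints the command; nothing is applied.
render_rule() {
    chain=$1; iface=$2; src=$3; dst=$4; proto=$5; port=$6; target=$7
    cmd="iptables -A $chain"
    if [ "$iface" = "LOOPBACK" ]; then iface=lo; fi
    if [ "$iface" != "ANY" ]; then
        if [ "$chain" = "OUTPUT" ]; then cmd="$cmd -o $iface"; else cmd="$cmd -i $iface"; fi
    fi
    if [ "$src" != "ANY" ]; then cmd="$cmd -s $(with_mask "$src")"; fi
    if [ "$dst" != "ANY" ]; then cmd="$cmd -d $(with_mask "$dst")"; fi
    case "$proto" in
        TCP|UDP)
            cmd="$cmd -p $(printf '%s' "$proto" | tr '[:upper:]' '[:lower:]')"
            # --dport is only valid together with -p tcp or -p udp
            if [ "$port" != "ANY" ]; then cmd="$cmd --dport $port"; fi ;;
        ICMP)  cmd="$cmd -p icmp" ;;
        IP)    ;;
        STATE) cmd="$cmd -m conntrack --ctstate $port" ;;
        *)     printf 'unknown protocol: %s\n' "$proto" >&2; return 1 ;;
    esac
    printf '%s -j %s\n' "$cmd" "$target"
}

# List INPUT rules that ACCEPT a service port from any source (no -s match).
# Reads `iptables -S INPUT` output on stdin.
open_to_any() {
    awk '/^-A INPUT / && /-j ACCEPT/ && /--dport/ && !/ -s /'
}

# Constructed listing in `iptables -S INPUT` format (not captured from a real Elastix box).
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5000:5002 -j ACCEPT'

# Number of rules in a listing that accept a port from every source.
count_open_to_any() {
    printf '%s\n' "$1" | open_to_any | wc -l | tr -d ' '
}

echo "# GSM-Solution as the GUI creates it (open to every source):"
render_rule INPUT eth0 ANY ANY TCP 5000:5002 ACCEPT
echo "# The same service restricted to one subnet; the ACCEPT must be ordered above the DROP:"
render_rule INPUT eth0 192.168.1.0/24 ANY TCP 5000:5002 ACCEPT
render_rule INPUT eth0 ANY ANY TCP 5000:5002 DROP
echo "# Rules in the sample listing that accept a port from any source:"
printf '%s\n' "$SAMPLE_RULES" | open_to_any
echo "# $(count_open_to_any "$SAMPLE_RULES") rule(s) open to any source"
```

Run it as a normal user to see the commands; nothing touches the live firewall. On the server, compare `iptables -S INPUT` with what the GUI shows and pipe that listing through `open_to_any` to see which services are reachable from every source. Note the order in the demonstration: the ACCEPT for 192.168.1.0/24 must be placed above the DROP for everyone else, which is exactly what the Order column on the main screen controls.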
We can also check user activity using the Audit menu. This module can be found in the Security menu.
To increase the security of our system we also recommend using the built-in Elastix Port Knocking feature.