Archive for the ‘ip’ Category

Installing and configuring iptables on CentOS

November 8, 2008

Getting down to business: iptables is the standard firewall on Linux installations.

1.- Install it using yum:

yum install iptables

2.- Create the plain-text configuration file (with nano or vim):

nano /etc/sysconfig/iptables

# By default drop all incoming and forwarded traffic
# Allow all outgoing traffic
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Accept replies to connections this host opened itself (yum, DNS, NTP...).
# Without this rule the DROP policy also discards the answers to outbound traffic.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Port 80, HTTP for whatever web services we run (HTTP is TCP, not UDP)
-A INPUT -p tcp --dport 80 -j ACCEPT

# DUNDi protocol port
-A INPUT -p udp --dport 4520 -j ACCEPT

# IAX port
-A INPUT -p udp --dport 4569 -j ACCEPT

# SIP port
-A INPUT -p udp --dport 5060 -j ACCEPT

# RTP media ports (this same range must afterwards be configured in Asterisk)
-A INPUT -p udp --dport 10000:20000 -j ACCEPT

# Allow incoming SSH (22 is the default port)
-A INPUT -p tcp --dport xxxx -j ACCEPT

# Allow local traffic
-A INPUT -i lo -j ACCEPT

# Allow ping
-A INPUT -p icmp --icmp-type ping -j ACCEPT

COMMIT

It is important to open the SSH port xxxx (22 by default) before the rules are applied: with an INPUT policy of DROP, forgetting it locks you out of a remote session. Also note that the option is written with two ASCII hyphens (--dport); a copy from a web page often turns them into a single dash, which iptables-restore rejects.

Save the file and restart iptables:

service iptables restart

You will see:

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]

General check (add -n to skip the reverse DNS lookup on every address, which can stall under a restrictive policy):

iptables -L

Finally we have to tell Asterisk to use ports 10000 through 20000 for the RTP protocol:

open the file

vim /etc/asterisk/rtp.conf

remove the semicolon before [general], if there is one

set rtpstart to 10000 and rtpend to 20000

rtpstart=10000
rtpend=20000

Save the file and reload Asterisk:

/etc/init.d/asterisk reload
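Before restarting iptables on a remote box it pays to audit the file for the slips that are easy to make when a ruleset is copied from a web page. The following script is an added example written for this post, not code from the original post or from the iptables project. It embeds a constructed copy of the ruleset above with the two original defects left in (port 80 opened over UDP, the ping rule listed twice) and reports mangled dashes, TCP services opened over UDP, duplicate rules, a non-DROP INPUT policy and a missing ESTABLISHED,RELATED rule. The port table, finding codes and function names are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample input for this example: the post's ruleset with its
# two defects (UDP on port 80, duplicated ping rule) left in so the audit
# has something to report. Not a real host's configuration.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp --dport 80 -j ACCEPT
-A INPUT -p udp --dport 4520 -j ACCEPT
-A INPUT -p udp --dport 4569 -j ACCEPT
-A INPUT -p udp --dport 5060 -j ACCEPT
-A INPUT -p udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type ping -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type ping -j ACCEPT
COMMIT
"""

# Services that only speak TCP (example's own list): a UDP ACCEPT on these
# ports opens nothing useful while the real service stays blocked by DROP.
TCP_ONLY_PORTS = {22: "ssh", 80: "http", 443: "https"}

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*?)\s+-j\s+(\S+)\s*$")
PROTO_RE = re.compile(r"(?:^|\s)-p\s+(\S+)")
DPORT_RE = re.compile(r"--dport\s+(\d+)(?::\d+)?")


def parse_rules(text):
    """Parse iptables-save style text into (chain policies, list of (chain, match, target))."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3)))
    return policies, rules


def audit(text):
    """Return a list of (code, detail) findings for a ruleset; [] means nothing found."""
    findings = []

    # 1. Dashes mangled by a web page: an en dash before 'dport' is not '--dport'
    #    and makes iptables-restore reject the whole file.
    for n, line in enumerate(text.splitlines(), 1):
        if "\u2013" in line or "\u2014" in line:
            findings.append(("bad-dash", f"line {n}: non-ASCII dash, use '--'"))

    policies, rules = parse_rules(text)

    if policies.get("INPUT") != "DROP":
        findings.append(("input-policy",
                         f"INPUT policy is {policies.get('INPUT')}, expected DROP"))

    # 2. Wrong transport protocol for a well-known TCP service.
    for chain, match, target in rules:
        proto, port = PROTO_RE.search(match), DPORT_RE.search(match)
        if proto and port and proto.group(1) == "udp" and target == "ACCEPT":
            p = int(port.group(1))
            if p in TCP_ONLY_PORTS:
                findings.append(("udp-on-tcp-service",
                                 f"{chain}: port {p} ({TCP_ONLY_PORTS[p]}) opened for udp, not tcp"))

    # 3. Exact duplicates: harmless to the kernel, but a sign of a copy-paste ruleset.
    for (chain, match, target), count in Counter(rules).items():
        if count > 1:
            findings.append(("duplicate", f"{chain}: '{match} -j {target}' appears {count} times"))

    # 4. INPUT DROP with no ESTABLISHED,RELATED rule drops the replies to the
    #    host's own outbound connections (yum, DNS, ...).
    has_state = any(("--state" in m or "--ctstate" in m) and "ESTABLISHED" in m
                    for c, m, t in rules if c == "INPUT" and t == "ACCEPT")
    if policies.get("INPUT") == "DROP" and not has_state:
        findings.append(("no-established-rule",
                         "INPUT DROP without '-m state --state ESTABLISHED,RELATED -j ACCEPT'"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_RULES):
        print(f"{code:22} {detail}")
```

Run it against the real file with audit(open("/etc/sysconfig/iptables").read()). An empty result only says these particular slips are absent; keep the console or a second session open until SSH has been confirmed through the new ruleset.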

Testing SCTP on Debian Linux: the lksctp project

May 17, 2008

As you may know, SCTP is the transport-layer protocol used by SIGTRAN (that is how it is deployed in practice, although a SIGTRAN deployment over UDP would be possible). SCTP has some advantages over its cousin TCP:

  • Reliability mechanisms: TCP provides both reliable data transfer, through its acknowledgment mechanism, and strict in-order delivery, through sequencing. Some applications need reliable transfer without sequence maintenance, while others would be satisfied with partial ordering of the data. In both cases the head-of-line blocking caused by TCP adds unnecessary delay.

  • Real-time issues: the in-order delivery and retransmission described above (the head-of-line blocking) add delay that makes TCP inappropriate for real-time applications.

  • TCP sockets: a TCP connection is tied to a single pair of addresses, which complicates providing highly available data transfer with multi-homed hosts (an SCTP association can carry several addresses per endpoint).

  • Security issues: TCP is relatively vulnerable to denial-of-service attacks such as SYN flooding; SCTP's four-way handshake with a state cookie lets the server avoid allocating state until the client proves it is reachable.

By design, SCTP is supposed not to suffer from these weaknesses.

It is possible to test this protocol on Linux (the lksctp project):

http://lksctp.sourceforge.net/index.html

http://datatag.web.cern.ch/datatag/WP3/sctp/tests.htm

Linux Kernel SCTP (LKSCTP)

The LKSCTP implementation of SCTP runs in kernel space. For our tests, we used Linux kernel 2.5.65 and lksctp-2_5_65-0_6_8.

Detailed information on LKSCTP can be found on the Web site of the LKSCTP project. According to Randall Stewart (co-author of SCTP), the version of LKSCTP that we tested is not completely compliant with RFC 2960 and the current Implementer’s Guide, and is not optimized for performance. The latter was confirmed by Jon Grimm, from the LKSCTP project.

Loading the SCTP modules is done with: /sbin/modprobe -a sctp
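Once the module loads, the quickest functional test is an SCTP association over loopback. The script below is an added example, not part of the original post or of the lksctp project: it opens a one-to-one (SOCK_STREAM) SCTP socket, echoes one message between a listener and a client on 127.0.0.1, and returns None instead of failing when the kernel refuses SCTP sockets (module absent, or a sandbox that forbids the protocol). It assumes Python's socket module exposes IPPROTO_SCTP, as it does on Linux; the function names are the example's own.

```python
import socket
import threading

# socket.IPPROTO_SCTP is defined on Linux; 132 is SCTP's IANA protocol number
# and is used as a fallback so the module still imports elsewhere.
SCTP = getattr(socket, "IPPROTO_SCTP", 132)


def sctp_supported():
    """True if the kernel hands out an SCTP socket (sctp module loaded or autoloaded).

    EPROTONOSUPPORT means no module; EPERM/EACCES means a sandbox refuses it.
    """
    try:
        socket.socket(socket.AF_INET, socket.SOCK_STREAM, SCTP).close()
        return True
    except OSError:
        return False


def sctp_loopback_echo(payload, timeout=5.0):
    """Echo one message over an SCTP association on 127.0.0.1.

    Returns the bytes the client got back, or None when SCTP sockets are
    unavailable or the association could not be set up within the timeout.
    """
    result = {}

    def client(port):
        # Client side runs in a thread so one function can play both ends.
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM, SCTP) as c:
                c.settimeout(timeout)
                c.connect(("127.0.0.1", port))
                c.sendall(payload)
                result["echo"] = c.recv(65536)  # SCTP preserves message boundaries
        except OSError as e:
            result["error"] = e

    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM, SCTP) as srv:
            srv.settimeout(timeout)
            srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port
            srv.listen(1)
            port = srv.getsockname()[1]
            t = threading.Thread(target=client, args=(port,))
            t.start()
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(timeout)
                conn.sendall(conn.recv(65536))  # echo the single message back
            t.join(timeout)
    except OSError:
        return None
    return result.get("echo")


if __name__ == "__main__":
    print("SCTP sockets available:", sctp_supported())
    print("loopback echo:", sctp_loopback_echo(b"hello over SCTP"))
```

If the first line prints False right after modprobe -a sctp, check dmesg for a module load error; the lksctp-tools package also ships a small checksctp utility that performs the same availability probe.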

Other SCTP implementations available:

Linux: http://sourceforge.net/projects/lksctp/

FreeBSD/NetBSD/OpenBSD: http://www.sctp.org

Solaris: http://playground.sun.com/sctp/
