Use your preferred text editor to create /etc/iptables.firewall.rules. Each time the Linode boots, this file will be used to activate the firewall with the required rules.
/etc/iptables.firewall.rules

```
*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config, e.g. 8050
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# SIP on UDP port 5060, 5061 for secure signaling. Used for signals such as "hang up"
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5061 -j ACCEPT

# IAX2 - the IAX2 protocol - comment out if you don't plan to use IAX
# -A INPUT -p udp -m udp --dport 4569 -j ACCEPT

# IAX - old IAX protocol, uncomment if needed for legacy systems.
# -A INPUT -p udp -m udp --dport 5036 -j ACCEPT

# RTP - the media stream - you can change this in /etc/asterisk/rtp.conf
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

# MGCP - if you use Media Gateway Control Protocol in your configuration
-A INPUT -p udp -m udp --dport 2727 -j ACCEPT

# Uncomment these lines if you plan to use FreePBX to manage Asterisk
# -A INPUT -p tcp --dport 80 -j ACCEPT
# -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
```

Note: Leave IAX commented out unless you know you need it. IAX is "Inter-Asterisk Exchange" and was meant to allow multiple Asterisk servers to communicate with one another. Some VoIP trunking providers use this, but most use SIP. Unless your VoIP provider requires it or you are running multiple Asterisk servers, you probably won't need IAX or IAX2.
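Before activating a rules file like the one above, it helps to review exactly which inbound ports it opens, since a stray uncommented IAX or FreePBX line widens exposure. The following is an added example, not part of the Linode guide, that parses iptables-restore syntax and lists the active INPUT ACCEPT ports; the embedded rules are a constructed subset of the file above.

```python
# Added example: summarise which inbound ports an iptables-restore rules file
# (such as /etc/iptables.firewall.rules) accepts, ignoring commented-out lines.
import shlex

# Constructed sample mirroring the guide's file; IAX2 and HTTP stay commented out.
SAMPLE_RULES = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
# -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# -A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
COMMIT
"""

def accepted_inbound_ports(rules_text):
    """Return a sorted list of (proto, dport) for active INPUT rules that ACCEPT a port."""
    ports = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        # Skip blank lines, comments (including commented-out rules), table headers and COMMIT.
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        tokens = shlex.split(line)  # handles the quoted --log-prefix value
        if tokens[:2] != ["-A", "INPUT"] or "--dport" not in tokens:
            continue
        if "-j" not in tokens or tokens[tokens.index("-j") + 1] != "ACCEPT":
            continue
        proto = tokens[tokens.index("-p") + 1] if "-p" in tokens else "any"
        ports.append((proto, tokens[tokens.index("--dport") + 1]))
    return sorted(ports)

def port_is_open(rules_text, proto, port):
    """True if a single port number falls inside an accepted --dport value or range."""
    for p, spec in accepted_inbound_ports(rules_text):
        if p != proto:
            continue
        low, _, high = spec.partition(":")  # "10000:20000" is a range, "5060" a single port
        if int(low) <= port <= int(high or low):
            return True
    return False

if __name__ == "__main__":
    for proto, spec in accepted_inbound_ports(SAMPLE_RULES):
        print(f"{proto}/{spec}")
```

Run it against the real file with `accepted_inbound_ports(open("/etc/iptables.firewall.rules").read())` to confirm only the ports you intend (SSH, SIP, RTP, MGCP) are listed.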