Configure iptables

Ports 7080 and 22 on the server hosting NexOSS must be open for external connections. Otherwise, users will not be able to access the NexOSS web interface (port 7080) or to copy files from Acme Packet SBCs using SFTP (port 22). If the iptables of the host server are not configured correctly, these ports will be blocked to external connections after each reboot of the host server. This section provides general instructions on how iptables should be edited to ensure ports 7080 and 22 remain open after a system reboot.

If the iptables are blocking ports 7080 and 22, then a quick way to open the ports when NexOSS is running is to flush the iptables using the /sbin/iptables –flush command. This command will detect all ports that applications are listening on and open those ports. The flush command will need to be run after each system reboot if the iptables are not configured as described in these instructions.

  • Modifying iptables using the System Console

    • Navigate to “Security Level and Firewall”

    • Expand the “Other ports” option.

    • Add the ports that you wish to remain open after a system reboot. This screenshot shows port 5045, but NexOSS requires port 7080 and protocol tcp for web interface access.

    • SFTP, used to copy CDR files from the SBC to NexOSS, uses SSH which opens port 22. Check the SSH box and click the “Apply” button.

    • Click “Yes”, and then “OK”.

  • Modifying iptables using the Command Line Interface

   Become super-user
   [ossadmin@sdreporter ~]$ su
   Password:
   [root@sdreporter ossadmin]#
  • Edit the iptables file: /etc/sysconfig/iptables

    This is an example of a default iptables file before being edited.

      # Firewall configuration written by system-config-securitylevel
      # Manual customization of this file is not recommended.
      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      :RH-Firewall-1-INPUT - [0:0]
      -A INPUT -j RH-Firewall-1-INPUT
      -A FORWARD -j RH-Firewall-1-INPUT
      -A RH-Firewall-1-INPUT -i lo -j ACCEPT
      -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
      -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
      -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
      -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
      -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
      -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
      -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
      -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
      -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    

    This is the iptables file after it has been edited to keep port 7080 open after the system is rebooted.

      # Firewall configuration written by system-config-securitylevel
      # Manual customization of this file is not recommended.
      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      :RH-Firewall-1-INPUT - [0:0]
      -A INPUT -j RH-Firewall-1-INPUT
      -A FORWARD -j RH-Firewall-1-INPUT
      -A RH-Firewall-1-INPUT -i lo -j ACCEPT
      -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
      -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
      -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
      -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
      -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
      -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
      -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
      -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
      -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7080 -j ACCEPT
      -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    
  • The last step is to restart the iptables.

   [root@sdreporter ossadmin]# /etc/init.d/iptables restart
   Flushing firewall rules: [ OK ]
   Setting chains to policy ACCEPT: filter [ OK ]
   Unloading iptables modules: [ OK ]
   Applying iptables firewall rules: [ OK ]
   Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]ntrack_ftp
   [root@sdreporter ossadmin]#