In Ubuntu, the best way to ensure that the firewall is up and running and that your packet filtering or mangling rules are in place any time the network connection comes up, you should create a rule in the /etc/network/if-up.d folder. An alternative approach to that would be to put a “post-up” rule on whatever interface in you /etc/network/interfaces file. From my experience, so that your firewall rules can be easily maintained as well having the ability to make comments for each rule, it’s ideal to take advantage of the iptables-save and iptables-restore functionality.
In order to follow this procedure, the first time you set up the firewall, you will have to manually add all the firewall rules and then issue the iptables-save command. For sake of saving time, I will just provide you with the contents of my config file that can be restored with the iptables-restore < config_file command.
My file contains comments and a description for each mangle rule that I have applied. I have also tailored my firewall configuration to work with Polycom specifically. Please bear in mind, if you don’t append any additional custom rules to this file when you restore it, it will override any existing firewall configuration you may have. The main focus of the config file that I’m providing is strictly for applying outbound QoS rules to the ports that the OpenMCU-ru video conferencing server uses and it does not filter any additional traffic, which means a wide open firewall. To properly tag the packets throughout the full path of your network, you will also have to apply client side QoS rules on whatever device your connecting to the conference from. If you are using Polycom’s RealPresence Desktop H323 client in Windows, I have already documented how to tag the outbound packets client side here.
First, we need to create our /etc/network/if-up.d/iptables rule that will use the iptables-restore functionality to restore our configuration from a file. I like to store this config file here for easy access: /etc/iptables.up.rules. That can easily be accomplished with these few commands:
echo '#!/bin/sh' > /etc/network/if-up.d/iptables echo 'iptables-restore < /etc/iptables.up.rules' >> /etc/network/if-up.d/iptables chmod +x /etc/network/if-up.d/iptables
As I mentioned earlier, if you didn’t want to mess with all that, you could also just add the following line to whatever interface in your /etc/network/interfaces file:
post-up iptables-restore < /etc/iptables.up.rules
Here are the contents for the /etc/iptables.up.rules config file, it will set the DSCP to 26 for any signaling and 34 for any RTP:
# Generated by iptables-save v1.4.21 on Wed Feb 4 11:32:35 2015 *nat :PREROUTING ACCEPT [50:4828] :INPUT ACCEPT [50:4828] :OUTPUT ACCEPT [2:384] :POSTROUTING ACCEPT [2:384] COMMIT # Completed on Wed Feb 4 11:32:35 2015 # Generated by iptables-save v1.4.21 on Wed Feb 4 11:32:35 2015 *mangle :FORWARD ACCEPT [0:0] :INPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # SIP Signaling UDP -A OUTPUT -p udp -m udp --dport 5060:5061 -j DSCP --set-dscp 26 # SIP Signaling TCP -A OUTPUT -p tcp -m tcp --dport 5060:5061 -j DSCP --set-dscp 26 # Outbound RTP TCP -A OUTPUT -p tcp -m tcp --sport 10000:20000 -j DSCP --set-dscp 34 # Outbound RTP UDP -A OUTPUT -p udp -m udp --sport 10000:20000 -j DSCP --set-dscp 34 # H323 UDP Registration_Admission_Status (RAS) -A OUTPUT -p udp -m udp --dport 1719 -j DSCP --set-dscp 26 # H323 TCP Call_Signaling H225 -A OUTPUT -p tcp -m tcp --dport 1720 -j DSCP --set-dscp 26 # H323 TCP Call_Signaling H245 -A OUTPUT -p tcp -m tcp --dport 3230:3250 -j DSCP --set-dscp 26 # H323 UDP Call_Signaling H245 -A OUTPUT -p udp -m udp --dport 3230:3250 -j DSCP --set-dscp 34 COMMIT # Completed on Wed Feb 4 11:32:35 2015 # Generated by iptables-save v1.4.21 on Wed Feb 4 11:32:35 2015 *filter :INPUT ACCEPT [191:24234] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [78:15134] COMMIT # Completed on Wed Feb 4 11:32:35 2015