Configuring a Firewall for Centova Cast

Question:

How should I configure my firewall to allow access to Centova Cast?

Answer:

A full (standard) installation of Centova Cast uses the following TCP ports:

  • 2199 - the main Centova Cast web interface port; must be accessible to the public Internet
  • 2197 - the Centova Cast content delivery port; must be accessible to the public Internet
  • 21 - the FTP service port; optional, but must be accessible to the public Internet for FTP access. Note that passive-mode FTP transfers also use a data port range chosen by the FTP server; if that range is not open (or no FTP connection-tracking helper is loaded), clients can log in but cannot list or transfer files.
  • 80 - optional, but must be accessible to the public Internet for port 80 proxy access
  • Additionally, you must open ports for each of your hosted streams. Typically, SHOUTcast/IceCast servers are hosted on port 8000 and up, so opening ports 8000 - 10000 is suitable for most scenarios.

A control server installation of Centova Cast (wherein the web interface is hosted on a separate physical server) uses the following TCP ports:

  • 2197 - the Centova Cast content delivery port; must be accessible to the public Internet
  • 21 - the FTP service port; optional, but must be accessible to the public Internet for FTP access
  • 2198 - required for communication between the web interface and the control daemon; must be reachable only from the web interface server's IP address and must not be exposed to the public Internet
  • Additionally, you must open ports for each of your hosted streams. Typically, SHOUTcast/IceCast servers are hosted on port 8000 and up, so opening ports 8000 - 10000 is suitable for most scenarios.

The procedure for opening the required ports varies with your operating system and the firewall software installed on your server. Configuration instructions for several common firewall solutions are provided below. Please note, however, that this information is provided for the convenience of our customers only; Centova Technologies does not provide technical support or assistance with firewall configuration.
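To keep the two port lists in one place and generate the commands for either backend from them, here is an added example script written for this article (it is not part of Centova Cast). It assumes the port numbers listed above, uses the documentation address 203.0.113.10 as a placeholder web interface IP in its usage example, and covers only firewalld and raw iptables output (APF and CSF are configured through their files, as shown below, so they are not generated here). It prints commands rather than applying them; review the output, then pipe it to sh as root.

```bash
#!/usr/bin/env bash
# centova-fw-rules.sh (added example for this article; not Centova Cast code)
#
# Prints the firewall commands for a Centova Cast server from the port lists in the
# article, so the same port set is used on firewalld and raw iptables and the 2198
# source restriction cannot be forgotten on a control server. Nothing is applied.
#
# Usage: centova-fw-rules.sh <firewalld|iptables> <full|control> [WEB_INTERFACE_IP]
#   STREAM_PORTS=8000-8100 narrows the stream range (default 8000-10000, as in the article).

STREAM_PORTS="${STREAM_PORTS:-8000-10000}"

# Ports that must be reachable from anywhere, per install type.
public_ports() {
    case "$1" in
        full)    echo "2199 2197 21 80 $STREAM_PORTS" ;;
        control) echo "2197 21 $STREAM_PORTS" ;;
    esac
}

# centova_fw_rules BACKEND TYPE [WEB_IP]: print one command per line.
centova_fw_rules() {
    local backend="$1" type="$2" web_ip="${3:-}" p
    case "$backend" in firewalld|iptables) ;; *) echo "unknown backend: $backend" >&2; return 1 ;; esac
    case "$type" in full|control) ;; *) echo "unknown install type: $type" >&2; return 1 ;; esac
    if [ "$type" = control ] && [ -z "$web_ip" ]; then
        echo "a control server needs the web interface server's IP as the third argument" >&2
        return 1
    fi
    for p in $(public_ports "$type"); do
        if [ "$backend" = firewalld ]; then
            echo "firewall-cmd --permanent --add-port=${p}/tcp"
        else
            echo "iptables -A INPUT -p tcp -m tcp --dport ${p/-/:} -j ACCEPT"   # iptables writes ranges as a:b
        fi
    done
    if [ "$type" = control ]; then
        # 2198 is the web interface -> control daemon channel: accept it from that one address only.
        if [ "$backend" = firewalld ]; then
            echo "firewall-cmd --permanent --add-rich-rule=\"rule family='ipv4' source address='${web_ip}' port port='2198' protocol='tcp' accept\""
        else
            echo "iptables -A INPUT -s ${web_ip} -p tcp -m tcp --dport 2198 -j ACCEPT"
        fi
    fi
    if [ "$backend" = firewalld ]; then
        echo "firewall-cmd --reload"   # --permanent rules are inert until reloaded
    fi
}

# Example: bash centova-fw-rules.sh iptables control 203.0.113.10
if [ "$#" -ge 2 ]; then
    centova_fw_rules "$@"
fi
```

The firewalld rich rule is IPv4-only, matching the article; if the web interface server reaches the control server over IPv6, a second rule with family='ipv6' is needed, and on raw iptables the equivalent ip6tables rule.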

firewalld

firewalld is the default firewall solution on CentOS 7.

Full (Standard) Installation

On a full installation of Centova Cast:

# add rules
firewall-cmd --permanent --add-port=2199/tcp
firewall-cmd --permanent --add-port=2197/tcp
firewall-cmd --permanent --add-port=21/tcp
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=8000-10000/tcp
# reload firewall
firewall-cmd --reload

Control Server Installation

On a Centova Cast control server installation (controlled by a web interface on a separate server):

# add rules
firewall-cmd --permanent --add-port=2197/tcp
firewall-cmd --permanent --add-port=21/tcp
firewall-cmd --permanent --add-port=8000-10000/tcp
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='WEB_INTERFACE_IP' port port='2198' protocol='tcp' accept"
# reload firewall
firewall-cmd --reload

Replace WEB_INTERFACE_IP with the address from which the web interface server reaches the control server (normally its public IP address). Use a single host address here, not a subnet or 0.0.0.0/0; port 2198 should not be reachable from anywhere else.

APF (Advanced Policy Firewall)

APF can be configured as follows.

Full (Standard) Installation

On a full installation of Centova Cast, edit /etc/apf/conf.apf and find the line that begins with IG_TCP_CPORTS=. It should look something like:

# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995"

Change this line to include Centova Cast's required ports (2199, 2197, 21, 80, and 8000 through 10000). APF writes port ranges with an underscore, e.g.:

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2197,2199,8000_10000"

Save your changes, then restart APF:

apf -r

Control Server Installation

On a Centova Cast control server installation (controlled by a web interface on a separate server), edit /etc/apf/conf.apf and find the line that begins with IG_TCP_CPORTS=. It should look something like:

# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995"

Change this line to include Centova Cast's required ports (2197, 21 and 8000 through 10000), e.g.:

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2197,8000_10000"

Save your changes, then edit /etc/apf/allow_hosts.rules and add the following line:

tcp:in:d=2198:s=WEB_INTERFACE_IP

Replace WEB_INTERFACE_IP with the address from which the web interface server reaches the control server (normally its public IP address). Use a single host address here, not a subnet; port 2198 should not be reachable from anywhere else.

Save your changes, then restart APF:

apf -r

CSF (ConfigServer Firewall)

CSF can be configured as follows.

Full (Standard) Installation

On a full installation of Centova Cast, edit /etc/csf/csf.conf and find the line that begins with TCP_IN=. It should look something like:

# Allow incoming TCP ports
TCP_IN = "21,22,25,53,80,110,143,443,465,587,993,995"

Change this line to include Centova Cast's required ports (2199, 2197, 21, 80, and 8000 through 10000). Note that CSF writes port ranges with a colon (8000:10000), not the underscore APF uses, e.g.:

# Allow incoming TCP ports
TCP_IN = "21,22,25,53,80,110,143,443,465,587,993,995,2197,2199,8000:10000"

Save your changes, then restart CSF:

csf -r

Control Server Installation

On a Centova Cast control server installation (controlled by a web interface on a separate server), edit /etc/csf/csf.conf and find the line that begins with TCP_IN=. It should look something like:

# Allow incoming TCP ports
TCP_IN = "21,22,25,53,80,110,143,443,465,587,993,995"

Change this line to include Centova Cast's required ports (2197, 21 and 8000 through 10000), again using CSF's colon syntax for the range, e.g.:

# Allow incoming TCP ports
TCP_IN = "21,22,25,53,80,110,143,443,465,587,993,995,2197,8000:10000"

Save your changes, then edit /etc/csf/csf.allow and add the following line:

tcp|in|d=2198|s=WEB_INTERFACE_IP

Replace WEB_INTERFACE_IP with the address from which the web interface server reaches the control server (normally its public IP address). Use a single host address here, not a subnet; port 2198 should not be reachable from anywhere else.

Save your changes, then restart CSF:

csf -r

iptables

iptables is the basic packet filtering system underlying most distributions' firewall solutions. If you are using a higher-level firewall solution (such as firewalld, APF or CSF) you should not use these commands: those tools rewrite the iptables rule set whenever they reload, so rules added by hand will be discarded or reordered.

Further caveats:

  • These commands only take effect from the moment they are invoked until the machine is rebooted; they are not saved, and will need to be reapplied after reboot. Linux distributions provide varying mechanisms to automate the save/load procedure (for example the iptables-services package and "service iptables save" on CentOS/RHEL, or the iptables-persistent / netfilter-persistent package on Debian and Ubuntu); consult your distribution's documentation for details.

  • Rule order matters. iptables evaluates a chain from top to bottom and stops at the first matching rule, and -A appends to the end of the chain. If your INPUT chain already ends in a catch-all DROP or REJECT rule, rules appended after it will never match; in that case insert them ahead of it with -I INPUT <position> instead of -A, and check the resulting order with iptables -S INPUT.

  • If your server has been configured with custom rule chains, or if you have a complicated network interface configuration, these rules may not work as-is. Ask your systems administrator to tailor them to your needs as appropriate.

  • In brief, consider these rules as a starting point only; you are mostly on your own if you are invoking iptables manually.

Full (Standard) Installation

On a full installation of Centova Cast:

iptables -A INPUT -p tcp -m tcp --dport 2199 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2197 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8000:10000 -j ACCEPT

Control Server Installation

On a Centova Cast control server installation (controlled by a web interface on a separate server):

iptables -A INPUT -p tcp -m tcp --dport 2197 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8000:10000 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2198 -s WEB_INTERFACE_IP -j ACCEPT

Replace WEB_INTERFACE_IP with the address from which the web interface server reaches the control server (normally its public IP address). Use a single host address here, not a subnet or 0.0.0.0/0; port 2198 should not be reachable from anywhere else.
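The two iptables caveats above (rules appended behind an existing catch-all REJECT, and port 2198 accidentally opened to everyone) are easy to miss by eye in a long chain. The following is an added example audit script written for this article, not part of Centova Cast: it reads the output of iptables -S INPUT and reports a verdict per required port. The two rule listings embedded in it are constructed for the example (not captured from a real host), and the web interface address 203.0.113.10 is a documentation placeholder.

```bash
#!/usr/bin/env bash
# audit-input-chain.sh (added example for this article; not Centova Cast code)
#
# Reads an INPUT chain listing in `iptables -S INPUT` format and gives one verdict per
# required port:
#   OK             an effective ACCEPT exists (restricted to the allowed source where required)
#   MISSING        no ACCEPT for the port at all
#   SHADOWED       an ACCEPT exists but sits after a catch-all DROP/REJECT, so it never matches
#   EXPOSED        a port that must be limited to one source has an ACCEPT with no -s restriction
#   OPEN_BY_POLICY no ACCEPT, but the chain policy is ACCEPT and there is no catch-all rule
#
# Live use on a control server:  iptables -S INPUT | bash audit-input-chain.sh WEB_INTERFACE_IP

# Constructed sample: the article's rules were appended with -A behind an existing
# catch-all REJECT, and 2198 was opened without the -s restriction.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2197 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2198 -j ACCEPT'

# Same host after the fix: rules inserted ahead of the catch-all, 2198 limited to the web server.
FIXED_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2197 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000:10000 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 2198 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# audit_port LISTING DPORT [ALLOWED_SRC]
# DPORT is written exactly as iptables prints it (2197, 8000:10000). ALLOWED_SRC, when given,
# is the single address that may reach the port; any unrestricted ACCEPT is then a finding.
audit_port() {
    local rules="$1" port="$2" allowed="${3:-}"
    local line policy=DROP catchall=0 status=MISSING
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT "*) policy="${line##* }"; continue ;;
            "-A INPUT -j DROP"*|"-A INPUT -j REJECT"*) catchall=1; continue ;;   # no match criteria: nothing after it is evaluated
            *" --dport $port "*"-j ACCEPT"*) ;;                                   # an ACCEPT for our port; examine below
            *) continue ;;
        esac
        if [ -n "$allowed" ] && [[ "$line" != *" -s "* ]]; then
            status=EXPOSED   # wrong wherever it sits: effective now, or as soon as the ordering is fixed
            continue
        fi
        if [ "$catchall" -eq 1 ]; then
            if [ "$status" = MISSING ]; then status=SHADOWED; fi
            continue
        fi
        if [ -z "$allowed" ] || [[ "$line" == *" -s $allowed/32 "* || "$line" == *" -s $allowed "* ]]; then
            if [ "$status" != EXPOSED ]; then status=OK; fi
        fi
        # an ACCEPT limited to some other source neither grants the expected access nor exposes the port
    done <<< "$rules"
    if [ "$status" = MISSING ] && [ "$catchall" -eq 0 ] && [ "$policy" = ACCEPT ]; then
        status=OPEN_BY_POLICY   # reachable only because the chain default lets everything in
    fi
    echo "$status"
}

# audit_control LISTING WEB_IP: one "port verdict" line per port a control server needs.
audit_control() {
    local rules="$1" web_ip="$2" p
    for p in 2197 21 8000:10000; do
        echo "$p $(audit_port "$rules" "$p")"
    done
    echo "2198 $(audit_port "$rules" 2198 "$web_ip")"
}

if [ "$#" -eq 1 ]; then
    audit_control "$(cat)" "$1"
fi
```

On the constructed broken listing the script reports 2197 OK, 21 SHADOWED, 8000:10000 MISSING and 2198 EXPOSED; on the fixed listing every port is OK. It only understands rules that match on --dport directly in INPUT; a chain that jumps into custom sub-chains (as CSF and firewalld create) needs the matching done across the full ruleset and is out of scope here.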