A full (standard) installation of Centova Cast uses the following TCP ports:
- 2199 - the main Centova Cast web interface port; must be accessible to the public Internet
- 2197 - the Centova Cast content delivery port; must be accessible to the public Internet
- 21 - the FTP service port; optional, but must be accessible to the public Internet for FTP access
- 80 - optional, but must be accessible to the public Internet for port 80 proxy access
Additionally, you must open ports for each of your hosted streams. Typically, SHOUTcast/IceCast servers are hosted on port 8000 and up, so opening ports 8000 - 10000 is suitable for most scenarios.
A control server installation of Centova Cast (wherein the web interface is hosted on a separate physical server) uses the following TCP ports:
- 2197 - the Centova Cast content delivery port; must be accessible to the public Internet
- 21 - the FTP service port; optional, but must be accessible to the public Internet for FTP access
- 2198 - required for communication between the web interface and the control daemon; should only be accessible to the web interface server's IP address
Additionally, you must open ports for each of your hosted streams. Typically, SHOUTcast/IceCast servers are hosted on port 8000 and up, so opening ports 8000 - 10000 is suitable for most scenarios.
The procedure for opening the required ports will vary depending on your operating system and the firewall software installed on your server. Configuration instructions for several common firewall solutions are provided below. Please note, however, that this information is provided for the convenience of our customers only; Centova Technologies does not provide technical support or assistance with firewall configuration.
firewalld
firewalld is the default firewall solution on CentOS 7.
Full (Standard) Installation
On a full installation of Centova Cast:
# add rules
firewall-cmd --permanent --add-port=2199/tcp
firewall-cmd --permanent --add-port=2197/tcp
firewall-cmd --permanent --add-port=21/tcp
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=8000-10000/tcp
# reload firewall
firewall-cmd --reload
Control Server Installation
On a Centova Cast control server installation (controlled by a web interface on a separate server):
# add rules
firewall-cmd --permanent --add-port=2197/tcp
firewall-cmd --permanent --add-port=21/tcp
firewall-cmd --permanent --add-port=8000-10000/tcp
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='WEB_INTERFACE_IP' port port='2198' protocol='tcp' accept"
# reload firewall
firewall-cmd --reload
Replace WEB_INTERFACE_IP with the public IP address of your web interface server.
APF (Advanced Policy Firewall)
APF can be configured as follows.
Full (Standard) Installation
On a full installation of Centova Cast, edit /etc/apf/conf.apf and find the line that begins with IG_TCP_CPORTS=. It should look something like:
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995"
Change this line to include Centova Cast's required ports (2199, 2197, 21, 80, and 8000 through 10000), e.g.:
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2197,2199,8000_10000"
Save your changes, then restart APF:
apf -r
Control Server Installation
On a Centova Cast control server installation (controlled by a web interface on a separate server), edit /etc/apf/conf.apf and find the line that begins with IG_TCP_CPORTS=. It should look something like:
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995"
Change this line to include Centova Cast's required ports (2197, 21 and 8000 through 10000), e.g.:
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2197,8000_10000"
Save your changes, then edit /etc/apf/allow_hosts.rules and add the following line:
tcp:in:d=2198:s=WEB_INTERFACE_IP
Replace WEB_INTERFACE_IP with the public IP address of your web interface server.
Save your changes, then restart APF:
apf -r
CSF (Configserver Firewall)
CSF can be configured as follows.
Full (Standard) Installation
On a full installation of Centova Cast, edit /etc/csf/csf.conf and find the line that begins with TCP_IN=. It should look something like:
# Allow incoming TCP ports
TCP_IN = "21,22,25,53,80,110,143,443,465,587,993,995"
Change this line to include Centova Cast's required ports (2199, 2197, 21, 80, and 8000 through 10000), e.g.:
# Allow incoming TCP ports
TCP_IN = "21,22,25,53,80,110,143,443,465,587,993,995,2197,2199,8000:10000"
Save your changes, then restart CSF:
csf -r
Control Server Installation
On a Centova Cast control server installation (controlled by a web interface on a separate server), edit /etc/csf/csf.conf and find the line that begins with TCP_IN=. It should look something like:
# Allow incoming TCP ports
TCP_IN = "21,22,25,53,80,110,143,443,465,587,993,995"
Change this line to include Centova Cast's required ports (2197, 21 and 8000 through 10000), e.g.:
# Allow incoming TCP ports
TCP_IN = "21,22,25,53,80,110,143,443,465,587,993,995,2197,8000:10000"
Save your changes, then edit /etc/csf/csf.allow and add the following line:
tcp|in|d=2198|s=WEB_INTERFACE_IP
Replace WEB_INTERFACE_IP with the public IP address of your web interface server.
Save your changes, then restart CSF:
csf -r
iptables
iptables is the basic packet filtering system underlying most distributions' firewall solutions. If you are using a higher-level firewall solution you should not use these commands.
Further caveats:
- These commands only take effect from the moment they are invoked until the machine is rebooted; they are not saved, and will need to be reapplied after reboot. Linux distributions provide varying mechanisms to automate the save/load procedure; consult your distribution's documentation for details.
- Rule order matters. If other iptables rules exist on your server, the rules below may need to be applied either before or after the existing rules in order to achieve the intended effects.
- If your server has been configured with custom rule chains, or if you have a complicated network interface configuration, these rules may not work as-is. Ask your systems administrator to tailor them to your needs as appropriate.
- In brief, consider these rules as a starting point only; you are mostly on your own if you are invoking iptables manually.
Full (Standard) Installation
On a full installation of Centova Cast:
iptables -A INPUT -p tcp -m tcp --dport 2199 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2197 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8000:10000 -j ACCEPT
Control Server Installation
On a Centova Cast control server installation (controlled by a web interface on a separate server):
iptables -A INPUT -p tcp -m tcp --dport 2197 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8000:10000 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2198 -s WEB_INTERFACE_IP -j ACCEPT
Replace WEB_INTERFACE_IP with the public IP address of your web interface server.
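The following is an added example, not part of the original Centova documentation: a shell function that reads iptables -S INPUT output and reports any ACCEPT rule that lets a source other than the web interface server reach port 2198, since rule order and overlapping port ranges can undo the restriction above. The function name audit_2198, the sample rule sets and the address 203.0.113.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `iptables -S INPUT` output for exposure of TCP 2198.
# Live use (as root):  iptables -S INPUT | audit_2198 WEB_INTERFACE_IP

audit_2198() {
    # $1 = the only source address allowed to reach port 2198.
    # Prints each offending rule; returns 1 if any was found, 0 otherwise.
    # Assumption: only rules with an explicit --dport are examined.
    awk -v ip="$1" '
        $1 == "-A" && $2 == "INPUT" {
            src = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s")      src    = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (target != "ACCEPT" || dport == "") next
            n  = split(dport, r, ":")          # "2198" or "8000:10000"
            lo = r[1] + 0
            hi = (n == 2 ? r[2] : r[1]) + 0
            if (lo <= 2198 && 2198 <= hi && src != ip && src != (ip "/32")) {
                print "EXPOSED: " $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the control server rules from this page, with
# 203.0.113.10 (a documentation address) standing in for WEB_INTERFACE_IP.
RULES_OK='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 2197 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000:10000 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 2198 -j ACCEPT'

# Constructed sample: the stream port range was widened downward, so an
# unrestricted ACCEPT now covers 2198 as well.
RULES_BAD='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 2000:10000 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 2198 -j ACCEPT'

printf '%s\n' "$RULES_OK"  | audit_2198 203.0.113.10 && echo "ok: 2198 restricted"
printf '%s\n' "$RULES_BAD" | audit_2198 203.0.113.10 || echo "fail: 2198 reachable from other sources"
```

The check does not model DROP or REJECT rules that precede an ACCEPT, so a reported rule should be read against the full chain order before it is changed.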