[arm-allstar] Adding IP table rules so only my SIP provider can connect to my node (stop hacking attempts)

Hi all,

I would like to know how to add iptables rules to allow my SIP provider to connect to my node and reject hacking attempts. I'd try Fail2ban, but quite honestly installing it and setting it up makes my head spin.

Thanks in advance,
Vendel / K2DSI

---

That is pretty easy to achieve, as we do it now for port 5038 when using Supermon and remote management. I do it here on my Asterisk PBX. Here is an example script - [WA3DSP]

###############################################################
#!/bin/bash
# Block port 5060 except from desired locations.

IPT=/sbin/iptables

### Flush any existing rules, preparing to reload...
# Note: this wipes every rule in the filter, nat and mangle tables,
# including any other rules (e.g. for port 5038) already on the box.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F   # ignore the error here if the mangle module isn't loaded
$IPT -X             # deletes every non-builtin chain in the table

# Always allow the local LAN.
$IPT -A INPUT -p udp -s 192.168.0.0/16 --dport 5060 -j ACCEPT

# Allow the provider. getent ahostsv4 returns only IPv4 addresses (an IPv6
# address would not be accepted by iptables -s), one line per socket type,
# so deduplicate and add one rule per distinct address.
for IP in $(getent ahostsv4 newyork4.voip.ms | awk '{ print $1 }' | sort -u) ; do
    $IPT -A INPUT -p udp -s "$IP" --dport 5060 -j ACCEPT
done

# Drop everything else aimed at 5060.
$IPT -A INPUT -p udp --dport 5060 -j DROP

# END OF SCRIPT
##########################################################################

Edit this script - change the URL "washington.voip.ms" to your provider's URL. I assume you are using port 5060. Save this script and call it block_5060.sh; it can go anywhere, but I suggest /etc/asterisk/local. Then make it executable - chmod 750 block_5060.sh - and run it from cron, say once an hour or longer. I doubt the IP address is going to change that often on a dedicated provider. I run it once a day here at 4:15 AM:

15 04 * * * /etc/asterisk/local/block_5060.sh

After this runs you can type /sbin/iptables -L to check that it is in there. What this does is disallow any port 5060 traffic except from the addresses described from getting in. You can add others also if desired. If you have any questions get back to me.

73 Doug
WA3DSP
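The following is an added example and not the script from the post above; it takes the same approach (resolve the provider, ACCEPT it on 5060, DROP the rest) but addresses three things a practitioner would want from a cron-driven refresh: it keeps the allow-list in a dedicated chain so the refresh does not flush every other rule on the node (the 5038/Supermon rules would otherwise disappear on every run), it validates each address the resolver returns before splicing it into an iptables command, and it leaves the chain untouched when no provider address resolves, so a DNS hiccup at 4:15 AM does not lock the provider out until the next run. The provider hostnames, the chain name SIP_ALLOW and the LAN range are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the script from the list post): refresh a dedicated
# iptables chain with the SIP provider's current IPv4 addresses.
# Hostnames, chain name and LAN range below are assumptions; adjust to taste.
set -u

IPT=${IPT:-/sbin/iptables}
CHAIN=${CHAIN:-SIP_ALLOW}
PORT=${PORT:-5060}
LAN=${LAN:-192.168.0.0/16}
PROVIDERS=${PROVIDERS:-"newyork4.voip.ms washington.voip.ms"}   # assumed hosts

# is_ipv4 ADDR: succeed only for a plain dotted quad with each octet 0-255,
# so nothing but an address ever reaches the iptables command line.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o; do
        [ "$o" -le 255 ] || return 1
    done
}

# resolve_v4 HOST: print the host's IPv4 addresses, one per line. getent
# ahostsv4 repeats each address once per socket type, hence the sort -u.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# filter_addrs: read candidate addresses on stdin, print the valid IPv4 ones
# deduplicated; fail (status 1) if none survive.
filter_addrs() {
    kept=$(while read -r a; do
               if is_ipv4 "$a"; then
                   printf '%s\n' "$a"
               else
                   printf 'ignoring non-IPv4 resolver output: %s\n' "$a" >&2
               fi
           done | sort -u)
    [ -n "$kept" ] || return 1
    printf '%s\n' "$kept"
}

# build_rules SRC...: print the iptables commands that rebuild $CHAIN with an
# ACCEPT per SRC and a final DROP, then hook the chain into INPUT exactly once.
# Text only, so the plan can be reviewed before it touches the live firewall.
build_rules() {
    echo "$IPT -N $CHAIN 2>/dev/null || true"
    echo "$IPT -F $CHAIN"
    for src; do
        echo "$IPT -A $CHAIN -p udp -s $src --dport $PORT -j ACCEPT"
    done
    echo "$IPT -A $CHAIN -p udp --dport $PORT -j DROP"
    echo "$IPT -C INPUT -p udp --dport $PORT -j $CHAIN 2>/dev/null ||" \
         "$IPT -I INPUT -p udp --dport $PORT -j $CHAIN"
}

# plan: resolve every provider and print the rule set; refuse to produce a
# plan (and so leave the existing chain alone) when nothing resolved.
plan() {
    addrs=$(for h in $PROVIDERS; do resolve_v4 "$h"; done | filter_addrs) || {
        echo "no provider address resolved; leaving $CHAIN untouched" >&2
        return 1
    }
    build_rules "$LAN" $addrs
}

case "${1:-}" in
    --show)  plan ;;
    --apply) rules=$(plan) || exit 1; printf '%s\n' "$rules" | sh -e ;;
esac
```

Run it with `--show` first to see the rule set it would apply, then from cron as `15 04 * * * /etc/asterisk/local/sip_allow.sh --apply` (path and filename are assumed). Because only the SIP_ALLOW chain is flushed, any rules for port 5038 or anything else added by hand survive each refresh; `iptables -L SIP_ALLOW -n` shows the current allow-list.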