[arm-allstar] Restrict Inbound Connections by Node Number?

Joel x-rad at frontier.com
Wed Mar 2 17:00:16 EST 2016


David Andrzejewski via arm-allstar wrote:
> Is there a way to restrict inbound allstar connections to specific nodes, similar to how you can do it with EchoLink?

Another way is to block the iax udp packets using netfilter. You can use our "asnode.org" domain to update the firewall via a cron job to handle IP changes on nodes you do want to allow.

One-time items
------------------
Create a new chain for all the iax packets to hit:
iptables -N iax

In your INPUT chain, grab all iax packets and divert them to your new table. (This covers a range of ports that most everyone uses, 4560-4580, but you could make it specific or use a different range.)
iptables -I INPUT 1 -p udp --dport 4560:4580 -j iax

You can use iptables-save to save this part, and call it back on boot so it's always in place.
--------------------------


Then make a simple shell script with the nodes you want to allow in, and end it with a REJECT of everything else. Put in as many of the -j ACCEPT lines as you need to accommodate all the nodes you WANT to connect. The first line here flushes (deletes) anything already in the table (clears it), then add in all the ones you want to allow, and END with a "Reject all others".

iptables -F iax
iptables -A iax -s 12345.asnode.org -j ACCEPT
iptables -A iax -j REJECT

Then set up a cron job to re-run the above lines at some interval (say once an hour??) to refresh this in the event some node's public IP changes.

73's
Joel/N7GLV
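The cron script described above, as an added example that is not part of Joel's post or of any AllStar/asnode.org tooling. It assumes the one-time items have been done (the "iax" chain exists and INPUT jumps to it), and it loads the allow list with iptables-restore -n (no flush of other chains) instead of running iptables -F / -A one line at a time, so the chain is replaced as one unit: if a node name fails to resolve, the old rules stay in place rather than leaving the chain half-built without its final REJECT. The node names and the script path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Rebuilds the "iax" chain from a
# list of allowed node hostnames and ends it with REJECT, as Joel describes.
# Assumes: `iptables -N iax` and the INPUT jump were created once already,
# and this script runs as root (e.g. hourly from cron with --apply).

# Constructed list of allowed nodes; replace with your own <node>.asnode.org names.
ALLOWED_NODES="12345.asnode.org 23456.asnode.org"

build_iax_rules() {
    # $1: whitespace-separated allowed sources (hostnames or IPs).
    # Emits iptables-restore input that replaces the contents of the "iax"
    # chain: one ACCEPT per allowed source, then REJECT for everything else.
    # The ":iax" line makes iptables-restore -n flush just that chain.
    printf '%s\n' '*filter' ':iax - [0:0]'
    for src in $1; do
        # Only allow characters that can appear in a hostname, IP or CIDR;
        # anything else is skipped so a bad token cannot become a rule.
        case $src in
            *[!A-Za-z0-9.:/-]*)
                echo "skipping unexpected token: $src" >&2
                continue
                ;;
        esac
        printf '%s\n' "-A iax -s $src -j ACCEPT"
    done
    printf '%s\n' '-A iax -j REJECT' 'COMMIT'
}

apply_iax_rules() {
    # Parse and resolve everything first (-t only tests), then commit.
    # A hostname that does not resolve fails the test run and the chain
    # keeps its previous rules until the next cron run.
    build_iax_rules "$1" | iptables-restore -n -t || return 1
    build_iax_rules "$1" | iptables-restore -n
}

case "${1:-}" in
    --apply) apply_iax_rules "$ALLOWED_NODES" ;;
    "")      build_iax_rules "$ALLOWED_NODES" ;;   # dry run: print what would be loaded
esac
```

Run it with no arguments to see the rule set it would load, and from cron with --apply, for example `0 * * * * /usr/local/sbin/iax-allow.sh --apply` (path is a placeholder). Note that a hostname in an -s rule is resolved only when the rule is loaded, which is why the refresh is needed at all, and that between refreshes a node whose IP changed is blocked (or, if the old address was reassigned, still allowed) until the next run.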
