[arm-allstar] Restrict Inbound Connections by Node Number?
David McGough
kb4fxc at inttek.net
Wed Mar 2 17:40:37 EST 2016
Joel brings up a good point that, if you don't need full public access to
your node, restrict access via firewall rules! The firewall rule update
code could be run from the rc.updatenodelist script as well, making
firewall changes as node IP addresses change.
73, David KB4FXC
On Wed, 2 Mar 2016, Joel via arm-allstar wrote:
> David Andrzejewski via arm-allstar wrote:
> > Is there a way to restrict inbound allstar connections to specific nodes, similar to how you can do it with EchoLink?
>
> Another way is to block the IAX UDP packets using netfilter. You
> can use our "asnode.org" domain to update the firewall via a cron job to
> handle IP changes on nodes you do want to allow.
>
> One-time items
> ------------------
> Create a new chain for all the iax packets to hit..
> iptables -N iax
>
> In your INPUT chain grab all IAX packets and divert them to your new
> table. (This covers a range of ports that most everyone uses, but you
> could make it specific or a different range (4560-4580).)
> iptables -I INPUT 1 -p udp --dport 4560:4580 -j iax
>
> You can use iptables-save to save this part - and call it back on boot so it's always in place.
> --------------------------
>
>
> Then make a simple shell script with the nodes you want to allow in,
> and end it with REJECT of everything else. Put in as many of the -j
> ACCEPT lines as you need to accommodate all the nodes you WANT to
> connect. The first line here flushes (deletes) anything already in the
> table (clears it), then add in all the ones you want to allow, and END
> with a "Reject all others".
>
> iptables -F iax
> iptables -A iax -s 12345.asnode.org -j ACCEPT
> iptables -A iax -j REJECT
>
> Then set up a cron job to re-run the above lines at some interval (say
> once an hour??) to refresh this in the event some node's public IP
> changes.
>
> 73's
> Joel/N7GLV
>
>
> _______________________________________________
>
> arm-allstar mailing list
> arm-allstar at hamvoip.org
> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>
> Visit the BBB and RPi2 web page - http://hamvoip.org
>