[arm-allstar] Adding IP table rules so only my SIP provider can connect to my node (stop hacking attempts)

Doug Crompton wa3dsp at gmail.com
Sat Aug 18 15:55:52 EDT 2018


Vendel,

 That is pretty easy to achieve as we do it now for port 5038 when using
supermon and remote management. I do it here on my asterisk PBX. Here is an
example script -

#!/bin/bash
# Block port 5060 except from desired locations.

IPT=/sbin/iptables

### Flush any existing rules, preparing to reload...
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F #ignore error here if mangle module isn't loaded
$IPT -X #deletes every non-builtin chain in the table

# Allow SIP from the local network.
$IPT -A INPUT -p udp -s 192.168.0.0/16 --dport 5060 -j ACCEPT

# Allow SIP from every IPv4 address the provider's name resolves to.
# ahostsv4 returns IPv4 only; a name can resolve to more than one address.
for IP in $(getent ahostsv4 washington.voip.ms | awk '{ print $1 }' | sort -u)
do
    $IPT -A INPUT -p udp -s "$IP" --dport 5060 -j ACCEPT
done

# Drop SIP from everywhere else.
$IPT -A INPUT -p udp --dport 5060 -j DROP
# END OF SCRIPT

Edit this script - change the URL "washington.voip.ms" to your provider's
URL. I assume you are using port 5060. Save this script, call it
block_5060.sh; it can go anywhere but I suggest /etc/asterisk/local. Then
make it executable - chmod 750 block_5060.sh - then run it with cron, say
once an hour or longer. I doubt the IP address is going to change that
often on a dedicated provider. I run it once a day here at 4:15 AM.

15 04 * * * /etc/asterisk/local/block_5060.sh

After this runs you can type /sbin/iptables -L to check that it is in
there. What this does is disallow any port 5060 but the one described from
getting in. You can add others also if desired.

If you have any questions get back to me.


73 Doug
WA3DSP
http://www.crompton.com/hamradio



On Sat, Aug 18, 2018 at 3:11 PM, "Vendel Boeree via arm-allstar" <
arm-allstar at hamvoip.org> wrote:

> Hi all, I'm new to the group and would like to know how to add IP table
> rules to allow my SIP provider to connect to my node and reject hacking
> attempts. I'd try Fail2ban but quite honestly installing it and setting it
> up makes my head spin. Thanks in advance, Vendel/ K2DSI.
>
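Added example, not part of the original message: a variant of the script
above that keeps the port 5060 rules in their own chain, so the rest of the
firewall (the port 5038 rules, for instance) is not flushed, and that leaves
the previous rules in place when the provider's name does not resolve. The
chain name SIP_ALLOW, the function names and the --apply switch are
assumptions made for this example.

```shell
#!/bin/bash
# Added example, not from the original message. SIP_ALLOW, valid_ipv4,
# render_rules and --apply are hypothetical names chosen for illustration.
IPT=/sbin/iptables
CHAIN=SIP_ALLOW
PROVIDER=washington.voip.ms   # host name used in the message above

# True only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Print the iptables commands that rebuild only the dedicated chain.
# Arguments: provider addresses. Returns 1 and prints nothing when none is
# valid, so a failed lookup never swaps working rules for "drop everything".
render_rules() {
    allow=""
    for ip in "$@"; do
        valid_ipv4 "$ip" || continue
        allow="$allow$IPT -A $CHAIN -p udp -s $ip --dport 5060 -j ACCEPT
"
    done
    [ -n "$allow" ] || return 1
    echo "$IPT -F $CHAIN"
    echo "$IPT -A $CHAIN -p udp -s 192.168.0.0/16 --dport 5060 -j ACCEPT"
    printf '%s' "$allow"
    echo "$IPT -A $CHAIN -p udp --dport 5060 -j DROP"
}

# Run as root with --apply (from cron, say); without it nothing is changed.
if [ "${1:-}" = "--apply" ]; then
    addrs=$(getent ahostsv4 "$PROVIDER" | awk '{ print $1 }' | sort -u)
    rules=$(render_rules $addrs) || {
        echo "no usable address for $PROVIDER; rules unchanged" >&2; exit 1; }
    $IPT -N "$CHAIN" 2>/dev/null || true          # create chain on first run
    $IPT -C INPUT -p udp --dport 5060 -j "$CHAIN" 2>/dev/null ||
        $IPT -I INPUT -p udp --dport 5060 -j "$CHAIN"
    echo "$rules" | while read -r cmd; do $cmd; done
fi
```

Check the result with /sbin/iptables -L SIP_ALLOW -n after the first run.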

