gid01
iptables: allow certain ips and block all other connection
How do I allow certain ips and block all other connection in iptables?
ASKER
I run an Asterisk server for my small business, would this be a good way to prevent unauthorized access to my system?
Of course. You should NEVER take network security for granted. You should block IPs that are not valuable and also block all the ports that are not used. Obviously you would not want your system to be compromised, and multiple layers of security are better.
I agree completely with farzanj.
Since you're talking about an Asterisk server, if you have IAX2 or SIP ports exposed on the internet (for remote phones, and/or connections to a VoIP provider, and/or connections to another PBX), it would be particularly prudent to restrict access for those ports to specific IPs if you can.
For SIP, a large range of UDP ports is needed for allowing (voice) data transfer between endpoints after establishing a session (a symptom of a problem with this is being able to dial, but there's no sound). The default range for this if I recall correctly is 16384 - 32768, but it could be different (if you're connecting to a SIP provider check what they require also). Some router/firewalls have SIP "helpers" that if enabled, automatically open these data ports for established sessions - if you have this available, it is preferable over having to open the large range of ports outright.
ASKER
If I block all IPs except for a few essential IPs that are needed to run Asterisk, why should I have rules to block unnecessary ports too?
Because, if a hacker uses simple packet sniffing utilities to sniff the packets coming to your network, he will have a pretty good idea as to what IP addresses get accepted at your network. He will then use another simple utility to scan all the ports, the standard procedure before hacking. Then he would spoof packets with the acceptable IP address and open ports to launch his attack. Hackers play all kinds of games. We as security guys try to keep it as restricted as possible to make their game a little harder.
You should have NO services running that are not being used. They only open ports and make you an easy target of an attack.
I tend to agree with farzanj.
However, I also believe you should balance usage with security.
This said, how about adding a file with all the IP addresses you want open?
You can use the attached code snippets as examples to do that.
IPFILE (assume these are the IP addresses you want open, one per line):
100.100.100.100
101.101.101.101
...
Iptables Script:
#!/bin/bash
# Start of script
# Variables
ipt=$(command -v iptables)
# Policies: drop everything inbound and forwarded by default, allow outbound
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT # I avoid problems with this
# Loopback and replies to our own outbound connections must stay open,
# otherwise the DROP policy also breaks DNS lookups and local services
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Examine the IP addresses file and open input to those IPs
# (read -r keeps each line verbatim; blank lines and # comments are skipped)
while read -r ip; do
    case "$ip" in ''|\#*) continue ;; esac
    $ipt -A INPUT -s "$ip" -j ACCEPT
done < IPFILE
# End of script
Then you allow some traffic
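The approach the thread converges on (a default-DROP INPUT policy, per-source ACCEPT rules from an allow-list file, and those rules narrowed further to the SIP, IAX2 and RTP ports the PBX actually uses) as an added example that is not part of the original thread and not code from any of the posters. It writes the ruleset in iptables-restore format instead of calling iptables directly, so the result can be read and checked before it is loaded. The port numbers, the RTP range and the SSH rule are assumptions, not values from the page: a stock Asterisk rtp.conf uses 10000-20000, the poster above recalled a different range, so check your own rtp.conf and your provider's documentation and adjust the constants.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates an
# iptables-restore ruleset in which only allow-listed source addresses may
# reach the Asterisk signalling ports and the RTP media range; everything
# else inbound is logged (rate-limited) and dropped by the INPUT policy.
#
# Assumed values, none of which come from the page: SIP 5060/udp,
# IAX2 4569/udp, RTP 10000-20000/udp (a stock rtp.conf), SSH 22/tcp.
# Check sip.conf, iax.conf, rtp.conf and your provider's documentation.
SIP_PORT=5060
IAX2_PORT=4569
RTP_RANGE="10000:20000"
SSH_PORT=22

# Turn one line of the allow-list file into "addr/prefix".
# Comments (# ...) and blank lines are skipped (return status 1);
# bare addresses get an explicit /32 so every rule is unambiguous.
normalize_ip() {
    ip=${1%%#*}
    ip=$(printf '%s' "$ip" | tr -d '[:space:]')
    [ -n "$ip" ] || return 1
    case "$ip" in
        */*) printf '%s\n' "$ip" ;;
        *)   printf '%s/32\n' "$ip" ;;
    esac
}

# Print a complete *filter table for iptables-restore.
# Usage: gen_rules IPFILE > rules.v4   (review it, then iptables-restore < rules.v4)
gen_rules() {
    ipfile=$1
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Without these rules a DROP policy also kills loopback traffic and the
    # replies to the PBX's own outbound DNS/NTP/registration requests.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # One rule group per allow-listed source. RTP is restricted per source as
    # well: media can arrive from the provider's media servers before we have
    # sent anything, so those networks belong in the file, not only the proxy.
    while IFS= read -r line || [ -n "$line" ]; do
        src=$(normalize_ip "$line") || continue
        echo "-A INPUT -s $src -p udp --dport $SIP_PORT -j ACCEPT"
        echo "-A INPUT -s $src -p udp --dport $IAX2_PORT -j ACCEPT"
        echo "-A INPUT -s $src -p udp --dport $RTP_RANGE -j ACCEPT"
        echo "-A INPUT -s $src -p tcp --dport $SSH_PORT -j ACCEPT"
    done < "$ipfile"
    # Log what the policy is about to drop, at a rate that cannot fill the disk.
    echo '-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ipt-drop: "'
    echo 'COMMIT'
}
```

Read the generated file before loading it, and load it from a console or other out-of-band session rather than over SSH, since a mistake in the allow-list locks you out of the box. Recent iptables-restore versions accept --test to parse the file without committing it; the conntrack and limit rules also keep the rule count independent of how many addresses are in the file, so only the allow-list grows.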