Solved

Blocking all IP's except for SIP providers on asterisk

Posted on 2011-09-29
Last Modified: 2012-05-12
Hey guys. I need to block all public IPs on my Debian/Asterisk machine's external interface and allow only my provider access. I have tried the following commands and I cannot get it working. Can anyone help? The reason I have a public interface is because we need an internal interface for our phones to register through.

iptables -A INPUT -s Provider's IP address -i eth1 -j ACCEPT
iptables -A INPUT -i eth1 -j DROP

When I enter this, nothing gets through the interface. Can someone explain what I'm doing wrong?

Question by: forsol

22 Comments

Expert Comment by: Jan Springer (LVL 28)

Are you allowing related, established, and the needed UDP (DNS, NTP) in your iptables?

Author Comment by: forsol

I have nothing else in my iptables. I cleared it out before I started.

Right now the only thing I have in the table is

iptables -A INPUT -s Provider's IP address -i eth1 -j ACCEPT

Here is a copy of my iptables:

hostname:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  100.ipcomms.net      anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If I add the drop line in, nothing gets through, including my provider.

Thanks for your help Jesper

Expert Comment by: Jan Springer (LVL 28)

Do this:

iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

And, of course, any other activity that you want to allow needs to be specified prior to rejecting traffic.

Author Comment by: forsol

OK, thanks Jesper. I just want to make sure I understand. If I'm thinking correctly, if I don't enter the statements you have above, then it doesn't matter what I put before the drop command; nothing will be allowed in? Also, am I to assume that the system will know that the only interface I want to use these statements on is eth1? I don't want to do any blocking on my internal interface, just my external one. I probably sound pretty stupid, but I am still a bit confused.

My main reason for wanting to block all external IPs is that someone over in the UK was able to hack into one of my existing phone extensions, register themselves with my Asterisk service and then proceed to make 1200 minutes' worth of calls. You are welcome to contact me outside of here if you wish.

Expert Comment by: Jan Springer (LVL 28)

Yes, you are dropping all packets into eth1.

Re: the statements I provided can also take the "-i eth1" argument or you can open up the other interface (example presumes that it's eth0).   I'm also identifying that you should allow local loopback access, too.  You will want to add that if you are multi-homed and do not want restrictions on another ethernet interface.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth1 -j REJECT --reject-with icmp-host-prohibited

When you're done and satisfied with the rules:
      iptables-save
      service iptables save

Author Comment by: forsol

OK. I get what you are doing here. Thanks. My only question now is: do I still put in the rules

iptables -A INPUT -s Provider's IP address -i eth1 -j ACCEPT
iptables -A INPUT -i eth1 -j DROP

or leave them out? Or does the reject statement do that for me? It looks to me like you are only rejecting pings.

Expert Comment by: Jan Springer (LVL 28)

Your ruleset:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s Provider's IP address -i eth1 -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth1 -j REJECT --reject-with icmp-host-prohibited

You don't need the drop.  Any traffic not permitted is rejected *with* the reason why.

Author Comment by: forsol

OK, thanks. I'm sorry if I was asking too many dumb questions :-) I'll let you know how it goes. It will be tomorrow though; the system is a production system and cannot be tampered with during regular hours.

Expert Comment by: Jan Springer (LVL 28)

No, they are not dumb questions. As an FYI:

iptables-save            => puts the changes into production
service iptables save => saves the changes to the startup iptables file

***And*** if this box is remote, be sure to add the rules to ssh in before you save your changes.
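The ordering and lockout points raised in this thread are easier to get right if the ruleset is generated as a file and checked before it is loaded, rather than typed one rule at a time on a production box. The script below is an added example, not code posted in the thread: it emits the INPUT chain discussed above in iptables-restore format (loaded with `iptables-restore < file`, which is also how a ruleset saved with `iptables-save` is normally persisted and reloaded at boot on Debian) and refuses a ruleset in which an ACCEPT sits after the final REJECT, or in which no ssh ACCEPT comes before it. The interface names, the provider address and the admin network are placeholders. The inbound DNS rule is left out because the ESTABLISHED rule already admits replies to the server's own lookups; add it back only if the box also serves DNS.

```shell
#!/bin/sh
# Added example, not from the thread: build the INPUT ruleset in
# iptables-restore format and sanity-check its ordering before loading it.
# All four values are placeholders (assumptions); replace them for a real box.
EXT_IF=${EXT_IF:-eth1}                    # public interface facing the provider
INT_IF=${INT_IF:-eth0}                    # internal interface the phones use
PROVIDER_IP=${PROVIDER_IP:-203.0.113.10}  # SIP provider (TEST-NET-3 placeholder)
ADMIN_NET=${ADMIN_NET:-198.51.100.0/24}   # where administrators ssh from (placeholder)

# Print the ruleset. Everything that must stay reachable is accepted before
# the final REJECT on the external interface; rules placed after it never match.
build_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $INT_IF -j ACCEPT
-A INPUT -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $EXT_IF -p icmp -j ACCEPT
-A INPUT -i $EXT_IF -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $EXT_IF -s $PROVIDER_IP -j ACCEPT
-A INPUT -i $EXT_IF -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read a ruleset on stdin; exit 0 only if no ACCEPT is shadowed by an earlier
# REJECT, an ssh ACCEPT precedes the REJECT, and the table is committed.
check_ruleset() {
    awk '
        /-j REJECT/                           { rejected = 1 }
        /-j ACCEPT/ && rejected               { print "unreachable rule: " $0; bad = 1 }
        /--dport 22 .*-j ACCEPT/ && !rejected { ssh = 1 }
        /^COMMIT$/                            { committed = 1 }
        END {
            if (!ssh)       { print "no ssh ACCEPT ahead of the REJECT"; bad = 1 }
            if (!committed) { print "missing COMMIT"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Check, then load the whole table atomically; persist only once it is verified.
apply_ruleset() {
    build_ruleset | check_ruleset || return 1
    build_ruleset | iptables-restore && iptables-save > /etc/iptables.rules
}

# Dry run: print the rules and the verdict without touching the kernel.
build_ruleset
build_ruleset | check_ruleset && echo "ruleset ok"
```

Run it once as a dry run, read the output, then call `apply_ruleset` as root; the check refuses to load anything that would cut off ssh, which is the lockout the thread warns about.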

Author Comment by: forsol

Thank you Jesper. The rules you provided are working so far. I SOOOOO appreciate your help. This weekend will be the real test though, seeing how the hackers seem to love working overtime on weekends.

Expert Comment by: Jan Springer (LVL 28)

You are welcome.  If you continue to have problems, holler.

Author Comment by: forsol

LOL, well now that you mention it, I am having issues. The calls get through but no voice or sound is passing through. It's like a dead zone.

Author Comment by: forsol

Ya know, now that I'm thinking about it, I wonder if allowance of port ranges is required.

Expert Comment by: Jan Springer (LVL 28)

We need to allow your remote users to reach the Asterisk server.  Do you know the IPs of these remotes or are they outside of your network?  If inside, we can update iptables.  If outside, I'm thinking fail2ban.

Author Comment by: forsol

We don't have any remote users other than administrators, and they come in via eth0 internally through SSH. All the phones are internal as well, so they also use the eth0 interface. I wonder if we need to allow the SIP protocol along with a range of ports. There are also ports 5060/5061 that SIP uses for communication. The port range for traffic once the connection is made is, I believe, 13000 through 16000 for voice to travel over? In essence, all we are using eth1 for is connecting to our VoIP provider. Connecting to them worked fine with the rules in place, just no communication between connections.
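SIP signalling (UDP 5060, or 5061 for SIP over TLS) and the voice media are separate flows: the RTP ports are negotiated per call in the SDP body, and Asterisk picks them from the range set in /etc/asterisk/rtp.conf (rtpstart/rtpend, shipped defaults 10000 and 20000). Two things follow for a ruleset like the one above. A rule that admits only the provider's signalling address lets the call set up but drops the audio if the provider sends media from a different address, which is common, and the RELATED,ESTABLISHED match only helps for a stream Asterisk has already sent a packet to. Calls that connect with silence in both directions are the classic symptom. The script below is an added example, not code from the thread: it reads the range from rtp.conf and emits one ACCEPT per media address for the external interface. The interface name and the media address list are placeholders to be confirmed with the provider.

```shell
#!/bin/sh
# Added example, not from the thread: derive the RTP media rule for the
# external interface from Asterisk's rtp.conf rather than guessing the range.
# EXT_IF and MEDIA_HOSTS are placeholders (assumptions); get the real media
# addresses from the provider, they often differ from the signalling host.
EXT_IF=${EXT_IF:-eth1}
MEDIA_HOSTS=${MEDIA_HOSTS:-"203.0.113.10 203.0.113.20"}

# rtp_range FILE: print "start end" from an rtp.conf, ignoring ';' comments
# and whitespace; falls back to the defaults shipped with Asterisk.
# (Inside the awk program $1/$2 are the key and value split on '=';
#  the trailing "$1" is the shell argument, the file name.)
rtp_range() {
    awk -F= '
        { sub(/;.*/, ""); gsub(/[ \t]/, "") }   # strip comments and blanks
        tolower($1) == "rtpstart" { start = $2 }
        tolower($1) == "rtpend"   { end = $2 }
        END {
            if (start == "") start = 10000
            if (end == "")   end = 20000
            print start, end
        }' "$1"
}

# rtp_rules FILE: one ACCEPT per media host for the negotiated UDP range.
# These belong before the final REJECT on the external interface.
rtp_rules() {
    range=$(rtp_range "$1")
    start=${range% *}
    end=${range#* }
    for host in $MEDIA_HOSTS; do
        printf 'iptables -A INPUT -i %s -s %s -p udp --dport %s:%s -j ACCEPT\n' \
            "$EXT_IF" "$host" "$start" "$end"
    done
}

# Constructed sample of the relevant part of /etc/asterisk/rtp.conf, using
# the range the poster mentioned; a real box reads the live file instead.
SAMPLE_RTP_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_RTP_CONF"' EXIT
cat >"$SAMPLE_RTP_CONF" <<'EOF'
[general]
; RTP port range used for voice media
rtpstart = 13000   ; lower bound
rtpend   = 16000
EOF

rtp_rules "$SAMPLE_RTP_CONF"
```

On the server itself, point `rtp_rules` at /etc/asterisk/rtp.conf so the firewall range can never drift from what Asterisk actually offers in the SDP.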

Expert Comment by: Jan Springer (LVL 28)

This line:
    iptables -A INPUT -i eth0 -j ACCEPT
allows everything through your internal interface.

If your Asterisk server is on the same subnet and on the same local area network as your internal stuff, there should be no block.

Your other iptables rules specify eth1.  Can you run wireshark on eth0 with and without iptables rules?

Author Comment by: forsol

Jesper, I input your rules into my server and thought it was working, but I found that folks can still get in. I was monitoring my Asterisk messages file and saw someone trying to register a SIP extension. Do you have any other suggestions?
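The messages log being watched here is also the right place to confirm what the firewall is actually doing: with a deny-by-default eth1, registration attempts from the Internet should stop appearing, so if they keep showing up the rules are not loaded or the traffic is arriving another way, which is what the request for `iptables --list` further down is getting at. The script below is an added example, not code from the thread. It counts failed SIP registrations per source address in Asterisk's chan_sip NOTICE lines, the same signal a fail2ban filter for Asterisk matches on, and turns repeat offenders into DROP rules for review. The log lines are constructed samples in the format Asterisk 1.x writes to /var/log/asterisk/messages, with addresses from the documentation ranges.

```shell
#!/bin/sh
# Added example, not from the thread: count failed SIP registrations per
# source address in Asterisk's messages log, so repeat offenders stand out.
# The log below is a constructed sample in the chan_sip NOTICE format.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
[Sep 30 02:14:03] NOTICE[2291] chan_sip.c: Registration from '"100" <sip:100@203.0.113.50>' failed for '198.51.100.23:5060' - Wrong password
[Sep 30 02:14:03] NOTICE[2291] chan_sip.c: Registration from '"100" <sip:100@203.0.113.50>' failed for '198.51.100.23:5060' - Wrong password
[Sep 30 02:14:04] NOTICE[2291] chan_sip.c: Registration from '"100" <sip:100@203.0.113.50>' failed for '198.51.100.23:5060' - Wrong password
[Sep 30 02:14:04] NOTICE[2291] chan_sip.c: Registration from '"101" <sip:101@203.0.113.50>' failed for '198.51.100.23:5060' - Wrong password
[Sep 30 02:14:05] NOTICE[2291] chan_sip.c: Registration from '"101" <sip:101@203.0.113.50>' failed for '198.51.100.23:5060' - Wrong password
[Sep 30 02:14:05] NOTICE[2291] chan_sip.c: Registration from '"102" <sip:102@203.0.113.50>' failed for '198.51.100.23:5060' - Wrong password
[Sep 30 02:14:06] NOTICE[2291] chan_sip.c: Registration from '"102" <sip:102@203.0.113.50>' failed for '198.51.100.23:5060' - Wrong password
[Sep 30 02:15:11] NOTICE[2291] chan_sip.c: Registration from '<sip:admin@203.0.113.50>' failed for '192.0.2.77' - No matching peer found
[Sep 30 02:15:12] NOTICE[2291] chan_sip.c: Registration from '<sip:test@203.0.113.50>' failed for '192.0.2.77' - No matching peer found
[Sep 30 02:16:00] VERBOSE[2291] chan_sip.c:     -- Registered SIP '201' at 192.168.1.21:5060
[Sep 30 02:16:30] WARNING[2291] chan_sip.c: Retransmission timeout reached on transmission 3a9f
EOF

# failed_registrations FILE [MIN]: print "count address" for every source
# with at least MIN failed registrations (default 5), busiest first.
failed_registrations() {
    awk -v min="${2:-5}" -v q="'" '
        /chan_sip.c: Registration from .* failed for / {
            # the offending address is the quoted token after "failed for "
            i = index($0, "failed for " q)
            src = substr($0, i + length("failed for " q))
            src = substr(src, 1, index(src, q) - 1)
            sub(/:[0-9]+$/, "", src)        # drop the source port if present
            count[src]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' "$1" | sort -rn
}

# block_rules FILE [MIN]: turn the flagged addresses into DROP rules for the
# external interface (placeholder eth1); review before running on a live box.
block_rules() {
    failed_registrations "$1" "$2" | while read -r count ip; do
        printf 'iptables -I INPUT -i eth1 -s %s -j DROP   # %s failed registrations\n' \
            "$ip" "$count"
    done
}

failed_registrations "$SAMPLE_LOG" 5
block_rules "$SAMPLE_LOG" 5
```

Run `failed_registrations /var/log/asterisk/messages 5` on the server; if any Internet address appears while the external interface is supposed to be closed, the firewall is not doing what the ruleset says.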

Expert Comment by: Jan Springer (LVL 28)

Did you "iptables-save" and "service iptables save"?

What do you have for an "iptables --list"?

Author Comment by: forsol

No sir. I didn't do that because I was under the impression that when you run that command it saves to your system, and I wanted to test the rules first. Do you think it would make a difference if I did run the save rules?

Expert Comment by: Jan Springer (LVL 28)

No, it only matters if you have restarted iptables.  Could you do an "iptables --list" and put an X for the first two octets of public IPs that you do not want exposed?

Author Comment by: forsol

I actually flushed it out yesterday when I saw it wasn't working. I didn't want to get too many rules in there. I can add them back though. Right now I just have 2 blocked IPs in the list, but I sure can list that for ya. I don't mind exposing those IP addresses; after all, they are the hackers lol.

Accepted Solution by: rickygm (LVL 3, earned 500 total points)

Maybe you need to set up shorewall on your machine and try this:

ACCEPT          net:XXX.XXX.XXX.XXX   $FW   udp 5060

Regards