Don Roberts
Blocking all IP's except for SIP providers on asterisk

Hey guys.  I need to block all public IPs on my Debian/Asterisk machine's external interface and allow only my provider access.  I have tried the following commands and I cannot get it working.  Can anyone help?  The reason I have a public interface is that we need an internal interface for our phones to register through.

iptables -A INPUT -s Provider's IP address -i eth1 -j ACCEPT
iptables -A INPUT -i eth1 -j DROP

When I enter this, nothing gets through the interface.  Can someone explain what I'm doing wrong?
Jan Bacher

Are you allowing related, established, and the needed UDP (DNS, NTP) in your iptables?
Don Roberts (asker)

I have nothing else in my iptables.  I cleared it out before I started.

Right now the only thing I have in the table is

iptables -A INPUT -s Provider's IP address -i eth1 -j ACCEPT


Here is a copy of my iptables:


hostname:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  100.ipcomms.net      anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If I add the drop line then nothing gets through, including my provider.

Thanks for your help, Jesper.
Do this:

iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

And, of course, any other activity that you want to allow needs to be specified prior to rejecting traffic.
OK, thanks Jesper.  I just want to make sure I understand.  If I'm thinking correctly, if I don't enter the statements you have above, then it doesn't matter what I put before the drop command, nothing will be allowed in?  Also, am I to assume that the system will know that the only interface I want to use these statements on is eth1?  I don't want to do any blocking on my internal interface, just my external one.  I probably sound pretty stupid but I am still a bit confused.

My main reason for wanting to block all external IPs is that someone over in the UK was able to hack into one of my existing phone extensions, register themselves with my Asterisk service and then proceed to make 1200 minutes' worth of calls.  You are welcome to contact me outside of here if you wish.
Yes, you are dropping all packets into eth1.

Re: the statements I provided: they can also take the "-i eth1" argument, or you can open up the other interface (the example presumes that it's eth0).  I'm also identifying that you should allow local loopback access, too.  You will want to add that if you are multi-homed and do not want restrictions on another Ethernet interface.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth1 -j REJECT --reject-with icmp-host-prohibited

When you're done and satisfied with the rules:
      iptables-save
      service iptables save
OK, I get what you are doing here.  Thanks.  My only question now is, do I still put in the rules

iptables -A INPUT -s Provider's IP address -i eth1 -j ACCEPT
iptables -A INPUT -i eth1 -j DROP

or leave them out?  Or does the reject statement do that for me?  It looks to me like you are only rejecting pings.
Your ruleset:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s Provider's IP address -i eth1 -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth1 -j REJECT --reject-with icmp-host-prohibited

You don't need the drop.  Any traffic not permitted is rejected *with* the reason why.
OK, thanks.  I'm sorry if I was asking too many dumb questions :-)  I'll let you know how it goes.  It will be tomorrow though; the system is a production system and cannot be tampered with during regular hours.
No, they are not dumb questions.  As an FYI:

iptables-save            => puts the changes into production
service iptables save => saves the changes to the startup iptables file

***And*** if this box is remote, be sure to add the rules to SSH in before you save your changes.
Thank you Jesper.  The rules you provided are working so far.  I SOOOOO appreciate your help.  This weekend will be the real test though, seeing how the hackers seem to love working overtime on weekends.
You are welcome.  If you continue to have problems, holler.
LOL, well now that you mention it, I am having issues.  The calls get through but no voice or sound is passing through.  It's like a dead zone.
Ya know, now that I'm thinking about it, I wonder if allowing port ranges is required.
We need to allow your remote users to reach the Asterisk server.  Do you know the IPs of these remotes or are they outside of your network?  If inside, we can update iptables.  If outside, I'm thinking fail2ban.
We don't have any remote users other than administrators, and they come in via eth0 internally through SSH.  All the phones are internal as well, so they also use the eth0 interface.  I wonder if we need to allow the SIP protocol along with a range of ports.  There are also ports 5060/5061 that SIP uses for communication.  The port range for traffic once the connection is made is, I believe, 13000 through 16000 for voice to travel over?  In essence all we are using eth1 for is connecting to our VoIP provider.  Connecting to them worked fine with the rules in place, just no communication between connections.
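As an added example (not code from the thread or from either participant): a small Python model of first-match evaluation for the INPUT chain agreed on above, run over constructed packets for the cases the thread touches: the provider's SIP signalling, a foreign REGISTER attempt, a DNS reply, an internal phone, and an RTP packet arriving from a media address other than the provider's signalling host, which is one candidate explanation for the calls-without-audio symptom. The provider, resolver, media and phone addresses are placeholders, and the conntrack state on each packet is assumed.

```python
from dataclasses import dataclass

PROVIDER_IP = "198.51.100.10"   # constructed placeholder for the provider's address

@dataclass
class Packet:
    iface: str            # arriving interface
    src: str              # source IP
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port (0 for icmp)
    state: str = "NEW"    # assumed conntrack state: NEW, ESTABLISHED or RELATED

# Final INPUT chain from the thread, top to bottom: (match conditions, target).
FINAL_RULES = [
    ({"iface": "lo"}, "ACCEPT"),
    ({"iface": "eth0"}, "ACCEPT"),
    ({"iface": "eth1", "proto": "icmp"}, "ACCEPT"),
    ({"iface": "eth1", "state": ("RELATED", "ESTABLISHED")}, "ACCEPT"),
    ({"iface": "eth1", "src": PROVIDER_IP}, "ACCEPT"),
    ({"iface": "eth1", "proto": "udp", "dport": 53}, "ACCEPT"),  # inbound queries to 53
    ({"iface": "eth1"}, "REJECT"),
]
# The asker's first attempt: allow the provider, drop everything else on eth1.
FIRST_RULES = [({"iface": "eth1", "src": PROVIDER_IP}, "ACCEPT"),
               ({"iface": "eth1"}, "DROP")]

def matches(conds, pkt):
    # True when every listed field equals (or is among) the wanted value(s).
    for field, want in conds.items():
        have = getattr(pkt, field)
        if have not in (want if isinstance(want, tuple) else (want,)):
            return False
    return True

def verdict(pkt, rules, policy="ACCEPT"):
    # First matching rule decides; otherwise the chain policy applies
    # (the asker's `iptables -L` output shows policy ACCEPT).
    for conds, target in rules:
        if matches(conds, pkt):
            return target
    return policy

# Constructed sample packets mirroring the situations the thread discusses.
SAMPLES = {
    "provider_invite": Packet("eth1", PROVIDER_IP, "udp", 5060),
    "foreign_register": Packet("eth1", "203.0.113.7", "udp", 5060),
    "dns_reply": Packet("eth1", "192.0.2.53", "udp", 40000, "ESTABLISHED"),
    "rtp_from_media_gw": Packet("eth1", "198.51.100.77", "udp", 13000),  # NEW: no prior outbound
    "internal_phone": Packet("eth0", "10.0.0.21", "udp", 5060),
}

def evaluate(rules):
    return {name: verdict(pkt, rules) for name, pkt in SAMPLES.items()}
```

Under the first two-rule attempt the DNS reply is dropped (no state rule), while under the final chain it is accepted; the RTP packet from a non-provider media address is rejected in both.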
This line:
    iptables -A INPUT -i eth0 -j ACCEPT
allows everything through your internal interface.

If your Asterisk server is on the same subnet and on the same local area network as your internal stuff, there should be no block.

Your other iptables rules specify eth1.  Can you run wireshark on eth0 with and without iptables rules?
Jesper, I input your rules into my server and thought it was working, but I found that folks can still get in.  I was monitoring my Asterisk messages file and saw someone trying to register a SIP extension.  Do you have any other suggestions?
Did you "iptables-save" and "service iptables save"?

What do you have for an "iptables --list"?
No sir.  I didn't do that because I was under the impression that when you run that command it saves to your system, and I wanted to test the rules first.  Do you think it would make a difference if I did run the save rules?
No, it only matters if you have restarted iptables.  Could you do an "iptables --list" and put an X for the first two octets of public IPs that you do not want exposed?
I actually flushed it out yesterday when I saw it wasn't working.  I didn't want to get too many rules in there.  I can add them back though.  Right now I just have 2 blocked IPs in the list but I sure can list that for ya.  I don't mind exposing those IP addresses; after all, they are the hackers lol.