Solved

Blocking all IP's except for SIP providers on asterisk

Posted on 2011-09-29
Last Modified: 2012-05-12
Hey guys. I need to block all public IPs on my Debian/Asterisk machine's external interface and allow only my provider access. I have tried the following commands and I cannot get it working. Can anyone help? The reason I have a public interface is because we need an internal interface for our phones to register through.

iptables -A INPUT -s Provider's IP address -i eth1 -j ACCEPT
iptables -A INPUT -i eth1 -j DROP

When I enter this, nothing gets through the interface. Can someone explain what I'm doing wrong?
Question by:Don Roberts
22 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36816145
Are you allowing related, established, and needed UDP (DNS, NTP) in your iptables?
0
 

Author Comment

by:Don Roberts
ID: 36816198
I have nothing else in my iptables. I cleared it out before I started.

Right now the only thing I have in the table is

iptables -A INPUT -s Provider's IP address -i eth1 -j ACCEPT


Here is a copy of my iptables:


hostname:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  100.ipcomms.net      anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If I add the drop line in, then nothing gets through, including my provider.

Thanks for your help Jesper
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36816245
Do this:

iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

And, of course, any other activity that you want to allow needs to be specified prior to rejecting traffic.
0

Author Comment

by:Don Roberts
ID: 36816691
OK, thanks Jesper. I just want to make sure I understand. If I'm thinking correctly, if I don't enter the statements you have above, then it doesn't matter what I put before the drop command; nothing will be allowed in? Also, am I to assume that the system will know that the only interface I want to use these statements on is eth1? I don't want to do any blocking on my internal interface, just my external one. I probably sound pretty stupid, but I am still a bit confused.

My main reason for wanting to block all external IPs is due to the fact that someone over in the UK was able to hack into one of my existing phone extensions and register themselves with my Asterisk service, then proceed to make 1200 minutes' worth of calls. You are welcome to contact me outside of here if you wish.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36816759
Yes, you are dropping all packets into eth1.

Re: the statements I provided can also take the "-i eth1" argument or you can open up the other interface (example presumes that it's eth0).   I'm also identifying that you should allow local loopback access, too.  You will want to add that if you are multi-homed and do not want restrictions on another ethernet interface.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth1 -j REJECT --reject-with icmp-host-prohibited

When you're done and satisfied with the rules:
      iptables-save
      service iptables save
0
 

Author Comment

by:Don Roberts
ID: 36816929
OK. I get what you are doing here. Thanks. My only question now is, do I still put in the rules

iptables -A INPUT -s Provider's IP address -i eth1 -j ACCEPT
iptables -A INPUT -i eth1 -j DROP

or leave them out? Or does the reject statement do that for me? It looks to me like you are only rejecting pings.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36816948
Your ruleset:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s Provider's IP address -i eth1 -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth1 -j REJECT --reject-with icmp-host-prohibited

You don't need the drop.  Any traffic not permitted is rejected *with* the reason why.
0
 

Author Comment

by:Don Roberts
ID: 36817039
OK, thanks. I'm sorry if I was asking too many dumb questions :-) I'll let you know how it goes. It will be tomorrow though; the system is a production system and cannot be tampered with during regular hours.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36817142
No, they are not dumb questions. As an FYI:

iptables-save            => puts the changes into production
service iptables save => saves the changes to the startup iptables file

***And*** if this box is remote, be sure to add the rules to ssh in before you save your changes.
0
 

Author Comment

by:Don Roberts
ID: 36891572
Thank you Jesper....  The rules you provided are working so far....  I SOOOOO appreciate your help...  This weekend will be the real test though seeing how the hackers seem to love working overtime on weekends..
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36891651
You are welcome.  If you continue to have problems, holler.
0
 

Author Comment

by:Don Roberts
ID: 36891753
LOL, well now that you mention it, I am having issues. The calls get through, but no voice or sound is passing through. It's like a dead zone.
0
 

Author Comment

by:Don Roberts
ID: 36891779
Ya know, now that I'm thinking about it, I wonder if allowing port ranges is required.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36891994
We need to allow your remote users to reach the Asterisk server.  Do you know the IPs of these remotes or are they outside of your network?  If inside, we can update iptables.  If outside, I'm thinking fail2ban.
0
 

Author Comment

by:Don Roberts
ID: 36892102
We don't have any remote users other than administrators, and they come in via eth0 internally through SSH. All the phones are internal as well, so they also use the eth0 interface. I wonder if we need to allow the SIP protocol along with a range of ports. There are also ports 5060/5061 that SIP uses for communication. The port range for traffic once the connection is made is, I believe, 13000 through 16000 for voice to travel over? In essence, all we are using eth1 for is connecting to our VoIP provider. Connecting to them worked fine with the rules in place, just no communication between connections.
0
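Building on the ruleset given earlier in the thread and the SIP/RTP ports raised in this post, here is an added example (not from the thread or either participant) that generates the eth1 ruleset, checks that the provider ACCEPT precedes the final REJECT, and prints rather than applies it. The provider address 203.0.113.10 is a placeholder and 10000:20000 is assumed to be the Asterisk default rtp.conf range; adjust both to your setup.

```shell
#!/bin/sh
# Generate, check and (optionally) apply an INPUT ruleset for an Asterisk host
# with eth1 on the internet and the phones behind eth0. Assumed values:
# 203.0.113.10 is a placeholder for the provider's address and 10000:20000 is
# Asterisk's default rtp.conf range. Rules are printed, not applied.
gen_rules() {
    ext_if=$1; int_if=$2; provider=$3; rtp=${4:-10000:20000}
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $int_if -j ACCEPT
iptables -A INPUT -i $ext_if -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $ext_if -p icmp -j ACCEPT
iptables -A INPUT -i $ext_if -s $provider -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -i $ext_if -s $provider -p udp --dport $rtp -j ACCEPT
iptables -A INPUT -i $ext_if -j REJECT --reject-with icmp-host-prohibited
EOF
}
# Notes on the rules above:
# - No inbound :53 rule: replies to the server's own DNS queries match
#   RELATED,ESTABLISHED, so port 53 only needs opening if this host serves DNS.
# - The provider is limited to SIP signalling (5060/udp) and the RTP range
#   instead of "everything from that IP". Many providers send media from a
#   different address than their SIP proxy; if calls connect but carry no
#   audio, add that media address (or range) to the RTP rule.
# - netfilter stops at the first matching rule, so the provider ACCEPTs must
#   come before the final REJECT. check_order verifies that for a ruleset.
check_order() {
    rules=$(gen_rules "$@")
    allow=$(printf '%s\n' "$rules" | grep -n -- "-s $3 " | head -n 1 | cut -d: -f1)
    deny=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | cut -d: -f1)
    [ -n "$allow" ] && [ -n "$deny" ] && [ "$allow" -lt "$deny" ]
}
# Rules take effect as soon as each iptables command runs; iptables-save only
# prints the live ruleset. On Debian, persist across reboots with the
# iptables-persistent package: iptables-save > /etc/iptables/rules.v4
# Dry run by default; to apply on the host: gen_rules eth1 eth0 <ip> | sh
check_order eth1 eth0 203.0.113.10 && gen_rules eth1 eth0 203.0.113.10
```

Run it once as a dry run and compare the output with `iptables -L -n --line-numbers` after applying, so that the provider rules really sit above the REJECT.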
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36892160
This line:
    iptables -A INPUT -i eth0 -j ACCEPT
allows everything through your internal interface.

If your asterisk server is on the same subnet and on the same local area network as your internal stuff, there should be no block.

Your other iptables rules specify eth1.  Can you run wireshark on eth0 with and without iptables rules?
0
 

Author Comment

by:Don Roberts
ID: 36905048
Jesper, I input your rules into my server and thought it was working, but I found that folks can still get in. I was monitoring my Asterisk messages file and saw someone trying to register a SIP extension. Do you have any other suggestions?
0
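The check described in this post, watching the Asterisk messages file for registration attempts, can be scripted; the following is an added example (not from the thread) that counts failed SIP registrations per source address and prints DROP rules for repeat offenders, which is essentially what fail2ban's asterisk jail automates. The log lines are constructed for the example in the chan_sip "Registration from ... failed for 'IP:port' - reason" format and assume IPv4 sources; the threshold and interface are assumptions.

```shell
#!/bin/sh
# Count failed SIP registrations per source address in an Asterisk messages
# log and emit blocking rules for repeat offenders. The log lines below are
# constructed for this example in the chan_sip
# "Registration from ... failed for 'IP:port' - reason" format (IPv4 only).
LOG=$(cat <<'EOF'
[Sep 29 22:01:03] NOTICE[2104] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '203.0.113.5:5060' - Wrong password
[Sep 29 22:01:04] NOTICE[2104] chan_sip.c: Registration from '"101" <sip:101@198.51.100.7>' failed for '203.0.113.5:5060' - No matching peer found
[Sep 29 22:01:05] NOTICE[2104] chan_sip.c: Registration from '"102" <sip:102@198.51.100.7>' failed for '203.0.113.5:5060' - Wrong password
[Sep 29 22:02:10] NOTICE[2104] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '192.168.1.20:5060' - Wrong password
[Sep 29 22:03:00] VERBOSE[2104] chan_sip.c:     -- Registered SIP '200' at 192.168.1.20:5060
EOF
)

# "count ip" per source with failed registrations, highest count first.
failed_by_source() {
    printf '%s\n' "$1" |
    awk -F"failed for '" '/Registration from .* failed for/ {
            split($2, a, ":"); n[a[1]]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Sources with at least $2 failures (default 3): likely scanners or
# password guessing rather than a phone with a mistyped secret.
offenders() {
    failed_by_source "$1" | awk -v t="${2:-3}" '$1 >= t { print $2 }'
}

# One DROP per offender on the external interface ($2, default eth1), inserted
# at the top of INPUT so it wins over any later ACCEPT. Printed, not applied;
# a real run would feed the live log and pipe the output to sh.
block_rules() {
    offenders "$1" "$3" | while read -r ip; do
        echo "iptables -I INPUT -i ${2:-eth1} -s $ip -j DROP"
    done
}

block_rules "$LOG"
```

Against the constructed log this prints a single DROP for 203.0.113.5; the internal phone at 192.168.1.20 with one failure stays below the threshold.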
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36905236
Did you "iptables-save" and "service iptables save"?

What do you have for an "iptables --list"?
0
 

Author Comment

by:Don Roberts
ID: 36909574
No sir. I didn't do that because I was under the impression that when you run that command it saves to your system, and I wanted to test the rules first. Do you think it would make a difference if I did run the save rules?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36909783
No, it only matters if you have restarted iptables.  Could you do an "iptables --list" and put an X for the first two octets of public IPs that you do not want exposed?
0
 

Author Comment

by:Don Roberts
ID: 36909883
I actually flushed it out yesterday when I saw it wasn't working. I didn't want to get too many rules in there. I can add them back though. Right now I just have 2 blocked IPs in the list, but I sure can list that for ya. I don't mind exposing those IP addresses; after all, they are the hackers, lol.
0
 
LVL 3

Accepted Solution

by: rickygm (earned 2000 total points)
ID: 36971285
Maybe you need to set up Shorewall on your machine and try this:

ACCEPT          net:XXX.XXX.XXX.XXX   $FW   udp 5060

Regards
0
