SIP Server IPTABLES Sample firewall Rules !

http://sysadminman.net/blog/2008/iptables-for-asterisk-49

http://www.voip-info.org/wiki/view/Asterisk+firewall+rules

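# SIP signalling (UDP/5060) flood protection for an Asterisk-style server.
#
# All long options use two ASCII hyphens ("--dport"). The rules as copied
# from the web page carried typographic dashes ("–dport"), which iptables
# rejects as an unknown argument, so none of them would load.
#
# Rules are appended with -A so they land in the INPUT chain in the order
# written. With -I each line is inserted at the top, so the last line (the
# unconditional DROP on 5060) would end up first and shadow every rule
# above it. These rules must also come before any broader
# "--dport 5060 -j ACCEPT" rule, or that rule matches first and the limits
# below never apply.

# Record every REGISTER per source address, then drop a source that has sent
# more than 12 REGISTERs within 60 seconds. --rttl additionally requires the
# packet TTL to match the one recorded by --set, so a third party cannot
# easily get a legitimate address blocked by sending spoofed packets.
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -m recent --set --name VOIP --rsource
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIP --rsource -j DROP

# Same treatment for INVITE (call setup) floods, tracked in a separate list
# so registration and call attempts are limited independently.
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm -m recent --set --name VOIPINV --rsource
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIPINV --rsource -j DROP

# Accept the remaining SIP/UDP traffic at up to 6 packets/sec per
# (source IP, destination port) bucket; anything above that rate is not
# matched here and falls through to the DROP on the next line.
iptables -A INPUT -p udp -m hashlimit --hashlimit 6/sec --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -m udp --dport 5060 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5060 -j DROP

# RTP - the media stream
# (must match the port range configured in /etc/asterisk/rtp.conf)
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

# MGCP - only if you use media gateway control protocol in your configuration
iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT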

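#!/bin/bash
# Host firewall for a SIP server: default-deny inbound on the external
# interface, with explicit allows for management, web, SIP and RTP.
#
# All long options use two ASCII hyphens ("--dport"); the copy on the web
# page carried typographic dashes, which iptables rejects.
#
# Abort at the first failing iptables command instead of carrying on with a
# half-built chain (-e), and treat an unset variable as an error (-u).
set -eu

# External (Internet-facing) interface.
EXIF="eth0"

# Clear any existing firewall rules before we start.
# Note: --flush removes the rules but leaves the chain policies untouched.
/sbin/iptables --flush

# As the default policies, drop all incoming traffic but allow all
# outgoing traffic. This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.

# Allow connections from my machines. This goes in before the DROP policy
# so a remote session from that address is not cut off while the rest of
# the rules load.
/sbin/iptables -A INPUT -p tcp -i "$EXIF" -m state --state NEW -s 109.161.251.214 -j ACCEPT

/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT ACCEPT

# Allow all incoming traffic if it is coming from the local loopback device.
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Accept all incoming traffic associated with an established connection,
# or a "related" connection.
/sbin/iptables -A INPUT -i "$EXIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Check new packets are SYN packets for syn-flood protection.
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop fragmented packets.
/sbin/iptables -A INPUT -f -j DROP

# Drop malformed XMAS packets (all TCP flags set).
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Drop null packets (no TCP flags set).
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Allow connections to port 4501 - ssh. You can add other ports you need
# in here.
/sbin/iptables -A INPUT -p tcp -i "$EXIF" --dport 4501 -m state --state NEW -j ACCEPT

# Allow connections to port 4500 - Webmin.
/sbin/iptables -A INPUT -p tcp -i "$EXIF" --dport 4500 -m state --state NEW -j ACCEPT

# Allow connections to ports 80 and 443 - www.
/sbin/iptables -A INPUT -p tcp -i "$EXIF" --dport 80 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i "$EXIF" --dport 443 -m state --state NEW -j ACCEPT

# Allow connections from my machines.
/sbin/iptables -A INPUT -p tcp -i "$EXIF" -m state --state NEW -s 80.241.212.93 -j ACCEPT

# Allow SIP connections. These accept SIP from any source without rate
# limiting; on an Internet-facing server, the REGISTER/INVITE
# flood-protection rules from the first listing on this page belong ahead
# of these two lines so that registration floods are dropped first.
/sbin/iptables -A INPUT -p udp -i "$EXIF" --dport 5060 -m udp -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i "$EXIF" --dport 5060 -m tcp -j ACCEPT

# RTP media range (must match the port range in /etc/asterisk/rtp.conf).
/sbin/iptables -A INPUT -p udp -i "$EXIF" --dport 10000:20000 -m udp -j ACCEPT

# Allow icmp echo-request (type 8) so that people can ping us.
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# Log then reject any packets that are not allowed. Uncomment the LOG rule
# to enable logging; you will probably want it off in normal operation.
#/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT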
